Configure domain and security token authentication for Citrix Endpoint Management

You can configure Citrix Endpoint Management to require users to authenticate with their LDAP credentials plus a one-time password, using the RADIUS protocol. This section describes the required NetScaler Gateway configuration for that two-factor authentication type.

Prerequisites

If you have not already run the NetScaler for Citrix Endpoint Management wizard, see the NetScaler for Citrix Endpoint Management Wizard section in Configuring Settings for Your Citrix Endpoint Management Environment. Make sure that your NetScaler configuration includes the following:

  • LDAP port number = 636 (which is the default port for secure LDAP connections)
  • Server Logon Name Attribute = sAMAccountName or userPrincipalName, depending on your requirements

To configure domain and security token authentication

  1. Go to NetScaler Gateway > Virtual Servers. Select the virtual server and then click Edit.

  2. Click No CA Certificate.

  3. In Select CA Certificate, choose a certificate, click OK, click Bind, and then click Done.

  4. Go to Policies > Session > Session Profiles, select the profile, and click Edit.

  5. Click the Client Experience tab.

  6. In Credential Index, choose SECONDARY.

  7. Click OK.

  8. Go to Policies > Authentication > LDAP, click the LDAP Policy tab, and click Edit.

  9. To use separate NetScaler Gateway VIPs for Citrix Endpoint Management and Citrix Virtual Apps and Desktops, use the following expression, which matches only requests from Citrix Receiver clients:

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

  10. Go to Policies > Authentication > RADIUS and then click the Servers tab.

  11. Click Add, enter the RADIUS server details, and click Create.

  12. Go to Policies and then click Add.

  13. Enter a Name for the policy. From the Server drop-down menu, select the RADIUS server name that you have created.

  14. In Expression, enter REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver and click Create.

  15. Select the virtual server and then click Edit.

  16. Under Primary Authentication, click LDAP Policy.

  17. Select the policy, click Unbind, and click Close.

  18. On the Authentication row, click + to add the RADIUS authentication.

  19. Under Choose Type, from Choose Policy, select RADIUS.

  20. Click Bind.

  21. Select the RADIUS authentication policy that you created earlier and then click Insert.

  22. Click OK.

  23. To add LDAP as the secondary authentication policy: On the Authentication row, click +.

  24. From Choose Policy, choose LDAP.

  25. From Choose Type, choose Secondary.

  26. From Select Policy, choose the LDAP policy.

  27. Select the policy and then click OK.

  28. Click Bind.

  29. Click Done.

  30. Verify that the policies you created have the highest priority, so that they remain first even if more policies are later added for non-mobile users. For more information, see Setting Priorities for Authentication Policies.
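The same configuration expressed as NetScaler CLI commands, added here as an illustration and not taken from the Citrix page. The object names, IP addresses, base and bind DNs, and the RADIUS shared secret are placeholders, and the commands assume the classic policy syntax that the page's User-Agent expression uses.

```nscli
# Placeholder values, all constructed for this example; replace before use:
#   virtual server XM_GW_VS, session action XM_SESSION_ACT,
#   RADIUS server 10.0.0.5, LDAP server 10.0.0.10

# 1. RADIUS server (UDP 1812, shared secret) and a policy that applies it only
#    to Receiver clients, using the same User-Agent expression as the page.
add authentication radiusAction RADIUS_XM_ACT -serverIP 10.0.0.5 -serverPort 1812 -radKey "<radius-shared-secret>"
add authentication radiusPolicy RADIUS_XM_POL "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RADIUS_XM_ACT

# 2. LDAP over TLS on port 636 (the prerequisite above), logon name sAMAccountName.
add authentication ldapAction LDAP_XM_ACT -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-ns,ou=service,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName
add authentication ldapPolicy LDAP_XM_POL "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" LDAP_XM_ACT

# 3. Session profile: Credential Index = SECONDARY so that single sign-on to
#    back-end resources uses the LDAP (secondary) password, not the one-time token.
set vpn sessionAction XM_SESSION_ACT -credentialIndex SECONDARY

# 4. If the wizard bound an LDAP policy as primary, unbind it first:
#      unbind vpn vserver XM_GW_VS -policy <wizard-ldap-policy>
#    Then bind RADIUS as primary and LDAP as secondary. In NetScaler the lowest
#    priority number is evaluated first, so a low value keeps these policies ahead
#    of any policies added later for non-mobile users.
bind vpn vserver XM_GW_VS -policy RADIUS_XM_POL -priority 100
bind vpn vserver XM_GW_VS -policy LDAP_XM_POL -priority 100 -secondary

# 5. Verification for step 30: list the bound policies with their priorities.
show vpn vserver XM_GW_VS
```

In the output of the final command, confirm that RADIUS_XM_POL appears under the primary authentication bindings and LDAP_XM_POL under the secondary ones, each with the lowest priority number of its group.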