Citrix Gateway

Configure domain and security token authentication for Citrix Endpoint Management

You can configure Citrix Endpoint Management to require users to authenticate with their LDAP credentials plus a one-time password, using the RADIUS protocol. This section describes the required Citrix Gateway configuration for that two-factor authentication type.


If you have not already run the Citrix ADC for Citrix Endpoint Management wizard, see the Citrix ADC for Citrix Endpoint Management Wizard section in Configuring Settings for Your Citrix Endpoint Management Environment. Make sure that your Citrix ADC configuration includes the following:

  • LDAP port number = 636 (which is the default port for secure LDAP connections)
  • Server Logon Name Attribute = samAccountName or the userPrincipalName as per your requirements

To configure domain and security token authentication

  1. Go to Citrix Gateway > Virtual Servers. Select the virtual server and then click Edit.

  2. Click No CA Certificate.

  3. From Select CA Certificate, choose a certificate, click OK, click Bind, and then click Done.

    Select certificate

  4. Go to Policies > Session > Session Profiles, select the profile which starts with AC_OS, and click Edit.

    Edition session profile

  5. Click the Client Experience tab and go to the bottom of the page.

    Client experience tab settings

  6. From Credential Index, choose SECONDARY.

    Select secondary

  7. Click OK.


  8. Go to Policies > Authentication > LDAP, click the LDAP Policy tab, and click Edit.

    Edit LDAP policy

  9. To use separate Citrix Gateway VIPs for Citrix Endpoint Management and Citrix Virtual Apps and Desktops, in Expression, replace NS_TRUE with the following:

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver


  10. Go to Policies > Authentication > RADIUS and then click the Servers tab.

    Servers page

  11. Click Add, enter the RADIUS server details, and click Create.

    Add server

  12. Go to Policies and then click Add.

    Add policies

  13. Enter a Name for the policy. From the Server drop-down menu, select the RADIUS server name (Radius_Server in our example).

  14. For Expression, enter REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver and click Create.


  15. Select the virtual server and then click Edit.

    Edit virtual server

  16. Under Primary Authentication, click LDAP Policy.

    Select primary authentication

  17. Select the policy, click Unbind, and click Close.

    Unbind the policy

  18. On the Authentication row, click + to add the RADIUS authentication.

    Add RADIUS authentication

  19. Under Choose Type, from Choose Policy, select RADIUS.

    Select RADIUS policy

  20. Click Bind.

    Bind policy

  21. Select the RADIUS authentication policy you created earlier and then click Insert.

    Bind RADIUS authentication policy

  22. Click OK.

    Click OK

  23. To add LDAP as the secondary authentication policy: On the Authentication row, click +.

    Add LDAP policy

  24. From Choose Policy, choose LDAP.

    Select LDAP policy

  25. From Choose Type, choose Secondary.

    Select secondary

  26. From Select Policy, choose the LDAP policy.

    Select policy page

  27. Select the policy and then click OK.

    Select the LDAP policy

  28. Click Bind.

    Bind policy

  29. Click Done.

    Click Done

  30. Verify that the policies you created have the highest priority. This ensures that they have the highest priority even if more policies get added for non-mobile users. For more information, see Setting Priorities for Authentication Policies

Configure domain and security token authentication for Citrix Endpoint Management