Configuring Domain and Security Token Authentication for XenMobile

You can configure XenMobile to require users to authenticate with their LDAP credentials plus a one-time password, using the RADIUS protocol. This section describes the required Citrix Gateway configuration for that two-factor authentication type.

Prerequisites

If you have not already run the Citrix ADC for XenMobile wizard, see the Citrix ADC for XenMobile Wizard section in Configuring Settings for Your XenMobile Environment. Make sure that your Citrix ADC configuration includes the following:

  • LDAP port number = 636 (which is the default port for secure LDAP connections)
  • Server Logon Name Attribute = samAccountName or userPrincipalName, depending on your requirements

To configure domain and security token authentication

  1. Go to Citrix Gateway > Virtual Servers. Select the virtual server and then click Edit.

  2. Click No CA Certificate.

  3. From Select CA Certificate, choose a certificate, click OK, click Bind, and then click Done.

  4. Go to Policies > Session > Session Profiles, select the profile whose name starts with AC_OS, and click Edit.

  5. Click the Client Experience tab and go to the bottom of the page.

  6. From Credential Index, choose SECONDARY.

  7. Click OK.

  8. Go to Policies > Authentication > LDAP, click the LDAP Policy tab, and click Edit.

  9. To use separate Citrix Gateway VIPs for XenMobile and XenApp/XenDesktop, in Expression, replace NS_TRUE with the following:

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

  10. Go to Policies > Authentication > RADIUS and then click the Servers tab.

  11. Click Add, enter the RADIUS server details, and click Create.

  12. Go to Policies and then click Add.

  13. Enter a Name for the policy. From the Server drop-down menu, select the RADIUS server name (Radius_Server in our example).

  14. For Expression, enter REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver and click Create.

  15. Select the virtual server and then click Edit.

  16. Under Primary Authentication, click LDAP Policy.

  17. Select the policy, click Unbind, and click Close.

  18. On the Authentication row, click + to add the RADIUS authentication.

  19. Under Choose Type, from Choose Policy, select RADIUS.

  20. Click Bind.

  21. Select the RADIUS authentication policy you created earlier and then click Insert.

  22. Click OK.

  23. To add LDAP as the secondary authentication policy: On the Authentication row, click +.

  24. From Choose Policy, choose LDAP.

  25. From Choose Type, choose Secondary.

  26. From Select Policy, choose the LDAP policy.

  27. Select the policy and then click OK.

  28. Click Bind.

  29. Click Done.

  30. Verify that the policies you created have the highest priority, so that they still take precedence if additional policies are later added for non-mobile users. For more information, see Setting Priorities for Authentication Policies.
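
One way to check the result of this procedure offline, as an added example that is not part of the Citrix documentation: the script audits a saved configuration excerpt for RADIUS evaluated first as primary authentication, LDAP first as secondary, Credential Index set to SECONDARY, and LDAP on port 636. The sample lines are constructed and assume the appliance's saved-configuration command syntax; XM_VIP, LDAP_Pol, Radius_Pol, LDAP_Server, AC_OS_example and the addresses are placeholders.

```python
import shlex

# Constructed ns.conf excerpt; object names and addresses are placeholders.
GOOD_CONF = """\
add authentication ldapAction LDAP_Server -serverIP 192.0.2.10 -serverPort 636 -secType SSL
add authentication ldapPolicy LDAP_Pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" LDAP_Server
add authentication radiusAction Radius_Server -serverIP 192.0.2.20 -serverPort 1812
add authentication radiusPolicy Radius_Pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Radius_Server
add vpn sessionAction AC_OS_example -ssoCredential SECONDARY
bind vpn vserver XM_VIP -policy Radius_Pol -priority 100
bind vpn vserver XM_VIP -policy LDAP_Pol -priority 90 -secondary
"""
# Same excerpt with the settings this procedure changes left at other values.
BAD_CONF = (GOOD_CONF.replace("-serverPort 636", "-serverPort 389")
            .replace(" -secondary", "").replace("SECONDARY", "PRIMARY"))

def opt(tokens, flag):
    """Return the value that follows a CLI flag, or None if it is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def audit(conf, vserver):
    """Return findings for one gateway virtual server; [] means all checks pass."""
    kind, binds, findings, sso = {}, [], [], None
    for t in map(shlex.split, conf.splitlines()):
        if len(t) < 4:
            continue
        if t[:3] == ["add", "authentication", "ldapAction"] and opt(t, "-serverPort") != "636":
            findings.append(f"LDAP server {t[3]} does not use port 636")
        elif t[1:3] in (["authentication", "ldapPolicy"], ["authentication", "radiusPolicy"]):
            kind[t[3]] = t[2].replace("Policy", "")  # policy name -> "ldap" or "radius"
        elif t[1:3] == ["vpn", "sessionAction"] and t[3].startswith("AC_OS"):
            sso = opt(t, "-ssoCredential") or sso
        elif t[:4] == ["bind", "vpn", "vserver", vserver]:
            binds.append((int(opt(t, "-priority") or 0), opt(t, "-policy"), "-secondary" in t))
    for slot, want in (("primary", "radius"), ("secondary", "ldap")):
        # A lower priority number is evaluated first on Citrix ADC.
        auth = [(p, kind[n]) for p, n, sec in binds if n in kind and sec == (slot == "secondary")]
        first = min(auth, default=(None, None))[1]
        if first != want:
            findings.append(f"{slot} authentication: expected {want} first, found {first}")
    if sso != "SECONDARY":
        findings.append("AC_OS session profile: Credential Index is not SECONDARY")
    return findings

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, audit(conf, "XM_VIP") or "OK")
```

Run it against an exported copy of the running configuration rather than the constructed sample, passing the name of your own Citrix Gateway virtual server.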
