PoC Guide - ZTNA - Adaptive Authentication - Internal Employee vs External Employee

Overview

With the hybrid workforce company’s need to identify whether employees are accessing their application from a corporate office or over the internet. With many companies adopting Zero Trust the focus on employee location is less significant. Never the less identifying employee access locations gives companies an opportunity to lower authentication requirements, reduce friction, and thereby improve user experience. Employees in an internal location behind a secure perimeter may only require two authentication factors, whereas those in an external location may require three, to confidently verify their identify and establish trust.

Implementing multifactor authentication is one of the best ways to verify identity, and improve security posture. LDAP is a command method to verify domain username and password. Native (time-based) One Time Password (OTP) is a convenient way to implement another factor using readily available authenticator applications. It allows users to enter validation codes from their authenticator application, into a gateway form, to authenticate.

Citrix Adaptive Authentication supports LDAP, and Native OTP authentication, and they can provide authentication for various services including Citrix Secure Private Access and Citrix Virtual Apps and Desktops service. In this POC Guide we demonstrate using them for authentication.

Introduction

The animation below shows an endpoint that passes a device posture check and the user is challenged for domain credentials. Next an endpoint fails a device posture check and the user is challenged for domain credentials and a native otp passcode.

It makes assumptions about the completed installation, and configuration of the following components:

• Citrix ADC installed, licensed, and configured with an externally reachable AA virtual server bound to a wildcard certificate
• Citrix ADC integrated with Citrix Cloud using Oauth
• Endpoint with Citrix Workspace app installed
• A supported Authenticator app, that supports Time Based OTP, installed (including Microsoft Authenticator, Google Authenticator, or Citrix SSO)
• Active Directory (AD) is reachable via a Citrix Connector Appliance

Refer to Citrix Documentation for the latest product version, and license requirements: Native OTP Authentication

Configuration

This proof of concept guide demonstrates how to:

1. Configure Citrix Cloud
2. Configure Adaptive Authentication Policies - CLI
3. Configure Adaptive Authentication Policies - GUI
4. Configure SPA and CVADs to use SmartTags
5. Validate User Endpoint Authentication

Configure Citrix Cloud

1. Connect to Citrix cloud and log in as your administrator account
2. Within Citrix Workspace, access Identity and Access Management from the upper-left menu
3. Configure Citrix Gateway - Adaptive Authentication as an authentication method for the Workspace.

Configure Adaptive Authentication Policies - CLI

First, we log in to the CLI on our Citrix ADC and enter the authentication actions and associated policies for EPA and LDAP respectively along with the login schema. Then we log in to our GUI to build apply our policies and complete the multifactor authentication configuration.

Ldap Polices

For LDAP Actions populate the required fields to create the LDAP action in a string and paste it into the CLI:

• ldapAction - enter the action name.
• serverIP - enter the domain server/s FQDN or IP address.
• serverPort - enter the LDAP port.
• ldapBase - enter the string of domain objects and containers where pertinent users are stored in your directory.
• ldapBindDn - enter the service account used to query domain users.
• ldapBindDnPassword - enter your service account password.
• ldapLoginName - enter the user object type.
• groupAttrName - enter the group attribute name.
• subAttributeName - enter the sub attribute name.
• secType - enter the security type.
• ssoNameAttribute - enter the single sign-on name attribute.

For LDAP Policies populate the required fields to reference the LDAP Action in a string and paste it into the CLI:

• Policy - enter the policy name.
• action - enter the name of the Email action we created above.

For more information see LDAP authentication policies

1. First connect to the CLI by opening an SSH session to the NSIP address of the Citrix ADC and log in as the admin user.

ldapupnmanage

This action & policy matches requests to the site fqdn adaptiveauth.wwco.net with /manageotp appended to the url and allows them to enroll in native OTP with their authenticator app

Update the following fields for your environment and copy and paste the string into the CLI: add authentication ldapAction authact_ldapupnmanage -serverIP 10.53.8.10 -serverPort 636 -authTimeout 3600 -ldapBase "DC=wwco,DC=net" -ldapBindDn s_adc@yourdomain.com -ldapBindDnPassword abc123 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_02_02_16_16_21 -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute UserPrincipalName -nestedGroupExtraction ON -maxNestingLevel 3 -groupNameIdentifier userPrincipalName -groupSearchAttribute userPrincipalName -groupSearchSubAttribute userPrincipalName

add authentication Policy authpol_ldapupnmanage -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\")" -action authact_ldapupnmanage

workspaceoauth

This action & policy establishes secure oauth communication with Citrix cloud for the primary Workspace URL.

Update the following fields for your environment and copy and paste the string into the CLI: add authentication OAuthIDPProfile authact_workspaceoauth -clientID xyz1 -clientSecret abc123 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_02_02_16_16_21 -redirectURL "https://accounts.cloud.com/core/login-cip" -issuer "https://adaptiveauth.yourdomain.com" -audience xyz2 -sendPassword ON

add authentication OAuthIdPPolicy authpol_workspaceoauth -rule true -action authact_workspaceoauth

workspaceoauth2

This action & policy establishes secure oauth communication with Citrix cloud for the custom Workspace URL.

Update the following fields for your environment and copy and paste the string into the CLI: add authentication OAuthIDPProfile authact_workspaceoauth2 -clientID xyz11 -clientSecret abc123 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_02_02_16_16_21 -redirectURL "https://workspace.yourdomain.com/core/login-cip" -issuer "https://adaptiveauth.yourdomain.com" -audience xyz22 -sendPassword ON

add authentication OAuthIdPPolicy authpol_workspaceoauth2 -rule true -action authact_workspaceoauth2

ldapupn

This action & policy does ldap authentication with the domain directory using UserPrincipalName.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication ldapAction authact_ldapupn -serverIP 10.53.8.10 -serverPort 636 -authTimeout 3600 -ldapBase "DC=yourdomain,DC=com" -ldapBindDn s_adc@yourdomain.com -ldapBindDnPassword abc123 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_02_02_16_16_21 -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute UserPrincipalName -nestedGroupExtraction ON -maxNestingLevel 3 -groupNameIdentifier userPrincipalName -groupSearchAttribute userPrincipalName -groupSearchSubAttribute userPrincipalName

add authentication Policy authpol_ldapupn -rule true -action authact_ldapupn

ldapsam

This action & policy does ldap authentication with the domain directory using SamAccountName.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication ldapAction authact_ldapsam -serverIP 10.53.8.10 -serverPort 636 -authTimeout 3600 -ldapBase "DC=yourdomain,DC=com" -ldapBindDn s_adc@yourdomain.com -ldapBindDnPassword abc123 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_02_02_16_16_21 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute sAMAccountName -nestedGroupExtraction ON -maxNestingLevel 3 -groupNameIdentifier sAMAccountName -groupSearchAttribute sAMAccountName -groupSearchSubAttribute sAMAccountName

add authentication Policy authpol_ldapsam -rule true -action authact_ldapsam

ldapupn_otp

This action & policy does native otp authentication.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication ldapAction authact_ldapupn_otp -serverIP 10.53.8.10 -serverPort 636 -authTimeout 3600 -ldapBase "DC=yourdomain,DC=com" -ldapBindDn s_adc@yourdomain.com -ldapBindDnPassword abc123 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_02_02_16_16_21 -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute UserPrincipalName -authentication DISABLED -nested GroupExtraction ON -maxNestingLevel 3 -groupNameIdentifier userPrincipalName -groupSearchAttribute userPrincipalName -groupSearchSubAttribute userPrincipalName -OTPSecret userParameters

add authentication Policy authpol_ldapupn_otp -rule true -action authact_ldapupn_otp

EPA_internal_cert_domain

This determines whether the client is attempting authentication from a valid Enterprise public IP address (this would correspond to the Network Address Translation ranges used on external firewalls and routers). It also verifies the country. It also verifies a valid enterprise device certificate. It also verifies the device is joined to the enterprise domain.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication epaAction authact_EPA_internal_cert_domain -csecexpr "sys.client_expr(\"device-cert_0_0\") && sys.client_expr("sys_0_DOMAIN_yourdomain.com")" -defaultEPAGroup VALIDINTERNALCERTDOMAIN -quarantineGroup NOVALIDINTERNALCERTDOMAIN

add authentication Policy authpol_EPA_internal_cert_domain -rule "CLIENT.IP.SRC.IN_SUBNET(1.0.0.0/8) && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\")" -action authact_EPA_internal_cert_domain

noauthn

This action & policy is a place holder for no authentication commonly used as a placeholder for a next policylabel to evaluate when previous policies in the current policylabel fail.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication noAuthAction authact_noauthn

add authentication Policy authpol_noauthn -rule true -action authact_noauthn

Login Schema

Next we create Login Schemas used with each factor.

lspol_singlemanage

This login schema is used for Native OTP registration.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication loginSchema lsact_singlemanage -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

add authentication loginSchemaPolicy lspol_singlemanage -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\")" -action lsact_singlemanage

lspol_singleauth

This login schema is used for LDAP username and password authentication.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication loginSchema lsact_singleauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"

add authentication loginSchemaPolicy lspol_singleauth -rule true -action lsact_singleauth

lspol_dualauthotp

This login schema is used for Native OTP authentication.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication loginSchema lsact_dualauthotp -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"

add authentication loginSchemaPolicy lspol_dualauthotp -rule true -action lsact_dualauthotp

Smart Tags

Next we create Smart Tags that will relay device posture check results back to Citrix Cloud services.

lspol_singlemanage

This login schema is used for Native OTP registration.

Update the following fields for your environment and copy and paste the string into the CLI:

add authentication loginSchema lsact_singlemanage -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

add authentication loginSchemaPolicy lspol_singlemanage -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\")" -action lsact_singlemanage

Certificates

Domain Certificate

In this POC we used a wildcard certificate corresponding to our Active Directory domain and it also corresponds to the fully qualified domain name we use to access to the Gateway virtual server (adaptiveauth.yourdomain.com)

1. Log in to the Citrix ADC GUI
2. Navigate to Traffic Management > SSL> Certificates > All Certificates to verify you have your domain certificate and CAs installed and linked. See Citrix ADC SSL certificates for more information.

Device Certificate

There are many systems and options for user and device certificate management. In this POC we use the Microsoft Certificate Authority installed on our Active Directory server. We also have our Windows 10 endpoint joined to the domain.

1. From the start menu on our domain joined Windows 10 endpoint we enter mmc, right-click and run as administrator
2. Select File > Add/Remove, select Certificates, select the arrow to move it to the Selected snap-in pane, select Computer account, Next, Local computer, Finish and, click OK
3. Open the Personal folder, right-click the Certificates folder > All Tasks > Request New Certificate
4. Click next until you are offered certificate types, select Computer, and click Enroll, followed by Finish
5. Double-click the certificate it installed, select the Certification Path tab, select the root CA on the top, and click View Certificate. (Note: We can export the CA from the Active Directory server, yet for the POC we can eliminate steps by doing it here)
6. In the popup select the Details tab, select Copy to File, click Next, click Next (to accept DER encoding)
7. Select browse, and enter a file name, select save, select next, and select finish to store the CA certificate file.
8. Now we will import it into the ADC by navigating to **Traffic Management > SSL> Certificates > CA Certificates
9. Click Install, we enter the name DeviceCertificateCA, select Chose File, Local, and select the file, Open and click Install

For more information see LDAP authentication policies

Configure Adaptive Authentication Policies - GUI

Now we will create an AAA Virtual Server and bind certificates, policies, and schema with the appropriate priority.

Certificates

1. Navigate to Traffic Management > SSL> Certificates > All Certificates to verify you have your domain certificate installed. In this POC example we used a wildcard certificate corresponding to our Active Directory domain. See Citrix ADC SSL certificates for more information.
2. Next navigate to Security > AAA - Application Traffic > Virtual Servers, and select Add
3. Enter the following fields:
   • Name - a unique value. We enter nativeotp_authvserver
   • IP Address Type - Non Addressable
4. Click Ok
5. Select No Server Certificate, select the arrow under Select Server Certificate, select the domain certificate, click Select, Bind, and Continue
6. Under Advanced Authentication Policies, select No Nfactor Flow
7. Select the right arrow under Select nFactor Flow, select factor0_notp, click Select, click Bind
8. Click Continue, followed by Done

Authentication Policies

Login Schema

Traffic Policy

Now we create a traffic policy to relay the LDAP password to StoreFront, instead of the OTP passcode.

1. Navigate to Citrix Gateway > Virtual Servers > Policies > Traffic
2. Select the Traffic Profiles Tab, and click Add
3. Enter the name notp_trafficprofile
4. Select HTTP
5. In the SSO Password Expression enter http.REQ.USER.ATTRIBUTE(1)
6. Click Create
7. Now click the Traffic Policies Tab
8. In the Request Profile field, select the notp_trafficprofile Traffic Profile you just created.
9. Enter the name nOTP_TrafficPolicy
10. In the Express box enter true
11. Click Create

Validate User Endpoint

Now we test Native OTP by authenticating into our Citrix Virtual Apps and Desktops environment.

Registration with Citrix SSO app

First the user registers their device for Native OTP using the Citrix SSO app.

1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway with /manageotp appended to the end of the FQDN. We use https://adaptiveauth.yourdomain.com/manageotp
2. After your browser is redirected to a login screen enter user UPN, and password
3. On the next screen select Add Device, enter a name. We use iPhone7_nOTP
4. Select Go, and a QR code appears
5. On your mobile device open your Citrix SSO app or other authenticator app such as Microsoft or Google’s (available for download from app stores)
6. Select Add New Token
7. Select Scan QR Code
8. Select Aim your camera at the QR Code, and once it`s captured select Add
9. Select Save to store the token
10. The Token is now active, and begins displaying OTP codes at 30 second intervals
11. Select Done and you see confirmation that the device was added successfully

Login to Citrix Cloud Services

Then the user enters their UserPrincipalName, Password, and the OTP Passcode from the Citrix SSO app to access their virtual apps, and desktops.

• Open a browser (or Citrix Workspace app), and navigate to your Workspace FQDN (found in Citrix Cloud under Workspace Configuration). We use https://adaptiveauth.yourdomain.com

Trusted Scenario

1. Ensure that the device is domain joined, and has an Enterprise device certificate installed, and or is inside the configured “internal” location range.
2. After your browser is redirected to a login screen enter user UserPrincipalName, and password
3. Verify the users Secure Private Access apps and Citrix Virtual Apps and Desktops are displayed

UnTrusted Scenario

1. Ensure that the device is not domain joined, and or missing the Enterprise device certificate, and or outside of the configured “internal” location range.
2. After your browser is redirected to a login screen enter user UserPrincipalName, and password
3. Open the Citrix SSO app enter the OTP code in the passcode field for the iPhone7_nOTP device entry
4. Verify the users Secure Private Access apps and Citrix Virtual Apps and Desktops are displayed

Troubleshooting

Here we look at a couple common troubleshooting areas for Native OTP.

NTP Errors

Upon login with your OTP code the page may post a message advising you to verify NTP synchronization. The Citrix ADC’s time must be sync in order to generate the correct time based OTP. If you have not implemented NTP follow these steps:

• Set the time manually on your Citrix ADC to the current time. This will speed up the synchronization that would otherwise take a longer period time
• Add NTP Server/s
• If you still get an NTP error upon submitting the OTP code see Time Display on NetScaler Does Not Sync Using NTP

Authentication Errors

• Cannot complete your request. - if this error message occurs after successful authentication it likely indicates an error passing user credentials to StoreFront. Verify the Dual Authentication schema and Traffic Policy settings.
• Try again or contact your help desk - this error message often indicates a LDAP login failure. If you have verified the password is correct verify the Administrator bind password has been set. You may have had an existing LDAP authentication policy, and created the manage policy by selecting it, followed by selecting add. This step saves time by populating existing settings like the Base DN, and you may see the Administrator password field appears to be populated, but you MUST reenter the password.

Summary

Identifying employee access locations gives companies an opportunity to lower authentication requirements, reduce friction, and thereby improve user experience. Employees in an internal location behind a secure perimeter may only require two authentication factors, whereas those in an external location may require three, to confidently verify their identify and establish trust.

References

For more information refer to:

Native OTP Authentication – find more details regarding Native OTP implementation, and use cases.