Client certificate or certificate plus domain authentication

Feb 21, 2018

The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to the XenMobile environment, consider using certificate-based authentication. In the XenMobile environment, this configuration is the best combination of security and user experience, offering the best SSO possibilities coupled with the security provided by two-factor authentication at NetScaler.

For optimal usability, you can combine this configuration with Citrix PIN and Active Directory password caching so users do not have to repeatedly enter their Active Directory user names and passwords. Users will need to enter user names and passwords for enrollment, password expiration, and account lockout.


Note: XenMobile doesn't support changing the authentication mode from domain authentication to some other authentication mode after users have enrolled devices in XenMobile.

If you don't allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to XenMobile. Users then enroll using a unique PIN that XenMobile generates for them. After a user has access, XenMobile creates and deploys the certificate subsequently used to authenticate to the XenMobile environment.

You can use the NetScaler for XenMobile wizard to perform the configuration required for XenMobile when using NetScaler certificate-only authentication or certificate plus domain authentication. You can run the NetScaler for XenMobile wizard one time only.

In highly secure environments where usage of LDAP credentials outside of an organization in public or insecure networks is considered a prime security threat for the organization, two-factor authentication using a client certificate and a security token is an option. For information, see Configuring XenMobile for Certificate and Security Token Authentication.

Client certificate authentication is available for XenMobile MAM mode (MAM-only) and ENT mode (when users enroll into MDM). Client certificate authentication isn't available for XenMobile ENT mode when users enroll into legacy MAM mode. To use client certificate authentication for XenMobile ENT and MAM modes, you must configure the Microsoft server, the XenMobile server, and then NetScaler Gateway. Follow these general steps, as described in this article.

On the Microsoft server:

  1. Add a certificate snap-in to the Microsoft Management Console.
  2. Add the template to Certificate Authority (CA).
  3. Create a PFX certificate from the CA server.

On the XenMobile server:

  1. Upload the certificate to XenMobile.
  2. Create the PKI entity for certificate-based authentication.
  3. Configure credentials providers.
  4. Configure NetScaler Gateway to deliver a user certificate for authentication.

On NetScaler Gateway, configure as described in Configuring Client Certificate or Client Certificate and Domain Authentication in the NetScaler Gateway documentation.


  • When you create a Microsoft Certificate Services Entity template, to avoid possible authentication issues with enrolled devices, avoid using special characters, such as :, !, $, (), #, %, +, *, ~, ?, |, {}, and [], in the template name.

  • For Windows Phone 8.1 devices using client certificate authentication and SSL Offload, you must disable SSL session reuse for port 443 on both load balancing virtual servers in NetScaler. To do that, run the following command on the vservers for port 443:

    set ssl vserver <ssl lb vserver> sessReuse DISABLE

    Note: Disabling SSL session reuse disables some of the optimizations that NetScaler provides, which can result in a performance decrease on the NetScaler.

  • To configure Certificate-based Authentication for Exchange ActiveSync, see this Microsoft blog.
  • If you are using private server certificates to secure the ActiveSync traffic to the Exchange Server, ensure that the mobile devices have all of the Root/Intermediate certificates. Otherwise, certificate-based authentication will fail during the mailbox setup in Secure Mail. In the Exchange IIS Console, you must:
    • Add a website for XenMobile use with Exchange and bind the web server certificate.
    • Use port 9443.
    • For that website, you must add two applications, one for "Microsoft-Server-ActiveSync" and one for "EWS". For both of those applications, under SSL Settings, select Require SSL.
  • Make sure that Secure Mail is wrapped with the latest MDX Toolkit, if required for your deployment method.


Add a certificate snap-in to the Microsoft Management Console

1. Open the console and then click Add/Remove Snap-Ins.

2. Add the following snap-ins:

  • Certificate Templates
  • Certificates (Local Computer)
  • Certificates - Current User
  • Certificate Authority (Local)

3. Expand Certificate Templates.

4. Select the User template and Duplicate Template.

5. Provide the Template display name.

Important: Do not select the Publish certificate in Active Directory check box unless required. If this option is selected, all user client certificates will be pushed/created in Active Directory, which might clutter your Active Directory database.

6. Select Windows 2003 Server for the template type. In Windows 2012 R2 server, under Compatibility, select Certificate authority and set the recipient as Windows 2003.

7. Under Security, select the Enroll option in the Allow column for the authenticated users.

8. Under Cryptography, make sure you provide the key size, which you will need to enter during XenMobile configuration.

9. Under Subject Name, select Supply in the request. Apply the changes and then save.

Adding the template to Certificate Authority

1. Go to Certificate Authority and select Certificate Templates.

2. Right-click in the right pane and then select New > Certificate Template to Issue.

3. Select the template you created in the previous step and then click OK to add it into the Certificate Authority.

Creating a PFX certificate from the CA server

1. Create a user .pfx cert using the service account with which you logged in. This .pfx will be uploaded into XenMobile, which will request a user certificate on behalf of the users who enroll their devices.

2. Under Current User, expand Certificates.

3. Right-click in the right pane and then click Request New Certificate.

4. The Certificate Enrollment screen appears. Click Next.

5. Select Active Directory Enrollment Policy and then click Next.

6. Select the User template and then click Enroll.

7. Export the .pfx file that you created in the previous step.

8. Click Yes, export the private key.

9. Select Include all certificates in the certification path if possible and select the Export all extended properties check box.

10. Set a password that you'll use when uploading this certificate into XenMobile.

11. Save the certificate onto your hard drive.

Uploading the certificate to XenMobile

1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings screen appears.

2. Click Certificates and then click Import.

3. Enter the following parameters:

  • Import: Keystore
  • Keystore type: PKCS#12
  • Use as: Server
  • Keystore file: Click Browse to select the .pfx certificate you just created.
  • Password: Enter the password you created for this certificate.

4. Click Import.

5. Verify that the certificate installed correctly. It should display as a User certificate.

Creating the PKI entity for certificate-based authentication

1. In Settings, go to More > Certificate Management > PKI Entities.

2. Click Add and then click Microsoft Certificate Services Entity. The Microsoft Certificate Services Entity: General Information screen appears.

3. Enter the following parameters:

  • Name: Type any name
  • Web enrollment service root URL: https://RootCA-URL/certsrv/
    Be sure to add the last slash (/) in the URL path.
  • certnew.cer page name: certnew.cer (default value)
  • certfnsh.asp: certfnsh.asp (default value)
  • Authentication type: Client certificate
  • SSL client certificate: Select the User Certificate to be used to issue the XenMobile client certificate.

4. Under Templates, add the template that you created when configuring the Microsoft certificate. Be sure not to add spaces.

5. Skip HTTP Parameters and then click CA Certificates.

6. Select the root CA name that corresponds to your environment. This root CA is part of the chain imported from the XenMobile client certificate.

7. Click Save.

Configuring credentials providers

1. In Settings, go to More > Certificate Management > Credential Providers.

2. Click Add.

3. Under General, enter the following parameters:

  • Name: Type any name.
  • Description: Type any description.
  • Issuing entity: Select the PKI entity created earlier.
  • Issuing method: SIGN
  • Templates: Select the template added under the PKI entity.

4. Click Certificate Signing Request and then enter the following parameters:

  • Key algorithm: RSA
  • Key size: 2048
  • Signature algorithm: SHA1withRSA
  • Subject name: cn=$user.username

For Subject Alternative Names, click Add and then enter the following parameters:

  • Type: User Principal name
  • Value: $user.userprincipalname

5. Click Distribution and enter the following parameters:

  • Issuing CA certificate: Select the Issuing CA that signed the XenMobile Client Certificate.
  • Select distribution mode: Select Prefer centralized: Server-side key generation.

6. For the next two sections, Revocation XenMobile and Revocation PKI, set the parameters as required. For the purpose of this article, both options are skipped.

7. Click Renewal.

8. For Renew certificates when they expire, select ON.

9. Leave all other settings as default or change them as required.

10. Click Save.

Configuring Secure Mail to use certificate-based authentication

When you add Secure Mail to XenMobile, be sure to configure the Exchange settings under App Settings.

Configuring NetScaler certificate delivery in XenMobile

1. Log on to the XenMobile console and click the gear icon in the upper-right corner. The Settings screen appears.

2. Under Server, click NetScaler Gateway.

3. If NetScaler Gateway isn't already added, click Add and specify the settings:

  • External URL: https://YourNetScalerGatewayURL
  • Logon Type: Certificate
  • Password Required: OFF
  • Set as Default: ON

4. For Deliver user certificate for authentication, select On.

5. For Credential Provider, select a provider and then click Save.

6. If you will use sAMAccount attributes in the user certificates as an alternative to User Principal Name (UPN), configure the LDAP connector in XenMobile as follows: Go to Settings > LDAP, select the directory and click Edit, and select sAMAccountName in User search by.

Enable Citrix PIN and user password caching

To enable Citrix PIN and user password caching, go to Settings > Client Properties and select these check boxes: Enable Citrix PIN Authentication and Enable User Password Caching. For more information, see Client properties.

Creating an Enterprise Hub policy for Windows Phone

For Windows Phone devices, you must create an Enterprise Hub device policy to deliver the AETX file and the Secure Hub client.


Note: Ensure that both the AETX file and the Secure Hub file use the same enterprise certificate from the certificate provider and the same Publisher ID from the Windows Store developer account.

1. In the XenMobile console, click Configure > Device Policies.

2. Click Add and then, under More > XenMobile Agent, click Enterprise Hub.

3. After naming the policy, be sure to select the correct .AETX file and signed Secure Hub app for the Enterprise Hub.

4. Assign the policy to delivery groups and save it.

Troubleshooting your client certificate configuration

After the preceding configuration and the NetScaler Gateway configuration are complete, the user workflow is as follows:

1. Users enroll their mobile device.

2. XenMobile prompts users to create a Citrix PIN.

3. Users are then redirected to the XenMobile Store.

4. When users start Secure Mail, XenMobile will not prompt them for user credentials in order to configure their mailbox. Instead, Secure Mail requests the client certificate from Secure Hub and submits it to Microsoft Exchange Server for authentication. If XenMobile prompts for credentials when users start Secure Mail, check your configuration.

If users can download and install Secure Mail, but during the mailbox configuration Secure Mail fails to finish the configuration:

1. If Microsoft Exchange Server ActiveSync is using private SSL server certificates to secure the traffic, verify that the Root/Intermediate certificates are installed on the mobile device.

2. Verify that the authentication type selected for ActiveSync is Require client certificates.

3. On Microsoft Exchange Server, check that the Microsoft-Server-ActiveSync site has client certificate mapping authentication enabled (it is disabled by default). The option is under Configuration Editor > Security > Authentication.

Note: After selecting True, be sure to click Apply for the changes to take effect.

4. Check the NetScaler Gateway settings in the XenMobile console: Ensure that Deliver user certificate for authentication is ON and that Credential provider has the correct profile selected, as described earlier in "To configure NetScaler certificate delivery in XenMobile."

To determine if the client certificate was delivered to a mobile device:

1. In the XenMobile console, go to Manage > Devices and select the device.

2. Click Edit or Show More.

3. Go to the Delivery Groups section, and search for this entry:

NetScaler Gateway Credentials : Requested credential, CertId=

To validate whether client certificate negotiation is enabled:

1. Run this netsh command to show the SSL Certificate configuration that is bound on the IIS website:

netsh http show sslcert

2. If the value for Negotiate Client Certificate is Disabled, run the following command to enable it:

netsh http delete sslcert ipport=

netsh http add sslcert ipport= certhash=cert_hash appid={app_id} certstorename=store_name verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable

For example:

netsh http add sslcert ipport= certhash=609da5df280d1f54a7deb714fb2c5435c94e05da appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=ExampleCertStoreName verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable
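The following PowerShell script is an added example, not part of the Citrix article: it automates the check above by parsing netsh http show sslcert output (a constructed sample using the article's example hash and appid is embedded; the -Live switch queries the local server instead) and prints the article's delete/add command pair for every binding whose Negotiate Client Certificate value is not Enabled.

```powershell
# Added example (not code from the Citrix article). Parses 'netsh http show sslcert'
# output (English-locale field names), flags bindings where Negotiate Client
# Certificate is not Enabled, and prints the delete/add commands the article gives.
param([switch]$Live)   # -Live queries this server; the default uses the constructed sample

# Constructed sample output; hash and appid are the article's example values.
$SampleOutput = @"
SSL Certificate bindings:

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 609da5df280d1f54a7deb714fb2c5435c94e05da
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:9443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Negotiate Client Certificate : Enabled
"@
function ConvertFrom-SslCertOutput {
    param([string[]]$Lines)
    # netsh pads every key with spaces before its colon, so 'key  : value' is unambiguous
    # even though the 'IP:port' key itself contains a colon. One object per binding.
    $bindings = New-Object System.Collections.ArrayList; $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S.*?)\s+:\s+(.*?)\s*$') {
            if ($Matches[1] -eq 'IP:port') {
                $current = [ordered]@{}
                [void]$bindings.Add($current)
            }
            if ($null -ne $current) { $current[$Matches[1]] = $Matches[2] }
        }
    }
    foreach ($b in $bindings) { [pscustomobject]$b }
}

function New-EnableNegotiationCommand {
    param($Binding)
    # Same parameter set the article uses; the binding's own hash, appid and store are reused.
    "netsh http delete sslcert ipport=$($Binding.'IP:port')"
    "netsh http add sslcert ipport=$($Binding.'IP:port') certhash=$($Binding.'Certificate Hash') appid=$($Binding.'Application ID') certstorename=$($Binding.'Certificate Store Name') verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable"
}

$lines = if ($Live) { netsh http show sslcert } else { $SampleOutput -split "`r?`n" }
foreach ($b in ConvertFrom-SslCertOutput -Lines $lines) {
    if ($b.'Negotiate Client Certificate' -ne 'Enabled') {
        Write-Output "Client certificate negotiation is not enabled on $($b.'IP:port'); to enable it, run:"
        New-EnableNegotiationCommand -Binding $b | ForEach-Object { "  $_" }
    }
}
```

Run it with -Live on the Exchange server in an elevated PowerShell session; the script only prints the commands, so review them before executing, because deleting a binding briefly interrupts HTTPS on that port.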

If you cannot deliver Root/Intermediate certificates to a Windows Phone 8.1 device through XenMobile:

  • Send Root/Intermediate certificates (.cer) files through email to the Windows Phone 8.1 device and install them directly.

If Secure Mail won't install successfully on Windows Phone 8.1:

  • Verify that the Application Enrollment Token (.AETX) file is delivered through XenMobile using the Enterprise Hub device policy.
  • Verify that the Application Enrollment Token was created using the same Enterprise Certificate from the certificate provider used to wrap Secure Mail and sign Secure Hub apps.
  • Verify that the same Publisher ID is being used to sign and wrap Secure Hub, Secure Mail, and the Application Enrollment Token.