PoC Guide: nFactor for NetScaler Gateway Authentication with Push Token
February 9, 2022
Author: Matt Brooks
Special thanks: Dan Feller
Introduction
Time-based One-Time Passwords (TOTP) are an increasingly common way to add an authentication factor that strengthens the security posture when combined with other factors. TOTP with push takes advantage of mobile devices by letting users receive and approve authentication requests at their fingertips. Each code is derived by applying a keyed hash to a shared secret, distributed to the device during setup, together with the current time interval.
NetScaler Gateway supports push notifications for OTP and can provide authentication for various services, including web services, VPN, and Citrix Virtual Apps and Desktops. In this PoC guide we demonstrate using it for authentication in a Citrix Virtual Apps and Desktops environment.
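To make the mechanism concrete, here is an added example (not code from the Citrix guide or from NetScaler) of the TOTP computation in Python per RFC 4226/6238, using the RFC 6238 test secret rather than a real key; the `last_accepted` replay check is an assumed verifier-side detail, shown because any server validating codes needs it.

```python
import hmac
import hashlib
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); constructed, not a real key
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # the 30-second interval at which the authenticator app rotates codes
DIGITS = 8       # RFC 6238 vectors use 8 digits; apps commonly display 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the moving factor is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_accepted: int = -1, window: int = 1):
    """Return the matched time-step counter, or None.

    Accepts the current step plus `window` adjacent steps to tolerate clock skew,
    compares in constant time, and refuses any counter at or below `last_accepted`
    so a code that was already used cannot be replayed inside the window.
    """
    counter = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


if __name__ == "__main__":
    # Times taken from the RFC 6238 Appendix B table
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(TEST_SECRET, t))
```

A caller stores the returned counter per user and passes it back as `last_accepted` on the next attempt.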
Overview
This guide demonstrates how to implement a proof-of-concept environment using two-factor authentication with NetScaler Gateway. It uses LDAP to validate Active Directory credentials as the first factor and Citrix Cloud push authentication as the second factor. It uses a Citrix Virtual Apps and Desktops published virtual desktop to validate connectivity.
It makes assumptions about the completed installation and configuration of the following components:
- NetScaler Gateway installed, licensed, and configured with an externally reachable virtual server bound to a wildcard certificate.
- NetScaler Gateway integrated with a Citrix Virtual Apps and Desktops environment which uses LDAP for authentication
- Citrix Cloud account established
- Endpoint with Citrix Workspace app installed
- Mobile device with Citrix SSO app installed
- Active Directory (AD) is available in the environment
NetScaler Gateway
nFactor
- Log in to the NetScaler ADC UI
- Navigate to Traffic Management > SSL> Certificates > All Certificates to verify you have your domain certificate installed. In this POC example we used a wildcard certificate corresponding to our Active Directory domain. See NetScaler ADC SSL certificates for more information.
- Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Push service
- Select Add
- Populate the following fields and click OK:
- Name - a unique value
- The remaining fields take values from Citrix Cloud, which we obtain next:
- Log in to Citrix Cloud and navigate to Identity and Access Management > API Access
- Create a unique name for the push service and select Create Client
- Copy and paste the resulting values into the NetScaler ADC push service action to integrate with the Citrix Cloud PUSH service:
- Client ID - copy & paste the Client ID from the Citrix Cloud ID and secret popup
- Client Secret - copy & paste the Client Secret from the Citrix Cloud ID and secret popup
- Select Close
- Customer ID - copy & paste the Customer ID from the Citrix Cloud Identity and Access Management > API Access page
- Click Create
- Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
- Select Add
- Populate the following fields
- Name - a unique value. We enter 192.0.2.50_LDAP
- Server Name / IP address - select the FQDN or IP address of your AD server(s)
- Base DN - enter the path to the AD user container. We enter OU=Team Accounts, DC=workspaces, DC=wwco, DC=net
- Administrator Bind DN - enter the admin/service account to query AD to authenticate users. We enter workspacesserviceaccount@workspaces.wwco.net
- Confirm / Administrator Password - enter / confirm the admin / service account password
- Server Logon Name Attribute - in the second field below this field enter userPrincipalName
- Select Create. For more information see LDAP authentication policies
- Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
- Select the LDAP action created above and select Create
- Append OTP or any identifier to the name and unselect authentication
- Under Connection Settings verify the Base DN, Administrator Bind DN, and Password. Be sure that the administrator user or service account is a member of Domain Admins. This action will be used to write the token registered by the user's authenticator app into the userParameters attribute of their user object.
- Scroll down to Other Settings
- Select Create
- Next navigate to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flows
- Select Add and select the plus sign in the Factor box
- Enter nFactor_OTP and select create
- Select Add Policy and select Add again next to Select Policy
- Enter authPol_OTPReg
- Under Action Type select NO_AUTHN
- Select Expression Editor and build the expression by selecting the following in the drop-down menus offered; the resulting expression is HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp"):
- HTTP
- REQ
- COOKIE.VALUE(String) = NSC_TASS
- EQ(String) = manageotp
- Select Done, followed by Create, followed by Add
- Select the green plus sign next to the authPol_OTPReg policy to create a factor
- Enter OTPRegAD and select Create
- In the box created select Add Schema
- Select Add and enter lschema_SingleRegOTP
- Under Schema Files navigate to LoginSchema, and select SingleAuthManageOTP.xml
- Select the blue select button, followed by Create, followed by OK
- In the same box select Add Policy and select Add again next to Select Policy
- Enter authPol_LDAP for the name
- Under Action Type select LDAP
- Under Action select your first LDAP authentication action. We use 192.0.2.50_LDAP
- Under Expression enter true
- Select Create followed by Add
- Select the green plus sign next to the authPol_LDAP policy to create a factor
- Enter OTPRegDevice and select Create
- In the same box select Add Policy and select Add again next to Select Policy
- Enter authPol_OTPAuthDevice for the name
- Under Action Type select LDAP
- Under Action select your newly created (second) LDAP authentication action. We use 192.0.2.50_LDAP_OTP
- Under Expression enter true
- Select Create followed by Add
- Select the blue plus sign under the authPol_OTPReg policy
- Enter authPol_OTPAuth
- Under Action Type select NO_AUTHN
- Under Expression enter true
- Select Create
- Select the green plus sign next to the authPol_OTPAuth policy to create a factor
- Enter OTPAuthAD
- Select Create
- In the box created select Add Schema
- Select Add and enter lschema_DualAuthOTP
- Under Schema Files navigate to LoginSchema, and select DualAuthPushOrOTP.xml
- Select the blue select button, followed by Create, followed by OK
- In the same box select Add Policy
- Select the policy we created during the setup of the Registration flow that maps to your first LDAP authentication action. We use authPol_LDAP
- Select Add
- Select the green plus sign next to the authPol_LDAP policy to create a factor
- Enter OTPAuthDevice. This factor will use the OTP token to perform the second-factor authentication
- Select Create
- In the same box select Add Policy
- Select the policy authPol_OTPAuthDevice that we created during setup of the Registration flow
- Select Add
- Now we've completed the nFactor flow setup and can click Done
- Next navigate to Security > AAA - Application Traffic > Virtual Servers and select Add
- Enter a name (we use PUSH_Auth_Vserver) and the remaining fields, then click OK:
- Select No Server Certificate, select the domain certificate, click Select, Bind, and Continue
- Select No nFactor Flow
- Under Select nFactor Flow click the right arrow, select the nFactor_OTP flow created earlier
- Click Select, followed by Bind
- Next navigate to NetScaler Gateway > Virtual Servers
- Select your existing virtual server that provides proxy access to your Citrix Virtual Apps and Desktops environment
- Select Edit
- Under Basic Authentication - Primary Authentication select LDAP Policy
- Check the policy, select Unbind, select Yes to confirm, and select Close
- Under the Advanced Settings menu on the right select Authentication Profile
- Select Add
- Enter a name. We enter PUSH_auth_profile
- Under Authentication virtual server click the right arrow, and select the NetScaler ADC AAA virtual server we created PUSH_Auth_Vserver
- Click Select, and Create
- Click OK and verify the virtual server now has an authentication profile selected while the basic authentication policy has been removed
- Click Done
Now we test PUSH by registering a mobile device and authenticating into our Citrix Virtual Apps and Desktops environment.
Registration with Citrix SSO app
- Open a browser, and navigate to the domain FQDN managed by the NetScaler Gateway with /manageotp appended to the end of the FQDN. We use https://gateway.workspaces.wwco.net/manageotp
- After your browser is redirected to a login screen enter user UPN and password
- On the next screen select Add Device, enter a name. We use iPhone7
- Select Go and a QR code will appear
- On your mobile device open your Citrix SSO app which is available for download from apps stores
- Select Add New Token
- Select Scan QR Code
- Aim your camera at the QR code and, once it's captured, select Add
- Select Save to store the token
- The Token is now active and begins displaying OTP codes at 30 second intervals
- Select Done and you will see confirmation that the device was added successfully
- Open a browser, and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://gateway.workspaces.wwco.net
- After your browser is redirected to a login screen, enter the user UPN and password. On this screen you also see the option Click to input OTP manually, for use if for some reason your camera is not working
- On your mobile device in your Citrix SSO app select OK to confirm PUSH authentication
- Verify the user's virtual apps and desktops are enumerated and launch once logged in
With Citrix Workspace and NetScaler Gateway, enterprises can improve their security posture by implementing multifactor authentication without making the user experience complex. Users can get access to all of their Workspace resources by entering their standard domain username and password and simply confirming their identity with the push of a button in the Citrix SSO app on their mobile device.
References
For more information refer to:
Authentication Push – watch a Tech Insight video regarding the use of TOTP to improve authentication security for your Citrix Workspace
Authentication - On-Premises NetScaler Gateway – watch a Tech Insight video regarding integrating with on-premises NetScaler Gateway to improve authentication security for your Citrix Workspace