    Posted by: Richard Faulkner
    Validation Status: Validated
    Has Video?: No

    PoC Guide: nFactor for NetScaler Gateway Authentication with Push Token

    February 9, 2022

    Author:  Matt Brooks

    Special thanks:  Dan Feller

    Introduction

    Time-based One-Time Passwords (TOTP) are an increasingly common way to add an authentication factor that strengthens security posture when combined with other factors. TOTP with push takes advantage of mobile devices by letting users receive and accept authentication validation requests at their fingertips. The exchange is secured by applying a hash to a shared key that is distributed during setup.

    NetScaler Gateway supports push notifications for OTP and can provide authentication for various services, including web services, VPN, and Citrix Virtual Apps and Desktops. In this PoC guide we demonstrate using it for authentication in a Citrix Virtual Apps and Desktops environment.


    Overview

    This guide demonstrates how to implement a Proof of Concept environment using two-factor authentication with NetScaler Gateway. It uses LDAP to validate Active Directory credentials as the first factor and Citrix Cloud push authentication as the second factor. It uses a Citrix Virtual Apps and Desktops published virtual desktop to validate connectivity.

    It makes assumptions about the completed installation and configuration of the following components:

    • NetScaler Gateway installed, licensed, and configured with an externally reachable virtual server bound to a wildcard certificate.
    • NetScaler Gateway integrated with a Citrix Virtual Apps and Desktops environment which uses LDAP for authentication
    • Citrix Cloud account established
    • Endpoint with Citrix Workspace app installed
    • Mobile device with Citrix SSO app installed
    • Active Directory (AD) is available in the environment
    Refer to NetScaler Documentation for the latest product version and license requirements.

    PUSH Authentication

    NetScaler Gateway

    nFactor

    1. Log in to the NetScaler ADC UI
    2. Navigate to Traffic Management > SSL > Certificates > All Certificates to verify you have your domain certificate installed. In this PoC example we used a wildcard certificate corresponding to our Active Directory domain. See NetScaler ADC SSL certificates for more information.
    Push service action
    1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Push service
    2. Select Add
    3. Populate the following fields and click OK:
      • Name - a unique value. The remaining values come from Citrix Cloud; to obtain them:
      • Log in to Citrix Cloud and navigate to Identity and Access Management > API Access
      • Create a unique name for the push service and select Create Client. Copy and paste the values shown into the NetScaler ADC push service action to integrate with Citrix Cloud:
      • Client ID - copy & paste the Client ID from the Citrix Cloud ID and secret popup
      • Client Secret - copy & paste the Client Secret from the Citrix Cloud ID and secret popup
      • Select Close
      • Customer ID - copy & paste the Customer ID from the Citrix Cloud Identity and Access Management > API Access page
    4. Click Create
    LDAP - authentication action
    1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
    2. Select Add
    3. Populate the following fields
      • Name - a unique value
      • Server Name / IP address - select an FQDN or IP address for the AD server(s). We enter 192.0.2.50_LDAP
      • Base DN - enter the path to the AD user container. We enter OU=Team Accounts, DC=workspaces, DC=wwco, DC=net
      • Administrator Bind DN - enter the admin/service account to query AD to authenticate users. We enter workspacesserviceaccount@workspaces.wwco.net
      • Confirm / Administrator Password - enter / confirm the admin / service account password
      • Server Logon Name Attribute - in the second field below this field enter userPrincipalName
    4. Select Create. For more information see LDAP authentication policies
    LDAP - token storage action
    1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
    2. Select the LDAP action created above and select Create
    3. Append OTP or any identifier to the name and clear the Authentication check box
    4. Under Connection Settings verify the Base DN, Administrator Bind DN, and Password. Be sure that the administrator user or service account is a member of domain administrators. This policy will be used to write the token registered by the user's authenticator app into the userParameters attribute of their user object.
    5. Scroll down to Other Settings
      • OTP Secret - enter userParameters
      • Push Service - select the PUSH service policy created above
    6. Select Create
    nFactor
    1. Next navigate to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flows
    2. Select Add and select the plus sign in the Factor box
    3. Enter nFactor_OTP and select Create
    nFactor - Registration Flow
    1. Select Add Policy and select Add again next to Select Policy
    2. Enter authPol_OTPReg
    3. Under Action Type select NO_AUTHN
    4. Select Expression Editor and build the expression by selecting the following in the drop-down menus offered:
      • HTTP
      • REQ
      • COOKIE.VALUE(String) = NSC_TASS
      • EQ(String) = manageotp
    5. Select Done, followed by Create, followed by Add
    6. Select the green plus sign next to the authPol_OTPReg policy to create a factor
    7. Enter OTPRegAD and select Create
    8. In the box created select Add Schema
    9. Select Add and enter lschema_SingleRegOTP
    10. Under Schema Files navigate to LoginSchema, and select SingleAuthManageOTP.xml
    11. Select the blue select button, followed by Create, followed by OK
    12. In the same box select Add Policy and select Add again next to Select Policy
    13. Enter authPol_LDAP for the name
    14. Under Action Type select LDAP
    15. Under Action select your first LDAP authentication action. We use 192.0.2.50_LDAP
    16. Under Expression enter true
    17. Select Create followed by Add
    18. Select the green plus sign next to the authPol_LDAP policy to create a factor
    19. Enter OTPRegDevice and select Create
    20. In the same box select Add Policy and select Add again next to Select Policy
    21. Enter authPol_OTPAuthDevice for the name
    22. Under Action Type select LDAP
    23. Under Action select your newly created (second) LDAP authentication action. We use 192.0.2.50_LDAP_OTP
    24. Under Expression enter true
    25. Select Create followed by Add
    nFactor - Authentication Flow
    1. Select the blue plus sign under the authPol_OTPReg policy
    2. Enter authPol_OTPAuth
    3. Under Action Type select NO_AUTHN
    4. Under Expression enter true
    5. Select Create
    6. Select the green plus sign next to the authPol_OTPAuth policy to create a factor
    7. Enter OTPAuthAD
    8. Select Create
    9. In the box created select Add Schema
    10. Select Add and enter lschema_DualAuthOTP
    11. Under Schema Files navigate to LoginSchema, and select DualAuthPushOrOTP.xml
    12. Select the blue select button, followed by Create, followed by OK
    13. In the same box select Add Policy
    14. Select the policy we created during the setup of the Registration flow that maps to your first LDAP authentication action. We use authPol_LDAP
    15. Select Add
    16. Select the green plus sign next to the authPol_LDAP policy to create a factor
    17. Enter OTPAuthDevice. This factor uses the OTP token to perform the second-factor authentication
    18. Select Create
    19. In the same box select Add Policy
    20. Select the policy authPol_OTPAuthDevice that we created during setup of the Registration flow
    21. Select Add
    22. Now we've completed the nFactor flow setup and can click Done
    NetScaler ADC Authentication, Authorization, and Auditing (NetScaler ADC AAA) virtual server
    1. Next navigate to Security > AAA - Application Traffic > Virtual Servers and select Add
    2. Enter the following fields and click OK:
      • Name - a unique value
      • IP Address Type - Non Addressable
    3. Select No Server Certificate, select the domain certificate, click Select, Bind, and Continue
    4. Select No nFactor Flow
    5. Under Select nFactor Flow click the right arrow, select the nFactor_OTP flow created earlier
    6. Click Select, followed by Bind
    NetScaler Gateway - virtual server
    1. Next navigate to NetScaler Gateway > Virtual Servers
    2. Select your existing virtual server that provides proxy access to your Citrix Virtual Apps and Desktops environment
    3. Select Edit
    4. Under Basic Authentication - Primary Authentication select LDAP Policy
    5. Check the policy, select Unbind, select Yes to confirm, and select Close
    6. Under the Advanced Settings menu on the right select Authentication Profile
    7. Select Add
    8. Enter a name. We enter PUSH_auth_profile
    9. Under Authentication virtual server click the right arrow, and select the NetScaler ADC AAA virtual server we created PUSH_Auth_Vserver
    10. Click Select, and Create
    11. Click OK and verify the virtual server now has an authentication profile selected while the basic authentication policy has been removed
    12. Click Done
    User Endpoint

    Now we test PUSH by registering a mobile device and authenticating into our Citrix Virtual Apps and Desktops environment.

    Registration with Citrix SSO app

    1. Open a browser, and navigate to the domain FQDN managed by the NetScaler Gateway with /manageotp appended to the end of the FQDN. We use https://gateway.workspaces.wwco.net/manageotp
    2. After your browser is redirected to a login screen, enter the user UPN and password
    3. On the next screen select Add Device and enter a name. We use iPhone7
    4. Select Go and a QR code will appear
    5. On your mobile device open your Citrix SSO app, which is available for download from app stores
    6. Select Add New Token
    7. Select Scan QR Code
    8. Aim your camera at the QR code and once it's captured select Add
    9. Select Save to store the token
    10. The token is now active and begins displaying OTP codes at 30 second intervals
    11. Select Done and you will see confirmation that the device was added successfully
    Citrix Virtual Apps and Desktops Authentication, Publication, and Launch
    1. Open a browser, and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://gateway.workspaces.wwco.net
    2. After your browser is redirected to a login screen, enter the user UPN and password. On this screen you also see the option Click to input OTP manually, in case your camera is not working
    3. On your mobile device, in your Citrix SSO app, select OK to confirm PUSH authentication
    4. Verify the user's virtual apps and desktops are enumerated, and launch once logged in
    Summary

    With Citrix Workspace and NetScaler Gateway, enterprises can improve their security posture by implementing multifactor authentication without making the user experience complex. Users can get access to all of their Workspace resources by entering their standard domain user name and password and simply confirming their identity with the push of a button in the Citrix SSO app on their mobile device.

    References

    For more information refer to:

    Authentication Push – watch a Tech Insight video regarding the use of TOTP to improve authentication security for your Citrix Workspace

    Authentication - On-Premises NetScaler Gateway – watch a Tech Insight video regarding integrating with on-premises NetScaler Gateway to improve authentication security for your Citrix Workspace
