Native One Time Passwords (OTP) – Citrix Gateway 13

Last Modified: May 23, 2020 @ 5:36 am

Overview

Citrix ADC 13 Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses the Citrix SSO app (mobile VPN client) to receive push notifications, or Google Authenticator to generate passcodes.

Here are some notes and requirements for Native OTP:

  • Licensing – Citrix ADC Native OTP is part of nFactor, and thus requires Citrix ADC Advanced Edition or Citrix ADC Premium Edition licensing. Citrix ADC Standard Edition licensing is not sufficient.
    • OTP Push Notifications require ADC Premium Edition
  • Workspace app 1809 and newer with Citrix Gateway 12.1 build 49 and newer support nFactor authentication. Older Receivers and older NetScalers don’t support nFactor with Receiver, so you’ll instead have to use a web browser.

  • Citrix Gateway VPN Plug-in 12.1 build 49 and later support nFactor when authenticating from the VPN Plug-in.

  • Push notifications – Citrix ADC 13 and newer supports OTP push notifications of logon request to the mobile (iOS, Android) Citrix SSO app. Other authenticator apps are not supported for OTP Push, but they can be used with OTP Passcode.
  • Authenticator – If not using Citrix SSO app, then Google Authenticator can generate passcodes. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  • Internet for Push – Push notifications requires the Citrix ADC appliance to be able to send API calls across the Internet to Citrix Cloud.
  • Active Directory attribute – Citrix ADC stores each user’s OTP device enrollment secrets in a string-based Active Directory attribute. Citrix’s documentation uses the userParameters Active Directory attribute.
    • The LDAP bind account must have permission to modify this attribute on every user.
    • The userParameters attribute must not be populated. Active Directory Users & Computers might set the userParameters attribute if you modify any of the RDS property pages.
  • Enroll multiple devices – Citrix ADC 13 and newer lets you control the number of devices that a user can enroll.
  • Manageotp is difficult to secure – The manageotp enrollment website is usually protected only by single-factor authentication (the AD password), so anyone holding a stolen password could enroll their own authenticator. External access must be blocked (the first-factor policy expression later in this article restricts it to an internal subnet).
    • Andreas Nick OTPEdit is an out-of-band tool to register OTP devices without using manageotp. 💡

Notes on Citrix ADC Configuration Objects for OTP

Here are some notes on the Citrix ADC OTP configuration objects. Detailed instructions are provided later.

  • Make sure NTP is configured on the Citrix ADC. Accurate time is required.
  • AAA vServer – nFactor requires a AAA vServer, which can be non-addressable. You don’t need any additional public IP for OTP.
    • An Authentication Profile links the AAA vServer to the Citrix Gateway vServer.
  • Citrix Cloud – For Push notifications, create a Citrix Cloud account. No Citrix Cloud licensing needed. Citrix ADC uses Cloud API credentials to authenticate with Citrix Cloud.
  • NSC_TASS cookie – To access the manageotp web page, users add /manageotp to the end of the Gateway URL. Citrix ADC puts this URL path into a cookie called NSC_TASS. You can use this cookie and its value in policy expressions for determining which Login Schema is shown to the user.
  • Login Schema for manageotp – The built-in Login Schema file named SingleAuthManageOTP.xml has hidden fields that enable the manageotp web page. If the Login Schema Policy expression permits the SingleAuthManageOTP.xml Login Schema to be shown to the user, then after authentication the user will be taken to the manageotp web page.

    • LDAP authentication is expected to be bound to the same factor as this SingleAuthManageOTP login schema.
    • The next factor is an LDAP Policy/Server with authentication disabled (unchecked) but with arguments specifying the Active Directory attribute for the OTP Secret and the Push Service configuration.

  • Login Schema for OTP authentication – The built-in Login Schema file named DualAuthPushOrOTP.xml performs the two-factor authentication utilizing the push service. There’s a checkbox that lets users choose Passcode instead of Push. This login schema has a Credential called otppush.

    • If you prefer to not use Push, then you can use a normal DualAuth.xml Login Schema file since for passcode authentication there are no special Login Schema requirements other than collecting two password fields.
    • Both methods expect an authenticating LDAP Policy/Server to be bound to the same Factor as the Login Schema.
    • The next factor should be a non-authenticating LDAP Policy/Server that optionally has the Push Service defined and must have the OTP Secret attribute defined.
  • Single Sign-on to StoreFront – The OTP dual authentication Login Schema essentially collects two passwords (AD password plus push, or AD password plus passcode). Later, Citrix Gateway needs to use the AD password to perform Single Sign-on to StoreFront. To ensure the AD password is used instead of the OTP passcode, configure the OTP dual authentication Login Schema to store the AD password in a AAA attribute and then use a Citrix Gateway Traffic Policy/Profile to utilize the AAA attribute during Single Sign-on to StoreFront.
  • nFactor Visualizer – Citrix ADC 13 has a nFactor Visualizer to simplify the OTP configuration. Or you can manually create the LDAP Policies/Actions, the Login Schema Policies/Profiles, the PolicyLabels, and then bind them to a AAA vServer.
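
The passcodes that Google Authenticator, Microsoft Authenticator and the Citrix SSO app’s password tokens produce are RFC 6238 TOTP codes: an HMAC-SHA1 over a 30-second time counter, truncated to 6 digits (Google Authenticator’s defaults). The Python below is an added example, not code from this article or from Citrix, that computes and verifies such passcodes against the RFC 4226/6238 reference seed. It is here to show concretely why the NTP requirement above matters: the verifier only tolerates as much phone-vs-appliance clock difference as its window allows. The window size the ADC uses is not stated on this page; window=1 is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 form of the RFC 4226 / RFC 6238 reference seed "12345678901234567890".
# This is a published test vector, not a real enrollment secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30  # seconds per TOTP step (Google Authenticator default)
DIGITS = 6      # passcode length (Google Authenticator default)


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps since the epoch."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, passcode: str, unix_time: int, window: int = 1) -> bool:
    """Accept the passcode if it matches the current step or any step within +/- window.

    The window absorbs small clock differences between the phone and the verifier.
    The ADC's own tolerance is not documented on this page; window=1 (30 s either
    side) is an assumption. A verifier clock that is off by more than the window
    rejects every valid passcode, which is why NTP on the ADC is mandatory.
    """
    passcode = passcode.strip()
    if not (passcode.isdigit() and len(passcode) == DIGITS):
        return False
    counter = unix_time // TIME_STEP
    for c in range(counter - window, counter + window + 1):
        # Constant-time comparison so a wrong guess does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret_b32, c), passcode):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the 8-digit SHA1 code is 94287082, i.e. 287082 with 6 digits.
    print(totp(TEST_SECRET_B32, 59))                    # 287082
    print(verify_totp(TEST_SECRET_B32, "287082", 89))   # True: 30 s of skew absorbed by the window
    print(verify_totp(TEST_SECRET_B32, "287082", 119))  # False: 60 s of skew exceeds window=1
    print(totp(TEST_SECRET_B32, int(time.time())))      # what an authenticator app shows right now
```

Scan the same seed into Google Authenticator (as an otpauth URI) and the app shows the value the last print produces, provided both clocks agree; shift the appliance clock by a minute and every passcode fails until NTP corrects it.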

OTP Encryption

ADC 13.0 build 41 and newer let you encrypt the OTP secrets stored in Active Directory.

ADC uses a certificate to encrypt the contents of the Attribute. It currently is not possible to configure the certificate from the GUI, so you’ll need to SSH to the ADC and run the following command:

bind vpn global -userDataEncryptionKey MyCertificate

To enable OTP attribute encryption:

  1. In the ADC menu, go to Security > AAA – Application Traffic.
  2. On the right, click Change authentication AAA OTP Parameter.
  3. Check the box for OTP Secret encryption and then click OK.
  4. If you have a previous implementation of ADC OTP that stored unencrypted OTP secrets, then use the Python OTP encryption tool at /var/netscaler/otptool/OTP_encryption_tool to encrypt the AD attribute using the userDataEncryptionKey certificate. The same tool can be used to change the encryption certificate. More details at OTP encryption tool at Citrix Docs.

AAA Virtual Server

Create a AAA vServer that is the anchor point for our OTP nFactor configuration.

  1. Go to Security > AAA – Application Traffic.
  2. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  3. Go to Security > AAA – Application Traffic > Virtual Servers.
  4. On the right, click Add.
  5. This AAA vServer is for OTP so name it accordingly.
  6. Change the IP Address Type to Non Addressable. You don’t need to specify any additional IP address.
  7. Click the blue OK button.
  8. Click where it says No Server Certificate.

    1. In the Server Certificate Binding section, click Click to select.
    2. Click the radio button next to a certificate, and then click the blue Select button at the top of the page. You can select the same certificate as the Citrix Gateway Virtual Server.
    3. Click Bind.
  9. Click Continue to close the Certificate section.
  10. In the Advanced Authentication Policies section, don’t bind anything and just click Continue. We’ll bind a nFactor Flow later.
  11. You can optionally improve the SSL ciphers on this AAA Virtual Server but it’s probably not necessary since this AAA vServer is not directly addressable.
  12. Nothing else is needed at this time so click the blue back arrow on the top left.

Push Service

If your Citrix ADC has Internet access, then you can enable OTP Push Authentication. The ADC must be able to reach the following FQDNs:

  • mfa.cloud.com
  • trust.citrixworkspacesapi.net

Create an API Client at citrix.cloud.com:

  1. Go to https://citrix.cloud.com and login. Your cloud account does not need any licensed services.
  2. On the top left, click the hamburger (menu) icon, and then click Identity and Access Management.
  3. Switch to the tab named API Access.
  4. On this page, notice the Customer ID. You’ll need this value later.
  5. Enter a name for a new API client and then click Create Client
  6. Click Download to download the client credentials.

On ADC 13, create the Push Service:

  1. In Citrix ADC 13 management GUI, navigate to the Push Service node. The easiest way to find it is to enter Push in the search box on the top left.
  2. On the right, click Add.
  3. In the Create Push Service page, do the following:
    1. Enter a name for the Push Service.
    2. Enter the Client ID and Client Secret that you downloaded when creating your API Client.
    3. Enter the Customer ID shown on the Create Client web page at cloud.com. Make sure there are no hidden characters or whitespace around the Customer ID.
  4. Click Create.
  5. On the top right, click the refresh icon until the Status changes to COMPLETE. If it won’t go past CCTOKEN, then make sure you entered the API Client info correctly, especially the Customer ID, which might have hidden characters around it.

LDAP Actions/Servers

Create three LDAP Actions (aka LDAP Servers):

  • One LDAP Action for normal LDAP authentication against Active Directory
  • One LDAP Action to set the OTP Active Directory attribute and register with push
  • One LDAP Action to perform push authentication (in a dual-authentication flow)

Create normal LDAP Action

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.
  3. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. There are no special instructions for this LDAP Server.

Create LDAP Action for OTP Device Registration

Create the LDAP Action for OTP device registration that sets the OTP Active Directory attribute and registers with push:

  1. Create another LDAP Action.
  2. Name it according to this goal: used by the manageotp web site to set the OTP authenticator in Active Directory.
  3. On the right, uncheck the box next to Authentication.
  4. Make sure the Administrator Bind DN has permission to modify the OTP Secret Active Directory attribute for all users. A regular read-only LDAP bind account won’t work; delegating write access to just that attribute is sufficient and is preferable to binding as a Domain Admin.
  5. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new LDAP Action won’t work.
  6. Click Test LDAP Reachability.
  7. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
  8. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where Citrix ADC will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
    • userParameters is populated by Active Directory Users & Computers if you set anything on the RDS tabs (e.g. RDS Roaming Profile).
  9. Select the Push Service that you created earlier.
  10. Click Create when done.

Create LDAP Action for OTP Authentication

Create a LDAP Action that performs OTP push authentication or verifies the OTP Passcode. The only difference from the prior LDAP Action is the addition of an LDAP Search Filter.

  1. Create another LDAP Action.
  2. Give the LDAP Action a name.
  3. On the right, uncheck the box next to Authentication.
  4. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
  5. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new LDAP Action won’t work.
  6. Click Test LDAP Reachability.
  7. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
  8. In the Search Filter field, enter the text userParameters>=#@. Citrix ADC writes its enrollment data to the OTP attribute with a leading #@ marker, so this filter matches only users who have already enrolled through manageotp; everyone else fails this factor instead of being let through on the AD password alone. See George Spiers NetScaler native OTP for more info.
  9. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
  10. In the Push Service drop-down, select the Push Service that you already created.
  11. Click Create when done.

nFactor Visualizer

We will build a nFactor Flow that looks something like this:

  • First factor on the left chooses either OTP Device Registration or OTP Authentication. If user enters /manageotp, then nFactor Flow takes the top path. Otherwise, nFactor flow takes the bottom path.
    • Login Schema is not needed for the first factor.
  • Second factor for Manage OTP = Login Schema with Manage OTP flag and normal LDAP authentication before allowing users to add devices.
    • Third factor is just an LDAP Policy configured with the OTP Active Directory attribute and Push Service. No Login Schema needed.
  • Second factor for OTP Authentication = Login Schema with OTP Push (or OTP Passcode) and normal LDAP authentication.
    • Third factor is just an LDAP Policy with the OTP Active Directory attribute and Push Service. No Login Schema needed.

nFactor Visualizer notes:

  • nFactor Visualizer is not required. You can instead follow the older manual ADC 12.1 instructions.
  • It doesn’t seem to be possible to rename any part of the flow once it’s created. To rename, you basically remove the entire flow and rebuild it.
  • nFactor Visualizer does not support policy expressions for Login Schemas so the older ADC 12.1 instructions must be modified to support two different branches.

Create Flow and first factor that selects Manage or selects Authenticate

  1. In ADC 13, go to Security > AAA – Application Traffic > nFactor Visualizer > nFactor Flows. Or search the menu for nFactor.
  2. On the right, click Add.
  3. Click the blue plus icon to create a factor.
  4. Name the factor based on this goal: choose manageotp or authenticate based on whether the user entered /manageotp or not. The name of the first factor is also the name of the nFactor Flow.
  5. Click the blue Create button.
  6. The first factor does not need a Schema.
  7. In the first factor, click where it says Add Policy.
  8. In the Choose Policy to Add page, click Add to create an authentication policy.

    1. Name this policy according to this goal: if this policy’s expression is true, then select the manageotp branch (instead of OTP authentication).
    2. For the Action Type drop-down, select NO_AUTHN. This policy is merely a decision point for the next factor so no actual authentication will occur at this time. The next factor is configured later.
    3. In the Expression box, enter something similar to the following. The IP subnet expression restricts the manageotp web page to only internal users. Because the NSC_TASS cookie is ultimately presented by the client, the subnet condition is the real access control; replace 10.2.0.0/16 with your internal range.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
    4. Then click the blue Create button.
  9. Click the blue Add button to bind this policy to the factor.
  10. In the first factor, below the policy you just added, click the blue plus arrow to create another policy.
  11. In the Choose Policy to Add page, click Add to create another policy.

    1. Name the policy according to this goal: select the dual factor OTP authentication branch.
    2. For the Action Type drop-down, select NO_AUTHN. This is a decision point policy without authentication that leads to the next factor that does the actual authentication.
    3. In the Expression box, enter true to capture all OTP users that did not match the prior manageotp policy.
    4. Click the blue Create button.
  12. Click Add to bind this policy to the first factor but after (higher priority number) than the manageotp policy.

Create second factor for manageotp

  1. In the first factor, click the green plus icon to the right of the “SelectManageOTP” policy. If the “SelectManageOTP” policy is true, then this new factor will be evaluated.
  2. Name this factor according to this goal: perform single-factor LDAP authentication before allowing access to the manageotp web page.
  3. Then click the blue Create button.
  4. In the second factor, click where it says Add Schema.
  5. In the Choose Schema page, click Add to create a Login Schema.

    1. Name the Login Schema according to this goal: ask user for one password that will be verified with LDAP (Active Directory) before showing the manageotp web page.
    2. In the Authentication Schema field, click the pencil icon.
    3. The existing window expands to show the Login Schema Files. On the left, click the LoginSchema folder to see the files in that folder.
    4. In the list of files, click SingleAuthManageOTP.xml. This login schema asks for one password and has the special hidden credential to enable the manageotp web page.
    5. To actually select this file, on the top right, click the blue Select button. The Login Schema window will then collapse so that Login Schema Files are no longer shown.
    6. Make sure the Authentication Schema field shows the Login Schema file that you selected.
    7. Then click the blue Create button.
  6. Click OK to bind the Schema to the factor.
  7. In the second factor, below the Schema, click Add Policy.
  8. In the Choose Policy to Add page, if you already have a normal Advanced Expression LDAP policy, then select it.
  9. Otherwise, click Add to create one.

    1. Name this policy according to this goal: perform normal LDAP authentication against an Active Directory domain.
    2. In the Action Type drop-down, select LDAP.
    3. In the Action drop-down, select the LDAP Action/Server you created earlier that performs normal authentication.
    4. In the Expression box, enter true, which is an Advanced Expression.
    5. Click the blue Create button.
  10. Click Add to bind this LDAP Policy to the factor.

Create third factor that registers an OTP device with Active Directory and Push

  1. In the second factor, click the green plus icon to create another factor. This new factor is only evaluated if the LDAP Policy is successful.
  2. Name the factor according to this goal: register the device with Active Directory and optionally Push.
  3. This factor does not need any Schema.
  4. In the third factor, click Add Policy
  5. In the Choose Policy to Add page, click Add to create a policy.

    1. Name the policy according to this goal: Register OTP devices using LDAP Action without authentication that has the OTP Secret Attribute specified.
    2. In the Action Type drop-down, select LDAP.
    3. In the Action drop-down, select the LDAP Action you created earlier that registers new devices. Make sure authentication is disabled in the LDAP Action, and make sure it has OTP Secret and optionally OTP Push configured.
    4. In the Expression field, enter true.
    5. Click the blue Create button.
  6. Click the blue Add button to bind this policy to the factor.

The Factors for manageotp are complete. Now we build the factors for authenticating using OTP.

Create a second factor for LDAP Authentication

  1. Go back to the first factor and click the green plus icon next to the OTP Authentication policy.
  2. Name the factor according to this goal: ask user for one password + push, or two passwords, and then perform LDAP authentication. OTP authentication is performed in the next factor (see below).
  3. In the second factor, click where it says Add Schema.
  4. In the Choose Schema window, click Add.

    1. Name the Login Schema according to this goal: ask for one password + OTP push, or ask for two passwords.
    2. In the Authentication Schema field, click the pencil icon.
    3. The window expands to show Login Schema Files. On the left, click the LoginSchema folder to see the files under it.
    4. On the left, click the DualAuthPushOrOTP.xml file.
    5. Or if you don’t want push, then click a normal two password schema like DualAuth.xml. You can modify the DualAuth.xml file to indicate to the user that the OTP Passcode is expected in the second field.
    6. Then on the top right click the blue Select button. This causes the Login Schema window to collapse and no longer show the Login Schema Files.
    7. In the Authentication Schema field, makes sure the correct file name is selected.
    8. Click More.
    9. At the bottom, in the Password Credential Index field, enter a 1 to save the first password into AAA Attribute 1, which we’ll use later in a Traffic Policy that performs Single Sign-on to StoreFront.
    10. Then click the blue Create button.
  5. Click OK to bind the Schema to the factor.
  6. In the second factor, below the schema, click where it says Add Policy.
  7. In the Select Policy drop-down, select your normal LDAP Active Directory authentication policy. This is the same one you used for the second factor in the manageotp branch.
  8. Click the blue Add button to bind this LDAP policy to the second factor.

Create third factor to perform OTP authentication (Push or Passcode)

  1. In the second factor, click the green plus icon next to the LDAP Policy to create another factor.
  2. Name the factor according to this goal: perform OTP Push or Passcode authentication.
  3. Be aware that the nFactor Visualizer might swap your third factors.
  4. This third factor does not need a Login Schema.
  5. In the new third factor (probably the top one, follow the arrows), click where it says Add Policy.
  6. In the Choose Policy to Add page, click Add to create a policy.

    1. Name this policy according to this goal: perform OTP Push or OTP Passcode authentication.
    2. In the Action Type drop-down, select LDAP.
    3. In the Action drop-down, select the LDAP action you created earlier that verifies the OTP push or passcode. This is the Action that has the LDAP Filter configured.
    4. In the Expression box, enter true.
    5. Click the blue Create button.
  7. Click the blue Add button to bind this policy to the third factor.
  8. Click the blue Done button to close the Flow.

Bind nFactor Flow to AAA Virtual Server

  1. In the nFactor Flows menu node, highlight the nFactor Flow and click the button labelled Bind to Authentication Server.
  2. In the Authentication Server drop-down, select the AAA vServer you created earlier.
  3. Everything else should already be filled in so just click the blue Create button.

Maximum Number of Registered OTP Devices

ADC 13 lets you restrict the number of OTP devices each user can register:

  1. In the ADC menu, go to Security > AAA – Application Traffic.
  2. On the right, click Change authentication AAA OTP Parameter.
  3. Enter the number of devices each user can register and then click OK.
  4. When the user attempts to register more than the max number of devices, the error message is not user friendly.
  5. You can see the actual error by grepping /var/log/ns.log for otp, which might show <Max permitted otp devices reached>.

Traffic Policy for Single Sign-on to StoreFront

Create Traffic Profile

  1. On the left, go to Citrix Gateway > Policies > Traffic.
  2. On the right, switch to the tab named Traffic Profiles, and click Add.
  3. Name the Traffic Profile according to this goal: use the AAA attribute 1 as password when doing Single Sign-on to StoreFront.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following which uses the Login Schema Password Attribute specified earlier.
    AAA.USER.ATTRIBUTE(1)
  6. Click the blue Create button.

Create Traffic Policy

  1. On the right, switch to the tab named Traffic Policies, and click Add.
  2. In the Request Profile field, select the Traffic Profile you just created.
  3. Name the Traffic Policy.
  4. In the Expression box, enter true (Advanced Syntax).
    • If your Citrix Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.
      http.req.method.eq(post)||http.req.method.eq(get) && false
  5. Click the blue Create button.

Citrix Gateway, Traffic Policy, and Authentication Profile

Note: ADC 13.0 build 36.27 will perform a core dump if AppFlow is enabled on the appliance so make sure AppFlow is disabled under Advanced Features. The core dump seems to happen even if no AppFlow policies are bound to the Gateway Virtual Server.

Edit an existing Citrix Gateway Virtual Server

  1. Go to Citrix Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don’t have one, see the other Citrix Gateway topics on this site.

Bind the Traffic Policy

  1. While editing a Gateway Virtual Server, scroll down to the Policies section, and click the plus icon.
  2. Change the Choose Policy drop-down to Traffic, and then click the blue Continue button.
  3. In the Policy Binding section, click Click to select.
  4. Click the radio button next to the Traffic Policy you created earlier, and then click the blue Select button at the top of the page.
  5. Click the blue Bind button.

Create Authentication Profile

Create and bind an Authentication Profile to link the Gateway Virtual Server to the AAA Virtual Server:

  1. While editing a Gateway Virtual Server, on the right, in the Advanced Settings column, click Authentication Profile.
  2. On the left, scroll down to the Authentication Profile section.
  3. Click Add to create one.
  4. Authentication Profile links the Citrix Gateway vServer with the OTP AAA vServer, so name it accordingly.
  5. In the Authentication Virtual Server section, click Click to select.
  6. Click the radio button next to the OTP AAA vServer, and then click the blue Select button at the top of the page.
  7. Click the blue Create button.
  8. Scroll down again to the Authentication Profile section, and click the blue OK button. Your selection isn’t saved until you click OK.
  9. The Portal Theme bound to the Gateway Virtual Server should be X1, RfWebUI, or a derivative.

Update Content Switching Expression for Unified Gateway

If your Citrix Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the Citrix ADC GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp User Experience

To access the manageotp web page:

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Add /manageotp to the end of your Gateway URL.
  2. Notice it’s only single-factor authentication. Login using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. For OTP Push, on your phone, install the Citrix SSO app if it’s not already installed. Then launch it.
    1. Switch to the Password Tokens tab and tap Add New Token.
    2. Tap Scan QR Code.
    3. Then scan the QRCode shown in your browser.
    4. You should see the Device Name. Tap Save.
  6. If OTP Passcode, launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QRCode that is shown on the screen.
    1. Citrix SSO app also supports passcode.
    2. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  7. If you configured OTP Push, then you won’t see a Test button. To display the Test button, simply refresh your browser page.
  8. Click Test.
  9. Enter the passcode shown in your Authenticator, and click Go.

    1. Citrix SSO app shows the passcode on the main Password Tokens view.
  10. When done, on the top right, click your name and Log Off.
  11. The OTP registration info is stored in the Active Directory attribute. If users need to re-register, then help desk might need permission to clear this Active Directory attribute.

Perform OTP Authentication

  1. If you access your Gateway URL normally, you’ll be prompted for either one password or two passwords. If one password, then enter your normal LDAP credentials and Citrix Gateway will send a push notification to your phone. If two passwords, then enter the OTP passcode in the second field.
  2. The push notification is shown on the phone’s lock screen. Tap it to open the Citrix SSO app.
  3. Tap Allow to allow the authentication request.
  4. Tap OK when prompted with Logon Success.
  5. After Gateway authentication, Gateway should Single Sign-on into StoreFront with no additional password prompts.

CLI Commands

Here’s a complete OTP nFactor Flow (Visualizer) CLI configuration (except encrypted passwords):

# AAA Global Settings
# -------------------
enable ns feature AAA
set aaa otpparameter -maxOTPDevices 1


# Push Service
# ------------

add authentication pushService cloudPush -namespace "https://mfa.cloud.com/" -clientID b6effb5e-b2d3125 -clientSecret 152c84647b -encrypted -encryptmethod ENCMTHD_3 -CustomerID MyCompan -trustService "https://trust.citrixworkspacesapi.net/"

# LDAP Actions
# ------------
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword a368c -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN

add authentication ldapAction OTPRegisterDevice -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword 1f952a81 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -pushService cloudPush -OTPSecret userParameters

add authentication ldapAction LDAPOTPAuthentication -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword 4319b4d7 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -pushService cloudPush -OTPSecret userParameters


# Advanced Authentication Policies
# --------------------------------
add authentication Policy _OTP-AAA_OTPManageOrAuthenticate__root_0 -rule true -action NO_AUTHN

add authentication Policy SelectManageDevices -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)" -action NO_AUTHN

add authentication Policy SelectOTPAuthentication -rule true -action NO_AUTHN

add authentication Policy LDAPAdv -rule true -action LDAP-Corp

add authentication Policy OTPRegisterDevice -rule true -action OTPRegisterDevice

add authentication Policy LDAPOTPAuthentication -rule true -action LDAPOTPAuthentication


# Login Schemas
# -------------
add authentication loginSchema SinglePasswordForManageOTP -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

add authentication loginSchema OTPPushOrPasscode -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthPushOrOTP.xml" -passwordCredentialIndex 1


# Authentication Policy Labels
# ----------------------------
add authentication policylabel OTPManageOrAuthenticate__root -loginSchema LSCHEMA_INT
bind authentication policylabel OTPManageOrAuthenticate__root -policyName SelectManageDevices -priority 100 -gotoPriorityExpression NEXT -nextFactor AuthenticateToManageDevices__OTPManageOrAuthenticate
bind authentication policylabel OTPManageOrAuthenticate__root -policyName SelectOTPAuthentication -priority 110 -gotoPriorityExpression NEXT -nextFactor OTPAuthentication__OTPManageOrAuthenticate

add authentication policylabel AuthenticateToManageDevices__OTPManageOrAuthenticate -loginSchema SinglePasswordForManageOTP
bind authentication policylabel AuthenticateToManageDevices__OTPManageOrAuthenticate -policyName LDAPAdv -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPDeviceRegistration__OTPManageOrAuthenticate

add authentication policylabel OTPAuthentication__OTPManageOrAuthenticate -loginSchema OTPPushOrPasscode
bind authentication policylabel OTPAuthentication__OTPManageOrAuthenticate -policyName LDAPAdv -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPPushOrPasscode__OTPManageOrAuthenticate

add authentication policylabel OTPDeviceRegistration__OTPManageOrAuthenticate -loginSchema LSCHEMA_INT
bind authentication policylabel OTPDeviceRegistration__OTPManageOrAuthenticate -policyName OTPRegisterDevice -priority 100 -gotoPriorityExpression NEXT

add authentication policylabel OTPPushOrPasscode__OTPManageOrAuthenticate -loginSchema LSCHEMA_INT
bind authentication policylabel OTPPushOrPasscode__OTPManageOrAuthenticate -policyName LDAPOTPAuthentication -priority 100 -gotoPriorityExpression NEXT


# Authentication Virtual Servers
# ------------------------------
add authentication vserver OTP-AAA SSL 0.0.0.0
bind authentication vserver OTP-AAA -policy _OTP-AAA_OTPManageOrAuthenticate__root_0 -priority 100 -nextFactor OTPManageOrAuthenticate__root -gotoPriorityExpression NEXT


# Authentication Profiles
# -----------------------
add authentication authnProfile OTP-AAA -authnVsName OTP-AAA


# NetScaler Gateway Session Profiles
# ----------------------------------
add vpn sessionAction AC_OS_10.2.4.120 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://xdc01.corp.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://xdc01.corp.local"

add vpn sessionAction AC_WB_10.2.4.120 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://xdc01.corp.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain corp.local -clientlessVpnMode OFF


# NetScaler Gateway Session Policies
# ----------------------------------
add vpn sessionPolicy PL_OS_10.2.4.120 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" AC_OS_10.2.4.120

add vpn sessionPolicy PL_WB_10.2.4.120 "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" AC_WB_10.2.4.120


# NetScaler Gateway Global Settings
# ---------------------------------
enable ns feature SSLVPN


# NetScaler Gateway Virtual Servers
# ---------------------------------
add vpn vserver gateway2 SSL 10.2.4.220 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -authnProfile OTP-AAA -vserverFqdn gateway3.corp.com
bind vpn vserver gateway2 -portaltheme RfWebUI
bind vpn vserver gateway2 -policy LDAP-Corp -priority 100
bind vpn vserver gateway2 -policy PL_OS_10.2.4.120 -priority 100
bind vpn vserver gateway2 -policy PL_WB_10.2.4.120 -priority 100


# SSL Virtual Servers
# -------------------
bind ssl vserver gateway2 -certkeyName WildcardCorpCom.cer_CERT_KEY
bind ssl vserver gateway2 -eccCurveName P_256
bind ssl vserver gateway2 -eccCurveName P_384
bind ssl vserver gateway2 -eccCurveName P_224
bind ssl vserver gateway2 -eccCurveName P_521

bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom.cer_CERT_KEY
bind ssl vserver OTP-AAA -eccCurveName P_256
bind ssl vserver OTP-AAA -eccCurveName P_384
bind ssl vserver OTP-AAA -eccCurveName P_224
bind ssl vserver OTP-AAA -eccCurveName P_521
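The LDAPOTPAuthentication action above reads the enrolled secret from the user's userParameters attribute and validates the passcode the user types (or, with push, the one the Citrix SSO app confirms). The following is an added example, not code from the original post and not Citrix ADC code: a stand-alone RFC 6238 TOTP verifier showing what that validation involves, including tolerance for clock drift and rejection of a replayed passcode. It assumes a base32-encoded secret (what Google Authenticator consumes), SHA-1, 6 digits and 30-second steps; the encrypted attribute layout Citrix ADC actually writes is not reproduced, and the secret used in the demo is the RFC 6238 reference value, not a real enrollment.

```python
# Added example (not from the original post, not Citrix ADC code): an
# RFC 6238 TOTP verifier of the kind the OTP authentication factor performs
# against the secret stored in the user's userParameters attribute.
# Assumptions: base32-encoded secret, HMAC-SHA1, 6 digits, 30-second steps.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6
STEP_SECONDS = 30
SKEW_STEPS = 1  # tolerate one time step of clock drift either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lower case, spaces and missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """TOTP = HOTP(secret, floor(unix_time / step))."""
    return hotp(decode_secret(secret_b32), at // step)


class TotpVerifier:
    """Verifies passcodes for one enrolled device and rejects replays.

    Once a code for a time step has been accepted, that step and every earlier
    one are consumed, so the same passcode cannot be submitted a second time
    inside its validity window.
    """

    def __init__(self, secret_b32: str, skew: int = SKEW_STEPS):
        self.secret = decode_secret(secret_b32)
        self.skew = skew
        self.last_accepted_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // STEP_SECONDS
        for delta in range(-self.skew, self.skew + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # already used (replay) or older than an accepted code
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


# Constructed demo value: the RFC 6238 reference secret (ASCII "12345678901234567890").
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = TotpVerifier(RFC6238_SECRET_B32)
    print(totp(RFC6238_SECRET_B32, 59))   # 287082 (RFC 6238 test vector, 6 digits)
    print(v.verify("287082", at=59))      # True
    print(v.verify("287082", at=59))      # False: same code replayed
```

The skew window is what lets a phone whose clock is a few seconds off still authenticate; the replay check is what keeps an observed passcode from being reused by someone else within those same 30 seconds, which matters because the code is typed into a web form and is visible to anyone watching the screen.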


48 thoughts on “Native One Time Passwords (OTP) – Citrix Gateway 13”

  1. Hi Carl, do you know if it is possible to set an email policy as an authentication factor?
    I need to replace the OTP sent to the user's device with an OTP sent to the user's e-mail. This is because the customer doesn't want to enroll users' personal devices.
    Thank you.

      1. Thank you Carl. Do you think it is possible to modify the OTP authentication with e-mail authentication?
        It should be necessary to fill the userParameter field with a token …
        I tried in my lab environment, starting with a Native OTP auth schema, but I can't invoke the mail send.
        Do you have any tips?
        Thank you

  2. There are some users who are deleted from AD, but their mobile authentication app is still showing the code. How do I check which users have registered their device for OTP? And how do I remove users from NetScaler OTP whose AD profile is deleted?

    1. If the user doesn’t exist in AD and there’s no OTP secret in AD, then the user won’t be able to login.

      1. Hi Carl, I have a situation in which Max OTP allowed = 1. I go to /manageotp and delete the secret. It shows successfully deleted, but when I add the new device it says that I reached the maximum number of devices. The secret is never deleted from AD. OTP user data is encrypted with the same certificate before the user registers a device for the first time. AD is not load balanced during the test, to make the replication/persistence aspects easy. Where do you think I could keep going on the analysis? Many thanks

  3. Hi, sorry for my last comment. I found my error. The script was just looking for Notepad (x86) and not Notepad (x64). Thanks for your work.

  4. Hi Carl, thanks again for this huge article. I have a question regarding the wildcard certificate from your domain. Is it a simple web certificate request from IIS and your local authority? Or is it with additional OIDs for authentication?
    Thanks

      1. Thanks Carl, it works well. I made a mistake by binding the certificate with the shell activated.
        The solution is working now.
        I just have a little concern about the manage OTP page. The filter by "&& client.IP.SRC.IN_SUBNET(192.168.1.0/24)" isn't working in my case.
        I cannot access the page with the condition activated.
        If you have an idea? 🙂

  5. What a post!!
    I'm a newbie in this topic; I'm searching and learning about the OTP advantages, and I have certain doubts, so if you can help me I'd really appreciate it.

    1) In the Login Schema Policy, if I change the subnet parameters to something like just "manageotp", would that allow any user to access the /manageotp page via browser?

    2) If I configure the push notifications as DualOTP but my NS doesn't have access to the internet, will the Gateway service use Google Authenticator or will it send an error?

    3) And the last one for the pilot :D; if the client has his NS in a subnet and accesses it from his NAT public IP address, will the OTP work normally as on the intranet, or is it limited to working on the intranet only?

    Thanks very much for any comments you can make.

    1. Granting unlimited access to /manageotp is dangerous because /manageotp only requires single factor authentication.

      Without push, users will need to enter the passcode.

      Are you asking if OTP will work if exposed (NAT) to the Internet? Certainly. If push, then ADC will push to cloud, which pushes to user’s phone. If not push, then user will have to enter passcode that is displayed in the OTP app.

  6. Hi Carl,

    thank you for sharing the config details. In the past I already configured that solution for a customer successfully. Now I'm sitting on a new configuration for a different customer and I get an error when I try to register a device.

    I double/triple checked the configuration today. I'm able to register the device with the OTPedit app using the service account bound to the LDAP action. Once I enrolled the device with the OTPedit tool, I can log on with that user and the bound device.

    The only thing that is not working is the device enrollment via /manageotp after successfully logging in. The message is: Failed to add 'devicename'

    Once I added a device via the OTPedit tool, and I log on to the /manageotp website, I can see that device registered and I can also successfully test it.

    The ADC Build is: NS13.0.52.24.nc

    Do you have any ideas?

    best regards

    1. Never mind, I was too quick :-). I can now add a device, but when I want to add it I get an error: "Failed to add". The time is correct and the NetScaler has internet access.

  7. Hi Carl,

    Great article again, thanks a lot. I've got everything working for our primary domain, but now I also want this to work on the domains we have a forest domain trust to (from the primary domain where StoreFront etc. is running). I already have all the LDAP policies to the different domains. We want to use only one URL for our customers, and don't want to bind every LDAP policy to the server (there is a limitation of 32 LDAP policies; we have around 40).
    I've read something about policy labels and that we need to use UPN and extract the domain to use towards StoreFront. Can you (or maybe one of your followers) point me in the right direction on how to achieve this? I'm a bit stuck on how to extract the domain from the user's UPN. Hope you can help.

  8. Hi Carl,
    thank you for your valuable work!

    I've successfully configured OTP auth but now I need to add a second LDAP domain. How can I accomplish this? I'm already using UPN as the login name.
    Do I need to bind a new nFactor flow to the AAA vserver, or can I add more policies/actions to the existing nFactor flow?

    Thank you for your thoughts.
    Stefano

    1. You should be able to bind multiple LDAP Policies/Servers, one for each domain. ADC will loop through each one until the UPN matches.

    1. Hi Carl,

      Could you please help with the above question? By the way, I am a big fan and your page has been of great help since I found it.

      Regards,
      Olu

      1. Yes, it was a misconfiguration on my side. I had to use the commands to set it up and I was able to reach the manageOTP page to register a device. But I am still having one issue and would appreciate it if @Carl could help out.

        After the complete setup, I was able to reach the manageotp device registration page, but after registering a device it doesn't seem to persist. If I access the URL with the same user I don't see the previously enrolled device. Please help.

        Thanks in advance.

  9. Hi Carl, awesome work! I would never have gotten OTP up and running without your support…
    I wonder what happens to OTP encryption if I have to regularly replace the encryption certificate. May I use a cert from an internal CA with an extended lifetime?
    Regards, Armin

  10. Hi Carl,

    Thank you, everything is working, except one thing. When the userParameters field is empty on a user, they can't log in at url/manageotp; when I manually put something (like the number 1) in the field, it works. They can register their device and this will overwrite the field. I can't figure out if I'm doing something wrong; do you have an idea where to look?

  11. Hi,
    I successfully deployed OTP, however I have 2 comments.
    1. When the push method is selected in LDAP Actions, the OTP device is not being entered into userParameters.
    2. With encryption of the OTP device in userParameters enabled, the first thing is to change the search userParameters string in the LDAP Action. However, after the change it is not possible for the user to remove the OTP device himself. I believe without encryption it was possible.

    Any advice?
    Here are the logs:

    CTXADC [1334]: (0-219) ns_ldap_register_encrypted_otp: Failed to bas64 deocde OTP data, processing it as plain text

    CTXADC [1334]: (0-219) unsigned int aaad_base64decode(char*, unsigned int, char*, unsigned int): Base64 Decode: Failed to decode string…

    CTXADC [1334]: (0-219) receive_ldap_user_search_event: noauth, preparing to update otp in attribute for , devicelen 10, devicename __u31_234, devicetag len 0, devivetag ^C

    CTXADC [1334]: (0-219) aaad_json_read_otp_attribute_value: Failed to bas64 deocde OTP data, processing it as plain text

    CTXADC [1334]: (0-219) unsigned int aaad_base64decode(char*, unsigned int, char*, unsigned int): Base64 Decode: Failed to decode string…

    1. Hi,

      After the latest 13.0 47.24 firmware update, my OTP encryption stopped working. Did anybody notice the same? I constantly get "Failed to add device". When disabling encryption of the OTP device, it works correctly.

  12. Hi Carl,

    Thanks for a great article. Could you confirm two things:

    1. Push notification is only available with the Citrix SSO app?

    2. Before implementing the native OTP solution, the workspace app would ask for the username and password. The last username that logged in was remembered. Like the image on this page: https://discussions.citrix.com/topic/390720-citrix-4x-constantly-prompting-to-login

    Now with OTP configured, it pops up the gateway GUI like the image in the overview under Workspace app 1809. Is that by design or can it be changed? The users like that they don’t have to type their username every time.

    Regards,

    Blair

    1. 1. That’s correct.

      2. nFactor behaves differently than non-nFactor in that nFactor requires displaying a Web View. Another option is to use a browser to login, and many browsers have password managers.

  13. Great post, got native OTP working on a NetScaler Enterprise. My only problem is iOS devices with the Workspace app; these are unable to log in after enabling OTP on the portal.

  14. Hi Carl,

    Thank you. For a single domain it works great, but I am struggling to implement it on a single Citrix Gateway server with multiple domains and OTP using nFactor, as the users want to use domain\username. Any recommendations? I tried the domain dropdown as a first factor, but I have issues with the expressions and with OTP as a second factor between the different domains.

    1. Hi Carl,

      Thanks very much for the great post. I have a similar issue deploying native OTP with multiple domains. Is it as simple as adding one more server & policy per domain?

  15. Hi,

    Thanks for this! Push notifications are all working well. However with the pushService enabled on the OTPRegisterDevice LDAP action, we can only register Citrix SSO apps as devices. We add it, refresh the page, and the device is there, with the LDAP attribute updated.

    If we attempt to use another app (e.g. Google or Microsoft Authenticator), or just click Go/continue, the LDAP attribute isn’t updated, and the device isn’t added.

    Changing the pushService on OTPRegisterDevice to blank allows us to add other apps and log in with the OTP code manually, even using the SSO app via manual code. However now the push notifications don’t work.

    Is this an expected limitation, or is there a workaround to this, to allow both Citrix SSO app push notifications, and adding non-Citrix-SSO-apps?

  16. Hi Carl
    If we are using SSO on Citrix ADC, what license do we need to buy?
    Is it possible with Standard Edition?

    Thank you carl.

    1. All AAA vServer features, including nFactor, require Advanced Edition (aka Enterprise Edition).

      Citrix Gateway can SSON to StoreFront without needing AAA license.

  17. Feedback on version 13. Cool, but unfortunately not much use for me.

    I was so hopeful to see "Push Notification" but…
    We have Enterprise Edition and it has Native OTP, but Push OTP is available only for Platinum Edition.
    It is difficult for us to go through the approval process for a license upgrade just for that. Now I will have to roll out OTP without push notification. It will seem like a half-baked feature to our end users, since everyone expects Push OTP these days.

    I have designed and implemented (for now in the lab) ManageOTP and self-service password reset with OTP.
    Originally the user enrolls into OTP with a single factor (if no device is registered), but later (when a device is registered) the user will need OTP to access it. If the device is lost, our support desk will clear the attribute field and let the user log in with a single password to enroll a new device. It all works fine.

    Also, I was so happy to see the nFlow visualization, until I checked it out.
    It took a quite complicated nFlow to make my design work. I was hoping that the new nFlow visualization would be able to pick it up.
    But no. I had to redo everything using the nFlow visualization. Why? In the end it should be the same commands. Why can it not just create flows based on already created policies? I spent a few weeks building and testing it; now I have to redo it to be able to visualize it?

    In short, the two greatest features in release 13, and I cannot use them …

  18. Carl, on this statement “Manageotp is difficult to secure – The manageotp website is usually only protected by single factor authentication so external access must be blocked.” – Gateway can be configured to ask for 2 factors when manageotp is accessed externally.

    We are updating mainline docs as well to mention this explicitly. Essentially, otp management is presented through nFactor. That means, it could be made as stringent as required.

    1. What alternative multi-factor would you recommend for protection of manageotp? I wonder if email factor would work.

  19. Thank you for the testing. Are you using the Windows plugin or Mac Citrix SSO to do the test?

    One more question: when I make a change to the login schema, it only affects web browser login, but does not affect the plugin login display, right?

  20. Amazing quick post!

    Actually I have tested these new features in Gateway 13, including push notification, registered device limit and nFactor visualizer; almost everything is working well. But I also got some problems:

    1. After I downloaded the latest Windows Gateway plugin and connected to my gateway, there is a script error shown "jQuery is undefined" on the plugin. (https://discussions.citrix.com/topic/403232-windows-gateway-plug-in-error-jquery-is-undefined/)

    2. The Gateway 13 release notes also mention that the new Windows plugin supports hostname/FQDN DNS split tunnel. Since my Windows plugin doesn't work properly, I am not sure whether this is the same feature that Citrix SSO (Mac) supports. (There is an input box for "domains" on Citrix SSO (Mac) when you add a new gateway connection to the plugin.)

    3. The push notification only functions when you are using a web browser; I wish it could also support the plugin…..
