Native One Time Passwords (OTP) – NetScaler Gateway 12 / Citrix Gateway 12.1

Last Modified: Feb 28, 2019 @ 1:09 pm

Navigation

Change Log

Overview

NetScaler 12 Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses Google Authenticator to generate Passcodes. See the following for an overview:

Here are some notes:

  • NetScaler Native OTP is part of nFactor, and thus requires Citrix ADC Advanced Edition (aka NetScaler Enterprise Edition) or Citrix ADC Premium Edition (aka NetScaler Platinum Edition) licensing. NetScaler ADC Standard Edition licensing is not sufficient.
  • Workspace app 1809 and newer with Citrix Gateway (NetScaler) 12.1 build 49 and newer support nFactor authentication. Older Receivers and older NetScalers don’t support it, so you’ll instead have to use a web browser.  💡
  • Citrix Gateway VPN Plug-in 12.1 build 49 and later support nFactor when authenticating using the VPN Plug-in.  💡
  • nFactor requires a AAA vServer, which can be non-addressable – you don’t need any additional public IPs.
  • OTP stores device enrollment secrets in an Active Directory attribute that accepts Strings. Citrix’s documentation uses the userParameters Active Directory attribute.
    • The LDAP bind account must have permission to modify this attribute on every user.
  • Users can enroll multiple devices. There’s no way to prevent this.
  • The manageotp website is usually only protected by single factor authentication. Since users can add multiple devices, the manageotp website must be protected from external access.
  • Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).

Here are the OTP configuration objects:

  • Make sure NTP is configured on the NetScaler. Accurate time is required.
  • An LDAP Policy/Server with authentication disabled and OTP Secret configured. This one OTP-specific LDAP Policy/Server can be used for two scenarios:
    • manageotp device enrollment
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled. This LDAP Policy/Server verifies the entered passcode.
  • An LDAP Policy/Server with authentication enabled. This one policy is used for two scenarios:
    • Single-factor authentication to the manageotp authenticator/device enrollment website.
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled.
  • A single non-addressable AAA vServer with two Login Schemas for the following scenarios:
    • A single-factor Login Schema for manageotp.
    • A dual-factor Login Schema for NetScaler Gateway authentication.
  • An Authentication Profile to link the AAA vServer to the NetScaler Gateway vServer.

LDAP Policies/Actions

  1. Go to Security > AAA – Application Traffic > Polices > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.

    1. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. This LDAP Policy/Server will be used for single-factor authentication to the manageotp website, and for first factor of dual-factor authentication to NetScaler Gateway (second factor is OTP). There are no special instructions for this LDAP Server.
  3. Create another LDAP Action.

    1. This one is used by the manageotp site to set the OTP authenticator in Active Directory, so name it accordingly.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work. Then click Test LDAP Reachability.
    5. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where NetScaler will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
    7. Thomas Rolfs in the comments advises not to enable Nested Group Extraction in this LDAP Action.
    8. Click Create when done.
  4. Create another LDAP Action.
    1. This one will verify the OTP code entered by the user, so name it accordingly. The only difference from the prior one is the addition of an LDAP Search Filter.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Search Filter field, enter the text userParameters>=#@. This syntax ensures that only users with enrolled authenticators can login. See George Spiers NetScaler native OTP for more info.
    7. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
    8. Click Create when done.
  5. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy.
  6. On the right, click Add.

    1. You probably don’t already have an Advanced Authentication Policy for your normal LDAP server.
    2. Change the Action Type to LDAP.
    3. Select your normal LDAP server, which is the one that has Authentication enabled.
    4. Enter true as the expression. This uses Default Syntax instead of Classic Syntax.
    5. Click Create.
  7. Create another Authentication Policy.

    1. This policy is for OTP management so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the Set OTP LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should not have the Search Filter configured.
    4. Enter HTTP.REQ.COOKIE.VALUE(“NSC_TASS”).EQ(“manageotp”) in the Expression box, and click Create.
  8. Create another Authentication Policy.

    1. This policy is for OTP verification so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the OTP Verification LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should have the Search Filter configured to prevent unenrolled users from authenticating.
    4. Enter true in the Expression box, and click Create.

Login Schemas

  1. Go to Security > AAA – Application Traffic > Login Schema.
  2. On the right, switch to the Profiles tab, and click Add.

    1. This is the single factor Login Schema for manageotp so name the Schema accordingly.
    2. Click the Edit icon.
    3. On the left, click the LoginSchema folder to open it.
    4. Scroll down, and click SingleAuthManageOTP.xml to highlight it.
    5. On the top right, click Select.
    6. Click Create.
  3. Add another Login Schema profile.

    1. This Login Schema is for two-factor authentication to NetScaler Gateway so name it accordingly.
    2. Click the edit icon. Follow the same procedure as above, but this time select /LoginSchema/DualAuth.xml.
    3. Click More to reveal more options.
    4. Scroll down. In the Password Credential Index field, enter 1. This causes nFactor to save the user’s password into AAA Attribute #1, which we’ll use later in a Traffic Policy to Single Sign-on to StoreFront. If you don’t do this, then NetScaler Gateway will try to use the Passcode to authenticate to StoreFront, which obviously won’t work.
    5. Check the box next to Enable Single Sign On Credentials. Mark in the comments indicates that this checkbox is needed to Single Sign On to RDP Hosts.
    6. Click Create.
  4. On the right, switch to the Policies tab.
  5. Click Add to add a Login Schema policy.
    1. In the Profile field, select the Single Factor Manage OTP Login Schema Profile.
    2. Name the Login Schema Policy for OTP management.
    3. In the Rule field, enter the following. This ensures that this single factor Login Schema is only used if the user enters /manageotp, and if the user is on the internal network. You don’t want manageotp to be accessible externally, because it’s only protected by single factor authentication, and it’s too easy to add multiple devices.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
    4. Click Create.
  6. Create another Login Schema Policy.

    1. In the Profile field, select the dual factor Login Schema.
    2. Name the Login Schema to indicate dual factor authentication.
    3. In the Rule box, enter true.
    4. Click Create.

Authentication PolicyLabel

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel.
  2. On the right, click Add.
  3. This PolicyLabel is for OTP management, and OTP verification, so name it accordingly.
  4. In the Login Schema field, select LSCHEMA_INT, which means noschema.
  5. Click Continue.
  6. In the Policy Binding section, Click to select.
  7. Click the radio button button next to the Manage OTP LDAP Policy that has authentication disabled, and OTP Secret configured. This one should have a policy expression that limits it to manageotp only. Click Select.
  8. Click Bind.
  9. Click Add Binding to add another one.
  10. Click to select.
  11. Click the radio button next to the LDAP Policy that verifies OTP. Click Select.
  12. Click Bind.
  13. Make sure the manageotp policy is higher in the list than the OTP Verification policy. To adjust priorities, right-click on the policies, and click Edit Binding. Click Done.

AAA vServer

  1. Go to Security > AAA – Application Traffic.
    1. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  2. Go to Security > AAA – Application Traffic > Virtual Servers.
  3. On the right, click Add.
  4. This AAA vServer is for OTP so name it accordingly.
  5. Change the IP Address Type to Non Addressable.
  6. Click OK.
  7. Click where it says No Server Certificate.

    1. In the Server Certificate Binding section, click Click to select.
    2. Click the radio button next to a certificate, and click Select. You can use the same certificate as NetScaler Gateway.
    3. Click Bind.
  8. Click Continue to close the Certificate section.
  9. In the Advanced Authentication Policies section, click where it says No Authentication Policy.

    1. Click where it says Click to select.
    2. Click the radio button next to the normal LDAP Policy that has authentication enabled. Then click the blue Select button.
    3. In the Select Next Factor field, click where it says Click to select.
    4. Click the radio button next to the OTP PolicyLabel, and click Select.
    5. Click Bind.
  10. In the Advanced Authentication Policies section, click Continue.
  11. On the right, in the Advanced Settings column, click Login Schemas.
  12. On the left, scroll down, and click where it says No Login Schema.

    1. Click where it says Click to select.
    2. Click the radio button next to the Manage OTP Login Schema, and click Select.
    3. Click Bind.
  13. Click where it says 1 Login Schema.

    1. Click Add Binding.
    2. Click where it says Click to select.
    3. Click the radio button next to the dual factor Login Schema, and click Select.
    4. Click Bind.
    5. Make sure the single factor Manage OTP Login Schema is higher in the list (lower priority number) than the dual factor Login Schema. Click Close.
  14. On the right, in the Advanced Settings column, click Portal Themes.
  15. On the left, scroll down, select RfWebUI as the Portal Theme, and click OK.
  16. Click Done.

Traffic Policy for Single Sign-on

  1. On the left, go to NetScaler Gateway > Policies > Traffic.
  2. On the right, switch to the Traffic Profiles tab, and click Add.
  3. This Traffic Profile is for OTP and/or nFactor. Name it accordingly.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following. This is where we use the Login Schema Password Attribute specified earlier.
    http.REQ.USER.ATTRIBUTE(1)
  6. Click Create.
  7. On the right, switch to the Traffic Policies tab, and click Add.
  8. In the Request Profile field, select the Traffic Profile you just created.
  9. Name the Traffic Policy.
  10. In the Expression box, enter true (Default Syntax).
    • If your NetScaler Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.
      http.req.method.eq(post)||http.req.method.eq(get) && false
  11. Click Create.

NetScaler Gateway and Authentication Profile

  1. Go to NetScaler Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don’t have one, see the other NetScaler Gateway topics on this site.
  3. Scroll down to the Policies section, and click the plus icon.
  4. Change the Choose Policy drop-down to Traffic, and click Continue.
  5. Click to select.
  6. Click the radio button next to the Traffic Policy you created earlier, and click Select.
  7. Click Bind.
  8. On the right, in the Advanced Settings column, click Authentication Profile.
  9. On the left, scroll down to the Authentication Profile section.
  10. Click Add to create one.
  11. Authentication Profile links the NetScaler Gateway vServer with the OTP AAA vServer, so name it accordingly.
  12. In the Authentication Virtual Server section, Click to select.
  13. Click the radio button next to the OTP AAA vServer, and click Select.
  14. Click Create.
  15. Scroll down again to the Authentication Profile section, and click OK.
  16. The Portal Theme bound to the Gateway vServer should be RfWebUI, or a derivative.
  17. Go to System > Profiles.
  18. On the right, switch to the SSL Profile tab.
  19. Edit the ns_default_ssl_profile_frontend profile.
  20. Make sure HSTS is not enabled in the profile, or RfWebUI, and manageotp won’t work correctly. This is probably a bug. Note: the Rewrite method of enabling HSTS should work.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the NetScaler GUI, navigate to ConfigurationTraffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Simply add /manageotp to the end of your Gateway URL.
  2. Notice it’s only single-factor authentication. Login using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. Launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QRCode that is shown on the screen.
  6. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  7. Click Test.
  8. Enter the passcode shown in your Authenticator, and click Go.
  9. If you logoff of manageotp, and access your Gateway URL normally, you’ll be prompted for two-factor authentication. Use the passcodes shown in your Google Authenticator application.
  10. It should Single Sign-on into StoreFront.

CLI Commands

Here’s a complete CLI configuration.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
add authentication ldapAction LDAP_OTP_set_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication ldapAction LDAP_OTP_verify_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication Policy Corp-Adv -rule true -action LDAP-Corp
add authentication Policy LDAP_Manage_OTP-pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_set_no_auth
add authentication Policy LDAP_Confirm_OTP-pol -rule true -action LDAP_OTP_verify_no_auth

add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.3.0.0/16)" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_Manage_OTP-pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_Confirm_OTP-pol -priority 110 -gotoPriorityExpression NEXT 

add authentication vserver OTP-AAA SSL 0.0.0.0
bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom

bind authentication vserver OTP-AAA -portaltheme RfWebUI
bind authentication vserver OTP-AAA -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Corp-Adv -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

add vpn trafficAction OTP-trafficprofile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile

add authentication authnProfile OTP-authnprofile -authnVsName OTP-AAA

add vpn vserver Gateway.corp.com SSL 10.2.5.220 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
set ssl vserver Gateway.corp.com -sslProfile ns_default_ssl_profile_frontend
add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront2.corp.com/Citrix/StoreWeb" -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://storefront2.corp.com"
add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver Gateway.corp.com -portaltheme RfWebUI
bind vpn vserver Gateway.corp.com -policy "Receiver For Web" -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver Gateway.corp.com -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver Gateway.corp.com -certkeyName WildcardCorpCom

310 thoughts on “Native One Time Passwords (OTP) – NetScaler Gateway 12 / Citrix Gateway 12.1”

  1. We have Citrix native OTP as a MFA configure for our customer with all infra i.e. ADC, VDI, StoreFront and all component in domain1.

    Customer is establishing transitive trust relationship with domain2.

    Now, does user from domain2 will be able to authenticate to gateway using Native OTP which is configured for domain1?(by assuming the service account will have all the required access in domain2 as well to read and write userparameter inside AD.)

  2. Hi Carl,

    Thank you for another nice guide.
    I configured as above, but at the first try to register a device using /manageotp page, after correct authentication by LDAP, the page shows:
    “Session absent to manage otp for user, probably misconfiguration. Please contact your adminsitrator.” (with that typo, in NS 13.0 92.12nc).
    At ns.log appears:
    …default SSLVPN Message 6150 0 : “OTP registration/management is invoked when there is no session or valid otp action”
    The aaad.debug do not shows errors.
    What can be the error?
    Tks,
    Denis

  3. hi Carl,

    Thanks for the blog i have configured the OTP setup on our environment. but when we try to access the manageotp page to register the device it asks user name and password after put the user name password get an error ” try after some time or contact your helpdesk”

    Please help

  4. Thanks Carl
    Please, in a Netscaler native OTP scenario, in the registration part (after the user has entered their Active Directory credentials), is it possible for the user to register or receive the QR code in their email? or some other method by initial mail to register?

    Thanks you

    1. There might be a way to hack it. Somebody might have already posted instructions on how to do it. But I usually don’t recommend Native OTP because of the difficulty in locking down the manageotp site.

    2. Helo guys,

      What we did on a client:
      We created a group in AD with users who could access /manageotp. And inside the AAA VIP, we created a policy that validated if the user was part of this group, he could access /manageotp. If you weren’t part of the group, you would block access to the page. That worked fine.
      You have to create this policy inside the OTP-AAA along with the plicy of Corp-Adv and OTP_pollabel (following the Blog document).

      try to do this in homologation, in our client we adjusted and it is working.

  5. Hello Karl

    Thanks for a great article as always, everything seems to have worked.
    Now I try it the other way around, so first factor OTP then LDAP , so that the LDAP factor can not be blocked by repeated failed attempts.
    so I did the following:
    1.authpol: LDAP no auth
    2.polllabel: OTP verify
    3, polllabel: LDAP auth

    but unfortunately it did not work, I get the error message “Failure_reason “External authentication server denied access” on level polllabel: LDAP auth

    Any idea what the reason is ? Looking forward for your comments. Thanks.

  6. Dear Carl, thanks for the great walkthrough – always a fan of your work. One question. I´ve built up above setup and everything is working well with Citrix SSO App… but the customer states that registering other devices or authenticator apps do not work. It is not writing the userParameters property to the ad-object… I assume I have to add another OTP-Registration Profile … but how… ? Any help would be highly appreciated… Bets regards!

    1. Martin, saw this same issue in testing and found that once you enable the Push Service the /manageotp page only allows a single device. Disabling the Push Service allows the user to add multiple devices up to the set limits. Makes sense since there isn’t a builtin mechanism to define which device should be used for push while the others can be used for OTP. If multiple devices existed, which one would it push too? Not sure there is a way around this.

  7. Hi Carl,

    Hi Carl, Thanks a lot for this article.

    I have ADC in Primary Site using native OTP configuration. For DR ADC how can we sync same OTP configuration. my requirement is for both Primary and DR site user should have same OTP. Is there any posiblity to achive this?

  8. Hi Carl, thanks for the great article but have a problem using SSO to RDP back-end with native OTP. Have created a gateway with an authentication profile doing LDAPS first and then native OTP. Traffic policy and loginschema attribute(1) are set. When launching the RDP bookmark it prefills the username but does not SSO and have to type in the LDAP password to connect. Any advice?

  9. Hi Carl, Can we use any alternative for SSO Traffic policy, we are using 12.1 just as AAA authentication virtual server in citrix cloud
    we have two domain and want to have separate MFA solutions.

  10. Failed to add device it says. The Native OTP was working earlier, no change was implemented recently. What could be the problem? Any tips for troubleshooting?Cheers

    1. Hi Mark,
      did you solve this problem? I just implemented native OTP as a PoC and run into the same problem.

  11. Hi everyone, just a security concern. We have configured OTP and everything works like a charm. However, if an LDAP account is compromised, someone can easily connect to the OTP page (single authentication), change device and then, access all applications. Is there a way to secure this ? Is it wise to let OTP accessible from Internet ? Thank you for your suggestion.

    1. the way i have got around this is created a security group members have to be in to get to the otp page externally. we are then only letting people have timed access to register there devices then access is taken away. if they change devices policies will be in place to contact for access to be given again.

  12. Does anyone know if it is possible (some Responder maybe), inhibit the option to delete the device for users? I have already limited the number of devices for users (to just 1), but I would like to not let ordinary users delete and add another device instead.
    This function should only be enabled for the NetScaler administrator.
    It’s possible ?

  13. Hi,

    I have citrix gateway 12 vpx
    For some reason he writes me this message
    The server met an error. Please try again or contact your administrator
    Once I change the setting in the Clientless Access session profile from OFF to ON I can connect
    What could be the reason?

  14. I have google auth working and I can login.
    My problem is I can ping everything that I want on my internal network, but it seems like UPD/TCP traffic is not allowed.
    Also maybe this is because my DNS and Default gateway is wrong. Is there any way to pull from a DHCP server? I can’t figure out a place to configure a default gateway on the netscaler.

  15. I wants to deploy this where 4 domains including child domains configured on ADC and 4 seperate LDAP configured..

    My concern- do I need to add 2 ldap actions and other policies per LDAP server, which means 4×2=8 ldap actions/policies to enable this Native otp feature?

      1. Thanks for the response Carl. Any specific requirement to configure Native OTP on Multi-Domain environment?

  16. Hello Carl, I am working in an environment where no machine has internet access neither LDAP server nor the Citrix ADC when I am trying to add a device in manage OTP page, I am getting error saying “failed to add ”

    Can you help me fixing this please

    Environment background:
    -ADC Version 12.1 55.18nc
    -ADC and LDAP is in same network
    -ADC LDAP does not have internet access
    -Client PC and mobile has internet access

    1. Check /var/log/ns.log for errors. You can do a “tail -f /var/log/ns.log” while trying to register a device.

      1. Just to add more info, it happen the same to my env. because i didn’t use a user with proper permission for LDAP binding, user must have write acces to userParameters atribute

  17. Hi Carl,

    Thank you so much on this.
    I follow exactly what you did here but upon logging initially to enroll my device I cannot able to login and the error says

    “KB questions and answers not registered”.

    Hope you can help me on this one. 🙂 thanks!

  18. Hello people,

    I was thinking …………. is it possible to enable OTP only for external accesses? (internal users would not need to use OTP).
    What should I do in this case?

  19. Hello

    I have configured Citrix Native OTP the following all works

    can register a device

    can get pass the logon with your username and OTP, but when it goes to redirect you to the store front I get cannot complete request. I have gone through everything.

    if I take the otp setting off and use single factor works fine and can get to the store front.

    I have noticed on the store front server when the issue happening getting this error.

    CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed. and it shows the user testing password as the username. very odd behaviour.

    CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

    The credentials supplied were;

    user: Passwordxxxxxxxxxx

    domain: mydomain.local

    event ID 7

    ADC Formware version NS13.061.48nc

    any pointers?

    Thanks

    1. I’m guessing there’s something wrong with the Traffic Policy or the Login Schema and puts the password in the AAA Attribute number.

      1. in the traffic profile sso urser expression is set to AAA.USER.ATTRIBUTE(1) then in the traffic policy it links to the profile and expression is true.

  20. Hello Everyone!

    How to configure on LDAP server that is balancing (I have a VIP on NetScaler doing Balance to 2 LDAP Server) ?
    I did the configuration based on IP of VIP (with two LDAP Server), but when enable the OTP on my Gateway VIP, the portal stoped (cannot complete your request).

    1. Did you configure the Traffic Policy?

      What error are you seeing in StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services?

      1. In fact, it gives the error before the Citrix Gateway Portal login appears.
        I did a test removing the customized portal and the Login page appeared, but without OTP. And I couldn’t log in (User and password incorrect). Without OTP it works.

          1. I redid the configuration on top of the RfWebUI theme, I customized it on VIP and OTP.AAA (TrafficPolicy) and it worked.

            Thank you! Your blog and explanations are great, congratulations!

Leave a Reply

Your email address will not be published. Required fields are marked *