Email OTP authentication
Email OTP is introduced with Citrix ADC 12.1 build 51.x. The Email OTP method enables you to authenticate using the one-time password (OTP) that is sent to the registered email address. When you try to authenticate on any service, the server sends an OTP to the registered email address of the user.
To use the Email OTP feature, you must first register an alternate email ID. Registration of an alternate email ID is needed so that the OTP can be sent to that address, because you would not be able to access the primary email ID during an account lockout or if you forget the AD password.
You can use Email OTP validation without email ID registration if the alternate email ID is already stored in an AD attribute. In that case, refer to that attribute in the email action instead of specifying the alternate email ID in the email address section.
Prerequisites
Before you configure the Email OTP feature, review the following prerequisites:
- Citrix ADC feature release 12.1 build 51.28 and above
- Email OTP feature is available in nFactor authentication flow only
- For more details, refer to https://support.citrix.com/pages/citrix-adc-authentication-how
- Supported for AAA-TM, Citrix Gateway (Browser, Native plug-in, and Receiver).
Active directory setting
- Supported Active Directory domain functional levels are 2016, 2012, and 2008
- Citrix ADC ldapBind user name must have write access to the user’s AD path
Email server
For the Email OTP solution to work, ensure that login-based authentication is enabled on the SMTP server. Citrix ADC supports only AUTH LOGIN based authentication for Email OTP.
To verify that AUTH LOGIN based authentication is enabled, type the following command on the SMTP server. If login-based authentication is enabled, the text AUTH LOGIN appears in bold in the output.
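The check above is done on the SMTP server itself. The following script is an added example (not from the Citrix documentation) that performs the equivalent check from the client side, the way the ADC will see it: it parses the EHLO response and reports whether the LOGIN mechanism is advertised. The sample EHLO responses are constructed, and the host name passed to `check_live_server` is a placeholder. Because AUTH LOGIN sends the mailbox credentials base64-encoded rather than encrypted, the live check performs STARTTLS first and reads the mechanisms advertised inside the TLS session, which is the only place the ADC should be using them.

```python
"""Check whether an SMTP server advertises AUTH LOGIN, the mechanism Citrix ADC Email OTP requires."""
import smtplib
import ssl

# Constructed EHLO responses in the shape smtplib.SMTP.ehlo() returns: (code, message bytes).
SAMPLE_EHLO_WITH_LOGIN = (
    250,
    b"mail.example.test\nPIPELINING\nSIZE 35882577\nSTARTTLS\nAUTH PLAIN LOGIN XOAUTH2\n8BITMIME",
)
SAMPLE_EHLO_WITHOUT_LOGIN = (
    250,
    b"mail.example.test\nPIPELINING\nSTARTTLS\nAUTH PLAIN XOAUTH2\n8BITMIME",
)


def auth_mechanisms(ehlo_response):
    """Return the set of SASL mechanisms advertised in an EHLO response (upper-cased)."""
    code, message = ehlo_response
    if code != 250:
        # A non-250 reply means EHLO was rejected; nothing is advertised.
        return set()
    mechs = set()
    for line in message.decode("ascii", "replace").splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        keyword = parts[0].upper()
        if keyword == "AUTH":
            # Standard form: "AUTH PLAIN LOGIN XOAUTH2"
            mechs.update(p.upper() for p in parts[1:])
        elif keyword.startswith("AUTH="):
            # Legacy form some servers still emit: "AUTH=LOGIN PLAIN"
            mechs.update(p.upper() for p in [keyword[5:], *parts[1:]])
    return mechs


def supports_auth_login(ehlo_response):
    """True if the server advertises the LOGIN mechanism the ADC email action depends on."""
    return "LOGIN" in auth_mechanisms(ehlo_response)


def check_live_server(host, port=587, timeout=10):
    """Connect to a real server (placeholder host), upgrade to TLS, and re-check EHLO inside TLS.

    Many servers only advertise AUTH after STARTTLS, so the pre-TLS EHLO is not authoritative.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
        response = smtp.ehlo()  # second EHLO, now inside the TLS session
    return supports_auth_login(response)


if __name__ == "__main__":
    print("sample with LOGIN:   ", supports_auth_login(SAMPLE_EHLO_WITH_LOGIN))
    print("sample without LOGIN:", supports_auth_login(SAMPLE_EHLO_WITHOUT_LOGIN))
    # check_live_server("mail.example.test")  # placeholder host; run against your own SMTP relay
```

If `supports_auth_login` is false for your relay, the ADC email action will fail even though credentials are correct; enable the LOGIN mechanism on the server (and keep it restricted to TLS sessions) before configuring the email action.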
Limitations
- This feature is supported only if the authentication back-end is LDAP.
- An already registered alternate email ID cannot be viewed.
- Only the alternate email ID from the KBA Registration page cannot be updated.
- Email OTP authentication cannot be the first factor in the authentication flow. This is by design to achieve a robust authentication.
- If both Alternate email ID and KBA are configured using the same authentication action, the attribute must be the same for both.
- For the native plug-in and Receiver, registration is supported only through a browser.
Active Directory configuration
Email OTP uses the Active Directory attribute as user data storage.
After you register the alternate email ID, the email ID is sent to the Citrix ADC appliance and the appliance stores it in the configured KB attribute in the AD user object.
The alternate email ID is encrypted and stored in the configured AD attribute.
When configuring an AD attribute, consider the following:
- Attribute name length supported must be at least 128 characters.
- Attribute type must be ‘DirectoryString’.
- Same AD attribute can be used for Native OTP and Email OTP registration data.
- LDAP administrator must have write access to the selected AD attribute.
Using existing attributes
The attribute used in this example is UserParameters. As this is an existing attribute of the AD user object, you do not need to make any changes to the AD schema itself. However, you must make sure that the attribute is not already in use.
To confirm that the attribute is not in use, open ADSI Edit, select the user, right-click the user, and scroll down to the attribute list. The value of UserParameters must show as not set, which indicates that the attribute is not being used at the moment.
Configure Email OTP
Email OTP solution consists of the following two parts:
- Email registration
- Email validation
Email ID registration
Do the following configuration by using the CLI after the KBA registration schema is created successfully:
Bind the portal theme and the certificate to VPN global.
bind authentication vserver authvs -portaltheme RfWebUI
bind vpn global -userDataEncryptionKey c1