Email OTP

Email OTP was introduced in Citrix ADC 12.1 build 51.x. The Email OTP method lets you authenticate with a one-time password (OTP) sent to a registered email address. When you try to authenticate to any service, the server sends an OTP to the registered email address of the user.

To use the Email OTP feature, you must first register an alternate email ID. The alternate email ID is needed so that the OTP can be sent there, because you cannot access the primary email ID when the account is locked out or when you have forgotten the AD password.

You can use Email OTP validation without email ID registration if the alternate email ID is already stored in an AD attribute. In that case, refer to that attribute in the email action instead of specifying the alternate email ID in the email address section.

Prerequisites

Before you configure the Email OTP feature, review the following prerequisites:

Active directory setting

  • Supported Active Directory domain functional levels are 2016, 2012 and 2008
  • Citrix ADC ldapBind user name must have write access to the user’s AD path

Email Server

  • For the Email OTP solution to work, ensure that login-based authentication is enabled on the SMTP server. Citrix ADC supports only AUTH LOGIN authentication for Email OTP.

  • To confirm that login-based authentication is enabled, type the following command on the SMTP server. If it is enabled, the text AUTH LOGIN appears (shown in bold) in the output.

(Image: Enable login based auth on SMTP server)
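The check described above, automated: an added example (not from the Citrix documentation) that parses an SMTP EHLO reply and reports whether the server advertises the LOGIN mechanism under AUTH, which is what Citrix ADC needs. The sample EHLO replies are constructed; `check_server` performs a live EHLO (re-sent after STARTTLS, since many servers advertise AUTH only on the encrypted session) and is the only part that touches the network. Host names and ports are assumptions.

```python
"""Check whether an SMTP server advertises AUTH LOGIN in its EHLO reply.

Added example for the Citrix ADC Email OTP prerequisite; not Citrix code.
"""
import smtplib
import sys


def parse_ehlo(ehlo_text: str) -> dict:
    """Parse an EHLO reply body into {EXTENSION: parameters}.

    `ehlo_text` is the decoded reply as smtplib.SMTP.ehlo() returns it:
    one extension per line, reply codes already stripped, first line
    being the server greeting.
    """
    features = {}
    for line in ehlo_text.splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def auth_mechanisms(features: dict) -> set:
    """Return the SASL mechanisms advertised under AUTH, upper-cased.

    Handles both the standard 'AUTH LOGIN PLAIN' form and the legacy
    'AUTH=LOGIN PLAIN' spelling some servers still emit.
    """
    mechs = set()
    for key, params in features.items():
        if key == "AUTH":
            mechs.update(m.upper() for m in params.split())
        elif key.startswith("AUTH="):
            mechs.add(key[len("AUTH="):].upper())
            mechs.update(m.upper() for m in params.split())
    return mechs


def supports_auth_login(ehlo_text: str) -> bool:
    """True if LOGIN is among the advertised AUTH mechanisms."""
    return "LOGIN" in auth_mechanisms(parse_ehlo(ehlo_text))


def check_server(host: str, port: int = 587, use_starttls: bool = True) -> bool:
    """Live check against a real server (network call; not run by the test).

    EHLO is sent again after STARTTLS because servers commonly advertise
    AUTH only once the session is encrypted.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _code, msg = smtp.ehlo()
        if use_starttls and smtp.has_extn("starttls"):
            smtp.starttls()
            _code, msg = smtp.ehlo()
        return supports_auth_login(msg.decode("utf-8", "replace"))


# Constructed sample replies (not captured from a real server).
SAMPLE_EHLO_WITH_LOGIN = """mail.example.test Hello [198.51.100.10]
SIZE 37748736
PIPELINING
STARTTLS
AUTH LOGIN PLAIN
8BITMIME
"""

SAMPLE_EHLO_NO_LOGIN = """mail.example.test Hello [198.51.100.10]
SIZE 37748736
STARTTLS
AUTH PLAIN XOAUTH2
8BITMIME
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_smtp_auth_login.py mail.example.test [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        print("AUTH LOGIN advertised:", check_server(sys.argv[1], port))
    else:
        print("sample with LOGIN:", supports_auth_login(SAMPLE_EHLO_WITH_LOGIN))
        print("sample without LOGIN:", supports_auth_login(SAMPLE_EHLO_NO_LOGIN))
```

If the live check reports that LOGIN is absent but the server is known to support it, run it once with `use_starttls=False` to see whether the mechanism is being offered only on the plaintext session; Citrix ADC needs it on the session it actually uses.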

Limitations

  • This feature is supported only if the authentication back end is LDAP.
  • An already registered alternate email ID cannot be viewed.
  • Only the alternate email ID from the KBA Registration page cannot be updated.
  • KBA and Email OTP authentication and registration cannot be the first factors in the authentication flow. This is by design, to achieve robust authentication.
  • The same AD attribute must be configured for KBA and the alternate email ID if the same LDAP authentication action is used.
  • For the native plug-in and Receiver, registration is supported only through a browser.

Active Directory Configuration

  • Email OTP uses an Active Directory attribute as user data storage.

  • After you register the alternate email ID, it is sent to the Citrix ADC appliance, which stores it in the configured KB attribute of the AD user object.

  • The alternate email ID is encrypted before it is stored in the configured AD attribute.

When configuring an AD attribute, consider the following:

  • The attribute must support a value length of at least 128 characters.
  • The attribute type must be ‘DirectoryString’.
  • The same AD attribute can be used for Native OTP and KBA registration data.
  • The LDAP administrator must have write access to the selected AD attribute.

Using existing attributes

The attribute used in this example is ‘UserParameters’. Because it is an existing attribute of the AD user object, you do not need to change the AD schema. However, you must make sure that the attribute is not already in use.

To confirm that the attribute is not in use, open ADSI, select the user, right-click the user, and scroll down the attribute list. The value of UserParameters must show as not set, which indicates that the attribute is not currently in use.

(Image: AD attribute settings)
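The attribute requirements listed above (DirectoryString type, at least 128 characters, not already in use on the user) can be checked programmatically instead of by eye in ADSI. The following is an added example, not Citrix code: the pure functions apply the page's rules to schema and user values, and `fetch_and_check` shows how those values would be read live with the third-party `ldap3` library (an assumption; it is imported only inside that function). The AD schema encodes DirectoryString as attributeSyntax 2.5.5.12; the sample schema dictionaries below are constructed, not read from a real domain.

```python
"""Validate an AD attribute as Email OTP / KBA storage for Citrix ADC.

Added example; not part of the Citrix documentation.
"""

# Active Directory schema: DirectoryString (Unicode string) is attributeSyntax 2.5.5.12
DIRECTORY_STRING_SYNTAX = "2.5.5.12"
MIN_LENGTH = 128


def check_attribute_schema(attr_schema: dict) -> list:
    """Return problems with the attribute's schema definition (empty list = OK).

    `attr_schema` carries the attributeSchema values of interest:
    {"attributeSyntax": "2.5.5.12", "rangeUpper": <int> or None}.
    A missing rangeUpper means AD imposes no length limit, which is fine.
    """
    problems = []
    if attr_schema.get("attributeSyntax") != DIRECTORY_STRING_SYNTAX:
        problems.append("attribute type is not DirectoryString "
                        f"(attributeSyntax {DIRECTORY_STRING_SYNTAX})")
    range_upper = attr_schema.get("rangeUpper")
    if range_upper is not None and int(range_upper) < MIN_LENGTH:
        problems.append(f"rangeUpper {range_upper} is below the required "
                        f"{MIN_LENGTH} characters")
    return problems


def check_attribute_unused(user_values: list) -> list:
    """Flag the attribute if the user object already holds a value in it."""
    if user_values:
        return ["attribute already has a value on this user; "
                "choose another attribute or confirm it can be overwritten"]
    return []


def check_candidate(attr_schema: dict, user_values: list) -> list:
    """Combine both checks; an empty list means the attribute is usable."""
    return check_attribute_schema(attr_schema) + check_attribute_unused(user_values)


def fetch_and_check(server_uri, bind_dn, password, attr_name, user_dn, schema_nc):
    """Live variant using ldap3 (assumed installed: pip install ldap3).

    schema_nc is the schema naming context, e.g. the constructed
    "CN=Schema,CN=Configuration,DC=example,DC=test".
    """
    from ldap3 import ALL, Connection, Server  # assumption: ldap3 available
    conn = Connection(Server(server_uri, get_info=ALL), bind_dn, password, auto_bind=True)
    conn.search(schema_nc, f"(lDAPDisplayName={attr_name})",
                attributes=["attributeSyntax", "rangeUpper"])
    if not conn.entries:
        return [f"attribute {attr_name} not found in schema"]
    entry = conn.entries[0]
    schema = {"attributeSyntax": str(entry.attributeSyntax.value),
              "rangeUpper": entry.rangeUpper.value}
    conn.search(user_dn, "(objectClass=user)", attributes=[attr_name])
    values = list(conn.entries[0][attr_name].values) if conn.entries else []
    return check_candidate(schema, values)


# Constructed samples (not read from a real domain).
SAMPLE_OK = {"attributeSyntax": "2.5.5.12", "rangeUpper": None}
SAMPLE_TOO_SHORT = {"attributeSyntax": "2.5.5.12", "rangeUpper": 64}
SAMPLE_WRONG_TYPE = {"attributeSyntax": "2.5.5.9", "rangeUpper": None}  # integer syntax

if __name__ == "__main__":
    for label, schema, values in [("unused DirectoryString", SAMPLE_OK, []),
                                  ("too short", SAMPLE_TOO_SHORT, []),
                                  ("wrong type, in use", SAMPLE_WRONG_TYPE, ["x"])]:
        print(label, "->", check_candidate(schema, values) or "OK")
```

Run the live variant with the same ldapBind account Citrix ADC will use: if the schema search or user read fails with that account, the write-access prerequisite above is unlikely to be met either.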

Configuring Email OTP

The Email OTP solution consists of the following two parts:

  • Email Registration
  • Email Validation

Email Registration

There are two ways to register a user’s alternate email ID:

  1. Along with KBA registration
  2. Email ID registration only. This method is supported from 13.0 build 61.x and 12.1 build 58.x onward.

Along With KBA Registration

KBA Registration LoginSchema

  1. Navigate to Security > AAA – Application Traffic > Login Schema > Profiles and click Add KBA Registration LoginSchema.

    (Image: KBA registration login schema)

  2. Configure the KBA Registration Authentication Schema. Once generated, this login schema shows all the questions configured for the end user during the registration process.

    (Image: Authentication login schema)

    (Image: User defined questions)

  3. In the Email Registration section, check Register Alternate Email to register the user’s alternate email ID.

    (Image: Register Alternate Email)

After the KBA Registration schema has been created successfully, do the following configuration from the CLI command prompt.

  1. Bind the portal theme and the user data encryption key (certificate) to VPN global.

    bind authentication vserver authvs -portaltheme RfWebUI
    bind vpn global -userDataEncryptionKey c1
