PoC Guide: nFactor for Citrix Gateway Authentication with Push Token

Introduction

Time Based One Time Passwords (TOTP) are an increasingly common method to provide an authentication that can increase security posture with other factors. TOTP with PUSH takes advantage of mobile devices by allowing users to receive and accept authentication validation requests at their fingertips. The exchange is secured by applying a hash to a shared key, distributed during setup.

Citrix Gateway supports push notifications for OTP and, can provide authentication for various services including web services, VPN, and Citrix Virtual Apps and Desktops. In this POC Guide we demonstrate using it for authentication in a Citrix Virtual Apps and Desktops environment.

Overview

This guide demonstrates how to implement a Proof of Concept environment using two factor authentication with Citrix Gateway. It uses LDAP to validate Active Directory credentials as the first factor and use Citrix Cloud Push Authentication as the second factor. It uses a Citrix Virtual Apps and Desktops published virtual desktop to validate connectivity.

It makes assumptions about the completed installation and configuration of the following components:

• Citrix Gateway installed, licensed, and configure with an externally reachable virtual server bound to a wildcard certificate.
• Citrix Gateway integrated with a Citrix Virtual Apps and Desktops environment which uses LDAP for authentication
• Citrix Cloud account established
• Endpoint with Citrix Workspace app installed
• Mobile device with Citrix SSO app installed
• Active Directory (AD) is available in the environment

Refer to Citrix Documentation for the latest product version and license requirements. PUSH Authentication

Citrix Gateway

nFactor

1. Log in to the Citrix ADC UI
2. Navigate to Traffic Management > SSL> Certificates > All Certificates to verify you have your domain certificate installed. In this POC example we used a wildcard certificate corresponding to our Active Directory domain. See Citrix ADC SSL certificates
   for more information.

Push service action

1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Push service
2. Select Add
3. Populate the following fields and click OK:
   • Name - a unique value.We will enter values in the following fields to integrate with Citrix Cloud - PUSH Service
   • Log in to Citrix Cloud and navigate to Identity and Access Management > API Access
   • Create a unique name for the push service and select create clientNow we will copy and paste these values to our Citrix ADC policy to integrate with Citrix Cloud - PUSH Service
   • Client ID - copy & paste the Client ID from the Citrix Cloud ID and secret popup
   • Client Secret - copy & paste the Client ID from the Citrix Cloud ID and secret popup
   • Select Close
   • Customer ID - copy & paste the Client ID from the Citrix Cloud Identity and Access Management API Access page
4. Click Create

LDAP - authentication action

1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
2. Select Add
3. Populate the following fields
   • Name - a unique value
   • Server Name / IP address - select an FQDN or IP address for AD server/(s). We enter 192.0.2.50_LDAP
   • Base DN - enter the path to the AD user container. We enter OU=Team Accounts, DC=workspaces, DC=wwco, DC=net
   • Administrator Bind DN - enter the admin/service account to query AD to authenticate users. We enter workspacesserviceaccount@workspaces.wwco.net
   • Confirm / Administrator Password - enter / confirm the admin / service account password
   • Server Logon Name Attribute - in the second field below this field enter userPrincipalName
4. Select CreateFor more information see LDAP authentication policies
   

LDAP - token storage action

1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
2. Select the LDAP action created above and select create
3. Append OTP or any identifier to the name and unselect authentication
4. Under Connection Settings verify the Base DN, Administrator Bind DN, and Password. Be sure that the administrator user or service account is a member of domain administrators. This policy will be used to write the token registered by the user`s authenticator app in the userParameters attribute of their user object.
5. Scroll down to Other Settings
   • OTP Secret - enter userParameters
   • Push Service - select the PUSH service policy created above
6. Select Create

nFactor

1. Next navigate to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flows
2. Select Add and select the plus sign in the Factor box
3. Enter nFactor_OTP and select create

nFactor - Registration Flow

1. Select Add Policy and select Add again next to Select Policy
2. Enter authPol_OTPReg
3. Under Action Type select NO_AUTHN
4. Select Expression Editor and build the expression by selecting the following in the drop-down menus offered:
   • HTTP
   • REQ
   • COOKIE.VALUE(String) = NSC_TASS
   • EQ(String) = manageotp
5. Select Done, followed by Create, followed by Add
6. Select the green plus sign next to the authPol_OTPReg policy to create a factor
7. Enter OTPRegAD and select Create
8. In the box created select Add Schema
9. Select Add and enter lschema_SingleRegOTP
10. Under Schema Files navigate to LoginSchema, and select SingleAuthManageOTP.xml
11. Select the blue select button, followed by Create, followed by OK
12. In the same box select Add Policy and select Add again next to Select Policy
13. Enter authPol_LDAP for the name
14. Under Action Type select LDAP
15. Under Action select your first LDAP authentication action. We use 192.0.2.50_LDAP
16. Under Expression enter true
17. Select Create followed by Add
18. Select the green plus sign next to the authPol_LDAP policy to create a factor
19. Enter OTPRegDevice and select Create
20. In the same box select Add Policy and select Add again next to Select Policy
21. Enter authPol_OTPAuthDevice for the name
22. Under Action Type select LDAP
23. Under Action select your newly created (second) LDAP authentication action. We use 192.0.2.50_LDAP_OTP
24. Under Expression enter true
25. Select Create followed by Add

nFactor - Authentication Flow

1. Select the blue plus sign under the authPol_OTPReg policy
2. Enter authPol_OTPAuth
3. Under Action Type select NO_AUTHN
4. Under Expression enter true
5. Select Create
6. Select the green plus sign next to the authPol_OTPAuth policy to create a factor
7. Enter OTPAuthAD
8. Select Create
9. In the box created select Add Schema
10. Select Add and enter lschema_DualAuthOTP
11. Under Schema Files navigate to LoginSchema, and select DualAuthPushOrOTP.xml
12. Select the blue select button, followed by Create, followed by OK
13. In the same box select Add Policy
14. Select the policy we created during the setup of the Registration flow that maps to your first LDAP authentication action. We use authPol_LDAP
15. Select Add
16. Select the green plus sign next to the authPol_Ldap policy to create a factor
17. Enter OTPAuthDevice This Factor will use the OTP token to perform the 2nd factor authentication
18. Select Create
19. In the same box select Add Policy
20. Select the policy authPol_OTPAuthDevice that we created during setup of the Registration flow
21. Select Add
22. Now we`ve completed the nFactor flow setup and can click Done

Citrix ADC Authentication, Authorization,and Auditing (Citrix ADC AAA) virtual server

1. Next navigate to Security > AAA - Application Traffic > Virtual Servers and select Add
2. Enter the following fields and click OK:
   • Name - a unique value
   • IP Address Type - Non Addressable
3. Select No Server Certificate, select the domain certificate, click Select, Bind, and Continue
4. Select No nFactor Flow
5. Under Select nFactor Flow click the right arrow, select the nFactor_OTP flow created earlier
6. Click Select, followed by Bind

Citrix Gateway - virtual server

1. Next navigate to Citrix Gateway > Virtual Servers
2. Select your existing virtual server that provides proxy access to your Citrix Virtual Apps and Desktops environment
3. Select Edit
4. Under Basic Authentication - Primary Authentication select LDAP Policy
5. Check the policy, select Unbind, select Yes to confirm, and select Close
6. Under the Advanced Settings menu on the right select Authentication Profile
7. Select Add
8. Enter a name. We enter PUSH_auth_profile
9. Under Authentication virtual server click the right arrow, and select the Citrix ADC AAA virtual server we created PUSH_Auth_Vserver
10. Click Select, and Create
11. Click OK and verify the virtual server now has an authentication profile selected while the basic authentication policy has been removed
12. Click Done

User Endpoint

Now we test PUSH by registering a mobile device and authenticating into our Citrix Virtual Apps and Desktops environment.

Registration with Citrix SSO app

1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway with /manageotp appended to the end of the FQDN. We use https://gateway.workspaces.wwco.net/manageotp
2. After your browser is redirected to a login screen enter user UPN and password
3. On the next screen select Add Device, enter a name. We use iPhone7
4. Select Go and a QR code will appear
5. On your mobile device open your Citrix SSO app which is available for download from apps stores
6. Select Add New Token
7. Select Scan QR Code
8. Select Aim your camera at the QR Code and once it`s captured select Add
9. Select Save to store the token
10. The Token is now active and begins displaying OTP codes at 30 second intervals
11. Select Done and you will see confirmation that the device was added successfully

Citrix Virtual Apps and Desktops Authentication, Publication, and Launch

1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway. We use https://gateway.workspaces.wwco.net
2. After the your browser is redirected to a login screen enter user UPN and password. On this screen you see the option to Click to input OTP manually if for some reason your camera is not working
3. On your mobile device in your Citrix SSO app select OK to confirm PUSH authentication
4. Verify the users virtual apps, and desktops are enumerated, and launch once logged in

Summary

With Citrix Workspace and Citrix Gateway Enterprises can improve their security posture by implementing multifactor authentication without making the user experience complex. Users can get access to all of their Workspaces resources by entering their standard domain user and password and simply confirming their identity with the push off a button in the Citrix SSO app on their mobile device.

References

For more information refer to:

Authentication Push
– watch a Tech Insight video regarding the use of TOTP to improve authentication security for your Citrix Workspace

Authentication - On-Premises Citrix Gateway
– watch a Tech Insight video regarding integrating with on-premises Citrix Gateway to improve authentication security for your Citrix Workspace