Forum Discussion
Two-factor authentication for Citrix Receiver for Windows
I have deployed F5 APM with two-factor authentication. APM is currently replacing the Web Interface / Storefront servers. Two-factor authentication is confirmed working for the Webtop, Citrix Receiver for Mac, Citrix Receiver for iOS and Citrix Receiver for Android. My issue is that Citrix Receiver for Windows doesn't appear to have the necessary options to select the Logon type of "Security token only" or "Domain and security token" like the Receiver for other OS's do. I suspect that Citrix Receiver for Windows requires some kind of configuration push from the server (which in my case is APM). Has anyone else experienced this issue or have any ideas?
I have not seen standalone Windows Citrix Receiver to be able to leverage two-factor authentication. I just searched again and could not find any Citrix documentation regarding such support or enabling standalone Windows Receiver to work with two-factor. If you have any tidbits indicating otherwise, please share - else, if you desire two-factor authentication, your best bet is to start all sessions from the WebTop.
- SamuelB (Nimbostratus)
Michael,
It is mentioned in the support documentation here: Receiver for Windows Requirements
It is also confirmed in the comments of this blog post (at the bottom), by the author of the original post: Receiver for Windows 4.0 Released
It is mentioned both places that NetScaler Gateway and StoreFront are required. I am looking for a way to emulate this with F5 APM/LTM and/or iRules.
I certainly do fully trust and respect the information provided by Citrix in those articles, but they do not explain how to configure Citrix environment to take advantage of that. If Citrix says it's supported, then they need to provide documentation to their customers on how to enable/configure this option. If you come across such documentation/information, please post it here and we will gladly investigate.
- David_Glasgow_1 (Nimbostratus)
Hi Michael
I'll try and dig something up. We currently have two-factor authentication working from the Windows 8 Citrix Receiver client, back to a Netscaler Gateway, with Storefront.
We are currently working through an evaluation of F5, with APM, etc - for the purpose of replacing the Citrix solution...
So I can confirm it is possible; I know from the engineer that completed it; it wasn't pretty making it work; but it was possible - I'll see what I can find.
I would also be interested in this
If you come across config details that were done on StoreFront/Netscaler to make this work, please post them here. I am not able to find any details on how to configure this anywhere. :(
- David_Glasgow_1 (Nimbostratus)
Hi Michael
In short; on the Citrix Access Gateway (VPX):
- Created a Virtual Server...
- Added Primary Authentication, Windows LDAP
- Added Secondary Authentication, Radius for Token

Added a new policy - WindowsRT_policy
- Added the expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS WindowsRT
- Create a new Profile - WindowsRT_profile

Network Configuration
- Not Configured

Client Experience
- Home Page = None
- Split Tunnel = Off
- Session Time Out = 30
- Client Access = Allow
- Client Access URL Encoding = Obscure
- Client Access Persistent Co.. = Allow
- Plug-In Type = Windows/mac OS-X
- Single Sign on to Web Applications = Ticked
- Credential Index = Primary
- Single Sign On with Windows = Unticked
- Client Clean up prompt = Ticked

Security
- Default Authorization Action = Allow
- Secure Browse = Ticked

Published Application
- ICA Proxy = On
- Web Interface Address = https:///Citrix/UnisonWeb
- Web Interface Portal Mode = Normal
- Single-Signon Domain =

Added new Policy - Ipad_policy
- Added the expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS ipad
- Create a new Profile - IPad_profile

Network Configuration
- Not Configured

Client Experience
- All settings as per Windows Profile

Security
- All settings as per Windows Profile

Published Application
- Web Interface Address = https://spctxstore1.unison.co.nz/Citrix/Unison/PNAgent/config.xml
- All other settings as per Windows Profile
So within the Windows 8 metro application we are presented with Username, Password and Token fields... same applies to the ipad.
Ideally it would be over two screens, to allow us to use the F5 token feature...
Hope that helps?
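To make the User-Agent based profile selection in David's gateway config concrete, here is an added Python model (not code from the thread, Citrix or F5) that evaluates those two policy expressions against request headers and picks the matching session profile. The User-Agent strings are constructed, the CONTAINS matching is treated as case-insensitive as a simplifying assumption, and the point for a defender is that a client-supplied header only selects the store configuration, never the authentication factors.

```python
import re
from dataclasses import dataclass

# Constructed model of the two session policies from the thread. Each policy
# is a classic expression "REQ.HTTP.HEADER <name> CONTAINS <value> && ..."
# that selects a profile; the hostnames are placeholders as in the thread.
@dataclass(frozen=True)
class Profile:
    name: str
    web_interface_address: str
    ica_proxy: bool = True

PROFILES = {
    "WindowsRT_policy": Profile("WindowsRT_profile",
        "https://[internal storefront]/Citrix/UnisonWeb"),
    "Ipad_policy": Profile("IPad_profile",
        "https://[internal storefront]/Citrix/Unison/PNAgent/config.xml"),
}
POLICIES = [  # evaluated in priority order; first match wins
    ("WindowsRT_policy", "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver "
                         "&& REQ.HTTP.HEADER User-Agent CONTAINS WindowsRT"),
    ("Ipad_policy", "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver "
                    "&& REQ.HTTP.HEADER User-Agent CONTAINS ipad"),
]
_TERM = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+CONTAINS\s+(\S+)$")

def eval_expression(expr: str, headers: dict) -> bool:
    """Evaluate the subset used above: CONTAINS terms joined by '&&'.
    Header names are matched case-insensitively (HTTP semantics); the
    substring test is case-insensitive here as a simplifying assumption."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for term in expr.split("&&"):
        m = _TERM.match(term.strip())
        if not m:
            raise ValueError(f"unsupported term: {term.strip()!r}")
        name, needle = m.groups()
        if needle.lower() not in lowered.get(name.lower(), "").lower():
            return False
    return True

def select_profile(headers: dict):
    """Return the first profile whose policy matches, else None (browser)."""
    for policy_name, expr in POLICIES:
        if eval_expression(expr, headers):
            return PROFILES[policy_name]
    return None

# Authentication is bound to the virtual server, not to the profile: both
# factors (primary LDAP, secondary RADIUS token) are required whatever the
# User-Agent claims, so a spoofed header cannot reach a weaker login path.
REQUIRED_FACTORS = frozenset({"ldap_primary", "radius_token"})

def authorize(headers: dict, completed_factors: set):
    """Only hand out a profile once every required factor has succeeded."""
    if not REQUIRED_FACTORS <= set(completed_factors):
        return None
    return select_profile(headers)
```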
Thanks, David. Curious about your Windows 8 Receiver line - did you edit out the hostname from it? It appears that Netscaler is configured to hit StoreFront Web store, not the "native" Store. Is that correct?
If you want to use our OTP/token built-in feature, I would suggest directing the users to access your Citrix environment from the browser first - that way it is VERY easy for us to build a policy that will successfully perform two-factor authentication(especially our own) in stages as you desire. As far as I know, Citrix's native two-factor capabilities with Receiver do not allow for an [easy] integration with one-time tokens that are delivered via SMS/email after supplying the user's account info. Accommodating such behavior is much easier when user comes in from the browser-based interface first.
- David_Glasgow_1 (Nimbostratus)
Hi Michael
Yes I did; and when I edit the post I can see that the site has tried to get tricky, but won't allow me to make changes to my post now... For the purpose of clarity..
Windows RT Policy
- Web Interface Address = https://[internal storefront]/Citrix/UnisonWeb
Ipad Policy
- Web Interface Address = https://[internal storefront]/Citrix/Unison/PNAgent/config.xml
The downside to the approach of launching the application from a web interface is:
- Not as touch friendly as the Citrix Receiver Application
- Not seamless - as you get prompted for what to do with the .ica file
- A change for users - ie going from the seamless experience, to something that requires more steps
With the earlier versions of Citrix Receiver for Windows 8 we were required to have a storefront server; I don't believe this is the case any more... but I believe it is the storefront that does complete the SMS authentication...
So in a totally ideal world - we wouldn't have Citrix at all :) but for application/desktop publishing it is here to stay. Therefore, the next best thing for me would be to be able to get rid of the Citrix Storefront and Citrix NetScaler devices; and replace them with the F5, utilising the built-in OTP features (as this is another product I can also get rid of).
Thanks David
- SamuelB (Nimbostratus)
Has anyone made any progress with this? This is still an ongoing issue for me. @Matt - I suspected the same thing, but there doesn't appear to be an easy way to pass the config.xml file to the Receiver, if we even had one to use.
- nirobi03_194837 (Nimbostratus)
Any progress?