Two-factor authentication for Citrix Receiver for Windows

The above issue is from Windows 7 - Citrix Receiver.

From iPad, it fails when Citrix Receiver is asking for username, password, domain, passcode. I receive: Could not logon. Veryify your credentials and network connectivity.

Also, thanks for the quick responses!!!!

It is prompting me for the passcode when creating the account, then it is asking me to log into my StoreFront and it fails there.

Is it failing because my Passcode is a OTP and by the time I'm authenicating into my storefront the OTP has changed?

I am glad that the prompt is working for you! What exactly is failing though? This certainly works - but you need to manipulate things - perform token validation first, then perform primary username/password authentication. Check the main Citrix iApp/Deployment Guide - the token should get set to password1 session variable... I would recommend running through the iApp to setup 2FA with Citrix(use RSA as an example) - then add this session variable assignment and replace RSA Auth with whatever token auth you're doing(via RADIUS, I assume).

This is prompting Citrix Receiver for 2FA, but it is failing. Will this work with a radius server / hard token?

I am glad you brought this up so that I can share the good news! It's possible to do now with 11.6.0 HF4!

It will get easier when v12.0 is launched in the summer, but until then you can try this when you upgrade to 11.6.0 HF4:

Create a new Variable Assignment action in front of your Logon Page. On the left hand side, specify this variable name: session.citrix.client_auth_type

And on the right hand side, put in this value: expr {"1"}

This should enable 2-factor prompt.

Also, keep in mind that 11.6.0 HF4 now supports native StoreFront protocol integration - no more legacy mode needed.

Any progress?

Hi Michael

Yes I did; and when I edit the post I can see that the site has tried to get tricky, but wont allow me to make changes to my post now... For the purpose of clarity..

Windows RT Policy

• Web Interface Address = https://[internal storefront]/Citrix/UnisonWeb

Ipad Policy

• Web Interface Address = https://[internal storefront]/Citrix/Unison/PNAgent/config.xml

The downside to the approach of launching the application from a web interface is:

• Not as touch friendly as the Citrix Receiver Application
• Not seamless - as you get prompted for what to do with the .ica file
• A change for users - ie going from the seamless experience, to something that requires more steps

With the earlier versions of Citrix Receiver for Windows 8 we required to have a storefront server, I don't believe this is the case any more... but I believe it is the storefront that does complete the SMS authentication...

So in a totally ideal world - we wouldn't have Citrix at all :) but for application/desktop publishing it is here to stay. Therefore, the next best thing for me would be to be able to get rid of the Citrix Storefront and Citrix Netscaller devices; and replace the with the F5, utilising the built in OTP features (as this is another product I can also get rid of).

Thanks David

Thanks, David. Curious about your Windows 8 Receiver line - did you edit out the hostname from it? It appears that Netscaler is configured to hit StoreFront Web store, not the "native" Store. Is that correct?

If you want to use our OTP/token built-in feature, I would suggest directing the users to access your Citrix environment from the browser first - that way it is VERY easy for us to build a policy that will successfully perform two-factor authentication(especially our own) in stages as you desire. As far as I know, Citrix's native two-factor capabilities with Receiver do not allow for an [easy] integration with one-time tokens that are delivered via SMS/email after supplying the user's account info. Accommodating such behavior is much easier when user comes in from the browser-based interface first.

Hi Michael

In short; on the Citrix Access Gateway (VPX).

• Created a Virtual Server...
• Added Primary Authentication, Windows LDAP
• Added Secondary Authentication, Radius for Token
• Added a new policy - WindowsRT_policy
  • Added the expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS WindowsRT
  • Create a new Profile - WindowsRT_profile
  • Network Configuration
    • Not Configured
  • Client Experience
    • Home Page = None
    • Split Tunnel = Off
    • Session Time Out = 30
    • Client Access = Allow
    • Client Access URL Encoding = Obscure
    • Client Access Persistent Co.. = Allow
    • Plug-In Type = Windows/mac OS-X
    • Single Sign on to Web Applications = Ticed
    • Credential Index = Primary
    • Single Sign On with Windows = Unticked
    • Client Clean up prompt = Ticked
  • Security
    • Default Athorization Action = Allow
    • Secure Browse = Ticked
  • Published Application
    • ICA Proxy = On
    • Web Interface Address = https:///Citrix/UnisonWeb
    • Web Interface Portal Mode = Normal
    • Single-Signon Domain =
• Added new Policy - Ipad_policy
  • Added the expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS ipad
  • Create a new Profile - IPad_profile
  • Network Configuration
    • Not Configured
  • Client Experience
    • All settings as per Windows Profile
  • Security
    • All settings as per Windows Profile
  • Published Application
    • Web Interface Address = https://spctxstore1.unison.co.nz/Citrix/Unison/PNAgent/config.xml
    • All other settings as per Windows Profile

So within the Windows 8 metro application we are presented with Username, Password and Token fields... same applies to the ipad.

Ideally it would be over two screens, to allow us to use the F5 token feature...

Hope that helps?