Forum Discussion
Two-factor authentication for Citrix Receiver for Windows
I have deployed F5 APM with two-factor authentication. APM is currently replacing the Web Interface / Storefront servers. Two-factor authentication is confirmed working for the Webtop, Citrix Receiver for Mac, Citrix Receiver for iOS and Citrix Receiver for Android. My issue is that Citrix Receiver for Windows doesn't appear to have the necessary options to select the Logon type of "Security token only" or "Domain and security token" like the Receiver for other OS's do. I suspect that Citrix Receiver for Windows requires some kind of configuration push from the server (which in my case is APM). Has anyone else experienced this issue or have any ideas?
I am glad you brought this up so that I can share the good news! It's possible to do now with 11.6.0 HF4!
It will get easier when v12.0 is launched in the summer, but until then you can try this when you upgrade to 11.6.0 HF4:
Create a new Variable Assignment action in front of your Logon Page. On the left hand side, specify this variable name: session.citrix.client_auth_type
And on the right hand side, put in this value: expr {"1"}
This should enable the 2-factor prompt.
Also, keep in mind that 11.6.0 HF4 now supports native StoreFront protocol integration - no more legacy mode needed.
- nirobi03_194837 (Nimbostratus)
This is prompting Citrix Receiver for 2FA, but it is failing. Will this work with a radius server / hard token?
I am glad that the prompt is working for you! What exactly is failing though? This certainly works - but you need to manipulate things - perform token validation first, then perform primary username/password authentication. Check the main Citrix iApp/Deployment Guide - the token should get set to password1 session variable... I would recommend running through the iApp to set up 2FA with Citrix (use RSA as an example) - then add this session variable assignment and replace RSA Auth with whatever token auth you're doing (via RADIUS, I assume).
- nirobi03_194837 (Nimbostratus)
It is prompting me for the passcode when creating the account, then it is asking me to log into my StoreFront and it fails there.
Is it failing because my Passcode is an OTP and by the time I'm authenticating into my StoreFront the OTP has changed?
- nirobi03_194837 (Nimbostratus)
Also, thanks for the quick responses!!!!
- nirobi03_194837 (Nimbostratus)
The above issue is from Windows 7 - Citrix Receiver.
From iPad, it fails when Citrix Receiver is asking for username, password, domain, passcode. I receive: Could not logon. Verify your credentials and network connectivity.
- Are you trying to add a brand new account to the Receiver? Like I said, you really need to modify the access policy as well to ensure it handles 2-fa authentication. An example of such a policy is created by the latest iApp when you select RSA SecurID 2FA integration. Did you look into that?
- nirobi03_194837 (Nimbostratus)
Yes, I just created a new iApp to test with. My web browser is working with 2FA.
Interesting... can you please open a case with support on it to investigate and PM me the case number so that I can follow up on it? Thanks
- nirobi03_194837 (Nimbostratus)
Sent. Thank you, I look forward to hearing from you.
- Henrik_S (Nimbostratus)
Hello, I've followed this post and added the session variable to get the "passcode" form field presented by Citrix Receiver. However, I'm using the built-in OTP and would like a challenge-response function like the one I get when I'm sent to a secondary logon page before OTP verification while using a normal browser. Is this possible?