Forum Discussion
Two-factor authentication for Citrix Receiver for Windows
I have deployed F5 APM with two-factor authentication. APM is currently replacing the Web Interface / StoreFront servers. Two-factor authentication is confirmed working for the Webtop, Citrix Receiver for Mac, Citrix Receiver for iOS and Citrix Receiver for Android. My issue is that Citrix Receiver for Windows doesn't appear to have the necessary options to select the Logon type of "Security token only" or "Domain and security token" like the Receivers for other OSes do. I suspect that Citrix Receiver for Windows requires some kind of configuration push from the server (which in my case is APM). Has anyone else experienced this issue or have any ideas?
Currently, Receiver does not support such behavior. It relies on the user having access to the token prior to starting the login attempt.
- Henrik_SNimbostratus
This is possible through a NetScaler by the use of RADIUS auth with challenge-response, like here with SMS Passcode, so where am I missing out? http://www.smspasscode.com/media/1937/netscaler-advanced-guide-for-sms-passcode.pdf
Interesting point, Henrik - was not aware that mobile Receiver supports this type of iterative communication via RADIUS. It's a bit different with APM as it does its own built-in OTP - so we'd need to investigate exactly how the communication happens between NetScaler and Receiver to ensure that APM can do something similar. I would suggest opening a case with support to have it escalated and investigated further.
- Henrik_SNimbostratus
Done, case id: C1847563
- Andrey_TerentyeHistoric F5 Account
The 11.6.0 HF5 functionality does not cover:
1. APM Webtop (StoreFront replacement) deployment
2. SMS/OTP authentication
What 11.6.0 HF5 enables is the ability to display a logon dialog with two password fields (for token and AD password) for the Windows Receiver client (other clients can be manually configured to display two fields).
When Windows Receiver sees the two-password dialog, it assumes it is talking to StoreFront, hence limitation (1).
The two-password dialog is not suitable for the SMS/OTP case, as the token is not known to the user up front (as it is in the classic RSA+AD case). With a single-password dialog, APM does not yet support the SMS/OTP workflow for Receivers, hence limitation (2).
- jkari_144214Nimbostratus
Hello, is this feature (With single-password dialog APM does not yet support SMS/OTP workflow for Receivers, hence limitation) available in any newer versions of F5?
I'm currently building an F5 configuration for Citrix StoreFront and we need SMS auth for it. We have some existing portals with OTP and we would like to use OTP when a user uses Citrix Receiver to connect to StoreFront via F5.
- henning_mneNimbostratus
I've just visited a customer asking the same question. They would like to use OTP/SMS in combination with Citrix Receiver to replace a NetScaler and SMS Passcode setup. I'm not able to trigger a new prompt asking for passcode/token only from the APM. I would really appreciate an update regarding such a feature.
- J_HordNimbostratus
Any update on this? I too have a customer wanting this integration. It actually works in the sense that the RADIUS triggers and goes through its auth routine. However, it appears to be impacting the credentials delivered to StoreFront and it's breaking authentication.
- The-messengerCirrostratus
Any update on this? I am also interested in this and, as well, using a RADIUS server.
I've implemented Duo Security for two-factor on the web side; it works very well, and Duo uses a RADIUS server. I need to implement two-factor for the Receiver as well.