Forum Discussion
Two-factor authentication for Citrix Receiver for Windows
I have deployed F5 APM with two-factor authentication. APM is currently replacing the Web Interface / Storefront servers. Two-factor authentication is confirmed working for the Webtop, Citrix Receiver for Mac, Citrix Receiver for iOS and Citrix Receiver for Android. My issue is that Citrix Receiver for Windows doesn't appear to have the necessary options to select the Logon type of "Security token only" or "Domain and security token" like the Receiver for other OS's do. I suspect that Citrix Receiver for Windows requires some kind of configuration push from the server (which in my case is APM). Has anyone else experienced this issue or have any ideas?
- jkari_144214Nimbostratus
Hello, is this feature (With single-password dialog APM does not yet support SMS/OTP workflow for Receivers, hence limitation) available in some newest versions of F5?
I'm currently building an F5 configuration for Citrix Storefront and we need SMS auth for it. We have some existing portals with OTP and we would like to use OTP when a user uses Citrix Receiver to connect to Storefront via F5.
- J_HordNimbostratus
It works with the HTML-based interactions with Citrix. It does not work with ICA native traffic. It's a known issue and there's an RFE for it, but no confirmed release date.
- The-messengerCirrostratus
Any update on this? I am also interested in this, and I am also using a RADIUS server.
I've implemented DUO security for two-factor on the web side; it works very well, and DUO uses a RADIUS server. I need to implement two-factor for the Receiver as well.
- J_HordNimbostratus
Any update on this? I too have a customer wanting this integration. It actually works in the sense that the RADIUS triggers and goes through its auth routine. However, it appears to be impacting the credentials delivered to StoreFront and it's breaking authentication.
- Andrey_TerentyeHistoric F5 Account
The 11.6.0 HF5 functionality does not cover:
1. APM Webtop (StoreFront replacement) deployment
2. SMS/OTP authentication
What 11.6.0 HF5 enables is the ability to display a logon dialog with two password fields (for token and AD password) for the Windows Receiver client (other clients can be manually configured to display two fields).
When Windows Receiver sees the two-password dialog it assumes it is talking to StoreFront, hence limitation (1).
The two-password dialog is not suitable for the SMS/OTP case, as the token is not known to the user up front (as it is in the classic RSA+AD case). With the single-password dialog APM does not yet support the SMS/OTP workflow for Receivers, hence limitation (2).
- Henrik_SNimbostratus
Done, case id: C1847563
Interesting point, Henrik - was not aware that mobile Receiver supports this type of iterative communication via RADIUS. It's a bit different with APM as it does its own built-in OTP - so we'd need to investigate exactly how the communication happens between Netscaler and Receiver to ensure that APM can do something similar. I would suggest opening a case with support to have it escalated and investigated further.
- Henrik_SNimbostratus
This is possible through a Netscaler by the use of RADIUS auth with challenge-response, like here with SMS Passcode, so where am I missing out? http://www.smspasscode.com/media/1937/netscaler-advanced-guide-for-sms-passcode.pdf
Currently, Receiver does not support such behavior. It relies on the user having access to the token prior to starting the login attempt.
- Henrik_SNimbostratus
Hello, I've followed this post and added the session variable to get the "passcode" form field presented by Citrix Receiver. However, I'm using the built-in OTP and would like a challenge-response function like the one I get when I'm sent to a secondary logon page before OTP verify while using a normal browser. Is this possible?
- nirobi03_194837Nimbostratus
Sent. Thank you, I look forward to hearing from you.
Interesting... can you please open a case with support on it to investigate and PM me the case number so that I can follow up on it? Thanks
- nirobi03_194837Nimbostratus
Yes, I just created a new iApp to test with. My web browser is working with 2FA.