For Citrix NetScaler versions 10.5+, the No Certificate Redirect function is not supported if Subject:CN is selected from the User Name Field dropdown in the Certificate Authentication AAA section (resolved in NetScaler 11.0+ versions)

To access NetScaler with a SecureAuth IdP-issued certificate, end-users must go to the SecureAuth IdP certificate enrollment realm (SecureAuth IdP Configuration Steps below) first to enroll for a certificate, and then go into NetScaler where it is validated

Versions pre-10.5 support the No Certificate Redirect, so end-users can initiate the login process at Citrix and be redirected to SecureAuth IdP if no certificate is present

Use this guide to enable Multi-Factor Authentication access to Citrix Receiver AGEE.

SecureAuth IdP is a Variable Authentication Solution (VAS) that conducts multi-factor enrollment to create an X.509 client certificate that is specific to the user (tied to the data store user profile) and to the device.

The user will be prompted for the client certificate to access Citrix Receiver; and with the presentation of the certificate, a successful second factor authentication is accomplished.

1. Have a Citrix Receiver AGEE and access to the management console

2. Download the SecureAuth CA Public Certificates zip bundle

3. Create a New Realm for the Citrix Receiver integration in the SecureAuth IdP Web Admin

4. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

 

1. Log into the Citrix Receiver AGEE admin console, and expand the SSL menu under Traffic Management, and click Certificates

2. Click Install to upload the SecureAuth CA Public Certificates zip bundle

 

3. Provide the Certificate-Key Pair Name of the certificate

4. Click Browse in the Certificate File Name section, and select the SecureAuth CA Public Certificates file

5. Select PEM from the Certificate Format options

6. Click Install

7. Repeat steps 3-6 as needed to upload the certificates

 

8. Once the certificates are uploaded, they will appear on the Certificates page

9. Right-click the Intermediate certificates, and click Link

 

10. Select the appropriate Root Certificate from the CA Certificate Name dropdown

11. Click OK

12. Repeat steps 9-11 as needed to link the intermediate certificates with the root certificates

 

A VPN Virtual Server is required for this integration

13. In the admin console, select Virtual Servers under NetScaler Gateway

14. Select the appropriate Virtual Server to use for this integration, or click Add to create a new one

See below for Virtual Server creation steps

 

1. Set a Name for the new Virtual Server

2. Provide the IPAddress

3. Provide the Port number

4. Click OK

 

15. Open the Virtual Server, and click on the CA Certificate option under Certificates

 

16. Click the Select CA Certificate dropdown to be taken to the SSL Certificates page

17. Select the Certificates uploaded in steps 3-6, and click OK

18. Click Bind

19. Repeat steps 16-19 until the five certificates are uploaded to the Virtual Server

 

20. In the Virtual Server, click the + in the Authentication section to add an Authentication CERT Policy

 

21. Select CERTIFICATE from the Choose Policy dropdown

22. Select Primary from the Choose Type dropdown

23. Click Continue

 

24. Click the + in the Select Policy section to create a new certificate policy

25. Once the policy and profile are created (steps 26-34 below), click Bind

 

26. Provide a Name for the new certificate policy

27. Click the + in the Server section to create a new certificate profile

28. Select the newly created profile (steps 31-34 below) from the Server dropdown

29. Create an ns_true Expression

30. Click Create

 

31. Provide a Name for the new certificate profile

32. Select ON from the Two Factor options

33. Select Subject:CN from the User Name Field dropdown

34. Click Create

 

35. In the Virtual Server, click the + in the Authentication section to add an Authentication LDAP Policy  

 

36. Select LDAP from the Choose Policy dropdown

37. Select Secondary from the Choose Type dropdown

38. Click Continue

 

39. Click the + in the Select Policy section to create a new LDAP policy

40. Once the policy and profile are created (steps 41-57 below), click Bind

 

41. Provide a Name for the new LDAP policy

42. Click the + in the Server section to create a new LDAP server

43. Select the newly created server (steps 46-57 below) from the Server dropdown

44. Create an ns_true Expression

45. Click Create

 

46. Provide a Name for the new LDAP server

47. Provide the Server Name or the Server IP Address

48. Select the Security Type from the dropdown

49. Provide the Port of the LDAP directory

50. Provide the Base DN of the location of users in the LDAP directory

51. Provide the Citrix service account information in the Administrator Bind DN field

52. Select --<< New >>-- from the Server Logon Name Attribute dropdown, and set it to sAMAccountName

53. Select memberOf from the Group Attribute dropdown

54. Select --<< New >>-- from the Sub Attribute Name dropdown, and set it to Subject:CN

55. Select Disabled in the Nested Group Extraction section

56. Configure the rest as required for the LDAP directory

57. Click Create

 

58. In the Virtual Server, open the SSL Profile menu

59. Click the + in the SSL Profile section to create a new SSL profile

60. Select the newly created SSL profile (steps 61-63 below) from the SSL Profile dropdown, and click OK

 

61. Provide a Name for the new SSL profile

62. Select NO from the Deny SSL Renegotiation dropdown

63. Click Create

 

64. In the Virtual Server, click the + in the Policies section to configure the Client Experience

 

65. Select Session from the Choose Policy dropdown

66. Select Request from the Choose Type dropdown

67. Click Continue

68. Click the + in the Select Policy section to create a new session policy

69. Once the policy and profile are created (steps 70-78 below), click Bind

 

 

70. Provide a Name for the new session policy

71. Click the + in the Action section to create a new session profile

72. Select the newly created session profile (steps 74-78 below) from the Action dropdown

73. Click Create

 

74. Provide a Name for the new session profile

75. In the Client Experience section, select Allow from the Clientless Access dropdown

76. Select Clear from the Clientless Access URL Encoding dropdown

77. Select Java from the Plug-in Type dropdown

78. Click Create

For the Citrix Receiver policy, the User Agent could be Citrix Receiver, iOS, and Android

Make sure that the Citrix Receiver policy has the highest Priority, i.e. the lowest number