Citrix Cloud’s FREE Two-Factor Authentication that no one talks about!

You’ve probably heard of various 2FA solutions that you deploy for remote access in Citrix, but have you explored what Citrix Cloud itself has to offer? Surprisingly, Citrix Cloud offers a free two-factor authentication solution that often flies under the radar. In this comprehensive guide, we’re going to shed light on this hidden gem, providing you with step-by-step instructions on how to enable it and outlining its prerequisites and limitations.

Benefits

Citrix Cloud offers a cloud-based Time-based One-Time Password (TOTP) feature designed for organizations that rely on Windows Active Directory as their primary identity provider. The TOTP micro-service enhances the security of the user’s Citrix Workspace experience by introducing multi-factor authentication capabilities, including the following:

  1. User Convenience: Users can conveniently request and install a new token using Citrix SSO, Microsoft Authenticator, Google Authenticator, or any other supported authenticator app of their choice.
  2. Effortless Administration: Administrators can implement TOTP multi-factor authentication with minimal setup. There is no need to install IdP certificates, gather sign-in and logout URLs, set up an application in a 2FA vendor console, etc.
  3. Token Management: Admins can easily disable a user’s token when necessary, providing greater control over access.
  4. Free for all Citrix Cloud customers: This is completely free of charge, so there is no reason not to use it if you don’t own a multi-factor solution from one of the mainstream vendors. Other than a couple of limitations, which I will discuss later in the blog post, this solution is very easy to set up and will get you up and running in literally 3 clicks. Good job, Citrix! You have made us all proud after a very long time... 😉
  5. No pre-enrollment: There is no need to pre-enroll your users, unlike other 2FA solutions, which is huge IMO.

Prerequisites

  • You will need your Citrix Cloud tenancy set up, the Cloud Connectors built and configured, and a farm created in Citrix Cloud
  • Your AD users will need their email address populated in Active Directory. You can use any email service of your choice; users don’t need a mailbox in the domain
  • Your users will of course need a smartphone for the token once they are enrolled

Enabling Two Factor Authentication

Enabling 2FA is a two-step process. Let’s see how it’s all done.

Log in to your Citrix Cloud tenancy first and click on the hamburger icon at the top right. You will see the drop-down below.

Click on Identity and Access Management

You will see an option that says Active Directory + Token. To the far right of that, the status should say Not Connected.

Click on the 3 dots and click Connect

You will be greeted with the below screen, just click Save and Finish

Now you will need to head over to Workspace Configuration as below. This is where you enable two-factor authentication for the subscribers consuming your apps and desktops.

Click on Authentication tab

Select Active Directory + Token

You get the below confirmation message. Tick the box and Confirm.

Now, you gotta give Citrix Cloud a few minutes to do all the heavy lifting for you. If you refresh the Gateway page, you may receive a “Cannot complete your request” message. Don’t worry, it just isn’t ready yet.

Once ready, you will be greeted with the below screen

That’s all you need to do to enable Citrix’s flavour of 2FA. This can’t be hard, can it?

Let’s enroll now and test.

Enrolling to two factor

As above, enrollment is also a breeze, which will come as welcome news for your end users and the PMs managing the end-user communication.

The enrollment is done right on the Citrix Gateway page.

On the gateway page, click on Don’t have a token? link

Enter your AD username along with the domain name, OR your email address, and click Next.

Please note that when using an email address, users must use the same email address that is specified on their domain account in Active Directory.

Check your email for the verification code.

The email from Citrix with the verification code will look like the below and is valid for only 24 hours.

Enter the verification code along with your AD password as shown below.

Click Next

Once entered, you will get a QR code that you can scan using an authenticator app of your choice. If you already have one installed, skip the steps for downloading and installing the app on your smartphone.

Scan the QR code using your app and click Finish and Sign In

You will be back at the Gateway sign in page now, just sign in using the code generated from the smartphone app.

That’s it. You are logged in now. I thought that was quite an impressive feat from Citrix to say the least.

Reset a Client device

If your service desk needs to reset an end user’s device for whatever reason, they can navigate to the Recovery tab under Identity and Access Management in the cloud portal. Choose the domain and search for the user name.

Limitations

Not everything is rosy about the solution though. Some of the limitations that you need to be aware of are:

  1. Conditional Access: Citrix’s TOTP solution does not have the ability to apply Conditional Access policies. For example, if you wish to bypass 2FA for internal users coming in from a secure office network, you can’t do that. The only way I can think of working around this is to host an on-prem StoreFront deployment and route your internal users to it. This isn’t pretty, but it serves the purpose. You can also be a little smart when deciding the DNS names for external Citrix Gateway access and make it the same as the internal access URL (where possible). That way users don’t need to remember multiple URLs.
  2. No Push Authentication: There is no push authentication method available, so users will need to manually enter the code whilst logging in.
  3. Single Device Enrollment: This solution only supports a single device at a time. Having said that, if you would like to access Citrix Gateway from another device, you can definitely register your new client, which will then remove the access from your previously enrolled device. I actually could access from multiple devices without re-registering the devices, so I’m not quite sure if that is to do with the fact that I have been switching between a Mac and a PC and this limitation only applies to switching between Windows PCs alone.
  4. Only applicable to Citrix Cloud.

Lessons from the Field

  • If for whatever reason you decide to switch to another authentication method, you don’t need to re-enroll or re-register your device when switching back to the token method, and your existing TOTP tokens configured on your smartphone will work without issues
  • The TOTP tokens on the app will be valid for 30 seconds
  • You can choose any authenticator app of your choice, such as Okta Verify, Authy, Google Authenticator, Microsoft Authenticator, etc.
  • Though Citrix says only a single device can be enrolled at a time, I was able to log in from multiple devices (a Mac and a PC) without issues using a browser. Not sure if Citrix lifted the single-device limitation or if it’s a bug.
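To make the 30-second token validity and the “no push, type the code” behaviour concrete, here is an added example (written for this post, not Citrix’s code or anything from the Citrix Cloud service) of what the authenticator app computes from the secret in the QR code, and how a verifier checks it. It implements standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits), which is what Google Authenticator and similar apps use. The secret is the published RFC reference key in base32, a constructed value and not a real Citrix-issued one, and the ±1 time-step tolerance in `verify_totp` is an assumption about a typical verifier, not something the Citrix service documents.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 reference key "12345678901234567890"
# base32-encoded, the form an authenticator QR code carries. It is a published
# test value, not a real Citrix-issued secret.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds per code, matching the 30-second validity noted above
DIGITS = 6       # authenticator apps display six digits


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 shared secret, tolerating spaces and missing '=' padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch.
    This is the code the smartphone app shows; it changes every `step` seconds."""
    return hotp(decode_secret(secret_b32), at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Verifier side (assumed behaviour): accept the code for the current step or
    `window` steps either side, so a little clock drift between phone and server
    does not lock the user out. Uses a constant-time comparison."""
    secret = decode_secret(secret_b32)
    current = at_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print(f"code now: {code}, accepted: {verify_totp(EXAMPLE_SECRET_B32, code, now)}")
    # The same code is rejected two steps (60 s) later, outside the +/-1 step window:
    # this is why a user who types the code slowly gets asked for a fresh one.
    print("accepted 60 s later:", verify_totp(EXAMPLE_SECRET_B32, code, now + 2 * TIME_STEP))
```

Running the block prints the current code for the example secret and shows it being accepted now and rejected 60 seconds later. A practical consequence for the service desk: if users report “the code is always wrong”, check the phone’s clock first, since TOTP depends entirely on both sides agreeing on the time.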

That’s it folks. Hope someone finds this useful.
