Kevin Halstead1709153093, Posted October 12, 2015
Hi, We have set up two-factor authentication: RADIUS using SecurEnvoy (primary) and LDAP (secondary). Logging in through the web provides a Username, Password 1 and Password 2 for the token; this is fine and the passcode token is accepted fine. However, we would like to use the Receiver app. We enrol the user, and it pops up asking for username, password and passcode. Put these in and everything works great. However, if you fully log the user off and back on again, it only asks for the username and password. It does not ask for the RADIUS passcode. Putting in the username and password for LDAP allows the user to log on. I am completely baffled. I know the policy initially works, as it asks for the code to enrol, and SecurEnvoy sees this in the logs and allows the user to log on. The Receiver app just doesn't seem to invoke it any further. Any ideas?
Christoph Wegener, Posted October 13, 2015
http://support.citrix.com/article/CTX125364
Kevin Halstead1709153093 (Author), Posted October 14, 2015
Hi, Thanks for pointing me to the article. I have created the policies exactly as it describes, but it still isn't working right. Why are users allowed to connect to the Citrix app with only LDAP details and completely ignore the RSA code? This is driving me nuts :(
Eric Nettles1709153049, Posted July 8, 2016
Seeing this as well, NS 11.x, Receiver for iOS 7. Two-factor only works on first logon. Second logon doesn't request the token, so can't connect.
Eric Nettles1709153049, Posted July 8, 2016
Addendum: Two-factor works in Android on second login.
Retief Zietsman1709155641, Posted October 6, 2016
We've got the same issue on NS11, but the reverse of what the OP is experiencing. We've configured all policies as per http://support.citrix.com/article/CTX125364, with the addition of a rewrite policy to hide the second password field (https://discussions.citrix.com/topic/369016-netscaler-11-two-factor-authentication/). When we set up the Receiver on an iPhone, it logs into the Receiver and prompts for the SMS token, so the first logon works fine. However, as soon as the user is logged off, the second logon fails. At the second logon the user is prompted for a password and token at the same time, even with the rewrite policy in place. We can also see hits on the rewrite policy, but the second password field is still displayed.
Sascha Matter1709156668, Posted November 4, 2016
We have quite the same problem in our PoC environment with NS 11.1 Build 49.16 nc and XenDesktop 7.11. The login via browser works without a problem; also, when I use Citrix Receiver directly and set up the connection for the first time, it works as it is supposed to. Meaning I get the login prompt with username, password (AD) and passcode (RSA PIN), and it connects successfully. But when I log off and try to log in again, I get a different login prompt (the names aren't the same as the first time) and the logins are reversed. Meaning now password 1 has to be the RSA PIN and password 2 is the AD password. But the login actually works when I enter the credentials the right way. I used the article which was mentioned earlier in this thread -> http://support.citrix.com/article/CTX125364. It gets stranger when I try to log in via Receiver on my Android phone. Adding the address of the NetScaler server worked without a problem. When I try to log in now, a pop-up comes up with the request for my password, and below is my AD account. But the password isn't the AD password; it wants the RSA PIN. If I enter the RSA PIN and the SMS token, the cycle spins and I get an error message "could not log in, try again". If I try again, the app doesn't ask for the RSA PIN; it directly asks for the SMS token :S Is that the normal behaviour of the Android Receiver app? I also checked the saved account, and "savings disabled" is written where the password should be. Thanks for any help.
CarlStalhood, Posted November 4, 2016
In the StoreFront console, edit the Gateway object. On the Authentication page, is it set to Domain + Token?
Sascha Matter1709156668, Posted November 4, 2016
@Carl, you're my hero :) It was set to Domain only, so I changed it to Domain + Token, and now it works as it is supposed to. Thank you so much.
Ahmad Irffan1709156583, Posted February 20, 2017
You are the champ, Carl. CTX KBs are not as valued as your articles, which are written with clarity. Thank you for being there. Resolved my Receiver issue with your suggestion.
Malyaj Kumar Das, Posted April 3, 2020
I have a similar issue. In StoreFront > Gateway > Authentication it is set to Domain + security token. It works fine on the first logon and asks for LDAP + RSA token, but once I disconnect the desktop and launch the desktop again from Receiver, it doesn't ask for any authentication. Any suggestion if there is anything to do at NS or SF? Once the external site is configured, the account name shows the store name configured on the StoreFront server.
Michael Gurtner, Posted December 10, 2021
I know this is an old thread, but I have the exact same problem as @Malyaj. @Malyaj, could you solve the problem? @Carl, do you have any advice on how I can solve the problem? Thanks in advance. Edit: something that I forgot. In the web interface everything works fine. Only in the Workspace app does the request for username/password come without a token. I have done everything according to the instructions from Carl (https://www.carlstalhood.com/native-one-time-passwords-otp-citrix-gateway-13/).
IT Dept1709151254, Posted March 3, 2022
We get exactly the same issue here with the Windows Workspace app while running a POC. The initial connection to the NetScaler Virtual Server address results in Username, Password and Password2 boxes (with the AD password required in the second box). Setup works fine and logs in with the MFA code. It correctly fails if the code is wrong or approval is denied. Any subsequent logins using that setup only ever prompt with Username and Password and log straight in, even after completely closing the app and/or rebooting the machine. Oddly, on an iOS device using the Workspace app, it works as expected, requesting the MFA code each time. Again, AD password in the second box and MFA code in the first. Web works perfectly every time, and all the policy bindings and the credential index for the Receiver/Workspace session policies have been completed as per Carl's article, including enabling 'Domain and token' on our StoreFronts' Gateway setup. Argh!
IT Dept1709151254, Posted March 4, 2022
So, I've found the issue after a bit of rummaging around. In our test environment we have one regular Virtual Server for regular username/password access. We now have the additional Virtual Server for username/password/token. They both point to the same StoreFront/Store. This got me thinking. We obviously had to populate a new NetScaler Gateway in the list on our StoreFront/Store so that it would authorise the new external inbound connections as well as the existing ones. To save any potential risk to existing test users who were not part of the MFA pilot, we set the old/original NetScaler as the 'default' NetScaler in the StoreFront setup. Next, I went into the Workspace advanced settings and, hey presto, saw that the standard option is to connect via the 'Default' gateway, which in our case was the non-MFA gateway. This explains why, when initially setting up the connection via the MFA gateway address, it worked perfectly for the first attempt. Any further login attempts only required username/password because the Workspace app is reverting back to the 'default' gateway, which in our case is the non-MFA gateway. Manually setting the gateway in Workspace to the MFA version sees it work perfectly every time. When we go live this won't be an issue, as we'll revert back to a single gateway, but it will make our pilot a bit trickier. One way to work around this would be to set up a completely new Store on the existing StoreFronts (or even new StoreFront groups, if you're that way inclined), have your new Virtual Server point to this new store with only the one gateway configured, and leave your original one alone. It's a lot more effort and documentation to complete, though, so we're going to muddle through. Hope this helps someone!
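The two fixes in this thread (Carl's "Domain + Token" setting on the Gateway object, and the default-gateway fallback in the last post) are both visible from the StoreFront side. The script below is an added diagnostic, not code from the thread or from Citrix, that uses the StoreFront PowerShell SDK to list, per store, every registered gateway together with its configured logon method, and to flag a store that mixes MFA and non-MFA gateways, since a Workspace client falling back to the default gateway then gets the weaker prompt. The cmdlet names (`Get-STFStoreService`, `Get-STFStoreRegisteredGateway`, `Get-STFRoamingGateway`) are from the SDK; the property names `Name`, `Logon` and `VirtualPath`, and the enum value `DomainAndRSA` as the SDK's name for "Domain and security token", are assumptions that should be checked against `Get-STFRoamingGateway | Format-List *` on your own version before relying on the output.

```powershell
# Added example (not from the thread): audit StoreFront gateway logon methods per store.
# Run on a StoreFront server in an elevated PowerShell session.
# Assumptions: Citrix.StoreFront SDK is installed; gateway objects expose 'Name' and
# 'Logon'; "Domain and security token" is reported as 'DomainAndRSA'.
Import-Module Citrix.StoreFront -ErrorAction Stop

$RequiredLogon = 'DomainAndRSA'   # assumed SDK name for "Domain + Token"

# Map gateway name -> configured logon method for every roaming gateway.
$logonByGateway = @{}
foreach ($gw in Get-STFRoamingGateway) {
    $logonByGateway[$gw.Name] = "$($gw.Logon)"
}

$findings = @()
foreach ($store in Get-STFStoreService) {
    $registered = @(Get-STFStoreRegisteredGateway -StoreService $store)
    $logons = @()
    foreach ($gw in $registered) {
        $logon = $logonByGateway[$gw.Name]
        $logons += $logon
        $status = if ($logon -eq $RequiredLogon) { 'OK' } else { 'REVIEW' }
        Write-Host ("{0,-8} store={1,-20} gateway={2,-30} logon={3}" -f `
            $status, $store.VirtualPath, $gw.Name, $logon)
    }

    # A store with more than one registered gateway and differing logon methods is the
    # situation in the last post: the client can silently pick the weaker one.
    if ($registered.Count -gt 1 -and ($logons | Select-Object -Unique).Count -gt 1) {
        $findings += "Store $($store.VirtualPath): mixed logon methods " +
                     "($($logons -join ', ')); check which gateway is the default."
    }
    # A store whose only gateway is not Domain + Token reproduces Sascha's symptom.
    if ($registered.Count -eq 1 -and $logons[0] -ne $RequiredLogon) {
        $findings += "Store $($store.VirtualPath): gateway $($registered[0].Name) " +
                     "is '$($logons[0])', not '$RequiredLogon'."
    }
}

Write-Host ""
if ($findings.Count -eq 0) {
    Write-Host "No gateway logon-method issues found."
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

Any `REVIEW` line or `FINDING` is worth reconciling against the StoreFront console before testing the Workspace app again; the web UI passing every time, as several posters note, says nothing about which gateway the native client ends up using.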