
How to hide passcode field on Citrix Receiver when connecting to Netscaler Gateway



Hello Team,

In our infrastructure we have 2-factor authentication set up for external users, where LDAP is primary and MFA (RADIUS) is configured as the secondary method. External users log in to the first page with their AD credentials and, when verified, move to the next page, where they are prompted to enter an MFA code (sent to them in the form of a text/SMS). In the existing configuration for page 1, we have only two fields (username and password) showing, and the 3rd field is hidden using a rewrite policy/action. This is working perfectly fine from a browser's perspective. Now we have to apply the same solution for users who want to connect to the Gateway using the Receiver/Workspace app, but the issue is that during authentication they are seeing 3 fields on the first prompt (username, password and passcode). We would like to hide this passcode field here too so that they can move to the next page for MFA authentication. Any suggestions or advice would be highly appreciated. We are running NetScaler 12.1 with StoreFront 18.11.


Hi Jim, thanks for the reply. I just checked this article, but my query is: if I go with fix 2, do I need to create a new rewrite action/policy, or can I amend the existing one? We just have information about the action there, but details about its implementation are missing.

Also, are there any implications of updating the index.html file highlighted in fix 3, like reboots or connection drops? Actually, it's our prod setup, so I am a bit hesitant.


I am still researching this - really, trying to locate an example in an environment where I have access that closely resembles your specific scenario.

Could you provide your policy binding information for this (Primary and Secondary, priorities, and policies bound)?

Since this is something that seems fairly common, I was hoping someone else might have chimed in with how they are able to achieve this behavior.

Most of the sites I regularly work in or have access to all utilize MFA similar to DUO where once the first factor (LDAP) succeeds, users are either redirected to the DUO MFA screen where they choose their next factor method or are just automatically sent a push notification that needs to be acknowledged in order to proceed.

In some of those sites I noticed the same behavior you are asking about and it appears that they just don't advertise the option of using Receiver/Workspace externally to initiate connectivity into their environment from The Internet (making the problem not really a problem that needs addressed).


Hi Jim,

Thanks for your advice. I won't be able to share policy information due to security constraints, but I agree with you that configuring apps via Receiver for external users is not a commonly accepted term. Not sure if this is not as per best practice from Citrix, but if it can bring any challenges to users (browser or app based) then I have to highlight it to our client. Do you have any view on it?


After having a conversation with a colleague (and rereading the Citrix Support article I originally posted), I believe (and apparently didn't understand) that this behavior you are looking to achieve isn't supported/possible with Receiver through NetScaler Gateway.

Quote

Solution

This is a limitation, and you have to use RADIUS server and have authentication on RADIUS be done using Active Directory (LDAP).

That would explain why I have never encountered having Receiver connect through a NetScaler Gateway with MFA in the mix in the manner that you are seeking.


I believe that limitation is true for Workspace as well as Receiver.

The original article I posted is: https://support.citrix.com/article/CTX203775 - Dual Password Field wrongly shows in First Authentication Prompt when connecting to NetScaler Gateway using Receiver

The article doesn't explicitly name Workspace as being affected by this limitation, but since it is technically Citrix Receiver on the inside it would still be applicable.
