Instructions for using AuthLite to add two-factor security to Citrix through the Citrix Web Interface.
You can use the Citrix W.I.'s built-in ability to use 2 factor authentication, with AuthLite Split-mode users.Citrix will authenticate the username/password combo the same way you have it set currently, and then it will send the username and OTP over RADIUS to AuthLite for the second factor authentication.
You may either use the AuthLite RADIUS service, or the IAS/NPS plugin if you require the flexibility of using IAS/NPS for your RADIUS server.
Configuring to use IAS/NPS for RADIUS
On each DC you want to use for authenticating Citrix users:
- Install the Internet Authentication Service (called Network Policy Server on 2008 and higher)
- In AuthLite config, go to Service Configuration -> IAS/NPS plugin
- Enable IAS/NPS support on this server
- Apply changes
- Restart the AuthLite and IAS/NPS services to pick up those changes
- In the IAS or NPS configuration panel on this server, set up the Citrix WI as a RADIUS client
- Set the shared secret
- Set up a connection policy that will use PAP authentication
Citrix WI configuration
An overview of settings you need in the Citrix Web Interface site:
- Authentication method: explicit
- Authentication type: windows
- Credential format: Domain user name only
- Display your domain name pre-populated, for convenience of users
- Two-factor authentication
- Two-factor setting: RADIUS
- Define radius servers and ports to AuthLite DC's with their RADIUS service configured (see above)
- Make a text file (seriously) called "radius_secret.txt" containing only the shared secret text string you want to use for RADIUS.
- Put that text file in the Inetpub\Citrix\XenApp (or path to your W.I. site) \ conf folder.
- On the firewall between W.I. server and the DC's, you'll need to allow UDP 1812 so the RADIUS traffic can pass.
When you have all this done, loading the W.I. logon screen should display an additional field "passcode", into which the AuthLite OTP key can be tapped.