You can use the Citrix Web Interface's (W.I.) built-in two-factor authentication support with AuthLite users. The W.I. authenticates the username/password combination the same way you have it set up currently, and then sends the username and OTP over RADIUS to AuthLite for the second-factor authentication.

Configuring IAS/NPS for RADIUS

On each domain member server that you want to use for authenticating Citrix users:

  • Install IAS (Internet Authentication Service) or, on 2008 and higher, NPS (Network Policy Server)
  • In AuthLite config, go to Service Configuration -> IAS/NPS plugin
  • Enable IAS/NPS support on this server
  • Select "One factor PAP" and check the box to not require the domain name.
  • Apply changes
  • Restart the AuthLite service and the IAS/NPS service to pick up those changes, or restart the server.
  • In the IAS or NPS configuration panel on this server, set up the Citrix W.I. as a RADIUS client
  • Set the shared secret
  • Set up a connection policy that will use PAP authentication

Citrix W.I. configuration

An overview of settings you need in the Citrix Web Interface site:

  • Authentication method: explicit
  • Authentication type: windows
  • Credential format: Domain user name only
  • Display your domain name pre-populated, for users' convenience
  • Two-factor authentication
    • Two-factor setting: RADIUS
    • Define the RADIUS servers and ports: the AuthLite DCs with their IAS/NPS RADIUS service configured (see above)
  • Make a text file (seriously) called "radius_secret.txt" containing only the shared secret text string you want to use for RADIUS.
  • Put that text file in the conf folder of your W.I. site (e.g. Inetpub\Citrix\XenApp\conf).
  • On the firewall between the W.I. server and the DCs, allow UDP 1812 so the RADIUS traffic can pass.

When all this is done, the W.I. logon screen should display an additional "passcode" field, into which the AuthLite OTP can be entered.
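The RADIUS PAP exchange this setup relies on, as an added illustration in Python (not AuthLite's or Citrix's code): the W.I. side hides the OTP in a User-Password attribute under the shared secret from radius_secret.txt, and the IAS/NPS side recovers it with the same secret. The username, OTP, secret and Request Authenticator are constructed sample values.

```python
import hashlib
import struct

# RFC 2865: Access-Request code, attribute types, UDP port the firewall must allow
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, RADIUS_PORT = 1, 1, 2, 1812


def pap_password(secret, authenticator, data, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding (both directions). Each 16-byte block
    is XORed with MD5(secret + previous ciphertext block), the first block with
    the Request Authenticator. Nothing but the shared secret hides the OTP."""
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)  # pad plaintext to a 16-byte multiple
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result  # ciphertext feeds the next mask
    return bytes(out).rstrip(b"\x00") if decrypt else bytes(out)


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, authenticator, username, otp, ident=1):
    """Datagram the Web Interface sends for the second factor: bare username
    (domain name not required) plus the OTP carried as a PAP User-Password."""
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, pap_password(secret, authenticator, otp.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(secret, packet):
    """What IAS/NPS (and AuthLite behind it) recovers. The secret here must match
    the W.I.'s radius_secret.txt, otherwise the OTP decodes to garbage."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, fields, pos = packet[4:20], {"code": code, "id": ident}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            fields["username"] = value.decode()
        elif atype == USER_PASSWORD:
            fields["otp"] = pap_password(secret, authenticator, value, decrypt=True).decode()
        pos += alen
    return fields
```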