Microsoft Azure MFA Server in Citrix ADC Version 12

Microsoft Azure MFA Server in Citrix ADC Version 12

Update:

As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

https://www.microsoft.com/en-us/download/details.aspx?id=55849

During one of my current projects, I launched a PoC for two-factor authentication based on Microsoft Azure MFA. Azure multi-factor authentication requires users to verify and confirm their signups using a mobile app, phone call, or text message. You can use it with Azure AD or the local AD.

It is important that all my information has the status of March 2019 and because it is the cloud, quite quickly become obsolete again.

Microsoft Azure MFA Server in Citrix ADC Version 12

Multi-Factor Authentication

The safety of the two-stage check is at level approach. The multiple authentication factors poses a major challenge for attackers. Even if an attacker can find out the user’s password, this is useless unless he or she is also proficient in the additional authentication method. This works by requesting at least two of the following authentication methods:

  • Something you know (usually a password)
  • Something you have (a familiar device that can not be easily duplicated, like a phone)
  • Something that you are (biometrically)

Microsoft Azure MFA

There are three ways to use Microsoft Azure Multi-Factor Authentication:

Multi-factor authentication for Office 365 / Microsoft 365 Business

This version works exclusively with Office 365 applications and is managed through the Office 365 or Microsoft 365 Portal. Administrators can back up their Office 365 resources with two-step verification. This release is part of an Office 365 or Microsoft 365 Business subscription.

Multi-Factor Authentication for Azure AD administrators

Users assigned to the Global Administrator for Azure AD tenant role can enable two-step verification with no additional cost.

Azure Multi-Factor Authentication

Azure Multi-Factor Authentication is often referred as the full version and offers the widest range of features of all MFA versions. Additional configuration options are available through the Azure Portal. It also provides advanced reporting capabilities and supports a variety of local applications and cloud applications. Azure Multi-Factor Authentication is a feature of Azure Active Directory Premium and can be deployed in the cloud or locally.

Microsoft Azure MFA Local or Cloud?

To determine the correct MFA version, you must first answer the question of where your organization’s users are to be secured using the additional authentication step.

User Location

Azure Active Directory

Azure AD & Local AD connected via AD FS

Cloud / Local MFA

Cloud

Cloud / Local

Azure AD & Local AD connected through Azure AD Connect (without password hash or passthrough authentication)

Cloud / Local

Azure AD & Local AD connected through Azure AD Connect (with password hash or passthrough authentication)

Cloud

Local Active Directory

Local

And what features of the MFA server you need.

Feature

Notification in the mobile app as a second level

Cloud / Local MFA

Cloud / Local

Verification code in the mobile app as a second level

Cloud / Local

Phone call as a second level

Cloud / Local

Unidirectional SMS as a second level

Cloud / Local

Hardware Token as a second level

Cloud (Public preview) / Local

App passwords for Office 365 clients that do not support MFA

Cloud

Administrative control over authentication methods

Cloud / Local

PIN mode

Local

Fraud Warning

Cloud / Local

MFA-Reports

Cloud / Local

Once bypass

Local

Custom greetings for phone calls

Cloud / Local

Custom caller ID for phone calls

Cloud / Local

Trusted IP addresses

Cloud / Local

Store the MFA for trusted devices

Cloud

Conditional access

Cloud / Local

Cache

Local

Sequence of a Microsoft Azure MFA Authentication

  1. The user calls the Unified Gateway page via URL (e.g., https://citrix.deyda.net) & enters his credentials (username & password)
  2. The credentials are forwarded to the local MFA server via the Citrix ADC (RADIUS Request)
  3. The MFA server passes the credentials to the Active Directory Controller (AD Proxy)
  4. After successful verification, a confirmation is sent to the MFA server
  5. The MFA server requests the second factor from the cloud via the multi-factor authentication service (Azure MFA Service)
  6. Push notification with the preferred method (MFA app, call or SMS) to the mobile phone
  7. Confirmation of the second factor on the mobile device
  8. The Azure MFA Service hands over the acknowledgment of the second factor to the local MFA server
  9. The local MFA server passes the acknowledgment to the Citrix ADC (RADIUS Response)
  10. The user is authenticated and gets access to the resources
MFA Auth Ablauf

Set up MFA server as a second factor

In my guide, I assume a two-factor authentication in the Unified Gateway. The Citrix ADC (formerly NetScaler) version 12 uses the local MFA server for this purpose.

Requirements

I assume the following things and do not go into detail about them:

  • Citrix ADC with successful base configuration
  • Internal and external DNS entries for Unified Gateway vServer (e.g., citrix.deyda.net)
  • Certificates for the DNS entry
  • Configured Unified Gateway vServer
  • Existing Azure subscription with base configuration
  • Enabled Azure Active Directory Premium License
  • Firewall rule for phonefactor.com on port 443
  • Installed Authenticator App on Test User Mobile Phone

Azure Portal

First, we sign in to the Azure Portal (https://portal.azure.com) to download the required installers for the MFA server and generate the activation credentials.

Azure Portal MFA Servereinstellungen
  • In the Azure Portal Navigation Panel click on Azure Active Directory > MFA > Server Settings
  • Under MFA Server download click on Download to get the MFA Installer
  • At point 2. press Generate to get the later required activation credentials
  • Open Notepad and save the e-mail address as well as the password there between
Multi-Faktor Authentication Server Settings

MFA-Server

Now, switch to the internal server that will later serve as the MFA server to install and configure the required programs.

Multi-Factor Authentication Server
  • To do this, start the installer and simply click on Next and Finish
Multi-Factor Authentication Server Installation

It is possible that he still wants to install several programs (Microsoft Visual C ++ 2017 Redistributable etc.).

  • When there are requests to install more programs, confirm them
Multi-Factor Authentication Server Installation Process

Once all required programs have been installed, we can activate the software using the credential previously noted on the Azure portal.

Local MFA Server Activation Process
  • Start the Multi-Factor Authentication-Server Software
  • Copy E-Mail address and Password from Notepad and press Activate
Multi-Factor Authentication Server Activation
  • In the following window enter a name under New group and confirm with OK
MFA Server Group
  • In the main windows, click Tools > Authentication Configuration Wizard
Authentication Configuration Wizard
  • Under Select Applications select RADIUS
Authentication Configuration Wizard RADIUS
  • In the window RADIUS Authentication you configure the following
    • RADIUS client IP (Enter the NSIP of the Citrix ADC)
    • Shared secret (enter your own code & note, e.g. 19122011)
    • Confirm shared secret (Enter the code again)
    • Authentication port(s) (1645, 1812)
Authentication Configuration Wizard RADIUS Authentication
  • Under RADIUS Target select Windows domain and confirms the remaining windows with Next and Finish
Authentication Configuration Wizard RADIUS Target

Now you see the configuration under the menu item RADIUS Authentication

RADIUS Authentication
  • Click in RADIUS Authentication on the previously created client and then on Edit
  • Enter the following in the Edit RADIUS Client window
    • Application name (Name for client, e.g. NSIP)
    • Require Multi-Factor Authentication user match (select)
Edit RADIUS Client

Now configure the connection to your Active Directory environment under Directory Integration.

Directory Integration
  • Click on the menu item Directory Integration
  • In the Settings tab select Use specific LDAP configuration & Use attribute scope queries
  • Now click Edit to edit the LDAP configuration
  • In the following window Edit LDAP Configuration enter the following
    • Server (IP of the AD server)
    • Base DN (OU of your user accounts)
    • Bind type (both windows)
    • Bind username (FQDN of an administrative account)
    • Bind password (Password of the administrative account)
Edit LDAP Configuration
  • With the button Test you can check your configuration and then save it via OK
LDAP connection successful
  • Click on the tab Synchronization
  • To enable the automatic synchronization of the users select the option Enable synchronization with LDAP
Directory Integration Synchronization

Company Settings allows you to configure the global settings (e.g., type of MFA) for the users.

  • Click on the menu item Company Settings
  • In the General tab, under User Defaults, select the MFA type (Phone Call, SMS, Mobile App or OATH token) and the language
Company Settings
  • Click on the tab User Resolution
  • Select the Use LDAP unique identifier attribute for matching usernames option
Company Settings User Resolution

Now you can check the interaction of the MFA server with the Active Directory environment and the user end device. To do this, check the settings (mobile phone number) via the menu item Users and activate the mobile apps of the indivdual users.

In this context, it is important not to enable the MFA for the sync user (e.g. manuel@deyda.local).

  • Click on the Users tab
  • If no users are visible, click Import from LDAP
Import from LDAP
  • Select the user and click Edit
    • Activates the user about the point Enabled
    • Configured for Phone Call or SMS
      • Country code (The country code, e.g. +49)
      • Phone (Your Phone Number)
      • Phone call or Text message (Select)
    • Configuration for using the mobile app
      • Mobile app (Select)
Users Edit
  • Click on the tab Mobile App Devices to register the app
  • Generate Activation Code generates an code for the Authenticator App
Mobile app devices

Configuration & Activation on the test user mobile device.

  • Open the Authenticator app on your device
  • Click on the + symbol to add another account
  • Select Business or School Account in the Accounts window
Authenticator App
  • In the following menu item Scan QR code click on Or enter code manually
QR-Code scannen
  • In the Add Account window, enter the activation data from the MFA server
Konto hinzufügen

Now you can do a test login with the Authenticator app.

  • In the menu item Users, select your test user and click on Test
Users Test
  • In the following window, enter the password of the test user and click Test
Test User
  • Now confirm the query on the test user phone with Approve
Authenticator Pop Up
Authenticator Request
  • The MFA server software will then give you a Successful message
Authentication successful

Citrix ADC

Now the Citrix ADC can be set up for multi-factor authentication. To do this, a RADIUS server is created and bound to the existing Unified Gateway vServer.

System Authentication RADIUS
  • In the Citrix ADC Navigation Panel, click System > Authentication > RADIUS
  • Click on the Servers tab and create a new Authentication Server via Add
    • Name (e.g. radius_mfa_server)
    • IP Address (IP of the MFA server)
    • Port (1812)
    • Secret Key (Shared Secret from MFA server, e.g. 191211)
    • Confirm Secret Key (Shared Secret)
Create Authentication RADIUS Server
  • Click Test Connection to check the data entered and the connection to the MFA server
Test RADIUS Connection
  • Click on More to configure the further options
    • Time-out (Set this to 120 seconds for Phone Calls or SMS)
    • Password Encoding (pap)
    • Accounting (OFF)
    • Authentication Server Retry (3)
    • Authentication (Select)
  • Save the configuration with Create
Authentication RADIUS Server
  • Click on the Policy tab and click Add to create a new RADIUS policy
    • Name (e.g. radius_mfa_pol)
    • Server (previously created RADIUS server, e.g. radius_mfa_server)
    • Expression (ns_true)
  • Click Create to save the configuration
Authentication RADIUS Policy
  • Now select the previously configured Unified Gateway vServer
  • Under Basic Authentication click on the + symbol
Bind RADIUS Policy an vServer
  • Under Choose Type configures the following
    • Choose Policy (RADIUS)
    • Choose Type (Primary)
  • Confirm the entry with Continue
Basic Authentication Choose Type
  • In the following window under Select Policy, select the previously created RADIUS Policy (radius_mfa_pol)
  • Confirms the entry with Bind
Basic Authentication bind RADIUS Policy

After saving the change, you can log in to the gateway and receive a message on the mobile device (mobile app, call or SMS) after entering the credentials.

Citrix Gateway RADIUS Auth

Leave a Reply

Your email address will not be published. Required fields are marked *

I consent to having this website store my submitted information so they can respond to my inquiry.