Microsoft Azure MFA Cloud Service in Citrix ADC Version 12

MFA Service Auth

To complete my previous article, I also directly implemented and tested Microsoft Azure MFA Cloud Service in my test lab. In this post I go straight to the ToDo’s for implementation. For more information on MFA and the differences between Local and Cloud, please read my previous post.

It is important that all my information has the status of March 2019 and since it is the cloud, it will soon be obsolete again.

Microsoft Azure MFA Cloud in Citrix ADC Version 12

Sequence of a Microsoft Azure MFA Cloud Authentication

  1. The user calls the Unified Gateway page via URL (e.g., https://citrix.deyda.net) & enters his credentials (username & password)
  2. The credentials are forwarded to the local NPS (Network Policy Server) via the Citrix ADC (RADIUS Request)
  3. The Network Policy Server passes the credentials to the Active Directory Controller (AD Proxy)
  4. After successful verification, a confirmation is sent to the NPS
  5. The NPS is requesting the second factor through the NPS Extension for Azure MFA in the Multi-Factor Authentication Service (Azure MFA Service)
  6. Via push notification, the second factor is transmitted to the mobile phone via the preferred method (MFA app, call or SMS)
  7. Confirmation of the second factor on the mobile device by the user
  8. The Azure MFA service passes the confirmation of the second factor via the NPS extension to the local NPS
  9. The local Network Policy Server passes the acknowledgment to the Citrix ADC (RADIUS Response)
  10. The user is authenticated and gets access to the resources
MFA Service Auth

Set up MFA cloud service as a second factor

In my guide, I assume a two-factor authentication in the Unified Gateway. The Citrix ADC (formerly NetScaler) version 12 uses the Cloud MFA service for this purpose.

Requirements

I assume the following things and do not go into detail about them:

  • Citrix ADC with successful base configuration
  • Internal and external DNS entries for Unified Gateway vServer (e.g., citrix.deyda.net)
  • Certificates for the DNS entry
  • Configured Unified Gateway vServer
  • Existing Azure subscription with base configuration
  • Enabled Azure Active Directory Premium License
  • Installed Authenticator App on Test User Mobile Phone
Microsoft Authenticator App

Microsoft/Office 365 Admin Center

First, we sign up with an administrative account in Office 365 Portal (https://portal.office.com) and click on Admin to get into the Admin Center.

Microsoft 365 admin center
  • In the Admin Center Navigation Panel, click Users> Active Users
  • In the following view, click on the user to be configured
Aktive Benutzer
  • Click Manage Multi-Level Authentication in the user’s pop-up menu
Mehrstufige Authentifizierung verwalten
  • In the new window, select and open the user to be configured again
  • Then use Quick Steps to Activate the user for MFA
quick steps
  • In the following window click on multi-factor auth activate
multi-factor auth aktivieren

Network Policy Server

Now, switch to the internal server that will later serve as Network Policy Server to install and configure the required role and programs.

  • To do this, start the Server-Manager and click on Add roles and features
Server-Manager Dashboard
  • In the following window click through to the selection of the server roles, there select the role Network Policy and Access Services and click on Next
Server Rollen Network Policy and Access Services
  • In the following window click on Add Features and start the installation via Install
Add features that are required for Network Policy and Access Services
Installation Progress

Now download the NPS Extension for Azure MFA and install / configure the local environment.

NPS Extension for Azure MFA
  • You go to the following link and download the NPS Extension for Azure MFA
  • After the download you start the installer and click on Install
NPS Extension for Azure MFA Installer
NPS Extension for Azure MFA
  • Now you open a PowerShell session as administrator
  • Navigate to the path C:\Program Files\Microsoft\AzureMfa\Config and start the following command
.\AzureMfaNpsExtnConfigSetup.ps1
  • Then you have to sign in with your administrative Office365 / Azure account
PowerShell Administrator Office365 Connect

For the next step we need the directory ID of the Azure AD. Please keep the PowerShell window open.

  • Log in to portal.azure.com and navigate to Azure Active Directory> Properties
  • Copies the displayed ID under Directory-ID
Azure Active Directory Verzeichnis-ID
  • The Directory-ID copies it into the open PowerShell window and confirms this with Enter
Starting AzureMFA NPS Extension Configuration Script Certificate

The script does the following things:

  • Creation of a self-signed certificate
  • Allocation of the public key of the certificate to the service principal in Azure AD
  • Store the certificate in the certificate store of the local machine
  • Grant access to the certificate’s private key to Network User
  • Restart NPS services

Now the local Network Policy Server can be configured.

Network Policy Server
  • Starts the Network Policy Server Console (e.g. via Server Manager > Tools > Network Policy Server)
  • Right-click on RADIUS Clients and select New
  • Here you configure the communication with the Citrix ADC as follows:
    • Enable this RADIUS client (Selected)
    • Friendly name (e.g. CitrixADC-NSIP)
    • Address (NSIP of the Citrix ADC, e.g. 10.0.0.7)
    • Shared secret (Freely selectable, but must be saved, e.g. 191211)
    • Confirm shared secret (Again, the previously selected, e.g. 191211)
  • Confirm entry with OK
New RADIUS Client
  • Now right-click Remote RADIUS Server and click New
  • In the following window, enter a name for your ADC group (Group name) and click Add
  • Here you configure the communication with the local AD as follows
    • Server (FQDN or IP of the local ADC)
Add RADIUS Server
  • Click on the tab Authentication/Accounting
    • Authentication port (1812)
    • Shared secret (Above selected Shared secret, e.g. 191211)
    • Confirm shared secret (as above, e.g. 191211)
Add RADIUS Server Authentication/Accounting
  • Now click on the tab Load Balancing
    • Number of seconds without response before request is considered dropped (Important to set this up, so that the user has enough time to confirm the second factor (MFA app, call or SMS), e.g. 60)
    • Number of seconds between requests when server is identified as unavailable (Important as above, e.g. 60)
  • Confirm the entry with OK
Add RADIUS Server Load Balancing
  • Now right-click Policies > Connection Request Policies and select New
  • In the following window you define the communication to the Citrix ADC
    • Policy name (e.g. MFA Server Citrix ADC NSIP No Forward)
    • Policy enabled (Selected)
Connection Request Policies Overview
  • Click on the tab Conditions on Add
    • Client IPv4 Address (NSIP, e.g. 10.0.0.7)
Connection Request Policies Conditions
  • Now click on the tab Settings and there on the menu item Authentication Methods
    • Override network policy authentication settings (Selected)
    • Microsoft Encrypted Authentication version 2 (Selected)
Connection Request Policies Settings Authentication Methods
  • Next select the menu item Authentication
    • Authentication requests on this server (Selected)
  • Confirm the entry with OK
Connection Request Policies Settings Authentication
  • Right click on Policies > Connection Request Policies again and select New
  • In the following window you define
    • Policy name (e.g. MFA Server Citrix ADC Request Forward)
    • Policy enabled (Selected)
Connection Request Policies Overview
  • Click the tab Conditions and on Add
    • NAS Identifier (Freely selectable, but must be saved, e.g. MFA)
Connection Request Policies Conditions
  • Now click on the tab Settings and there on the menu item Authentication Methods
    • Override network policy authentication settings (Selected)
    • Microsoft Encrypted Authentication version 2 (Selected)
Connection Request Policies Settings
  • Now right-click Policies > Network Policies and select New
    • Policy name (e.g. NetScaler MFA)
    • Policy enabled (Selected)
    • Grant access (Selected)
Connection Request Policies Overview
  • Click Add on the Conditions tab
    • NAS Identifier (Freely selectable, but must be saved and the same as above, e.g. MFA)
Connection Request Policies Conditions
  • Now click on the tab Constraints and there on the menu item Authentication Methods
    • Microsoft Encrypted Authentication version 2 (Selected)
  • Confirm the entry with OK
Connection Request Policies Constraints

Authentication App

We now log in to Office365 (https://portal.office.com) with our test user to configure the Authentication App on the mobile device.

Office365 Anmeldung

If the test user does not yet have a configured second factor, the following message appears. The configuration can be started with Next.

Office365 Anmeldung Weitere Informationen
  • In the next window, select the type of the Second Factor (e.g, Mobile App)
  • To simplify the configuration, you select to receive notifications for verification and click Next
Office365 Zusätzliche Sicherheitsüberprüfung
  • In the following window, a QR code is displayed, with which the Authentication App can be configured
  • Open the Authenticator app on your device
  • Click on the + symbol to add another account
  • Select Business or School Account in the Accounts window
Authenticator App
  • With the following menu item Scan QR code you can scan the existing QR Code
QR-Code scannen
  • Now the test user is displayed in the account list
Authenticator App
  • In the browser you can confirm the configuration of the MFA service with Next and Finish
Office 365 MFA

Citrix ADC

Now the Citrix ADC can be set up for multi-factor authentication. To do this, a RADIUS server is created and bound to the existing Unified Gateway vServer.

System Authentication RADIUS
  • In the Citrix ADC Navigation Panel, click System > Authentication > RADIUS
  • Click on the Servers tab and create a new Authentication Server via Add
    • Name (e.g. Local-NPS)
    • IP Address (IP of the NPS)
    • Port (1812)
    • Secret Key (Shared Secret defined on the NPS, e.g. 191211)
    • Confirm Secret Key (Shared Secret)
Create RADIUS Authentication Server
  • Click Test Connection to check the data entered and the connection to the Network Policy Server
Test RADIUS Connection
  • Click on More to configure the further options
    • Time-out (Set this to 120 seconds for Phone Call or SMS)
    • NAS ID (Configured value from NPS, e.g. MFA)
    • Password Encoding (mschapv2)
    • Accounting (OFF)
    • Authentication Server Retry (3)
    • Authentication (Selected)
  • Save the configuration with Create
Authentication RADIUS Server
  • Click on the Policy tab and click Add to create a new RADIUS policy
    • Name (e.g. radius_mfa_cloud_pol)
    • Server (previously created RADIUS server, e.g. Local-NPS)
    • Expression (ns_true)
  • Click Create to save the configuration
Authentication RADIUS Policy
  • Now select the previously configured Unified Gateway vServer
  • Under Basic Authentication click on the + symbol
Bind RADIUS Policy an vServer
  • Under Choose Type configures the following
    • Choose Policy (RADIUS)
    • Choose Type (Primary)
  • Confirm the entry with Continue
Basic Authentication Choose Type
  • In the following window under Select Policy, select the previously created RADIUS Policy (radius_mfa_cloud_pol)
  • Confirms the entry with Bind
Basic Authentication bind RADIUS Policy

After saving the change, you can log in to the gateway and receive a message on the mobile device (mobile app, call or SMS) after entering the credentials.

Citrix Gateway RADIUS Auth

Troubleshooting

To give the users access to his MFA settings afterwards, pass on the following address:

https://aka.ms/mfasetup

Here the user can edit his existing settings (phone number, Authenticator App, etc.) or delete the connection to configured Authenticator Apps.

aka.ms/MFAsetup

6 thoughts on “Microsoft Azure MFA Cloud Service in Citrix ADC Version 12”

  1. Hi,
    at first: Thanks for this creat articel. It helps aus very much to have the Service up and running very soon. Do you have any best practices for have to NPS Server (Failover) with Netscaler HA (active/passive)

    1. Simply deploy multiple instances of NPS in the environment with the same configuration (by exporting the configuration from the master and import to the others) and deploying a load balancer to front the multiple NPS instances.

  2. Hello,
    I made the configuration with a Citrix Unifed Gateway and it worked perfect. However I would like if it is possible that double authentication only works for users who access from external networks to those of the company?

Leave a Reply

Your email address will not be published. Required fields are marked *

I consent to having this website store my submitted information so they can respond to my inquiry.