To complete my previous article, I also implemented and tested the Microsoft Azure MFA Cloud Service directly in my test lab. In this post I go straight to the to-dos for the implementation. For more information on MFA and the differences between the local and the cloud variant, please read my previous post.
Note that all of this information reflects the state of March 2019; since this is a cloud service, it will be outdated again soon.
Sequence of a Microsoft Azure MFA Cloud Authentication
- The user opens the Unified Gateway page via its URL (e.g. https://citrix.deyda.net) and enters username and password
- The Citrix ADC forwards the credentials to the internal NPS (Network Policy Server) as a RADIUS Access-Request
- The NPS validates the credentials against the Active Directory domain controller
- After successful validation, the domain controller confirms the first factor to the NPS
- The NPS requests the second factor from the Azure Multi-Factor Authentication Service through the NPS Extension for Azure MFA
- The Azure MFA service contacts the user's phone via the preferred method (push notification to the Authenticator app, phone call or SMS)
- The user confirms the second factor on the mobile device
- The Azure MFA service returns the result of the second factor to the NPS via the NPS extension
- The NPS sends the result to the Citrix ADC as a RADIUS Access-Accept (or Access-Reject)
- The user is authenticated and gets access to the resources
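The RADIUS leg of this sequence (the request from the ADC to the NPS and the reply that comes back), as an added example that is not part of the original post: a minimal PowerShell RADIUS client that sends one PAP Access-Request to the NPS, waits for the reply as long as the ADC would, and validates the Response Authenticator the way every RADIUS client must. It makes visible what the shared secret does (it masks the password in PAP and authenticates the reply), which is why the value chosen later for the NPS and the ADC must be long and random. The lab values (NPS 10.0.0.8, NAS-Identifier MFA, user name and password) are hypothetical. The NPS policies in this post allow MS-CHAP v2 only, so to run this against them you would also have to allow PAP in the connection request and network policy, and the sending host must be registered as a RADIUS client on the NPS (otherwise NPS silently discards the request).

```powershell
# Added example, not code from the original post. Minimal RADIUS/PAP client (RFC 2865).
# Hypothetical lab values: NPS 10.0.0.8:1812, NAS-Identifier "MFA".

function Get-Md5Hash {
    param([byte[]]$Data)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($Data) } finally { $md5.Dispose() }
}

function New-RadiusAttribute {
    # RFC 2865 attribute: Type (1 byte) | Length (1 byte, header included) | Value
    param([byte]$Type, [byte[]]$Value)
    return [byte[]]@($Type, [byte]($Value.Length + 2)) + $Value
}

function Protect-PapPassword {
    # RFC 2865 5.2: NUL-pad the password to 16-byte blocks p(i) and compute
    # c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator.
    # Anyone holding the secret and a captured packet can invert this, so the
    # secret is the only thing standing between a sniffer and the password.
    param([byte[]]$Secret, [byte[]]$Authenticator, [string]$Password)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $padded = New-Object byte[] ([math]::Ceiling([math]::Max($plain.Length, 1) / 16) * 16)
    [Array]::Copy($plain, $padded, $plain.Length)
    $cipher = New-Object byte[] $padded.Length
    $prev = $Authenticator
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $mask = Get-Md5Hash ([byte[]]($Secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $cipher[$i + $j] = $padded[$i + $j] -bxor $mask[$j] }
        $prev = [byte[]]$cipher[$i..($i + 15)]
    }
    return $cipher
}

function Test-RadiusAccessRequest {
    param(
        [string]$Server, [string]$Secret, [string]$UserName, [string]$Password,
        [int]$Port = 1812, [string]$NasId = 'MFA', [int]$TimeoutSeconds = 120
    )
    $secretBytes = [System.Text.Encoding]::ASCII.GetBytes($Secret)
    $requestAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($requestAuth)
    $id = Get-Random -Minimum 0 -Maximum 256

    [byte[]]$attrs = @()
    $attrs += New-RadiusAttribute 1  ([System.Text.Encoding]::UTF8.GetBytes($UserName))          # User-Name
    $attrs += New-RadiusAttribute 2  (Protect-PapPassword $secretBytes $requestAuth $Password)   # User-Password
    $attrs += New-RadiusAttribute 32 ([System.Text.Encoding]::ASCII.GetBytes($NasId))            # NAS-Identifier (NPS policy condition)
    $length = 20 + $attrs.Length
    # Code 1 = Access-Request | Identifier | Length (big-endian) | Request Authenticator | attributes
    [byte[]]$packet = @(1, $id, ($length -shr 8), ($length -band 0xFF)) + $requestAuth + $attrs

    $udp = New-Object System.Net.Sockets.UdpClient
    # The reply only arrives after the user answered the push/call, so wait as long as the ADC would.
    $udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000
    try {
        [void]$udp.Send($packet, $packet.Length, $Server, $Port)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        [byte[]]$reply = $udp.Receive([ref]$remote)
    } finally { $udp.Close() }

    if ($reply.Length -lt 20 -or $reply[1] -ne $id) { throw 'Reply is malformed or its Identifier does not match the request' }
    # Response Authenticator = MD5(Code | ID | Length | Request Authenticator | reply attributes | secret).
    # A reply failing this check was built with a different secret or did not come from the NPS.
    [byte[]]$replyAttrs = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected = Get-Md5Hash ([byte[]]($reply[0..3] + $requestAuth + $replyAttrs + $secretBytes))
    if ([BitConverter]::ToString($expected) -ne [BitConverter]::ToString([byte[]]$reply[4..19])) {
        throw 'Response Authenticator mismatch: shared secret differs or the reply was spoofed'
    }
    switch ($reply[0]) { 2 { 'Access-Accept' } 3 { 'Access-Reject' } 11 { 'Access-Challenge' } default { "Unknown code $($reply[0])" } }
}

# Usage with hypothetical lab values (the user gets the MFA prompt while this call waits):
# Test-RadiusAccessRequest -Server 10.0.0.8 -Secret 'the NPS shared secret' -UserName 'deyda\testuser' -Password 'Pa55w0rd!'
```

If the call times out rather than returning Access-Reject, check first that the sending IP is a RADIUS client on the NPS and that the NPS timeouts are long enough for the second factor; a wrong shared secret shows up as a Response Authenticator mismatch, not as a reject.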
Set up MFA cloud service as a second factor
In my guide, I assume two-factor authentication on the Unified Gateway. Citrix ADC (formerly NetScaler) version 12 uses the Cloud MFA service as the second factor for this purpose.
Requirements
I assume the following things and do not go into detail about them:
- Citrix ADC with successful base configuration
- Internal and external DNS entries for Unified Gateway vServer (e.g., citrix.deyda.net)
- Certificates for the DNS entry
- Configured Unified Gateway vServer
- Existing Azure subscription with base configuration
- Enabled Azure Active Directory Premium License
- Microsoft Authenticator app installed on the test user's mobile phone
Microsoft/Office 365 Admin Center
First, sign in to the Office 365 portal (https://portal.office.com) with an administrative account and click Admin to open the Admin Center.
- In the Admin Center navigation pane, click Users > Active Users
- In the following view, click the user to be configured
- In the user's pane, click Manage multi-factor authentication
- In the new window, select the user to be configured again
- Under quick steps, click Enable to enable the user for MFA
- In the following dialog, click enable multi-factor auth
Network Policy Server
Now switch to the internal server that will later act as the Network Policy Server, to install and configure the required role and programs.
- To do this, start Server Manager and click Add roles and features
- In the following windows, click through to the selection of server roles, select the role Network Policy and Access Services and click Next
- In the following window, click Add Features and start the installation via Install
Now download the NPS Extension for Azure MFA, install it on this server and configure it for the local environment.
- Download the NPS Extension for Azure MFA from Microsoft
- After the download, start the installer and click Install
- Now open a PowerShell session as administrator
- Change to the directory C:\Program Files\Microsoft\AzureMfa\Config and run the following script:

```powershell
.\AzureMfaNpsExtnConfigSetup.ps1
```

- Then sign in with your administrative Office 365 / Azure account when the script prompts for it
For the next step we need the directory (tenant) ID of the Azure AD. Keep the PowerShell window open.
- Sign in to portal.azure.com and navigate to Azure Active Directory > Properties
- Copy the ID shown under Directory ID
- Paste the Directory ID into the open PowerShell window and confirm with Enter
The script does the following:
- Creates a self-signed certificate
- Associates the public key of the certificate with the service principal in Azure AD
- Stores the certificate in the certificate store of the local machine
- Grants access to the certificate's private key to Network User
- Restarts the NPS service
The certificate is valid for two years; to renew it, run the script again on the same server.
Now the local Network Policy Server can be configured.
- Start the Network Policy Server console (e.g. via Server Manager > Tools > Network Policy Server)
- Right-click RADIUS Clients and select New
- Here you configure the communication with the Citrix ADC as follows:
- Enable this RADIUS client (Selected)
- Friendly name (e.g. CitrixADC-NSIP)
- Address (NSIP of the Citrix ADC, e.g. 10.0.0.7)
- Shared secret (Freely selectable, but must be saved, e.g. 191211; outside the lab use a long random value, because the shared secret is the only key that protects the RADIUS exchange between ADC and NPS)
- Confirm shared secret (Again, the previously selected, e.g. 191211)
- Confirm the entry with OK
- Now right-click Remote RADIUS Server Groups and click New
- In the following window, enter a name for your DC group (Group name) and click Add
- Here you configure the communication with the local AD as follows (the target must itself run NPS, since a plain domain controller does not answer RADIUS on port 1812):
- Server (FQDN or IP of the local DC)
- Click the tab Authentication/Accounting
- Authentication port (1812)
- Shared secret (the shared secret selected above, e.g. 191211)
- Confirm shared secret (as above, e.g. 191211)
- Now click the tab Load Balancing
- Number of seconds without response before request is considered dropped (Important, so that the user has enough time to confirm the second factor (MFA app, call or SMS), e.g. 60)
- Number of seconds between requests when server is identified as unavailable (Important as above, e.g. 60)
- Confirm the entry with OK
- Now right-click Policies > Connection Request Policies and select New
- In the following window you define the communication with the Citrix ADC
- Policy name (e.g. MFA Server Citrix ADC NSIP No Forward)
- Policy enabled (Selected)
- On the Conditions tab, click Add
- Client IPv4 Address (NSIP, e.g. 10.0.0.7)
- Now click the tab Settings and there the menu item Authentication Methods
- Override network policy authentication settings (Selected)
- Microsoft Encrypted Authentication version 2 (MS-CHAP v2) (Selected)
- Next select the menu item Authentication
- Authenticate requests on this server (Selected)
- Confirm the entry with OK
- Right-click Policies > Connection Request Policies again and select New
- In the following window you define
- Policy name (e.g. MFA Server Citrix ADC Request Forward)
- Policy enabled (Selected)
- On the Conditions tab, click Add
- NAS Identifier (Freely selectable, but must be saved, e.g. MFA)
- Now click the tab Settings and there the menu item Authentication Methods
- Override network policy authentication settings (Selected)
- Microsoft Encrypted Authentication version 2 (MS-CHAP v2) (Selected)
- Now right-click Policies > Network Policies and select New
- Policy name (e.g. NetScaler MFA)
- Policy enabled (Selected)
- Grant access (Selected)
- On the Conditions tab, click Add
- NAS Identifier (Freely selectable, but must be saved and the same as above, e.g. MFA)
- Now click the tab Constraints and there the menu item Authentication Methods
- Microsoft Encrypted Authentication version 2 (MS-CHAP v2) (Selected)
- Confirm the entry with OK
Note on the authentication method: with MS-CHAP v2 the NPS Extension for Azure MFA can deliver the second factor only as a push notification to the Authenticator app or as a phone call; SMS and verification codes typed by the user require PAP.
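The RADIUS client part of the configuration above, as an added PowerShell example that is not part of the original post: it registers the NSIP as a RADIUS client with a random shared secret instead of the 6-digit placeholder, pins the NPS extension to fail closed for users who have no MFA method yet, and checks the certificate the setup script created. The NPS cmdlets come with the Network Policy and Access Services role; REQUIRE_USER_MATCH is a documented NPS extension registry setting. The NSIP 10.0.0.7 and the tenant ID are placeholders. Connection request and network policies have no cmdlets, so those steps stay in the console.

```powershell
# Added example, not code from the original post.
# Hypothetical values: NSIP 10.0.0.7, tenant ID 00000000-0000-0000-0000-000000000000.
Import-Module NPS   # ships with the Network Policy and Access Services role

function New-RadiusSharedSecret {
    # 32 characters from a 62-symbol alphabet (about 190 bits). Bytes 248..255 are
    # discarded (rejection sampling) so every symbol is equally likely.
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Register-CitrixAdcRadiusClient {
    # Re-creates the RADIUS client entry for the NSIP so the function can be re-run.
    param([string]$Name = 'CitrixADC-NSIP', [string]$Address = '10.0.0.7',
          [Parameter(Mandatory)][string]$SharedSecret)
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }) { Remove-NpsRadiusClient -Name $Name }
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret | Out-Null
    return Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }
}

function Set-NpsExtensionFailClosed {
    # REQUIRE_USER_MATCH = TRUE: a user with no registered MFA method is rejected.
    # FALSE would let such users in with the password alone, i.e. no MFA for anyone
    # who has not enrolled yet.
    $key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    if (-not (Test-Path $key)) { throw 'NPS Extension for Azure MFA is not installed (registry key missing)' }
    Set-ItemProperty -Path $key -Name 'REQUIRE_USER_MATCH' -Value 'TRUE' -Type String
    Restart-Service -Name IAS   # IAS is the service name of Network Policy Server
    return (Get-ItemProperty -Path $key).REQUIRE_USER_MATCH
}

function Test-NpsExtensionCertificate {
    # AzureMfaNpsExtnConfigSetup.ps1 creates a self-signed certificate whose subject CN is
    # the tenant ID; it is valid for two years and is renewed by re-running the script.
    param([Parameter(Mandatory)][string]$TenantId)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$TenantId*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No NPS extension certificate for tenant $TenantId in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-run the setup script' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter); re-run the setup script" }
    return $cert
}

# The export contains every shared secret in clear text: keep the file protected.
Export-NpsConfiguration -Path "$env:ProgramData\nps-before-mfa.xml"
$secret = New-RadiusSharedSecret
Register-CitrixAdcRadiusClient -SharedSecret $secret | Format-List Name, Address
Set-NpsExtensionFailClosed
Test-NpsExtensionCertificate -TenantId '00000000-0000-0000-0000-000000000000' | Format-List Subject, NotAfter
"Enter this value as Secret Key on the Citrix ADC RADIUS server object: $secret"
```

The secret is printed once so it can be entered on the ADC; it is not stored anywhere else by the script, and the exported XML backup should be treated like a password file.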
Authentication App
We now sign in to Office 365 (https://portal.office.com) with the test user to set up the Authenticator app on the mobile device.
If the test user does not yet have a second factor configured, the following message appears. Start the configuration with Next.
- In the next window, select the type of the second factor (e.g. Mobile app)
- To simplify the configuration, select Receive notifications for verification and click Next
- In the following window, a QR code is displayed with which the Authenticator app can be configured
- Open the Authenticator app on your device
- Tap the + symbol to add another account
- Select Work or school account in the accounts window
- With the following menu item Scan QR code, scan the displayed QR code
- Now the test user is displayed in the account list
- In the browser, confirm the configuration of the MFA service with Next and Finish
Citrix ADC
Now the Citrix ADC can be set up for multi-factor authentication. To do this, a RADIUS server is created and bound to the existing Unified Gateway vServer.
- In the Citrix ADC navigation pane, click System > Authentication > RADIUS
- Click the Servers tab and create a new authentication server via Add
- Name (e.g. Local-NPS)
- IP Address (IP of the NPS)
- Port (1812)
- Secret Key (shared secret defined on the NPS, e.g. 191211)
- Confirm Secret Key (shared secret)
- Click Test Connection to check the entered data and the connection to the Network Policy Server
- Click More to configure the further options
- Time-out (set this to 120 seconds so that a phone call or SMS can complete; the default of 3 seconds gives up long before the user can answer)
- NAS ID (value configured on the NPS, e.g. MFA)
- Password Encoding (mschapv2, matching the authentication method allowed on the NPS)
- Accounting (OFF)
- Authentication Server Retry (3)
- Authentication (Selected)
- Save the configuration with Create
- Click the Policy tab and click Add to create a new RADIUS policy
- Name (e.g. radius_mfa_cloud_pol)
- Server (the previously created RADIUS server, e.g. Local-NPS)
- Expression (ns_true)
- Click Create to save the configuration
- Now select the previously configured Unified Gateway vServer
- Under Basic Authentication, click the + symbol
- Under Choose Type, configure the following
- Choose Policy (RADIUS)
- Choose Type (Primary)
- Confirm the entry with Continue
- In the following window, under Select Policy select the previously created RADIUS policy (radius_mfa_cloud_pol)
- Confirm the entry with Bind
After saving the change, you can log in to the gateway and, after entering the credentials, receive the second-factor prompt on the mobile device (mobile app, call or SMS).
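The same ADC objects created through the NITRO REST API, as an added example that is neither the post's nor Citrix's own code: it creates the RADIUS server and policy with the values from the steps above, binds the policy as primary authentication on the vServer, saves the configuration and reads the binding back. The NITRO resource names used (authenticationradiusaction, authenticationradiuspolicy, vpnvserver_authenticationradiuspolicy_binding, nsconfig) are assumed to match the ADC 12 API; the NSIP 10.0.0.7, NPS 10.0.0.8 and vServer name are placeholders, and the NSIP management certificate is assumed to be trusted by the admin workstation (on PowerShell 7 you could add -SkipCertificateCheck to Invoke-RestMethod instead).

```powershell
# Added example, not code from the original post. Hypothetical values throughout.
function Invoke-Nitro {
    param(
        [Parameter(Mandatory)][string]$Nsip,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Method,
        [Parameter(Mandatory)][string]$Resource,
        [hashtable]$Body
    )
    # NITRO takes the admin credentials in request headers; always use HTTPS to the NSIP.
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
    }
    $params = @{ Method = $Method; Uri = "https://$Nsip/nitro/v1/config/$Resource"; Headers = $headers }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5); $params.ContentType = 'application/json' }
    return Invoke-RestMethod @params
}

function Set-AdcRadiusMfa {
    param(
        [Parameter(Mandatory)][string]$Nsip,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$VserverName,
        [Parameter(Mandatory)][string]$NpsIp,
        [Parameter(Mandatory)][string]$SharedSecret
    )
    # RADIUS server: 120 s timeout so a call/SMS can complete, NAS-Id matching the NPS
    # policy condition, MS-CHAPv2 matching the method allowed on the NPS.
    Invoke-Nitro $Nsip $Credential POST authenticationradiusaction @{ authenticationradiusaction = @{
        name = 'Local-NPS'; serverip = $NpsIp; serverport = 1812; radkey = $SharedSecret
        authtimeout = 120; radnasid = 'MFA'; passencoding = 'mschapv2'; accounting = 'OFF'
        authservretry = 3; authentication = 'ON' } } | Out-Null
    # Policy that always applies (ns_true) and points at the server above
    Invoke-Nitro $Nsip $Credential POST authenticationradiuspolicy @{ authenticationradiuspolicy = @{
        name = 'radius_mfa_cloud_pol'; rule = 'ns_true'; reqaction = 'Local-NPS' } } | Out-Null
    # Bind as primary authentication on the Unified Gateway vServer (NITRO adds bindings with PUT)
    Invoke-Nitro $Nsip $Credential PUT vpnvserver_authenticationradiuspolicy_binding @{ vpnvserver_authenticationradiuspolicy_binding = @{
        name = $VserverName; policy = 'radius_mfa_cloud_pol'; priority = 100 } } | Out-Null
    # Persist the running configuration
    Invoke-Nitro $Nsip $Credential POST 'nsconfig?action=save' @{ nsconfig = @{} } | Out-Null
    # Read back what is now bound to the vServer
    return (Invoke-Nitro $Nsip $Credential GET "vpnvserver_authenticationradiuspolicy_binding/$VserverName").vpnvserver_authenticationradiuspolicy_binding
}

# Usage: prompt for the ADC admin account and for the NPS shared secret (masked input).
$adcCred = Get-Credential -Message 'Citrix ADC admin account'
$secret = (Get-Credential -UserName 'radius' -Message 'Shared secret configured on the NPS').GetNetworkCredential().Password
Set-AdcRadiusMfa -Nsip 10.0.0.7 -Credential $adcCred -VserverName 'UG_citrix.deyda.net' -NpsIp 10.0.0.8 -SharedSecret $secret |
    Format-Table policy, priority
```

Running it twice fails on the POST calls because the objects already exist; delete them first (DELETE on the same resources) or treat the 409 as "already there" in Invoke-Nitro if you want the script to be repeatable.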
Troubleshooting
To give users access to their MFA settings afterwards, pass on the following address:
https://aka.ms/mfasetup
There the user can edit existing settings (phone number, Authenticator app, etc.) or remove the link to configured Authenticator apps.