Ronnie Hamilton, Principal Technical Consultant at DataSolutions, has provided an in-depth yet simple step-by-step guide showing how easy it is to enable 2FA (Two-Factor Authentication) when you are using Citrix Cloud as the control plane for your Citrix environment.

When using Citrix Gateway on premises, it was necessary to implement a third-party service to provide the second factor. With Gateway Service in Citrix Cloud, it is possible to use any OTP (One-Time Password) app to provide the second factor, making it a very compelling proposition for customers who already use Citrix Gateway Service or are making the decision to move to Citrix Cloud.

In this blog, I will provide an easy-to-follow, step-by-step procedure showing how easy it is to enable 2FA for your users. One thing to note, though, is that it is an all-or-nothing setting, i.e. we cannot say that some users need 2FA and others do not.

This will change in the not-too-distant future, as there is already a tech preview that gives us some control over which users are required to use 2FA to log in.

Step 1

You need to ensure you have enabled Citrix Gateway Service.

Step 2

Select “Workspace Configuration”.

Step 3

Select “Access”.

This will be the base URL that you use to connect to your Citrix Gateway Service. You can change the part of the base URL before cloud.com if the name has not already been taken.

Citrix have recognised that this is not acceptable to everyone, and companies prefer to use their own company brand in the URL. There is a tech preview out now that allows companies to use DNS to configure their own base URL and have it redirected to the original, allowing the branding required without the need for an on-premises ADC.

We then need to pick our method of authentication; there are several available, as can be seen in the screenshot below. In this example we are dealing with OTP authentication, and we will pick Active Directory + Token.

Step 4

Select “Authentication” and pick “Active Directory + Token”.

This is the critical piece and needs to be planned: once it is enabled, the next time a user wants to connect they must go through the on-boarding process to enable OTP access from a mobile app on their phone.

We can check it has been connected from Identity and Access Management.

Step 5

Select “Identity and Access Management”.

Step 6

Select “Authentication” and check “Active Directory + Token” is connected.

Now that this is all configured, it’s time to on-board a user.

Step 7

Open Workspace App or use the browser to connect to your gateway service URL.

As we don’t have the token yet, select “Don’t have a token?” as highlighted below.

Step 8

Enter your domain/username OR username@domain.

Select Next.

An email will then be sent to your account, so you need to ensure you have an email address associated with the user account. If not, you cannot complete the process. You cannot send it to another email address.

The email will have the authentication code needed to complete the next step.

Step 9

Enter the verification code from the email and your password.

Select “Next”.

It is at this point you need to have the OTP app on your phone as you will now be asked to scan the QR code to enable the token in your app for use.

Step 10

Open your authenticator app of choice; I’m using the Microsoft one in this example.

Select “Other (Google, Facebook, etc.)”.

Step 11

Scan the QR Code that appears on screen.

You now have your second factor ready to go, and you can rename it if you already have multiple other accounts connected.
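What the QR code in steps 9 to 11 actually hands to the authenticator app is a provisioning URI carrying a shared secret, and from then on the app and the server each compute the same short-lived code from that secret and the current time. The following Python is an added example, not code from the original post or from Citrix: it parses an otpauth URI, computes time-based one-time passwords as described in RFC 6238 (HMAC over the 30-second time counter, then dynamic truncation), and verifies a submitted code with a small clock-skew window. It assumes the Citrix Gateway Service token is a standard TOTP token of that kind; the sample URI, the label and the issuer name are constructed for illustration, and the RFC 6238 test secret is used so the output can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the way
# authenticator apps expect it in the "secret" parameter of an otpauth URI.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed sample of what a provisioning QR code decodes to (hypothetical label/issuer).
SAMPLE_URI = (
    "otpauth://totp/Citrix%20Workspace:alice%40example.com"
    f"?secret={RFC6238_SECRET_B32}&issuer=Citrix%20Workspace&digits=6&period=30"
)

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri):
    """Split an otpauth://totp/ URI into its parameters, applying the usual defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI is missing the secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": unquote(params["issuer"][0]) if "issuer" in params else None,
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """Compute the TOTP code for a given Unix time (RFC 6238 on top of RFC 4226)."""
    # Re-add any base32 padding the URI dropped before decoding the shared secret.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // period               # time step number T
    mac = hmac.new(key, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, candidate, unix_time, digits=6, period=30,
                algorithm="SHA1", window=1):
    """Accept a code for the current step or up to `window` steps either side.

    The comparison is constant-time so the check itself does not leak which
    digits matched. Real services additionally remember the last accepted step
    so a code cannot be replayed within the window; that is omitted here.
    """
    for step_offset in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + step_offset * period, digits, period, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def current_code_from_uri(uri, unix_time=None):
    """Convenience: what an authenticator app would display for this URI right now."""
    p = parse_otpauth_uri(uri)
    now = time.time() if unix_time is None else unix_time
    return totp(p["secret"], now, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    params = parse_otpauth_uri(SAMPLE_URI)
    print("enrolled:", params["label"], "issuer:", params["issuer"])
    # Matches the RFC 6238 SHA1 vector for T=59 (8 digits: 94287082).
    print("code at T=59 (8 digits):", totp(RFC6238_SECRET_B32, 59, digits=8))
    print("code now:", current_code_from_uri(SAMPLE_URI))
```

Two points worth noting for the on-boarding flow above. First, the secret inside the QR code is the whole security of the second factor: anyone who can photograph or intercept that screen in step 11 can generate the same codes, which is why enrolment should happen once, from the user's own device, and why the page's email verification gate in steps 8 and 9 matters. Second, the skew window in `verify_totp` is what lets a phone whose clock is a few seconds off still log in; keep it small, since every extra step roughly doubles the number of codes an attacker could guess against.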

So that’s 2FA using Citrix Gateway Service all set up and ready for your users, and you can sleep a little better knowing that at least you have secured the entry point into your workspace and provided a single identity for your users.

This can also be leveraged to enable SSO to various other Web applications from your Citrix Workspace.