
Citrix ADC / Netscaler Azure MFA Authentication

In this article I would like to show you how to set up Azure MFA authentication on your Citrix ADC / Netscaler. This article is part of the series about the different authentication methods you can use on your Citrix ADC / Netscaler.

Azure MFA? How does it work?

With Azure MFA you have the option to use an additional second factor as an authentication method in addition to the standard authentication (user name + password). This lets you better protect access to data in the Microsoft Azure services and Microsoft Office 365.

Azure MFA therefore uses at least two of the following methods for authentication:

  • Something you know (usually a password)
  • Something you have (a smartphone or other device that cannot be easily copied)
  • Something you are (e.g. fingerprint or face recognition)

You can find more information in the following article, where MFA is described in more detail:
https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks

Versions and licensing of Azure MFA

I have picked out a KB article from Microsoft; there you can find a lot of information on how to license Azure MFA.

https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing

What are the requirements if you want to use Azure MFA?

Since we want to use Azure MFA on our Citrix ADC / Netscaler, there are some requirements that we have to fulfill first. I won’t go into all of them in detail; if you have any questions, feel free to send me a mail or contact me via LinkedIn or Twitter.

Requirements for Citrix ADC / Netscaler authentication with Azure MFA

  • Your Citrix ADC / Netscaler (I am currently using 12.1 55.18) should already be set up. Mine was previously configured for normal Active Directory authentication.
  • You should have configured a Netscaler Gateway or a Content Switch with an AAA server, including certificates, and the site should be reachable via an external connection.
  • A functioning Microsoft Azure tenant with basic configuration.
  • Azure Active Directory sync for the users from your Active Directory.
  • In your Azure tenant you should have Azure AD Premium P1 or P2; I use P2 for this article.
  • A mobile device, e.g. an iPhone with Microsoft Authenticator installed.
  • A server (I use Windows Server 2019) on which we can then install and configure our NPS server.

Configuration of the Network Policy Server (NPS)

Here is an overview of how authentication via the NPS server to Azure MFA works:

Authentication flow diagram

To set up my NPS server, I first need a Windows server (in my case Windows Server 2019), which I have integrated into the AD domain. Here I first install the server role “Network Policy and Access Server“.

Installation of the NPS Extension for Azure MFA

If the role for the NPS server has been successfully installed, the “NPS Extension for Azure” can now be installed. We need this extension so that our Network Policy Server can also communicate with Azure.

Here you can find the download link to the NPS Extension: https://aka.ms/npsmfa

Here you can find further documentation and instructions for the NPS Extension for Azure MFA: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-nps-extension

I am now installing the NPS Extension on our NPS server.

If you have installed the NPS Extension for Azure MFA, please restart the server.

Connecting the NPS Server with Azure Active Directory

In order to be able to authenticate users with Azure MFA, the NPS server must be connected to our Azure Active Directory. We will do this in the next step. This is done using the Powershell Script that comes with the installation of the NPS Extension.

Start the script under the following path with PowerShell (please set the ExecutionPolicy to “Unrestricted” beforehand and start PowerShell as administrator).

The Script is in the following path:

cd "C:\Program Files\Microsoft\AzureMfa\Config"

.\AzureMfaNpsExtnConfigSetup.ps1

The script does the following:

  • Create a self-signed certificate.
  • Associate the public key of the certificate to the service principal on Azure AD.
  • Store the cert in the local machine cert store.
  • Grant access to the certificate’s private key to Network User.

If you are asked whether you want to install the following components (NuGet Provider and the MSOnline module), please confirm with yes.

The following information is requested when the script runs:

  • Login (admin account) for your Azure Active Directory
  • Password for the admin account in Azure Active Directory
  • The Azure Tenant ID

To find the Tenant ID for your Azure Active Directory, you have to log in to the Azure Portal (https://portal.azure.com).
The Azure Tenant ID can be found as follows:

Here you can see what it looks like when the script is executed:

If the script has run successfully, your NPS server is now connected to Azure AD and we can configure the NPS server.
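Before going on to the NPS policies it is worth checking what the setup script left behind, because most problems reported with this setup (see the comments below) come down to leftover certificates, a missing private key, or NPS rejecting the primary authentication before the extension ever runs. The following check script is an example I have added for this article; it is not part of the original post or of Microsoft’s NPS Extension. It assumes the certificate subject contains your tenant ID and “Microsoft NPS Extension”, that the extension reads its settings from HKLM\SOFTWARE\Microsoft\AzureMfa, and that NPS auditing writes events 6272/6273 to the Security log.

```powershell
# Added health check for the NPS Extension setup (not from the article or from Microsoft).
# Run in an elevated PowerShell on the NPS server. Assumed paths/subjects are marked below.
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantId   # the Azure AD tenant ID you gave AzureMfaNpsExtnConfigSetup.ps1
)

# 1) Certificate: the setup script stores a self-signed cert in LocalMachine\My.
#    Assumption: its subject contains the tenant ID and "Microsoft NPS Extension".
#    Exactly one should exist; repeated script runs leave extra ones that confuse the extension.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($TenantId) -and
                   $_.Subject -match 'Microsoft NPS Extension' })
switch ($certs.Count) {
    0       { Write-Warning "No NPS Extension certificate for tenant $TenantId found; rerun the setup script." }
    1       { Write-Host "OK: exactly one NPS Extension certificate found." }
    default { Write-Warning "$($certs.Count) NPS Extension certificates found; keep the one registered in Azure AD and delete the rest." }
}
foreach ($c in $certs) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    Write-Host ("  {0}  expires {1:d} ({2})  private key present: {3}" -f $c.Thumbprint, $c.NotAfter, $state, $c.HasPrivateKey)
    # HasPrivateKey does not prove NETWORK SERVICE may read the key: verify that in
    # certlm.msc -> All Tasks -> Manage Private Keys if authentication fails.
}

# 2) REQUIRE_USER_MATCH: when not set (the default) users not enrolled for MFA are rejected.
#    Assumption: the extension's settings live under HKLM:\SOFTWARE\Microsoft\AzureMfa.
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -ErrorAction SilentlyContinue
if ($null -eq $reg) {
    Write-Warning "Registry key HKLM:\SOFTWARE\Microsoft\AzureMfa not found; is the extension installed?"
} else {
    $rum = $reg.REQUIRE_USER_MATCH
    if ($null -eq $rum) { Write-Host "REQUIRE_USER_MATCH not set (behaves as TRUE: only MFA-enrolled users can log in)." }
    else                { Write-Host "REQUIRE_USER_MATCH = $rum" }
}

# 3) Recent NPS rejects (Security log, event 6273). The extension only does the second factor
#    for requests NPS already accepted, so a reject here means the password/policy step failed.
$rejects = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $rejects) {
    Write-Host "No recent NPS reject events (ID 6273) found."
} else {
    Write-Host "Last NPS rejects (check the Reason against your Connection Request and Network Policies):"
    foreach ($e in $rejects) {
        $reason = ($e.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Reason:' } | Select-Object -First 1)
        Write-Host ("  {0:u}  {1}" -f $e.TimeCreated, ($reason -replace '^\s+', ''))
    }
}
```

Save it as a .ps1 and call it with -TenantId; if step 3 shows rejects with a reason about the policy or credentials while the extension log only says it is ignoring AccessReject requests, the fix is on the NPS policy side and not in Azure.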

Configuration Network Policy Server

Please start the NPS configuration console first.

Now we first create a RADIUS client. Since our Netscaler is the RADIUS client in this case, we enter it here. We also assign a shared key. You need this key on the Netscaler for the setup of the RADIUS server.

Create a new RADIUS client on the NPS server.

Create the Connection Request Policies

We now create 2 Connection Request Policies.

Netscaler Azure MFA – No Forward

Please create the policy as follows:

  • Policy – ENABLED
  • Type of network access server: unspecified
  • Condition: Client IPv4 Address = YOUR NETSCALER NSIP
  • Authentication: Local Computer
  • Authentication Method: MS-CHAP v2
  • Override Authentication: Enabled

Netscaler Azure MFA – Forward Request

Please create the policy as follows:

  • Policy – ENABLED
  • Type of network access server: unspecified
  • Condition: NAS Identifier: MFA
  • Authentication: Local Computer
  • Authentication Method: MS-CHAP v2
  • Override Authentication: Enabled

Create the Network Policy

Now we are going to create the Network Policy.

Netscaler Azure MFA (Network Policy)

Please create the Network Policy as follows:

Now that I have finished configuring the NPS server, I can perform the configuration on the Citrix Netscaler.

Configure the Citrix ADC / Citrix Netscaler

On my Citrix Netscaler I now create a RADIUS server for authentication. Please go to RADIUS in the Basic Policies.

Here I now create a server for the RADIUS authentication against my NPS server. Please do not forget the NAS ID: it must match the NAS Identifier (MFA) that I set further up in the “Forward Request” Connection Request Policy on the NPS server.

Now I create a RADIUS policy on the Citrix Netscaler.

Now I bind the RADIUS policy to the authentication server. For the authentication with Azure MFA I only use the RADIUS policy and bind it as the Primary Authentication Policy.

Activate Azure MFA for users

In order for the users to be able to use Azure MFA to authenticate themselves on the Citrix Netscaler, Azure MFA must still be activated. You can activate Azure MFA for all users, groups or for individual users. To enable multi-factor authentication for individual users, please go to the Azure Portal and select User Management in the Azure Active Directory. There click on the button “Multi-Factor Authentication”.

To enable MFA for a user you can select the user in the window for multi-factor authentication and choose “Enable”.

That’s all there is to it. Now the user can log in to the Office Portal and configure MFA.

You can find the Office Portal at: https://portal.office.com

After the user has successfully logged on to the portal, the following message appears:

This must be confirmed with “Next”. Now the user can choose whether to log in with the second factor by “passcode” or by “push notification”.

Use Passcode for a User

In the first example I select the passcode to log on to the Citrix Netscaler with Azure MFA. Here you will also find how to change this to push notification.

The passcode must then be confirmed.

The phone number is also queried.

If all inputs were successful, you will get another password that you can use in the apps where MFA does not work. This includes Outlook App, Apple Mail and partly Microsoft Office. The password is your “app-password”. Please save it in a safe place.

With “Done” you can complete the setup of your passcode.

Now we can test whether Azure MFA works on the Citrix ADC / Netscaler.

For this purpose I select my Netscaler website, which I have secured with the authentication server.

There I get a login with username and password. As username I use the UserPrincipalName, which is the same as my Azure AD login.

When I log in, I am asked to enter my passcode.

If all credentials are correct, I will be directed to the desired website.

Now we take a look at push notifications.

Use Push Notification for Users with Azure MFA

Next, I would like to show you how logging in with push works. Enter your username and password. When you click on “Log in”, the push notification appears in the Microsoft Authenticator app. Press Accept. Then you are logged in as desired.

Change the authentication method for a user

If you want to change the authentication method for a user, you can do so through the Office Portal: https://portal.office.com

Go to the settings under “My account”. There, go to “Security and Privacy” and select “Update your phone numbers used for account security” under “Additional security verification”.

Here you can then select the desired option.

Click “Save” and then “Check preferred option”.

You have to confirm the new method.

If everything works out, your method to authenticate is changed.

Troubleshooting Links

Here are some troubleshooting links that might help you in case of problems:

Frequently asked questions about Azure MFA:
https://docs.microsoft.com/azure/active-directory/authentication/multi-factor-authentication-faq

Troubleshooting PowerShell scripts for the NPS Extension for Azure MFA:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#troubleshooting

29 thoughts on “Citrix ADC / Netscaler Azure MFA Authentication”

  1. Martijn Kools

    Thanks for this, this worked like a charm!

    Only thing is when you logoff the second password field is visible again, any idea how to fix that?

    1. Hi Martijn,
      nice to hear. Thanks for your comment. Can you please check your web browser. I think you mean if you logoff from storefront server.
      Maybe there is a problem with the refresh of your browser. I checked it with Google Chrome, here the session is logged off normal and no field is showing up again.

      Tom

  2. Hi Tom,

    It is great article and exactly what I have been looking for. However I got one question. We don’t have Azure AD Premium plan but we have O365 E3 subscription which comes with MFA.

    Can I set up the same with O365’s MFA only?

    Thanks in advance,
    Netlynker

  3. RENATO GUIMARAES E SILVA

    Hi, great article. Is it possible in this configuration to use Radius as Secondary Authentication, with user AD as principal?

    1. Yes, you can. The question is for which use case. Normally you also can use UPN instead of SAMAccountName. You only have to delete the login domain in the session profile for SSO.

  4. Hi Thomas, great article.
    Is this the only way to implement this?
    On a Citrix article, they are referencing two other options (I might be misunderstanding the article) “Azure AD and Azure MFA” and “Azure AD pass-through authentication and Azure MFA” which seem to be modern versions as the method you reference doesn’t support the Azure AD conditional access policies.
    https://docs.citrix.com/en-us/advanced-concepts/implementation-guides/citrix-gateway-microsoft-azure.html

    1. Hi,
      normally you can use Azure MFA as I explained to authenticate with user and password; if the user is activated for MFA, you will get asked for push or code. It´s dynamic (user configuration).
      Azure AD pass through means: if you have a user which is not activated for MFA, normally the authentication is not permitted; with pass through, you can authenticate with the NPS Server, like a DC on Active Directory.

  5. Hi thomas

    We are facing a problem has already one week. no good yet.
    we did all the steps, but we have an error on the NPS server:

    “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User xxxxxx with response state AccessReject, ignoring request”

    At netscaler side, do we just need only primary authentication (Radius) even if we are using desktop (web) and mobile receiver? How about LDAP? We don't need it anymore?

    i´m very confused.

    Thanks a lot!

      1. Yes. It´s ok in Azure ad.

        yesterday we were able to connect at netscaler with just primary (Radius). Phone app request to approve and so on.
        I don't know why, but we had to set “Accept users without validating credentials” on Authentication at Connection Request Policy (Forward Request). Before setting this step, for some reason, Netscaler was saying “Wrong username or password”.
        But with this set, any typed password is accepted.

        Today we are going to try putting LDAP (primary) + Radius (Secondary) and add a Rewrite policy to hide the token field (netscaler).

        It seems NPS is not validating the LDAP windows credential from netscaler with just Radius on Primary Authentication.

        1. Hi Rodrigo,
          I think there is a problem with your NPS configuration. That normally should work. You only need a primary authentication for this scenario. Please check your certificates which are created during the setup of the MFA plugin. There should only be one (delete the others). Please also check the permissions on the private key of the certificate. If you need further assistance, feel free to reach me over the contact form on my website or via Twitter PN @thomaspreischl

          1. Hi I see the same problem. Looks like AD authentication does not work. When I check the accept users without validation it works. It can’t be a certificate problem otherwise the mfa would not work at that point. I am not sure how in the configuration AD authentication is triggered towards on prem AD. We don’t have our passwords synced to AAD but I’m not sure what that would have for impact on this. I would expect none.

          2. Hi, I have the same problem. I have to set “Accept users without validating credentials” to get it working. I see a reject in the audit log on the DC that the password is incorrect, but it's not, because when I do the above setting authentication works. It also works fine with LDAP as primary and Radius as secondary, but then I have a problem with my Workspace app wanting a second passcode.

          3. You only have to use NPS (MFA) as primary authentication. LDAP is not required and the setup is sending all requests to NPS. If you want to use LDAP, you have to configure nFactor.

  6. This work great for us too, thank you very much!

    My question is: is there a way to create an MFA exception for certain IP ranges? We’d like to exclude the internal network and partner network from MFA for user experience and license cost reasons. We have not figured out a way to successfully configure MFA bypass with this setup.

    1. Hi Tom,
      Thank you :).

      Yes, you can use nFactor to check your IP ranges and forward to NPS or not. I am working on a blog post about this scenario. Come back in the next weeks and you will get more information, or follow me on Twitter and you will also get the link to the post.

  7. Hi Thomas,

    Is there a way to whitelist a security group for authentication instead of accepting all accounts?

    1. Hi,
      you can use nFactor to check the security group first. After that you can choose the action for the group: block, forward to NPS with MFA or another 2nd factor.

      I hope this will help you, if not, we also can talk or you can mail me directly

  8. Hi Thomas,
    first of all I want to thank you for your easy to understand explanations.
    Unfortunately I have a problem for which I have not yet found a solution. I have a small group of users who are not MFA enabled yet. With MFA, the login as secondary authentication via the NPS server works without any problems. Users who do not yet have MFA cannot log in. In this case Microsoft suggests setting the registry entry REQUIRE_USER_MATCH on the NPS server to false so that users without MFA can also log in. However, this does not work. Do you have an idea what could be the reason for this?
    Thanks a lot

  9. Saleem AMBALATHVEETTIL THAZ

    This document is so helpful. We have installed the NPS server but MFA is not getting triggered. We have a specific use case where we want to bypass the MFA requirement for people who come from specific Internet IP address ranges. Do we have an option to configure it this way, as our NPS servers are placed in the domain?

  10. Why is AAA needed?

    Has this something to do with the two separate login screens? One for username & password and the second one for the MFA.

    Is your LDAP authentication also done via RADIUS?

  11. Hi Thomas,
    Thank you for your efforts, I have a scenario to integrate Azure MFA with Palo Alto Global Protect client, can I use the same procedures above, or may the configurations differ from vendor to vendor.

  12. Do you know if there is a way to change the messaging if the user is not registered yet? I get the 4001 message; I could change that, but that would change it for all 4001. I just want to send a message with a link to office.com to register if the user hasn’t registered yet.

    1. Hi Kevin, I would do the mail sending with Microsoft Flow. There you can check if MFA is already active for the user. You also can authenticate users which are not using a second factor (only password) with NPS.
