A user’s primary identity authorizes access to the Workspace. A username and password is not a strong authentication policy. Passwords are problematic. We know we need to provide multi-factor authentication. And within Citrix Workspace, the options continue to expand. So far, I’ve been able to demonstrate how to integrate the following with Citrix Workspace:
- Citrix Workspace Asking For Passcode Protection
- Citrix Workspace Password
- Citrix Workspace Asking For Passcode Password
- Citrix Workspace Asking For Passcode
It’s finally here! Full Windows SSO (single sign-on) with Windows virtual apps and virtual desktops through Citrix Workspace when using modern web authentication like Azure AD and modern access management like password-less phone sign-in with Microsoft Authenticator over the HDX remoting protocol! I know that’s a mouthful, so an easier way to say it: ultra-secure.
Using the policy created above, edit the setting Computer Configuration - Policies - Administrative Templates - Citrix - Components - Citrix Receiver - Local User Name and Password and enable Enable pass-through authentication.
When I’m connecting from WAN with Workspace App, the first time I need to create an account. I’m asked for login name, password, and after that a new field for SMS token is presented. Login works fine! When I then log off Citrix Workspace, or reboot my laptop and log in to the Workspace App, online login name and password is asked.
Citrix Gateway is an interesting option. With Citrix Gateway, we have many options for our primary identity. So far, I’ve shown how you can use Gateway with an on-prem TOTP solution as well as extending the deployment to support push authentication. With the RADIUS support within Citrix Gateway, we can use Duo to provide stronger authentication to a user’s primary identity.
This works by means of a Duo proxy server, which is based on RADIUS.
The user will provide Active Directory credentials and the Duo code.
When the user connects to Citrix Workspace, the authentication request is redirected to an on-premises Citrix Gateway authentication virtual server, which is based on the configured OAuth IdP Policy within the Gateway.
Gateway presents the user with the first part of the authentication, which is based on the LDAP policy. This links Gateway to the organization’s Active Directory domain.
If the Active Directory authentication succeeds, authentication flows to the next factor, which is a RADIUS policy. The RADIUS policy uses a shared secret to communicate with an on-premises Duo proxy server. That proxy server relays the second factor authentication to the organization’s Duo cloud subscription.
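What the shared secret between Gateway and the Duo proxy does on the wire, as an added example (not code from the original post, Citrix or Duo): a minimal RFC 2865 sketch in which the secret hides the User-Password value and authenticates the proxy's reply. The user name, passcode, secret and packet identifier are constructed sample values, and the sketch assumes the second-factor value travels in the User-Password attribute.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def hide_password(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(value) // 16))
    padded = value.ljust(16 * blocks, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident: int, user: bytes, factor: bytes, secret: bytes):
    """Client side (the Gateway's role): returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    hidden = hide_password(factor, secret, request_auth)
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Server side (the proxy's role): Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(packet: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if it was computed with the shared secret."""
    if len(packet) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
request, req_auth = build_access_request(7, b"alice", b"123456", SECRET)
reject = build_response(ACCESS_REJECT, 7, req_auth, SECRET)
forged_accept = bytes([ACCESS_ACCEPT]) + reject[1:]      # code flipped without the secret
```

Both protections are MD5 constructions keyed only by this secret, which is why RFC 2865 asks for a secret that is unguessable and preferably at least 16 octets.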
What’s interesting about this configuration is the way Duo integrates with Citrix Gateway. Take a look at the latest Tech Insight video to see for yourself.
Daniel (Follow on Twitter @djfeller)