This guide describes how to integrate Citrix XenApp (Web Interface) with the Celestix HOTPin two-factor authentication solution.
The Citrix XenApp Web Interface provides secure remote access to virtual apps and desktops in the internal corporate network.
Celestix HOTPin provides two-factor, strong authentication for remote access solutions (such as Microsoft Unified Access Gateway and Juniper SSL VPN), without the complication of deploying hardware tokens or smartcards.
Two-factor authentication is provided by using your smartphone to receive the one-time passcode.
HOTPin is designed to be easy to deploy and use. It integrates directly into Microsoft's Active Directory and removes the need for additional user security databases. HOTPin consists of two core elements: a RADIUS server and an authentication server. The authentication server is directly integrated with Active Directory in real time. The HOTPin server can be configured so that the user enters their user name, password and the six-digit one-time passcode received on their mobile phone. This authentication request is passed via the RADIUS protocol to the HOTPin RADIUS server, which carries out the two-factor authentication. HOTPin uses a user-friendly web GUI for configuration. All notes within this integration guide refer to this type of approach.
The equipment used for the integration process is listed below:
- Citrix XenApp (Web Interface) ver. 6.x
- Windows Server 2008 R2 64-bit
- Active Directory installed or connection to Active Directory via LDAP protocol.
- HOTPin Software v3.5 or higher
Integration Overview
Celestix HOTPin enables two-factor strong authentication for Citrix XenApp Web Interface.
Pre-Requisites
It is assumed that the following servers are set up and operational.
- Citrix XenApp Server
- HOTPin Server (the HOTPin server can be installed on one of the servers in the XenApp environment)
Configuring RADIUS in HOTPin Server
- From a client computer on your network, log in to the HOTPin web UI via https://<ServerName or IP Address>:8098
- Click on HOTPin at the top of the menu and select NPS RADIUS.
- Click on RADIUS Clients.
- Add a new RADIUS client and check “Enable this RADIUS client”.
- Key in the following information: Friendly name and IP address.
- Generate a Shared Secret Key.
- Cut and paste this key into a text editor and save it as radius_secret.txt.
- Click Save.
Configuring Citrix XenApp Web Interface
- Log in to the server that runs Citrix XenApp Web Interface Management.
- On the Windows Start menu, click All Programs > Citrix > Management Consoles > Citrix Web Interface Management.
- In the left pane of the Citrix Web Interface Management console, click XenApp Web Sites and select your site in the results pane.
- In the Action pane, click Authentication Methods and select the Explicit check box.
- Click Properties and select Two-Factor Authentication.
- In the drop-down Two-factor setting, select RADIUS.
- Click on Add…
- Enter the IP address of the HOTPin server. Set the RADIUS port used by the HOTPin server (default value is 1812 or 1645).
- Press OK to save the configuration.
- Go to c:\Inetpub\wwwroot\Citrix\XenApp\conf.
- Copy or move the file radius_secret.txt that was created earlier into this folder.
- Restart IIS.
- Go to c:\Inetpub\wwwroot\Citrix\XenApp\Web.xml
- Add the IP address as follows:
<add key="RADIUS_NAS_IP_ADDRESS" value="Radius IP Address" />
- Go to c:\Inetpub\wwwroot\Citrix\XenApp\conf\WebInterface
- Add these lines:
RadiusServers=Radius IP Address
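The file-based steps above can be checked after the fact with a short script. This is an added example, not Citrix or Celestix code; it assumes the site root and file names exactly as written in this guide, and it treats any allow entry for Everyone, Authenticated Users or BUILTIN\Users on the shared-secret file as worth reviewing, since the key is stored there in plain text.

```powershell
# Added example (not vendor code). Paths and file names are the ones given in this guide.
param([string]$SiteRoot = 'C:\Inetpub\wwwroot\Citrix\XenApp')

$secretFile = Join-Path $SiteRoot 'conf\radius_secret.txt'
$webConfig  = Join-Path $SiteRoot 'Web.xml'
$wiConfig   = Join-Path $SiteRoot 'conf\WebInterface'
$findings   = @()

# 1. The shared secret file must exist, be non-empty, and not be open to broad groups.
if (-not (Test-Path -LiteralPath $secretFile -PathType Leaf)) {
    $findings += "FAIL: $secretFile not found"
} else {
    if ((Get-Item -LiteralPath $secretFile).Length -eq 0) {
        $findings += 'FAIL: radius_secret.txt is empty'
    }
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $rules = (Get-Acl -Path $secretFile).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and $broad -contains $r.IdentityReference.Value) {
            $findings += "WARN: $($r.IdentityReference.Value) is allowed $($r.FileSystemRights) on the shared secret"
        }
    }
}

# 2. The site configuration must parse as XML and carry the NAS IP address key.
try {
    $xml  = [xml](Get-Content -LiteralPath $webConfig -ErrorAction Stop)
    $node = $xml.SelectSingleNode("//add[@key='RADIUS_NAS_IP_ADDRESS']")
    $ip   = $null
    if ($null -eq $node) {
        $findings += 'FAIL: RADIUS_NAS_IP_ADDRESS key not found'
    } elseif (-not [System.Net.IPAddress]::TryParse($node.GetAttribute('value'), [ref]$ip)) {
        $findings += "FAIL: RADIUS_NAS_IP_ADDRESS value '$($node.GetAttribute('value'))' is not an IP address"
    }
} catch {
    # A parse failure lands here, e.g. typographic quotes pasted around key or value.
    $findings += "FAIL: cannot read or parse $webConfig : $($_.Exception.Message)"
}

# 3. The Web Interface configuration must name at least one RADIUS server.
$line = Get-Content -LiteralPath $wiConfig -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*RadiusServers\s*=\s*\S' } | Select-Object -First 1
if (-not $line) { $findings += "FAIL: no RadiusServers entry in $wiConfig" }

if ($findings) { $findings; exit 1 } else { 'OK: file-based RADIUS settings are present'; exit 0 }
```

Run it from an elevated PowerShell prompt on the Web Interface server; a WARN line means the listed group can access the file holding the RADIUS shared secret.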
Testing the Citrix Web Interface
It is assumed that the HOTPin client has been installed on a smartphone such as an iPhone.
2. Enter the existing Username and Password. On your smartphone, open the HOTPin client and press Next code to obtain a one-time code. Key in your One-Time-Password.
3. If the login is successful, your integration is complete.
NOTE: If you enable New Pin in HOTPin Server, you have to key in [Your password] followed by [OTP] in the password field.