Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 4

Previous Articles in this series

Part 1 – ADFS

Part 2 – Citrix FAS and StoreFront

Part 3 – NetScaler Unified Gateway and NetScaler ADFS Proxy

In Part 4 – Microsoft Azure Multi-Factor Authentication – I am going to walk you through setting up Microsoft Azure MFA and integrating it with your ADFS infrastructure to provide secure two-factor authentication to your apps and desktops.

Let's get going...

The first thing you will need to do is log into your “old” Microsoft Azure Portal: https://manage.windowsazure.com

On the left navigate down to Active Directory

01-ad

At the top click on Multi Factor Auth Providers

02-mfa-providers

Then on the bottom of the screen click to create a new provider if one does not already exist

03-new-mfa

Give it a name, pick your licensing method and select not to link a directory unless you have one you want to link in

04-quick-create-mfa

Once created you should see your provider listed and active

05-new-mfa

At the bottom you can now click on Manage – this will open up the MFA management portal

06-manage

Once in the new portal click on Downloads

07-downloads

Then download the MFA Server software and save it to a central location you can access from your ADFS Server

08-server-download

NOTE: The MFA Server software is being installed on the ADFS Server we built earlier in this series. We could put it on a separate server, but for the purpose of this blog series and for simplicity I will install it on the same server as ADFS

Log into the ADFS Server and launch the installer you downloaded earlier

You will be prompted to install the pre-reqs

09-pre-reqs

Let these run and make sure that they install correctly

10-one

11-two

Next pick the destination you want MFA installed to

12-install-dir

Click next and wait for the install to complete

13-done

The setup will prompt you for the first run wizard – click Next and you will be asked for an activation e-mail address and password.

14-setup-wizard

Switch back to your MFA management portal and click on Generate Credentials

15-activation

Copy and paste these into the MFA First Run Wizard to activate the server

16-activation-creds

Wait for this to complete

17-wait-for-activation

Next you will be asked for the group you wish to add the MFA Server to. In this example I am going to create a new group; however, you may wish to add it to your existing MFA Server group

18-new-group

Select to enable replication between servers. This enables config replication should you add servers to the group at a later date for high availability

19-enable-activation

Leave Active Directory and Certificates selected

20-leave-default

Add the host MFA Server to the Phone Factor Admins group in Active Directory – you will need to be logged into the ADFS Server as a user that has the rights to perform this action

21-add-server-to-admin-group

Click next to generate the self signed certificates to enable cert based replication

22-generate-certs

Select RADIUS as a MFA Provider

23-no-default-config

Enter your NetScaler SNIP as the RADIUS client address and put in a complex shared key

24-radius-config

Select Windows Domain as the RADIUS Target

25-windows-domain

Click Next

26-radius-complete

Then reboot to complete the first run configuration

27-reboot-now

Once the server is back up and running, open the Azure MFA Server Config Client. If you select the Status option on the right you should see your new server Online and Running and listed as the Master

28-status

Next you will need to add the users you want to be able to use the MFA Service – to do this head over to the Users section

29-users

Click to import a user from Active Directory – find the users you wish to use and select Import

NOTE: If the user does not have a phone number present in their Active Directory account MFA will import the user but they will be disabled and not able to use MFA

30-import-users

Click to edit the user

31-disabled-users

Make sure the user has a phone number and that they are enabled

32-enable-and-add-number

Once enabled, select the user and click on Test User

33-test

Enter the password

34-test-1

Check your phone and follow the voice prompts to complete your authentication

35-mfa

Check for a successful authentication

36-test-ok

Next we need to install the ADFS Connector for Azure MFA. Head over to the ADFS section and click on Install ADFS Adapter once you have selected the options you want available for your users. I normally disable Allow Self Enrolment (although this is not shown below as I forgot on this occasion!)

37-adfs-integration

Click Next to start the install

38-install-adapter

Wait for it to complete successfully

39-mfa-adfs-install-complete

Next we need to enable this within the ADFS Console – open it up and navigate to Authentication Policies

40-authentication-policies

On the right you will see the Multi Factor Authentication options. Click on Edit

41-adfs-mfa-settings

Enable MFA for BOTH internal and External connections and select the Azure Multi Factor Authentication Server

NOTE: We will be looking at disabling this for internal users and enabling SSO in the next post in this series

42-enable-mfa-for-all

That’s it – our ADFS Service should now use Azure MFA for ALL authentications
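For anyone who prefers to script the ADFS side rather than click through the Authentication Policies console, this added example (not from the original post or from Microsoft) performs the same "MFA for both internal and external connections" change with the ADFS PowerShell module and then verifies it. It assumes the MFA Server adapter has already been installed and registers with a display name containing "Azure Multi-Factor"; the script looks the internal provider name up rather than hard-coding it.

```powershell
# Added example: enable the Azure MFA Server adapter in AD FS and require it for BOTH
# intranet and extranet requests, matching the console step above.
# Run in an elevated PowerShell session on the AD FS server after the adapter is installed.
# Assumption: the adapter's display name contains "Azure Multi-Factor" (looked up, not hard-coded).
Import-Module ADFS

# 1. Find the MFA Server adapter that the installer registered with AD FS.
$mfaProvider = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -like '*Azure Multi*Factor*' } |
    Select-Object -First 1
if (-not $mfaProvider) {
    throw 'Azure MFA adapter is not registered with AD FS - install it from the MFA Server console first.'
}

# 2. Add it to the allowed additional authentication providers, keeping any already configured.
$policy    = Get-AdfsGlobalAuthenticationPolicy
$providers = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ }) + $mfaProvider.Name |
    Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

# 3. Require MFA whenever the request carries the insidecorporatenetwork claim. AD FS sets it
#    to "true" for intranet and "false" for extranet, so matching on Type alone covers both.
#    (Restricting to extranet only would add Value == "false"; that is the subject of Part 5.)
$rule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# 4. Verify: the provider must be enabled and the global MFA rule must be in place.
$check = Get-AdfsGlobalAuthenticationPolicy
if ($check.AdditionalAuthenticationProvider -notcontains $mfaProvider.Name) { throw 'Provider not enabled' }
if ($check.AdditionalAuthenticationRules -notmatch 'multipleauthn')         { throw 'MFA rule not applied' }
Write-Output "MFA enforced via '$($mfaProvider.Name)' for intranet and extranet requests"
```

The final check is the scripted equivalent of the internal and external logon tests that follow: if either throw fires, the console will still show single-factor logons.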

Let's test internally

Navigate to your Unified Gateway

Enter Credentials

43-internal-test

Answer Phone Call and complete authentication

44-internal-2fa

Apps and Desktops Available

45-internal-ok

Now for External Testing

Navigate to your Unified Gateway and enter Credentials (NOTE the different login prompts)

46-external

Complete the authentication using the phone

47-external-2fa

Apps and Desktop available!

48-external-working

So, that's it. Next we will be looking at providing context-aware login for internal and external access as well as providing SSO for internal resources.

Part 5 – Context Aware Logins – Single Factor Internal and MFA External

Laters,

b@m

2 thoughts on “Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 4”

  2. RKast

    We currently have MFA Server configured with RADIUS with our NetScaler. This is working great and users get an MFA challenge when logging into Citrix.

    Now we want to integrate MFA Server with our ADFS server, by installing the ADFS adapter.

    Question I have is, do users get 2 MFA challenges? One when logging into Citrix (RADIUS) and when they go to Office 365 via ADFS (with the ADFS MFA Adapter) do they get a second MFA challenge?

    So does MFA Server issue one MFA token that can be used across RADIUS and ADFS (adapter) MFA authentication?
