Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 4

Previous Articles in this series

Part 1 – ADFS

Part 2 – Citrix FAS and StoreFront

Part 3 – NetScaler Unified Gateway and NetScaler ADFS Proxy

In Part 4 – Microsoft Azure Multi Factor Authentication, I am going to walk you through setting up Microsoft Azure MFA and integrating it with your ADFS infrastructure to provide two-factor authentication for your apps and desktops.

Let's get going.

The first thing you will need to do is log into your "old" Microsoft Azure Portal: https://manage.windowsazure.com

On the left navigate down to Active Directory


At the top click on Multi Factor Auth Providers


Then on the bottom of the screen click to create a new provider if one does not already exist


Give it a name, pick your licensing method and select not to link a directory unless you have one you are wanting to link in


Once created you should see your provider listed and active


At the bottom you can now click on Manage – this will open up the MFA management portal


Once in the new portal click on Downloads


Then download the MFA Server software and save it to a central location you can access from your ADFS Server


NOTE: The MFA Server software is being installed on the ADFS Server we built earlier in this series. It can be installed on a separate server, but for the purpose of this blog series and for simplicity I will put it on the same server as ADFS.

Log into the ADFS Server and launch the installer you downloaded earlier

You will be prompted to install the pre-reqs


Let these run and make sure that they install correctly



Next pick the destination you want MFA installed to


Click next and wait for the install to complete


The setup will prompt you for the first run wizard – click Next and you will be asked for an activation e-mail address and password.


Switch back to your MFA management portal and click on Generate Credentials


Copy and paste these into the MFA First Run Wizard to activate the server


Wait for this to complete


Next you will be asked for the group you wish to add the MFA Server to. In this example I am going to create a new group; however, you may wish to add this server to your existing MFA Server group.


Select the option to enable replication between servers. This replicates the configuration to any servers you add to the group at a later date for high availability.


Leave Active Directory and Certificates selected


Add the host MFA Server to the Phone Factor Admins group in Active Directory – you will need to be logged into the ADFS Server as a user that has the rights to perform this action


Click next to generate the self signed certificates to enable cert based replication


Select RADIUS as an MFA provider


Enter the SNIP (subnet IP) of your NetScaler as the RADIUS client and set a long, random shared secret; this is the secret that authenticates RADIUS traffic between the NetScaler and the MFA Server, so treat it like a password.


Select Windows Domain as the RADIUS Target


Click Next


Then reboot to complete the first run configuration


Once the server is back up and running, open the Azure MFA Server configuration client. Select the Status option on the right and you should see your new server listed as Online, Running and Master.


Next you will need to add the users you want to be able to use the MFA service. To do this, head over to the Users section.


Click to import users from Active Directory, find the users you wish to enable and select Import.

NOTE: If a user does not have a phone number present in their Active Directory account, MFA will still import the user, but the account will be disabled and the user will not be able to use MFA.
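Because users without a phone number are imported disabled, it is worth running a pre-flight check against the accounts you intend to import. The script below is an added example and is not part of the original post or of the MFA Server product; it assumes the ActiveDirectory RSAT module is installed on the machine you run it from, and the group name and output path are placeholders for your own values. It inspects both telephoneNumber and mobile, the two AD attributes most commonly mapped to the MFA phone field.

```powershell
# Added example (not from the original post): pre-flight check of the AD
# accounts you intend to import into the MFA Server. Accounts with no usable
# phone number will be imported disabled, so list them before the import.
# Assumptions: ActiveDirectory RSAT module present; 'MFA Users' and the
# output path are placeholders for your own environment.
Import-Module ActiveDirectory

$GroupName = 'MFA Users'   # placeholder: AD group containing intended MFA users

# Resolve group membership recursively and keep only user objects
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties telephoneNumber, mobile, Enabled, UserPrincipalName

    # Prefer mobile, fall back to telephoneNumber
    $phone = if ($u.mobile) { $u.mobile } elseif ($u.telephoneNumber) { $u.telephoneNumber } else { $null }

    # Loose E.164-style check: optional leading +, 8 to 15 digits after
    # stripping spaces, dashes and brackets. Anything else needs fixing in AD
    # before the MFA Server can place a call to it.
    $normalised = if ($phone) { $phone -replace '[\s\-\(\)]', '' } else { '' }
    $looksValid = [bool]($normalised -match '^\+?\d{8,15}$')

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.Enabled
        Phone             = $phone
        PhoneLooksValid   = $looksValid
    }
}

# Accounts that would land in the MFA Server disabled, or fail the test call
$report | Where-Object { -not $_.PhoneLooksValid -or -not $_.Enabled } |
    Format-Table -AutoSize

# Full list, kept for the change record
$report | Export-Csv -Path .\mfa-import-preflight.csv -NoTypeInformation
```

Run it before the import step above, fix the flagged accounts in AD, then import. Doing the check in AD rather than in the MFA Server console means the fix is made once at the source and survives a later re-import.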


Click to edit the user


Make sure the user has a phone number and that they are enabled


Once enabled, select the user and click Test User


Enter the password


Check your phone and follow the voice prompts to complete your authentication


Check for a successful authentication


Next we need to install the ADFS connector for Azure MFA. Head over to the ADFS section and, once you have selected the options you want available to your users, click Install ADFS Adapter. I normally disable Allow Self Enrolment (although that is not shown below, as I forgot on this occasion!)


Click Next to start the install


Wait for it to complete successfully


Next we need to enable this within the ADFS Console – open it up and navigate to Authentication Policies


On the right you will see the Multi Factor Authentication Options.  Click on Edit


Enable MFA for BOTH internal and external connections and select the Azure Multi Factor Authentication Server as the additional authentication method

NOTE: We will be looking at disabling this for internal users and enabling SSO in the next post in this series
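The same change can be made, and more importantly read back and verified, from the ADFS PowerShell module. The snippet below is an added example and is not from the original post; it assumes the MFA Server adapter registered itself under the provider name 'WindowsAzureMultiFactorAuthentication', which the first command lets you confirm before you set anything. The unconditional claim rule is what "BOTH internal and external" in the console translates to: it issues the multipleauthn claim without checking the insidecorporatenetwork claim, so every request is challenged.

```powershell
# Added example (not from the original post): PowerShell equivalent of
# enabling the Azure MFA Server adapter for intranet and extranet in the
# ADFS console, followed by the read-back check an admin should always do.
# Assumption: the adapter's provider name is 'WindowsAzureMultiFactorAuthentication';
# confirm with step 1 and adjust $Provider if your listing differs.
Import-Module ADFS

# 1. Discover the provider name the MFA adapter registered with ADFS
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName

$Provider = 'WindowsAzureMultiFactorAuthentication'   # adjust to match step 1

# 2. Make the adapter the additional authentication provider
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $Provider

# 3. Require MFA on every request. There is deliberately no
#    insidecorporatenetwork condition, so intranet and extranet users alike
#    must satisfy the additional provider.
$rule = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# 4. Read back. If AdditionalAuthenticationProvider is empty or the rule is
#    missing, users are authenticating with a password only, whatever the
#    console appeared to show.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object AdditionalAuthenticationProvider,
                  PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Keep the output of step 4 with your change record; it is the evidence that MFA is actually enforced, and it is what you compare against when Part 5 relaxes the rule for internal users.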


That's it – our ADFS service should now use Azure MFA for ALL authentications

Let's test internally

Navigate to your Unified Gateway

Enter Credentials


Answer Phone Call and complete authentication


Apps and Desktops Available


Now for External Testing

Navigate to your Unified Gateway and enter your credentials (NOTE the different login prompts)


Complete the authentication using the phone


Apps and Desktop available!


So, that's it. Next we will be looking at providing context-aware login for internal and external access, as well as providing SSO for internal resources.

Part 5 – Context Aware Logins – Single Factor Internal and MFA External

2 thoughts on "Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 4"

  1. Pingback: Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 4

  2. RKast

    We currently have MFA Server configured with RADIUS with our NetScaler. This is working great and users get an MFA challenge when logging into Citrix.

    Now we want to integrate MFA Server with our ADFS server, by installing the ADFS adapter.

    Question I have is, do users get 2 MFA challenges? One when logging into Citrix (RADIUS) and when they go to Office 365 via ADFS (with ADFS MFA Adapter) do they get a second MFA challenge?

    So does MFA Server issue one MFA token that can be used across RADIUS and ADFS (adapter) MFA authentication?
