making security even easier

Two-factor authentication for Citrix Storefront with self-enrolment

As previously announced, I am presenting the first version of the StoreFront modification that allows self-enrolment for two-factor authentication.

Citrix StoreFront does not allow configuring two factor authentication directly on the web interface, so you will need Citrix NetScaler (virtual or physcal) in front of StoreFront if you want strong security. There are a number of products (mostly based on FreeRADIUS) that allow you to enable two-factor authentication, but none of them provide self-enrolment feature, similar to what I have developed for Citrix Web Interface 5.4, except one, which is TOTPRadius appliance provided by Token2.

Token2 TOTPRadius is a RADIUS server designed for two-factor authentication. It provides a web based administration panel and an HTTPS REST based API service designed to enable users' self-enrollment, which I used to enable self-enrollment on Citrix StoreFront (ver 3.0 and above). You can download the appliance from here. Token2 provides appliances for VMWare (OVF) and Hyper-V, it should be possible to convert the OVF format to XenServer as well. OVF can be launched using VirtualBox as well with no conversion. Installation manual can be downloaded here.

Token2 TOTPRadius is free for 5 users, and there is no information about further pricing so far. Token2 is ready to give licenses for free if you are interested to test with more than 5 users. Contact them directly for more details. 

Configuring Citrix Netscaler Gateway to use TOTPRadius

In order to enable two-factor authentication on Netscaler gateway, we have to specify TOTPRadius as secondary authentication for XenApp/XenDesktop site. 

Login to Netscaler admin panel with nsroot and click on Configuration->XenApp and Xendesktop sites->Configured Virtual Servers… . Click on Edit button next to the site you want to configure two-factor authentication for.

Click on edit icon on the  Authentication box.

Set “Secondary Authentication Method” to RADIUS and enter the TOTPRadius appliance settings in the form below. Leave port as 1812. Radius secret is as specified in Admin Panel of TOTPRadius web interface.

Click on “Continue”, then “Done”. Once done, Netscaler interface will ask for two passwords (Password 2 is the field for OTP).

Enabling user self-enrolment via Citrix StoreFront interface

TOTPRadius provides a RESTful API service to allow StoreFront integration. You have to install StoreFront integration package (described below) on all StoreFront servers in the cluster. Once installed and configured, users will see an additional status bar in the header prompting users to enable TOTP.

Note! You should set “Allow initial login” to at least “1” in TOTPRadius Admin Panel to allow users to login and enrol second factor authentication.

Enrolment process

Storefront will use API calls to check if the current user has a TOTP profile enabled on the TOTPRadius server. 

To enable TOTP, users should click on “enable”, then on OK button on the next popup.

After clicking OK, StoreFront will send an API call to TOTPRadius and enable second-factor authentication for the user immediately. QR code will be shown, and user should scan it with a TOTP mobile application (Google Authenticator, Token2 Mobile OTP etc.)
On the next login, the user should provide OTP generated by the mobile app in order to login.
Users that enrolled themselves will still appear on TOTPRadius web interface and can be edited, banned or deleted by administrators.


Installing integration package

Download the TOTPRadius Storefront integration package and run the installer as administrator on the StoreFront server.

- Specify the folder where your Reciever for Web Website is located. Make sure you include a trailing slash at the end.
- Enter the IP address of the TOTPRadius appliance. You can use FQDN if DNS is properly configured on all 3 components (Netscaler, TOTPRadius and StoreFront)
- API key (you can view/change it in TOTPRadius admin panel)


Note! Netscaler pass-through configuration should be done correctly in order for this customization to work. You can test it by accessing <YOUR_WEB_URL>/DomainPassthroughAuth/test.aspx . The page should show current user's domain, username and authentication type.

Network diagram

If you have a firewall between Netscaler, TOTPRadius and/or StoreFront, please refer to the network diagram below for firewall configuration.



Both TOTPRadius and the integration package I am releasing are in beta, please feel free to contact me (emin at ) for any questions, bug reports or assistance.


<< Go back to the previous page

G+ profile

follow me : github, habrahabr , linkedin
Feel free to contact me directly :
emin --at huseynov --dot com

Other projects

Google authenticator for Citrix StoreFront
Google authenticator for Citrix Web Interface 5.4
MOTP App with QR based enrolment

Not security related