making security even easier

Implementing two factor authentication with Citrix XenApp (Web Interface 5.x) using Mobile-OTP and MOTP-AS server at zero cost

[UPDATE] - MOTP-AS website is not available, the project appears to be dead. I can create and support a similar system (with Motp and Totp support), but not sure if it is indeed needed. Express your opinion in the comments below


Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is a part of the broader family of multi-factor authentication, which is a defense in depth approach to security. From a security perspective, the idea is to use evidences which have separate range of attack vectors (e.g. logical, physical) leading to more complex attack scenario and consequently, lower risk.

You can configure the following two-factor authentication methods for XenApp Web sites:

- Aladdin SafeWord for Citrix
- RSA SecurID
- RADIUS server

First two options are secure but not free. Third option , RADIUS server, can be implemented with no additional cost, but if it is a "classic" RADIUS, it brings no more additional security: if the main password can be compromised, the second password can be compromised as well. Of course, it is harder to crack it using techniques like brute-force etc., but if the passwords are being stolen by a trojan or hw/sw keylogger, the risk is still there.

The whole idea is to use OTP (one time password) for 2nd factor, as it is implemented with Safeword and SecurId.

To implement this at no cost, I suggest the solution below, which is based on mOTP (Mobile-OTP).

Mobile-OTP is a free "strong authentication" solution for java capable mobile devices like phones or PDAs. The solution is based on time synchronous one time passwords. It consists of a client component (a J2ME MIDlet) and a server component (a unix shell script). The server component can easily be plugged into free RADIUS servers like XTRadius to authenticate users at routers, firewalls, web servers, access points, unix machines, etc.
The shell script should run without modification on any BSD-Unix or Linux.

The MIDlet and RADIUS server are freely available under the terms of GPL.

To implement mOTP-based 2factor authentication for your Citrix XenApp WebInterface, you should have following:

- All users should have mOTP compatible device. In addition any java enabled mobile phone (Nokia, Siemens, Motorola, Sony, BlackBerry, etc.) there are applications for iPhone/iPad and Android as well.

- You should be able to set-up and additional server (to install RADIUS Server) in the same segment as your web interface server.

- Each user's mOTP midlet should be manually added/allowed to be able to log in.

installing/configuring RADIUS server

You can modify any existing RADIUS server to be used as MOTP Authentification service. However, it is easier to use a ready solution. I recommend MOTP-AS.

Mobile-OTP Authentication Server (MOTP-AS)

MOTP-AS is a RADIUS server for Mobile-OTP. Features include:

authenticating users by RADIUS
SQL database for user/device configuration
Administration Web Interface (for admins and users)

You can download it at

The easiest would be to download the VMware image and use it with a VMWare workstation/player installed on the server where Web Interface is installed. Or if your infrastructure is virtual, you can upload the image and connect to the same network. In any case, the machine running MOTP-AS should be visible from WI Server and should not be visible from public Internet.

MOTP-AS has an easy to use admin. web interface, once the server is ready, navigate to the web interface to start the configuration.
Default password (system root account and admin account on Web interface) is "motp" (remember to change it).

Do the following to get it ready to integrate:

1. Add RADIUS client => "System" => "RADIUS" => "Add new RADIUS client"
Name: Citrix Web Interface
Secret: RADsecret -- Radius secret (will be added later to WI)
IP: -- IP of the server where WI is installed

2. Add user

=> "Administration" => "Users" => "Add new User"

User: john
Name: John Doe
Role: user

3. Add Device

=> "Administration" => "Devices" => "Add new Device"

Name: nokia 6310i
Secret: 1234567812345678

Follow the instructions below to generate Secret on your mobile device:

Client-Installation (token)
Load the MIDlet on the devices you plan to use. Installation of the .jar and .jad file is vendor specific. Usually java enabled phones come with some kind of application installer for PCs that allows to install MIDlets over IrDA or serial cable.
When the MIDlet is installed, run it. You can enter PINs to generate one time passwords, but to use them you will need to initialize the device first and write the Init-Secret into the appropriate user-record on the authentication server.
To initialize the token, press 0000. Enter an arbitrary sequence of 25 keys as a random seed. The Init-Secret that will be shown is not to be written down anywhere else but the server itself. You cannot display it again. If you press 0000 any time later, the initialization string will change, i.e. the device will be re-initialized. The initialization of a device should always be done by the administrator of the authentication server, not the user himself. A user does not need to know the Init-Secret.

Configuring Citrix Web Interfact to use MOTP-AS for 2F Authentification

1. Creating a Shared Secret for RADIUS

The RADIUS protocol requires the use of a shared secret—data that is available only to the RADIUS client (that is, the Web Interface) and the RADIUS server against which it authenticates. The Web Interface stores the shared secret in a text file on the local file system. On IIS, the location for this file is given by the RADIUS_SECRET_PATH configuration value in the web.config file. The location given is relative to the conf folder for the site. On Java application servers, the location for the shared secret file is indicated by the radius_secret_path parameter in the web.xml file. The location given is relative to the /WEB_INF directory for the site.

To create the shared secret, create a text file called radius_secret.txt containing the string you specified in MOTP-AS when adding WI as a RADIUS client. Move this file to the location specified in the relevant configuration file and ensure that it is locked down and can be accessed only by the appropriate users or processes.

2. Enable RADIUS authentication for XenApp Website

- in Citrix Web Interface management console, right click on your website and choose "authentication methods"
- Click on Properties and go to Two-Factor authentication
- Choose RADIUS in the list of available Two-Factor settings
- Add the IP of your MOTP-AS Server (keep port as 1812)
- Click OK to apply changes

This in theory should be all, follow the instructions on this page for troubleshooting.

I have successfully implemented this with WI for XenApp, should work for XenDesktop as well.

<< Go back to the previous page

G+ profile

follow me : github, habrahabr , linkedin
Feel free to contact me directly :
emin --at huseynov --dot com

Other projects

Google authenticator for Citrix StoreFront
Google authenticator for Citrix Web Interface 5.4
MOTP App with QR based enrolment

Not security related