Native One Time Password (OTP) – Citrix (Netscaler) Gateway - workaround for manageotp security and admin controls

Most of the time I follow Carl Stalhood's site; if you want to configure Native One Time Password for Citrix Gateway, please visit Carl's site (https://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/).

When I was proposing this to customers, I observed that the limited options for securing the /manageotp page are quite challenging for some use cases. What I'm about to explain here is how to stop users from registering their own OTP authenticator and instead give the admin control over enrollment. It's a manual workaround that I used.

I'm not going to explain how to configure Citrix ADC for native OTP here (please follow https://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/ for the deployment).

With my workaround, users don't need to access the /manageotp page at all. So restrict it to the admin's subnet only, in the rule of the OTP page's login schema policy, by setting the rule as follows (if you want to keep the page reachable for any reason):

http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(192.168.100.0/24)

Or disable the page completely.

In brief, the method is as follows; I will explain each step in detail later.

1. Citrix admin manually generates a secret key for the user (a simple Excel function can do this)
2. Citrix admin shares the secret key with the AD admin, who configures the attribute on the user's LDAP profile
3. Citrix admin shares the secret key with the end user so they can manually enroll their mobile device (or the admin can do it himself on the user's device without sharing the key)
4. Citrix admin manually updates his database (e.g. Excel) for future reference

1. Citrix admin manually generates a secret key for the user - this is how to create a secret key for users (with MS Excel)

1a. Open MS Excel, paste "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" into a cell and name that cell "Source"
1b. For a secret of 26 characters, use the following function (one formula, shown here over several lines) to generate a random string.

=MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)
& MID(Source,RANDBETWEEN(1,LEN(Source)),1)

It will give you a random output similar to VLVLQJTETW2Z3O4UW5S4QQQCBT

2. Citrix admin shares the secret key with the AD admin, who configures the attribute on the user's LDAP profile

2a. The Citrix admin can share the generated secret with the AD admin in the following format (shedev is the device name we assign for the user)

#@shedev=VLVLQJTETW2Z3O4UW5S4QQQCBT&,

2b. The AD admin inserts the given value into the selected attribute of the user's LDAP profile (in our case userParameters)


3. Citrix admin shares the secret key with the end user so they can manually enroll their mobile device (or the admin can do it himself on the user's device without sharing the key)

3a. We can now share the generated secret key with the user

secret - VLVLQJTETW2Z3O4UW5S4QQQCBT
device name - shedev

3b. The user, or the admin himself, configures the OTP authenticator as follows and saves it


3c. Now you don't need to access the /manageotp page at all; go directly to the gateway login page and enter both factors



Notes;
1. Make sure you store the secret keys in a secure place. I use a password-protected Excel file to store them for the time being, something similar to the following (this is a sample data set :) )

2. To get the AD attribute value automatically, I use the following function for column E of the above image

="#@"&D2&"="&C2&"&,"

3. To remove a user's OTP authenticator, just clear the attribute value
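As an added example (not the blog's own code or the Excel sheet it describes), the script below does in one place what steps 1 to 3 and note 2 do by hand: it generates the 26-character Base32 secret, builds the userParameters value in the post's `#@device=SECRET&,` layout, parses such a value back, and computes the TOTP code an enrolled authenticator would display so the admin can confirm the enrollment before handing the secret to the user. Two assumptions are labelled in the code: that several devices would be stored as concatenated entries in the same attribute (the post only shows one), and that the authenticator app computes standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits). The secret comes from Python's `secrets` module, a cryptographically secure generator, which is the check a practitioner would want to add, since Excel's RANDBETWEEN is not designed for key material.

```python
"""Native OTP secret helper: generate, format, parse and verify (added example)."""
import base64
import hashlib
import hmac
import re
import secrets
import struct
import time

# Same 32-character "Source" string the post pastes into Excel (the Base32 alphabet).
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET_LENGTH = 26  # the post generates 26 characters

# One attribute entry in the post's layout: #@<device>=<secret>&,
# Assumption: several devices would be stored as concatenated entries.
ENTRY_RE = re.compile(r"#@([^#@=&,]+)=([A-Z2-7]+)&,")


def generate_secret(length: int = SECRET_LENGTH) -> str:
    """Random Base32 secret from a CSPRNG (replaces the Excel RANDBETWEEN formula)."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))


def format_attribute(device: str, secret: str) -> str:
    """Build the value the AD admin writes into userParameters, e.g. #@shedev=SECRET&,"""
    if not re.fullmatch(r"[A-Z2-7]+", secret):
        raise ValueError("secret must only contain the Base32 alphabet A-Z and 2-7")
    if not device or any(c in device for c in "#@=&,"):
        raise ValueError("device name must be non-empty and must not contain # @ = & ,")
    return f"#@{device}={secret}&,"


def parse_attribute(value: str) -> dict:
    """Read the attribute back into {device_name: secret}; unknown text is ignored."""
    return {device: secret for device, secret in ENTRY_RE.findall(value)}


def totp(secret: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a Base32 secret at a given Unix time.

    Assumption: the enrolled authenticator uses these standard parameters.
    A 26-character secret is not a multiple of 8, so we pad it before decoding;
    the two leftover bits are discarded, which is what authenticator apps do too.
    """
    padded = secret + "=" * (-len(secret) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_totp(secret: str) -> str:
    """Code the user's app should be showing right now (clock must be in sync)."""
    return totp(secret, int(time.time()))


if __name__ == "__main__":
    secret = generate_secret()
    value = format_attribute("shedev", secret)   # "shedev" is the post's sample device name
    print("secret to share with user :", secret)
    print("userParameters value      :", value)
    print("parsed back               :", parse_attribute(value))
    print("code the app should show  :", current_totp(secret))
```

Run it, write the printed userParameters value into AD as in step 2b, enroll the secret in the authenticator as in step 3b, and compare the code the app shows with the one the script prints; a mismatch at this point usually means a typo in the secret or a clock skew on the phone, and is much cheaper to find here than at the gateway login page.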

=================================================

My next target is to write a small web page to automate this task, with maybe the following functionality. If anyone is smart enough to write it, let me know too (unfortunately I'm not a web developer).

Add a user
1. Search for a user in AD LDAP
2. Generate a key for the user (a random string about 27 characters long)
3. Enter a device name
4. Store the key in a predefined attribute of the user's AD LDAP profile
5. Store the data in a local SQL DB (in a StoreFront environment we can use the same IIS and DB)
6. Send an email to the user with the key in it

Delete a user
1. Select the user from the local DB
2. Clear the user's attribute in the AD LDAP profile
3. Delete the user from the local DB

Edit an existing user - (regenerate key)
1. Select a user from the local DB
2. Regenerate a new key
3. Clear the existing attribute value and write the new value to the AD attribute of the user's LDAP profile
4. Update the local DB

Share the key with the user
1. Select a user from the local DB
2. A button to send an email to the user with the key in it

Good to have
1. A page to track the changes made for users (all tasks listed above) - reporting
2. Encrypt the local DB
3. A login page for the site using an AD LDAP user (admin user)
4. A page to list all the users in the local DB

Hope you enjoyed my blog and that it helped someone. Any modifications or changes are always welcome :)




XenApp 5 on Server 2003 R2 SP2 - Installation Guide - PoC

Today I successfully deployed XenApp 5 on Server 2003 R2 SP2. It was a Proof of Concept (PoC) for one of our customers in Sri Lanka; their requirement was to publish one of their applications (which only runs on Windows XP) to Windows 7 users.

After gathering information, we realized that the client application supports running in terminal sessions and can also be hosted on a Server 2003 R2 SP2 machine.

So we started a PoC to meet the customer's requirements, using just a desktop with 4GB RAM and a 3GHz processor with Server 2003 R2 SP2 installed.

Following are the installation steps we followed;

Step 01 - Prepare the server

Install Server 2003 R2 SP2 on a machine and join it to the AD domain. Get a domain user account and add it to the local machine's Administrators group (or get a domain admin account), and log in to the machine using this account.

Step 02 - Install Prerequisites

Install .NET Framework 3.5 SP1 and the KB961118 hotfix (download the correct update file for Server 2003 and make sure you download the file for the correct platform; in my case it's 64-bit).

Get the files from the following links


Step 03 - Install Windows components

Install the Windows components required for the XenApp installation

  • Go to "Add or Remove Programs" from the control panel.
  • Click "Add/Remove Windows Components" in the left column.
  • Check the box next to "Application Server".
  • Scroll down to "Internet Explorer Enhanced Security Configuration" and uncheck it. (This is to prevent the annoyance of its popups; if you know how to deal with it, just keep it checked.)
  • Scroll down and check the boxes next to "Terminal Server" and "Terminal Server Licensing".
  • Click Next, then click Next again on the Terminal Server setup notice.
  • Click Next on the next "Terminal Server Setup" notice about Security. (We will not be installing any legacy software, so we are fine with the default selection of Full Security.)
  • Click "I will specify a license server within 120 days" and click Next.
  • Click Per User licensing mode and click Next.
  • Click Next and it will start installing the selected Windows components. (It will ask for the Server 2003 CD, so keep it ready.)
  • When the Windows Components Wizard is complete, click Finish.
  • Adding Terminal Server in Application Server mode requires the server to be restarted. Click Yes to restart the machine.

Step 04 - Install XenApp 5

Download XenApp 5 for Server 2003 from the Citrix website. You can request a trial and a trial key will be provided to you.

To activate your trial license, go to My Account on Citrix.com and log in using your existing credentials if you are not already logged in. After login, go to: My tools > Choose a Toolbox > Manage Licenses > Allocate. Select the "Don't see your product?" link located at the top right corner of the Allocate web key page. Enter the trial key in the Find your license dialog box and click Continue. When the Host Name warning page displays, select Continue. It will guide you through the four-step license file generation process; then download the license file.

  • Run the XenApp installer and click "Install XenApp".
  • Click "Install Server-Hosted Apps".
  • Accept the Agreement and click Next.
  • Select "XenApp Platinum Edition" and click Next. (Select whichever edition you want.)
  • Select "License Server" along with the other default selections and click Next.
  • Click Next on "Product Installation Directory".
  • Enter a Farm Name and click Next. (Ex: NewFarm)
  • Accept the other defaults; it may take a few minutes to complete the installation.

Step 05 - Configure XenApp

Open “License Management Console”
  • Click “Step 2: Copy license file to this license server”
  • Go to “Configure License Server”
  • Upload the license file

Open “Delivery Service Console”
  • Right-click on the Farm and select “Properties”
  • Go to “Server default” → License Server
  • Enter the license server IP → OK

Open “Citrix Web Interface Management”

  • Right-click on “XenApp Web Sites” → Create Site
  • Check “Set as the default page for the IIS site” → Next
  • Accept the other default options
  • Farm name = NewFarm
  • Add the XenApp server by its host name → Next
  • Accept the other default options


Step 06 - Publish a test application

  • Open “Delivery Service Console”
  • Expand the Farm, right-click on Applications and click "Publish Application"
  • Click Next at the Welcome screen.
  • Click Next, accepting the defaults for Application Type. (We are publishing a hosted application which is already installed on this server.)
  • Browse to the application executable.
  • Select which Servers/Worker Groups will run the application and click Next. (In our case it's the local machine.)
  • Select which Users/Groups will be allowed to run the application; it's best to use Domain Groups for easier management/delegation.
  • Accept all the other default options. (Change settings as necessary; I accepted the defaults in my case.)

Step 07 - Run Published Applications

  • Open "Internet Explorer" and enter the server IP.
  • Log in using domain credentials. (This user must have permission to run the published application. Check Step 05.)
  • Install the Citrix Receiver.
  • Now you will be able to see the published applications on the site, and they can be launched by simply clicking on them.


So, those were the steps I followed for the Proof of Concept for my customer, and it was successful. Hope this guide helps someone; all of your comments are welcome!!
