Adding Biometric Authentication to Citrix NetScaler for 2FA

Adding Veridium’s biometric authentication to Citrix NetScaler Unified Gateway and replacing any kind of two-factor token-based authentication is easy. Veridium uses push notification technology to request biometric authentication from the user’s mobile device, so the user has nothing to type into the second password dialog box (normally a token code) that appears when you enable two-factor authentication (2FA) on the NetScaler.

A great way to remove that second password dialog box is to use the NetScaler Rewrite feature. With Rewrite you can manipulate the HTML sent by the web server, in this case the Unified Gateway, before the browser renders it. A Citrix forum post describes how to create a response Rewrite policy that removes the second password dialog box, which works well if all your users access the NetScaler Unified Gateway through a browser.

But here’s the problem: what about users who want to use the native Citrix Receiver rather than a web browser to access their applications and desktops? The native Citrix Receiver doesn’t render its login dialog from HTML; it gets its configuration directly from the NetScaler, so when 2FA is enabled it shows both password dialog boxes.

Instead of using the Rewrite function on the NetScaler we can use the nFactor function. This lets us make the initial login page single-factor, so Citrix Receiver displays a single password dialog box, while still adding biometric authentication as the second factor. NetScaler nFactor is a multi-factor, flow-based authentication mechanism and is part of the AAA feature. The AAA feature is only available in the Enterprise or Platinum editions of NetScaler ADC. More information about nFactor can be found on the Citrix website.

The following instructions assume you already have a working NetScaler Gateway configuration with 2FA providing single sign-on to StoreFront and with RADIUS configured as your second factor to a fully configured VeridiumID server.

Create the login schema

The login schema (stored in an XML file) defines how the Receiver for Web login page will look. The native Receivers can’t currently use the multiple login pages that nFactor and login schemas make possible, but the native client does understand, when it queries the login page, that only one login box is required, and therefore displays a single credential entry.

The updated login schema will look like the code below. Notice that it only contains one ‘login’ reference and, more importantly, only one ‘passwd’ reference.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"><Status>success</Status><Result>more-info</Result><StateContext/>
<!-- status/postback wrapper laid out as in NetScaler's built-in SingleAuth.xml --><AuthenticationRequirements><PostBack>/nf/auth/doAuthentication.do</PostBack><CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>During Login you will be prompted to perform a biometric authentication…</Text><Type>heading</Type></Label><Input/></Requirement>
<Requirement><Credential><ID>login</ID><SaveID>login</SaveID><Type>username</Type></Credential><Label><Text>User name:</Text><Type>plain</Type></Label><Input><Text><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<!-- the single passwd field; Secret=true masks the input --><Requirement><Credential><ID>passwd</ID><SaveID>passwd</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement>
</Requirements></AuthenticationRequirements></AuthenticateResponse>

After you have created the new login schema you’ll need to import it into NetScaler. You’ll create a new Login Schema profile and policy. Then, you’ll move on to create new authentication policies.

Advanced Authentication with RADIUS

The first authentication method will be RADIUS via the VeridiumID server. This, combined with the login schema above, will determine the credentials for the login page. Only if this authentication succeeds will the login process be allowed to continue to the next factor.

A policy label is used for every authentication step after the initial authentication policy (the one paired with the login schema and bound to the login page). The credentials entered on the initial login page are passed through to the policies in these additional labels. In this scenario, the new label uses LDAP.

Generating a New Form of Authentication

Now we need to create an Authentication Virtual Server with a non-addressable IP and bind the first authentication policy, login schema, and certificate to it. This will provide the login page credential section. The Authentication Virtual Server will be used to provide the nFactor authentication process when the user is accessing the NetScaler Gateway Virtual Server.

Once this is in place, we need a new Authentication Profile that will reference our AAA Virtual Server. This profile is used instead of the authentication policies used on the NetScaler Gateway Virtual Server. The Authentication Profile is created from the NetScaler command line to avoid having to enter the Authentication Host parameter which is mandatory when using the GUI.

Finally, we point the Gateway virtual server at the new profile for 2FA. Now that all the pieces are in place we can remove any authentication policies from our Gateway Virtual Server and replace them with the Authentication Profile created above. This makes the NetScaler Gateway ask for biometric authentication instead of a token or other second factor.
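The steps above, from importing the login schema to binding the authentication profile to the Gateway, map onto a short NetScaler CLI batch. The script below is an added example written for this page, not Veridium's or Citrix's configuration: it emits that batch from a few variables so the object names can be adapted. All object names (GW_Main, AAA_nFactor, PL_LDAP and so on), the 192.0.2.x addresses, the schema path, the certificate name and the shared secrets are placeholders, and the command syntax follows NetScaler 11.x/12.x nFactor conventions. The RADIUS action raises authTimeout because a push to the phone takes longer than the default few seconds the NetScaler waits for a RADIUS reply.

```shell
#!/bin/sh
# Emit a NetScaler CLI batch for the nFactor flow described above:
# login schema -> RADIUS (VeridiumID push) -> LDAP policy label -> AAA vserver
# -> authentication profile -> gateway. Added example, not from the post; object
# names, addresses, the schema path and the certificate name are placeholders.
# Upload the output and apply it on the appliance with: batch -fileName /var/tmp/nfactor.batch

GATEWAY_VS=${GATEWAY_VS:-GW_Main}                 # existing NetScaler Gateway vserver
AAA_VS=${AAA_VS:-AAA_nFactor}                     # non-addressable AAA vserver to create
SCHEMA_PATH=${SCHEMA_PATH:-/nsconfig/loginschema/LoginSchema/SingleAuthBio.xml}
RADIUS_IP=${RADIUS_IP:-192.0.2.10}                # VeridiumID RADIUS (placeholder address)
LDAP_IP=${LDAP_IP:-192.0.2.20}                    # domain controller (placeholder address)
LDAP_BASE=${LDAP_BASE:-dc=example,dc=com}
CERT_NAME=${CERT_NAME:-gateway_cert}

emit_nfactor_batch() {
cat <<EOF
# Step 1: login schema with a single username/password page (file already uploaded)
add authentication loginSchema LS_SingleAuthBio -authenticationSchema "$SCHEMA_PATH"
add authentication loginSchemaPolicy LSPOL_SingleAuthBio -rule true -action LS_SingleAuthBio

# Step 2: first factor, RADIUS to VeridiumID. The push to the phone takes longer than
# the default RADIUS wait, so authTimeout is raised; the shared secret is a placeholder.
add authentication radiusAction RADACT_Veridium -serverIP $RADIUS_IP -serverPort 1812 -radKey "CHANGE_ME_RADIUS_SECRET" -authTimeout 60
add authentication Policy AUTHPOL_Veridium -rule true -action RADACT_Veridium

# Step 3: second factor, LDAP in a policy label that re-uses the credentials already
# entered on the login page (LSCHEMA_INT means no additional page is shown).
add authentication ldapAction LDAPACT_AD -serverIP $LDAP_IP -serverPort 636 -secType SSL -ldapBase "$LDAP_BASE" -ldapBindDn "CHANGE_ME_BIND_DN" -ldapBindDnPassword "CHANGE_ME_BIND_PW" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName
add authentication Policy AUTHPOL_LDAP -rule true -action LDAPACT_AD
add authentication policylabel PL_LDAP -loginSchema LSCHEMA_INT
bind authentication policylabel PL_LDAP -policyName AUTHPOL_LDAP -priority 100 -gotoPriorityExpression NEXT

# Step 4: non-addressable AAA vserver with the schema, the first factor (LDAP as next factor) and the certificate
add authentication vserver $AAA_VS SSL 0.0.0.0
bind ssl vserver $AAA_VS -certkeyName $CERT_NAME
bind authentication vserver $AAA_VS -policy LSPOL_SingleAuthBio -priority 100 -gotoPriorityExpression END
bind authentication vserver $AAA_VS -policy AUTHPOL_Veridium -priority 100 -nextFactor PL_LDAP -gotoPriorityExpression NEXT

# Step 5: authentication profile (the CLI does not require the authentication host the GUI insists on)
add authentication authnProfile AUTHPROF_nFactor -authnVsName $AAA_VS

# Step 6: point the gateway at the profile. Unbind the old RADIUS/LDAP policies from
# $GATEWAY_VS first (unbind vpn vserver $GATEWAY_VS -policy <name>) so they do not run alongside nFactor.
set vpn vserver $GATEWAY_VS -authnProfile AUTHPROF_nFactor
EOF
}

emit_nfactor_batch
```

Override the variables in the environment (for example GATEWAY_VS=GW_Prod CERT_NAME=wildcard_2024 sh nfactor.sh) to match your own object names, then review the output before applying it; the bind DN password and RADIUS secret must be replaced, and the old authentication policies removed from the Gateway, before the profile is set.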


While this process may sound complicated, it really only takes a few minutes to set up and replace after the VeridiumID server software is installed. Opting to use biometrics for multi-factor authentication instead of tokens has a number of benefits, from reducing costs to simplifying the login process for your end users.
