Azure Multi-Factor Authentication with NetScaler Unified Gateway

MFA/Azure Multi Factor Authentication (previously PhoneFactor) is a multi-factor authentication technology that can be used with IIS, VPNs, OWA, ADFS, Office 365 and NetScaler to name a few using either the LDAP or RADIUS protocols from Azure cloud or on-premise. MFA has the ability to verify a users identity by calling their phone, texting their phone or using an app for verification. Using a phone for the second factor allows you to make use of something everyone will likely already have without additional bits of hardware whilst making it a great deal harder for attackers to break into accounts.

MFA can be deployed on-permise using the cloud service for second factor authentication which I will show today or fully served from the Azure public cloud. Azure Multi-Factor Authentication is available free of charge for Office 365 users and Azure administrators to protect log ons to the Azure management portal. MFA itself can be purchased as a standalone license which contains the most features and is bundled with Azure Active Directory Premium or the Enterprise Mobility Suite.

Two deployment methods for MFA:

  • On premise – Use on-premise if your users are located on-permise in Active Directory and you want to use MFA for on-permise VPN, NetScaler Gateway, Remote Desktop Gateway etc.
  • Azure cloud – Use cloud if your users are in Azure Active Directory and only have to protect services in the cloud.

MFA System Requirements:

  • 200MB hard disk space.
  • 1GB RAM or more.
  • Windows Server 2008 or greater server OS
  • Windows 7 or greater client OS
  • .NET 4.0.
  • IIS 7.0 or greater if installing MFA User Portal or web service SDK.
  • ASP.NET & IIS 6 metabase compatibility IIS 7.0+ features if installing MFA User Portal.
  • Port 443 outbound to, and

♣ Download MFA
♣ Install MFA
♣ Configure MFA for two-factor with NetScaler
♣ Configure NetScaler for two-factor with MFA
♣ MFA Secure LDAP
♣ Add Second MFA Server
♣ NetScaler MFA vServer Configuration
♣ Deploying the MFA User Portal
♣ One Time Bypass
♣ Deploying the MFA Mobile App

Downloading MFA

You can download the MFA software for an on-premise install either via service settings or by clicking manage on an MFA Authentication Provider. To download via service settings in the Azure portal you can navigate to your Active Directory instance and click on Try it now under Get Azure AD Premium if you do not already have a license and want to trial the software.

1-minClick Try Azure Active Directory Premium Now. 2-minClick the tick icon. 3-minNow click on Microsoft Azure Active Directory Premium. 4-minClick Enable directory features. 5-minClick Manage service settings. 6-minClick Go to the portal. 7-minClick Downloads. 47-min Click Download. 9-minAlternatively to download MFA by managing an Azure MFA Authentication Provider navigate to Active Directory -> Multi-Factor Auth Providers -> Create a new multi-factor authentication provider if you do not currently have one created.43-minEnter a name and choose your usage model. License usage can be either per enabled user or per authentication. 44-minLink the Authentication Provider to a directory if you use Azure to manage user accounts. Otherwise, select Do not link a directory -> Create. 45-minNow click Manage. 46-minClick Downloads. 47-minThe installation media is 121MB in size. 10-minOn the MFA designated on-premise server launch the installation media. 12-minFor Server 2012 R2 KB2919355 is a prerequisite. KB2919442 should be installed before installing KB2919355. Once installed click OK.13-minDownload update KB2919355 if required. 14-minBack over on the install wizard click Install to install Visual C++ software. 15-minAgree to the license terms and click Install.16-minClick Close. 17-minAgree to the license terms and click Install. 18-minClick Close. 19-minSpecify an installation folder for MFA or accept the default location. Click Next. 20-minClick Finish. 21-minShortly after clicking finish the MFA configuration wizard appears. Click Next. 22-minNow to subscribe to MFA you need to enter activation credentials that can be generated from the Azure MFA portal. 23-minNavigate back to the downloads section for MFA and click Generate New Activation Credentials. Take a copy of the email and password. Passwords expire after 10 minutes however new credentials can be generated. Enter the credentials (email/password) in to the MFA configuration wizard and click Next. 24-minUse the existing default group or create a new one. Servers in the same group replicate and peform failover which I will show later. Click Next. 25-minSelect Enable replication between servers if you are going to have multiple MFA on-premise servers for redundancy which I will. 26-minKeep the default boxes checked to enable secure communications between MFA servers and click Next. Now for replication the requirements will be that MFA Servers are placed in a PhoneFactor Admins Active Directory Security Group and certificates are present on the boxes. 27-minKeep the default boxes checked and click Next. 28-minClick Next. Certificates will be generated for secure communication between MFA servers. 29-minThis is an example of the certificate created on one of the servers. 30-minSince NetScaler is not in the list we have to select some sort of deployment option to continue. Select Terminal Services -> Next.31-minClick Next. 32-minClick Finish. The MFA server will now restart. 33-minOnce the MFA server has restarted launch the MFA administration console. 34-minNavigate to Windows Authentication and delete the terminal services server we added since we don’t actually need it.35-minClick Yes. 36-minNavigate to LDAP Authentication, click Add. Enter your NetScaler NSIP (NetScaler IP) and a name. When performing load balancing through NetScaler we insert the SNIP here. By default Require Multi-Factor Authentication user match is checked and for security reasons should be left enabled. If you disable this any user not configured within MFA can potentially authenticate to NetScaler without providing two-factor authentication. If you leave this enabled, users must be imported in to MFA so the user match check can pass. 37-minNext browse to Directory Integration. Uncheck Include trusted domains to increase performance if you have multiple domain trusts but won’t be importing users from those domains. For LDAP we must specify a specific LDAP configuration. Click on Edit. 38-minEnter details as below. The Bind username should match the account used in your NetScaler Gateway LDAP authentication policy. Multiple Active Directory servers can be specified by making use of semicolons. Once the required information is entered click on Test. 39-minYou should get a success message. Click OK. 40-minClick on the Synchronization tab. Click to enable synchronization with Active Directory. You can click Add to add items you want to keep synchronized for example a Security Group. As members are added to the Security Group they are added as an MFA user providing automation or if their mobile phone number changes or user account details change those details are updated on the MFA database. You can also choose the Remove users no longer in Active Directory which is a good idea to keep the MFA users list clean. 41-minYou can specify the synchronization interval as below. 42-minClick on Company Settings. Here we can specify which type of secondary factor to use. For now I will select text message so that when users successfully enter LDAP credentials to the NetScaler they will need to respond to a one time password text message. Secondary factors can be changed for individual or groups of users so even though you are selecting the second factor here this doesn’t mean one setting for all.48-minClick on Users. We need to add users to MFA so that the can use multi-factor authentication. It is also required to add the service account used in your NetScaler LDAP policy to make bind connections to LDAP. Click on Import from LDAP. 49-minHere you can browse the directory structure and select multiple users to import. I am going to import one user account by highlighting the user and clicking Import. If you click on the Method Defaults tab you can choose which second factor of authentication that user should be prompted for, otherwise the default factor you choose earlier applies. 50-minThe mobile numer from Active Directory is read and displayed in MFA. Note that in Active Directory you must specify +44 in the mobile attribute for MFA to select the correct country code. Otherwise, the default United States +1 country code will be used.51-minTo test multi-factor authentication click on the Test button. 52-minEnter an MFA username and password. Click Test. You should receive a text message, reply with the OTP. 53-minIf all is good you will receive a success message. 54-minNow because NetScaler (the LDAP client) uses a bind account for LDAP we need to import it to MFA. You can use the search function, another way to locate and import users in to MFA. 55-minNotice that this bind account is disabled and must remain disabled.56-minThe NetScaler needs some configuration before multi-factor authentication will work. Modify the existing LDAP authentication policy. Enter the MFA server IP address (or load balanced address) and increase the time-out to something reasonable giving users time to reply to the text message or other form of authentication. Make sure the LDAP bind DN matches the user account specified within MFA and the LDAP configuration. 57-minThe next time you authenticate to NetScaler Gateway using an MFA configured user account you will receive a text message like below, respond and shortly after you should gain access to NetScaler Gateway. 1-minTo enable Secure LDAP you need to import a certificate on all MFA servers and select that certificate through the MFA console. The NetScaler also has to trust the certificate. I am going to use a self-signed certificate generated from ADCS. Navigate to LDAP Authentication and click Browse beside SSL certificate.58-minSelect the computer certificate that matches the MFA server FQDN. Click OK. 60-minTo add a second MFA server to an MFA server group launch the installation media on the second MFA server, run through the configuration and join to an existing group as below. 61-minOnce complete all configuration should replicate to the second MFA server. You can now see both servers as below including which server is the master and which one is slave. Keep in mind that servers participating in replication must either have a certificate generated for replication and/or be members of the PhoneFactor Admins Active Directory group.62-minTo promote a slave server to master simply right-click the slave and select Promote to Master. 63-minIf an MFA server goes offline your slave server will still accept LDAP authentication requests so authentication will not be affected. If you need to use the MFA administration console you launch the console via the slave MFA server. The slave server tries to contact the master (now offline) MFA server. After realising that contact cannot be made to the master you are presented with the option of promoting the slave to master. Keep in mind the warning that comes with promoting a slave to master. Click Yes.1-minClick Yes again. 2-minNow the slave server has been promoted to master. MF01 shows as Not Connected as it is offline. 3-minAuthentication requests should be directed fully to MF02. You can use a Load Balanced vServer on NetScaler to load balance authentication across both MFA servers and provide high availability with back-end service monitoring. When using Load Balancing add the SNIP address of the NetScaler to the MFA Console as a client under LDAP Authentication.4-minAs you can see MF01 is marked as down because the TCP 636 probes are failing since the server is offline. 5-minOnce MF01 is back online the probes succeed and the service state is marked UP. 6-minYou can deploy an MFA User Portal allowing users to enroll for MFA themselves and manage aspects of their account. The portal runs on IIS within a Windows Server OS and is configurable within the MFA administration console. Review the software pre-requisites for the MFA User Portal at the top of this guide. The MFA User Portal can be installed on an MFA server itself or on separate server(s).

To deploy the MFA User Portal on an existing MFA server simply launch the console, navigate to User Portal and click Install User Portal…1-minClick Next. If you do not have IIS installed, you will be prompted to do so before continuing. 2-minClick Next. This step creates an Active Directory user account and adds that acount to the PhoneFactor Admins group. 3-minClick Next. 4-minChoose the default Site, Virtual Directory name and Application Pool or choose your own. Click Next. 5-minClick Close. 6-minLaunching the User Portal with HTTP gives the following 403.4 – Forbidden error because we need to configure and enable an HTTPS binding against the site. 7-minMake sure an HTTPS binding exists for the site and a certificate is installed that will match the MFA User Portal URL. 8-minNow we can browse to the MFA User Portal over HTTPS. 9-minNavigate back to the MFA Administration Console. There are a number of different options you can configure such as allowing users to select a method of secondary authentication when they log on to the User Portal. By default, Automatically trigger user’s default method is selected which will result in the user being challenged with the default secondary authentication method when they log on to the User Portal. In our case, this is text message verification. You can allow users to select their own method of secondary authentication so that when they log on to the User Portal options are given based on allowed authentication methods.10-minTick Allow user enrollment so that users can log on to the User Portal and enrol themselves for muti-factor authentication. 11-minAs a user logs on to the User Portal for the first time with text message verification selected as default and they do not have a phone number associated with their account they are prompted to specify one and to authenticate using a text message to confirm the phone number they enter is owned by them. Enter a phone number and click Text Me Now to Authenticate.  12-minNext you will be asked for a number of security questions. Security questions are used as a fallback if you fail authentication to the User Portal. Again security questions can be turned on or off. The user must specify answers to four security questions by default. Click Continue when ready.1-minYou can use the drop down on any of the four questions to change them. 2-minOnce security questions have been answered you are brought to the welcome screen. Your account is now configured to use multi-factor authentication. The below message can change based on what multi-factor authentication method the user is using e i.e. text message/phone call. Click on the Change Phone icon if you want to change your mobile number. 3-minClick on Change Security Questions if you want to change any of your security questions. 4-minIf you fail secondary authentication when logging on to the User Portal you are given the choice to log on by correctly answering your security questions. 5-minThis can be turned off by unticking Use security questions for fallback in the MFA console. You can also specify how many questions a user must correctly answer (minimum 1, maximum 4). 6-minYou can add, edit, remove and change the order of questions by using the Security Questions tab within the MFA console. 7-minOn the Trusted IPs tab click Add. 8-minYou can add single IPs, ranges or subnets meaning that IPs connecting to the User Portal are not challenged by a secondary authentication method as they are trusted. Instead these users only need to enter their Active Directory credentials. 9-minYou can allow users to initiate One-Time Bypass by checking Allow users to initiate One-Time Bypass.10-minNow users, within the User Portal, can initiate a one-time multi-factor authentication bypass and specify the number of seconds the bypass it valid for. If the user signs in to NetScaler Gateway for example within the next 300 seconds they will not be challenged with a second factor for authentication. 11-minAnother authentication method which I have not talked about is achieved by using the MFA mobile app. Using the app you can simply tap an authenticate button or enter a pin along with tapping the button.

MFA mobile app system requirements:

  • MFA v6.0+ used in your environment.
  • MFA Mobile App web service installed on IIS 7 or higher and internet facing.
  • ASP.NET v4.0.30319 installed, registered and set to allowed.
  • IIS6 Metabase Compatibility IIS feature installed.
  • MFA Mobile App web service accessible via public URL and secured with SSL certificate.
  • The Mobile App portal must be able to communicate with the web service SDK using SSL meaning it must trust the certificate issued to the SDK server.

The MFA web service SDK must also be installed on your MFA server(s) to ensure communication between MFA servers and the Mobile Web app service is possible.

MFA web service SDK system requirements:

  • Basic Authentication for Web Service SDK
  • IIS6 Metabase Compatibility IIS feature installed.
  • Web service SDK must be installed on IIS 7+ and secured with SSL certificate.

To get started install the Web Service SDK on all participating MFA servers. Launch the MFA console, navigate to Web Service SDK -> Install Web Service SDK.42-minClick Next if you are happy with the default settings. 12-minClick Close. 13-min

You must secure the SDK Web Service with an SSL certificate. This can be an internally issued certificate. The Web Portal front-end server must trust this certificate as both services will communicate over HTTPS. Both of my MFA servers that have the SDK Web Service installed will use an existing computer certificate, matching the FQDN of each respective server name.14-minOn one of the MFA servers navigate to C:\Program Files\Multi-Factor Authentication Server and copy MultiFactorAuthenticationMobileAppWebServiceSetup64.msi. This file must be copied to your Mobile App Web Service server. 15-minLaunch the Mobile App installation media from the Mobile App Web Service server. 16-minClick Yes to download Visual C++ 64bit media. Download and run the installer. 17-minClick Close. You will have to run the Mobile Web App installer again. 18-minClick Yes to download the Visual C++ 32bit media.  19-minClick Close. 20-minNow the installation wizard allows you to configure IIS settings. You will want to trim the virtual directory name as potentially users may have to type this in as part of the URL when configuring the Microsoft Authenticator app. 21-minTrim the Virtual Directory to something simple. Click Next. 22-minClick Close. 23-minOn the Web App Service server, navigate to C:\inetpub\wwwroot\AWS and edit web.config. 24-minLook for the section containing SDK_AUTHENTICATION_USERNAME and SDK_AUTHENTICATION_PASSWORD. These fields should be completed to include the username and password of an Active Directory service account used to communicate back to the SDK web service. 25-minInsert DOMAIN\username and password as below inside the quotation marks. 26-minNext find the section containing PfWsSdk. 27-minRemove replacing it with the server name hosting your Web Service SDK. This may be a load balanced address if you have this configuration. Now save web.config. 28-minSecure the Web App Service with a public certificate. 29-minMake sure you can browse to the publicly accessible URL without any certificate warnings. 30-minNow on your MFA server navigate to the MFA console and under User Portal -> Allow users to select method you can select Mobile app which allows users to enrol their mobile phone for mobile app authentication. The mobile app authentication can also be a mandatory authentication method by changing the secondary authentication default in Company Settings or within the users own properties. Users can also select their own authentication method within the User Portal. 31-minSelect Allow users to activate mobile app. You can limit the amount of devices a user can activate using Device limit. 32-minIn the MFA console, navigate to Mobile App. Complete the Mobile App Web Service URL and specify an Account Name. Account Names are those that appear within the users Authenticator application to make identification between different accounts easier. 33-minThe next time a user logs on to the User Portal they can activate their own mobile app. Navigate to Activate Mobile App -> Generate Activation Code. 34-minYou can now add the MFA account to your mobile either by manually typing the activation code and URL (notice why it was important to shorten the virtual directory name) or by scanning the QR code. Activation codes expire after 10 minutes. 35-minCompleting either method adds the company MFA account to your app. 36-minNext time you sign in to NetScaler Gateway and your method is mobile app authentication, the Authenticator app pushes a notification to your phone asking you to approve or deny sign-in. Click approve and authentication to NetScaler Gateway will be granted. Note that push notifications should be allowed on your phone. 37-minAs previously mentioned you can also secure mobile app authentication with a PIN. Edit a users account using the MFA console, and select PIN using the dropdown box. 38-minClicking Generate provides you with a 4-digit PIN. Select User must change PIN and click Apply. You can generate your own PIN for users. You can also generate and assign PINs to multiple user accounts at once. 39-minNow as the user logs in and clicks Approve they must enter the 4 digit PIN. 40-minOnce that PIN is entered correctly you are prompted to change your PIN to something different. Going forward this will be the PIN you use for authentication. 41-minPIN settings including minimum length can be changed in the MFA console by navigating to Company Settings.43-min


  • Sam

    December 21, 2016

    Thanks for such a great write up. I am struggling to get the mobile app web url working. so lets say I have a server name with an internal CA ssl issued to I can browse to this with no issues. How do create an external url like you have e.g . I have a public CA ssl cert issued to Do I need to do anything within DNS?

    I have a couple of questions. How did you create the external url for the mobile app web since the initial server name was Did you have do anything within Dns?. I am assuming your public ssl cert is issued to, if that is the case wouldn’t you be having a certificate mismatch since the mobile app web was installed on

    • George Spiers

      December 21, 2016

      Hi Sam

      You create an external DNS record for and then configure routing so that HTTPS to that URL can reach the server. You also replace the internal CA SSL on with your public SSL certificate issued to

      There is no certificate mismatch because when I browse to I receive the public CA certificate from the server. This confirms the server I am connecting to is authentic.

  • Mike

    March 13, 2017

    Great Article! Do you know if there is an options for people without a phone?
    Perhaps a way to send the PIN to a personal email address?

    • George Spiers

      March 13, 2017

      An option to auhenticate via NetScaler? You must use a phone to authenticate. Regarding the PIN that is an optional authentication step, you would generate a PIN for the user and then set the option that they must change the PIN to something of their choice.

      • Mike

        March 13, 2017

        I think I found what I was looking for. The situation I am faced with was for users who need citrix access but do not have a phone. Looks like there is a 3rd Party OATH token which should address my issues by providing those users with a key fob. I was wondering if there was a way to email the activation code and save on having to use a key fob.

        • George Spiers

          March 13, 2017

          I see what you mean now. I’m sure there will be a few OATH MFA compliant soft-token solutions out there so you do not need to use a physical keyfob.

          • Adi

            September 7, 2017

            Really a Great Article.

            In current environment we have NetScaler 10.5 with two factor authentication ( AD + C-Pass tokent). Client wants to remove C-Pass authentication and implement MFA as secondary authentication (Phone Call)

            Now my client implemented on-premise MFA.

            What are all the details I need to collect from MFA team to configure MFA on NetScaler so that I can remove C-Pass tokent authentication.

            Thanks in Advance.

            Aditya Kumara

          • George Spiers

            September 7, 2017

            First ask the team if they are using RADIUS or LDAP for MFA authentication. Taking LDAP for example, you would need to obtain the MFA server IP from them and port (389/636 if secure). You’ll also need a service account which is referenced in the NetScaler LDAP profile and on the MFA server as a user (disabled) which performs the LDAP bind and lookups. You’ll need to provide the MFA team with your NetScaler SNIP so that they can add it to the MFA configuration as an LDAP client.

  • Ray

    October 10, 2017

    does Citrix Receiver for Windows (External users) able to use this MFA?
    I see it working for Reciver for web.

    • George Spiers

      October 10, 2017

      Yes it can work, so long as you are not using nFactor authentication to power MFA. Just use MFA in your primary LDAP policy attached to NetScaler.


Leave a Reply