Authenticate

Client certificate authentication

Important:

  • When using StoreFront, Citrix Workspace app supports:
    • Citrix Access Gateway Enterprise Edition Version 9.3
    • NetScaler Gateway Version 10.x through Version 11.0
    • Citrix Gateway Version 11.1 and later
  • Citrix Workspace app for iOS supports client certificate authentication.
  • Only Access Gateway Enterprise Edition 9.x and 10.x (and later releases) support client certificate authentication.
  • Double-source authentication types must be CERT and LDAP.
  • Citrix Workspace app also supports optional client certificate authentication.
  • Only P12 formatted certificates are supported.

Users signing in to a Citrix Gateway virtual server can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be combined with another authentication type, LDAP, to provide double-source authentication.

Administrators can authenticate end users based on the client-side certificate attributes as follows:

  • Client authentication is enabled on the virtual server.
  • The virtual server requests a client certificate.
  • A root certificate is bound to the virtual server on Citrix Gateway.

When users sign in to the Citrix Gateway virtual server, after authentication, the user name and domain name are extracted from the SubjectAltName:OtherName:MicrosoftUniversalPrincipalName field of the certificate. It is in the format username@domain.

Authentication is complete when the user name and domain have been extracted and the user provides the remaining required credentials (such as a password). If the user does not present a valid certificate and credentials, or if the username/domain extraction fails, authentication fails.

You can authenticate end users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during authentication based on the client SSL certificate.
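The UPN extraction described above, as an added example that is not part of the Citrix documentation or product: a small pure-Python DER walker that locates the OtherName entry carrying the Microsoft UPN OID (1.3.6.1.4.1.311.20.2.3, szOID_NT_PRINCIPAL_NAME) inside a SubjectAltName extension value and applies the username@domain check. The encoding helpers and the sample SAN values are constructed here so the script runs offline; the function names (`build_san`, `extract_upn`) are this example's own and not a gateway API.

```python
"""Added example (not part of the Citrix page or product): locate the
SubjectAltName:OtherName:MicrosoftUniversalPrincipalName entry of a client
certificate and apply the username@domain check the gateway performs.
Pure-Python DER walker; no third-party packages. The sample SAN values are
constructed below; function names are this example's own."""

from typing import Iterator, Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME


# --- encoding helpers, used only to build the constructed sample input --------

def _tlv(tag: int, content: bytes) -> bytes:
    """DER tag / length / value."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted: str) -> bytes:
    """Base-128 OID encoding (first two arcs packed into one byte)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def build_san(upn: Optional[str] = None, dns: Optional[str] = None) -> bytes:
    """Constructed SubjectAltName value: SEQUENCE OF GeneralName."""
    names = b""
    if dns:
        names += _tlv(0x82, dns.encode("ascii"))              # dNSName [2] IA5String
    if upn:
        other = encode_oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, other)                            # otherName [0] OtherName
    return _tlv(0x30, names)


# --- decoding side: what the gateway does with the presented certificate -------

def _read_length(buf: bytes, i: int) -> Tuple[int, int]:
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_iter(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV in a DER byte string."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, j = _read_length(buf, i + 1)
        yield tag, buf[j:j + length]
        i = j + length


def decode_oid(raw: bytes) -> str:
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def extract_upn(san_der: bytes) -> Optional[Tuple[str, str]]:
    """(username, domain) from the UPN OtherName, or None when the SAN has no
    UPN or it is not of the form username@domain: extraction failed, so the
    gateway fails authentication."""
    top = list(der_iter(san_der))
    if len(top) != 1 or top[0][0] != 0x30:
        return None
    for tag, general_name in der_iter(top[0][1]):
        if tag != 0xA0:                                       # not an OtherName
            continue
        parts = list(der_iter(general_name))
        if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
            continue
        if decode_oid(parts[0][1]) != UPN_OID:
            continue
        inner = list(der_iter(parts[1][1]))                   # [0] EXPLICIT -> UTF8String
        if len(inner) != 1 or inner[0][0] != 0x0C:
            return None
        user, sep, domain = inner[0][1].decode("utf-8").partition("@")
        return (user, domain) if sep and user and domain else None
    return None


if __name__ == "__main__":
    print(extract_upn(build_san(upn="alice@corp.example", dns="gw.example.com")))
    print(extract_upn(build_san(dns="gw.example.com")))       # no UPN -> None
```

The second call models the failure mode the text describes: a certificate that chains correctly but has no UPN (or a UPN without an @ and both halves) yields no user name and domain, so the gateway cannot prepopulate the logon fields and authentication fails even before the LDAP factor is reached.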

To configure the XenApp farm

Create a XenApp farm for mobile devices with the Citrix Virtual Apps console or the Web Interface console. Which console you use depends on the version of Citrix Virtual Apps that you've installed.

Citrix Workspace app uses a XenApp farm to get information about the apps that a user has access to. The same information is shared with the apps that are running on the device. This method is similar to the way that you use the Web Interface for traditional SSL-based Citrix Virtual Apps connections, where you can configure the Citrix Gateway.

Configure the XenApp farm for Citrix Workspace app for mobile devices to support connections from the Citrix Gateway as follows:

  1. In the XenApp farm, select Manage secure client access > Edit secure client access settings.
  2. Change the Access Method to Gateway Direct.
  3. Enter the FQDN of the Citrix Gateway appliance.
  4. Enter the Secure Ticket Authority (STA) information.

To configure the Citrix Gateway appliance

For client certificate authentication, configure Citrix Gateway with two-factor authentication using the Cert and LDAP authentication policies. To configure the Citrix Gateway appliance:

  1. Create a session policy on Citrix Gateway to allow incoming Citrix Virtual Apps connections from Citrix Workspace app. Specify the location of your newly created XenApp farm.

    • Create a session policy to identify that the connection is from Citrix Workspace app. As you create the session policy, configure the following expression and choose Match All Expressions as the operator for the expression:

      REQ.HTTP.HEADER User-Agent CONTAINS CitrixWorkspace

    • In the associated profile configuration for the session policy, on the Security tab, set Default Authorization to Allow.

      On the Published Applications tab, if the setting isn't a global setting (you selected the Override Global checkbox), verify that the ICA Proxy field is set to ON.

      In the Web Interface Address field, enter the URL including the config.xml for the XenApp farm that the device users use, for example:

      • /XenAppServerName/Citrix/PNAgent/config.xml or
      • /XenAppServerName/CustomPath/config.xml.
    • Bind the session policy to a virtual server.

    • Create authentication policies for Cert and LDAP.

    • Bind the authentication policies to the virtual server.

    • Configure the virtual server to request client certificates in the TLS handshake. To do so, navigate to Certificate > open SSL Parameters > Client Authentication > set Client Certificate to Mandatory.

    Important:

    If the server certificate that is used on the Citrix Gateway is part of a certificate chain, for example, if it is signed by an intermediate certificate, then install the intermediate certificates on the Citrix Gateway as well. For information about installing certificates, see the Citrix Gateway documentation.

To configure the mobile device

If client certificate authentication is enabled on Citrix Gateway, users are authenticated based on certain attributes of the client certificate. After authentication, the user name and domain can be extracted from the certificate. You can apply specific policies for each user.

  1. From Citrix Workspace app, open the Account, and in the Server field, type the matching FQDN of your Citrix Gateway server. For example, GatewayClientCertificateServer.organization.com. Citrix Workspace app automatically detects that the client certificate is required.
  2. Users can either install a new certificate or choose one from the already installed certificate list. For iOS client certificate authentication, download and install the certificate from Citrix Workspace app only.
  3. After you select a valid certificate, the user name and domain fields on the sign-in screen are prepopulated with the user name from the certificate. An end user can enter other details, including the password.
  4. If client certificate authentication is set to optional, users can skip the certificate selection by pressing Back on the certificates page. In this case, Citrix Workspace app proceeds with the connection and presents the user with the logon screen.
  5. After users complete the initial sign-in, they can start applications without providing the certificate again. Citrix Workspace app stores the certificate for the account and uses it automatically for future logon requests.

Configure Rewrite policy for authentication process

Administrators can switch the browser used for the authentication process from the embedded browser to the system browser. This is possible only when an advanced authentication policy is configured on the on-premises Citrix Gateway and StoreFront deployment. To configure the advanced authentication policy, configure a NetScaler Rewrite policy by using the NetScaler command line:

    enable ns feature REWRITE
    add rewrite action insert_auth_browser_type_hdr_act insert_http_header X-Auth-WebBrowser "\"System\""
    add rewrite policy insert_auth_browser_type_hdr_pol "HTTP.REQ.URL.EQ(\"/cgi/authenticate\")" insert_auth_browser_type_hdr_act
    bind vpn vserver <VPN-vserver-Name> -policy insert_auth_browser_type_hdr_pol -priority 10 -gotoPriorityExpression END -type AAA_RESPONSE

The action inserts the response header X-Auth-WebBrowser: System on the AAA response to /cgi/authenticate; Citrix Workspace app reads that header and hands the authentication flow to the system browser.

Moving to the system browser provides more capabilities such as:

  • Better experience with certificate-based authentication.
  • Ability to use an existing user certificate from the device keystore during the authentication process.
  • Support for some third-party authenticators like SITHS eID.

The embedded browser is used as the default browser for authentication if the administrator hasn't configured the above Rewrite policy.

This table lists the browser that is used for authentication based on the configuration on the NetScaler Gateway and the Global App Configuration Service:

  NetScaler Gateway | Global App Configuration Service | Browser used for authentication
  ----------------- | -------------------------------- | -------------------------------
  System            | System                           | System
  System            | Embedded                         | System
  Embedded          | System                           | System
  Embedded          | Embedded                         | Embedded
  No configuration  | System                           | System
  No configuration  | Embedded                         | Embedded

Support certificate-based authentication for on-premises stores

End users can now perform certificate-based authentication where the certificates are saved in the device keychain. While signing in, Citrix Workspace app identifies the list of certificates on your device, and you can select one certificate for authentication.

Important:

After you choose the certificate, the selection remains for the next Citrix Workspace app session. To select another certificate, you can "Reset Safari" from the iOS device settings or reinstall Citrix Workspace app.

Safari View Controller

Note:

This feature supports on-premises deployments.

To configure:

  1. Navigate to the Global App Configuration Store Settings API URL and enter the cloud store URL. For example, https://discovery.cem.cloud.us/ads/root/url/<hash encoded store URL>/product/workspace/os/ios.
  2. Navigate to API Exploration > SettingsController > postDiscoveryApiUsingPOST > click POST.
  3. Click INVOKE API.
  4. Create and upload the payload details. Select one of the following values:

    • "Embedded": the app uses WKWebView. This option is set by default.
    • "System": the app uses the Safari view controller.

    For example:

    {
      "category": "Authentication",
      "userOverride": false,
      "settings": [
        { "name": "Web Browser to use for Authentication", "value": "*Embedded*/*System*" }
      ]
    }

    On iPhone or iPad devices, administrators can switch the browser used for the authentication process. You can switch from the embedded browser to the system browser when an advanced authentication policy is configured on the on-premises Citrix Gateway and StoreFront deployment. For more information, see Configure Rewrite policy for authentication process.

  5. Click EXECUTE to push the setting.

Smart cards

Citrix Workspace app supports SITHS smart cards for in-session connections only.

If you're using FIPS Citrix Gateway devices, configure your systems to deny SSL renegotiation. For details, see Knowledge Center article CTX123680.

The following products and configurations are supported:

  • Supported readers:
    • Precise Biometrics Tactivo for iPhone Mini, firmware version 3.8.0
    • Precise Biometrics Tactivo for iPad (fourth generation), Tactivo for iPad (third generation) and iPad 2, firmware version 3.8.0
    • BaiMobile® 301MP and 301MP-L Smart Card Readers
    • Thursby PKard USB reader
    • Feitian iR301 USB reader
    • Type-C CCID-compliant readers
    • twocanoes smart card utility reader
  • Supported VDA Smart Card Middleware:
    • ActiveIdentity
  • Supported smart cards:
    • PIV cards
    • Common Access Card (CAC)
  • Supported configurations:
    • Smart card authentication to Citrix Gateway with StoreFront 2.x and XenDesktop 7.x or later or XenApp 6.5 or later

To configure Citrix Workspace app to access apps

  1. If you want to configure Citrix Workspace app to access apps automatically when you create an account, in the Address field, type the matching URL of your store. For example:

    • StoreFront.organization.com
    • netscalervserver.organization.com
  2. Select the Use Smartcard option if you're using a smart card to authenticate.

Note:

Logons to the store are valid for about one hour. After that time, users must log on again to refresh or launch other applications.

Support for the twocanoes smart card utility reader

Starting with the 24.3.5 version, Citrix Workspace app for iOS supports the twocanoes smart card utility readers. For more information about supported smart card readers, see Smart cards.

Note:

The twocanoes smart card utility USB-C reader is supported for both Citrix Workspace app login and virtual session login. However, the twocanoes smart card utility Bluetooth reader is supported only for Citrix Workspace app login and not for virtual session login.

To configure the twocanoes smart card utility Bluetooth reader, do the following steps:

  1. Download and install the Smart Card Utility app from the App Store. For more information, see Smart Card Utility Bluetooth Reader Quick Start in the twocanoes knowledge base.
  2. Make sure that Bluetooth on your device is turned on and the smart card is inserted into the reader.
  3. Open the Smart Card Utility app.


  4. If you are using the Bluetooth reader, tap Add Bluetooth or Other Reader… and select your reader to connect.

    Note:

    If the reader is enabled with PIN pairing, you must enter the PIN when prompted. The PIN is printed on the back of the reader.


  5. Tap Insert on the required certificate to copy it to the keychain interface.

    Note:

    The Smart Card Utility app implements a CryptoTokenKit extension provided by Apple to write certificates to the keychain interface in the form of tokens. For more information, see Configure Smart Card Authentication in the Apple developer documentation.


  6. Make sure that the reader remains connected to the device.
  7. Open Citrix Workspace app and enter the store URL that is configured for smart card authentication.


  8. On the Certificates screen, select the required certificate and enter the smart card PIN provided by your IT administrator to sign in.


  9. If you have access to multiple stores, select the required store and tap Continue.


  10. After successful authentication, you are signed in to Citrix Workspace app.

YubiKey support for smart card authentication

You can now perform smart card authentication using a YubiKey. This feature provides a single-device authentication experience for Citrix Workspace app and for the virtual sessions and published apps in the VDA session. It eliminates the need to connect smart card readers or other external authenticators, and it simplifies the end-user experience because the YubiKey supports a wide variety of protocols, such as OTP, FIDO and so on.

To sign in to Citrix Workspace app, end users need to insert the YubiKey into their iPhone or iPad, turn on the Smart card toggle, and provide their Store URL.

Note:

This feature supports only direct connections from Citrix Workspace app to StoreFront installations, not connections through Citrix Gateway. YubiKey support for smart card authentication through Citrix Gateway will be available in a future release. Citrix Workspace app for iOS supports only the YubiKey 5 series. For more information on the YubiKey, see YubiKey 5 series.

Support for multiple certificates in smart card authentication

Previously, Citrix Workspace app for iOS displayed only the certificates available in the first slot of the connected smart card.

Starting with the 24.1.0 version, Citrix Workspace app for iOS displays all the certificates available on the smart card. This feature allows you to select the required certificate while authenticating through smart card authentication.

RSA SecurID authentication

Citrix Workspace app supports RSA SecurID authentication for Secure Web Gateway configurations. These configurations are made through the Web Interface and apply to all Citrix Gateway configurations.

URL scheme required for the software token on Citrix Workspace app for iOS: the RSA SecurID software token used by Citrix Workspace app registers the URL scheme com.citrix.securid only.

If end users have installed both Citrix Workspace app and the RSA SecurID app on their iOS device, they must select the URL scheme com.citrix.securid to import the RSA SecurID Software Authenticator (software token) into Citrix Workspace app on their devices.

To import an RSA SecurID soft token

To use an RSA soft token with Citrix Workspace app, as an administrator, ensure that the end users follow:

  • the policy for PIN length
  • the type of PIN (numeric only or alphanumeric)
  • the limit on PIN reuse

After the end user is successfully authenticated to the RSA server, the end user needs to set up the PIN only once. After the PIN verification, they're also authenticated with the StoreFront server. After all the verification, the Workspace app displays any published applications and desktops.

To use an RSA soft token

  1. Import the RSA soft token provided to you by your organization.

  2. From the email with your SecurID file attached, select Open in Workspace as the import destination. After the soft token is imported, Citrix Workspace app opens automatically.

  3. If your organization provided a password to complete the import, enter the password provided to you by your organization and tap OK. After tapping OK, you'll see a message that the token was successfully imported.

  4. Close the import message, and in Citrix Workspace app, tap Add Account.

  5. Enter the URL for the Store provided by your organization and tap Next.

  6. On the Log On screen, enter your credentials: user name, password, and domain. In the PIN field, enter 0000, unless your organization has provided you with a different factory PIN. The PIN 0000 is the RSA default, but your organization might have changed it to comply with its security policies.

  7. At the top left, tap Log On. A message appears asking you to create a PIN.

  8. Enter a PIN that is 4 to 8 digits long and tap OK. A message appears asking you to verify your new PIN.
  9. Enter your PIN again and tap OK. You can now access your apps and desktops.

Next Token Code

Citrix Workspace app supports the next token code feature when you configure Citrix Gateway with RSA SecurID authentication. If you enter three incorrect passcodes, an error message appears in the Citrix Gateway plug-in. To sign in, wait for the next token code. The RSA server can be configured to disable a user's account if the user logs on too many times with an incorrect passcode.

Derived credentials

Support for Purebred derived credentials in Citrix Workspace app is available. When connecting to a Store that allows derived credentials, users can log on to Citrix Workspace app using a virtual smart card. This feature is supported only on on-premises deployments.

Note:

Citrix Virtual Apps and Desktops 7 1808 or later is required to use this feature.

To enable derived credentials in Citrix Workspace app:

  1. Go to Settings > Advanced > Derived Credentials.
  2. Tap Use Derived Credentials.

To create a virtual smart card to use with derived credentials:

  1. In Settings > Advanced > Derived Credentials, tap Add New Virtual Smart Card.
  2. Edit the name of the virtual smart card.
  3. Enter an 8-digit numeric-only PIN and confirm it.
  4. Tap Next.
  5. Under Authentication Certificate, tap Import Certificate…
  6. The document picker displays. Tap Browse.
  7. Under Locations, select Purebred Key Chain.
  8. Select the appropriate authentication certificate from the list.
  9. Tap Import Key.
  10. Repeat steps 5–9 for the Digital Signature Certificate and the Encryption Certificate, if desired.
  11. Tap Save.

You can import up to three certificates for your virtual smart card. The authentication certificate is required for the virtual smart card to work properly. The encryption certificate and digital signature certificate can be added for use in a VDA session.

Note:

When connecting to an HDX session, the created virtual smart card is redirected into the session.

Known limitations

  • Users can have only one virtual smart card on a device at a time.
  • Once a virtual smart card is created, it can't be edited. Delete the card and create it again.
  • A PIN can be entered incorrectly up to ten times. After the tenth incorrect attempt, the virtual smart card is deleted.
  • When you select derived credentials, the virtual smart card overrides a physical smart card.

User-agent string for WKWebView

By default, the user-agent string used during some of the web requests initiated through WKWebView now includes the Citrix Workspace app identifier.

That is, it has been changed from:

    Mozilla/5.0 (iPhone; CPU iPhone OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 AuthManager/3.2.4.0

to one of the following:

    Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 CWA/23.3.0 iOS/15.0 X1Class CWACapable 302RedirectionCapable CFNetwork Darwin CWA-iPhone (iPhone example)

or

    Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 CWA/23.3.0 iOS/15.0 X1Class CWACapable 302RedirectionCapable CFNetwork Darwin CWA-iPad (iPad example)

nFactor authentication

Support for multi-factor (nFactor) authentication

Multifactor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Multifactor authentication makes the authentication steps and the associated credential collection forms configurable by the administrator.

Native Citrix Workspace app can support this protocol by building on the Forms logon support already implemented for StoreFront. The web logon page for Citrix Gateway and Traffic Manager virtual servers also consumes this protocol.

For more details, see SAML authentication and Multi-Factor (nFactor) authentication.

Limitations:

  • If nFactor support is enabled, you can't use biometric authentication such as Touch ID and Face ID.

nFactor Advanced authentication policy support

Citrix Workspace app now supports certificate-based authentication when configured with nFactor Advanced authentication policies on Citrix Gateway. nFactor authentication enables flexible and agile multi-factor schemas.

User-agent changes:

While performing advanced (nFactor) authentication for Citrix Workspace app on an iPhone or iPad, the authentication process is redirected to an embedded WebView. The resulting user-agent string might vary slightly based on the OS version, the CWA build version, the device model, and the AuthManager version. For example, consider the following user-agent strings for iPhone and iPad.

For iPhone:

    Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 CWA/23.5.0 iOS/16.2 X1Class CWACapable 302RedirectionCapable CFNetwork Darwin CWA-iPhone AuthManager/3.3.0.0

For iPad:

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 CWA/23.5.0 iOS/15.0 X1Class CWACapable 302RedirectionCapable CFNetwork Darwin CWA-iPad AuthManager/3.3.0.0

This feature is in preview. It can be enabled on request using the Podio link or by contacting Citrix Technical Support. It will eventually be rolled out to every customer after the preview is complete.

Notes:

  • The version and device model information might vary based on the environment.
  • To apply Citrix Workspace app for iOS-specific user-agent-based policies during authentication, use the following keywords:
    • iOS
    • CWA
    • CWACapable
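As an added example (not code from the Citrix page or product), here is how a policy author can pull the fields named in the note above out of these user-agent strings. The two sample strings are the iPhone and iPad strings shown on this page; the plain Safari control string, the function names and the minimum-build gating rule are this example's own assumptions. Note that the page's iPad string carries a Macintosh platform prefix, so the example keys the device on the CWA-iPhone/CWA-iPad token rather than on the Mozilla prefix, and it checks the keywords iOS, CWA and CWACapable as whole tokens (or product names) rather than as substrings.

```python
"""Added example, not code from the Citrix page: parse the Citrix Workspace
app for iOS (nFactor / WKWebView) user-agent strings into the fields an
administrator can build authentication policies on."""

import re
from typing import Dict, List, Optional, Tuple

# Sample strings copied from the page (iPhone and iPad). The iPad string
# carries a Macintosh platform prefix, not "iPad".
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 CWA/23.5.0 "
             "iOS/16.2 X1Class CWACapable 302RedirectionCapable CFNetwork Darwin "
             "CWA-iPhone AuthManager/3.3.0.0")
UA_IPAD = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Mobile/15E148 CWA/23.5.0 iOS/15.0 X1Class "
           "CWACapable 302RedirectionCapable CFNetwork Darwin CWA-iPad "
           "AuthManager/3.3.0.0")
# Constructed control case (assumption): plain mobile Safari, not Workspace app.
UA_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 "
             "Mobile/15E148 Safari/604.1")

# Keywords the page lists for iOS Workspace app user-agent policies.
REQUIRED_KEYWORDS = ("iOS", "CWA", "CWACapable")

_PRODUCT_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)/([0-9][0-9.]*)$")


def platform_prefix(ua: str) -> str:
    """The parenthesised platform section, e.g. 'Macintosh; Intel Mac OS X 10_15_6'."""
    m = re.search(r"\(([^)]*)\)", ua)
    return m.group(1) if m else ""


def parse_cwa_user_agent(ua: str) -> Optional[Dict[str, object]]:
    """Split the user-agent into product/version tokens and bare flags.
    Returns None when no CWA/<version> token is present (not Workspace app)."""
    products: Dict[str, str] = {}
    flags: List[str] = []
    for tok in ua.split():
        m = _PRODUCT_RE.match(tok)
        if m:
            products[m.group(1)] = m.group(2)
        else:
            flags.append(tok)
    if "CWA" not in products:
        return None
    # Device comes from the CWA-iPhone / CWA-iPad token, never from the prefix.
    device = next((f[len("CWA-"):] for f in flags if f.startswith("CWA-")), None)
    return {
        "cwa_version": products["CWA"],
        "ios_version": products.get("iOS"),
        "authmanager_version": products.get("AuthManager"),
        "device": device,
        "capabilities": {f for f in flags if f.endswith("Capable")},
    }


def _version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split(".") if p)


def is_ios_cwa(ua: str, min_cwa: str = "0") -> bool:
    """Policy predicate: every required keyword is present as a whole token or
    product name (so 'CWA' does not match 'CWACapable' by substring), and the
    CWA build is at least min_cwa. The min_cwa gate is this example's addition."""
    names = {tok.split("/", 1)[0] for tok in ua.split()}
    if not all(k in names for k in REQUIRED_KEYWORDS):
        return False
    info = parse_cwa_user_agent(ua)
    if info is None:
        return False
    return _version_tuple(str(info["cwa_version"])) >= _version_tuple(min_cwa)


if __name__ == "__main__":
    for ua in (UA_IPHONE, UA_IPAD, UA_SAFARI):
        print(platform_prefix(ua), "->", parse_cwa_user_agent(ua), is_ios_cwa(ua, "23.5.0"))
```

The `platform_prefix` call exists only to make the pitfall visible: for the page's iPad string it returns a Macintosh description while `parse_cwa_user_agent` still reports `device == "iPad"`, which is why a gateway policy should test the CWA tokens rather than the platform prefix.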

Support for FIDO2-based authentication when connecting to an HDX session

Citrix Workspace app for iOS now provides password-less authentication within a Citrix Virtual Apps and Desktops session using the FIDO2-based authentication method. This feature allows users to sign in to a WebAuthn-supported website in browsers such as Google Chrome or Microsoft Edge using FIDO2-supported Yubico security keys. Simply opening a WebAuthn-supported website triggers password-less authentication. Only Lightning port-based devices are supported (devices with USB-C or USB 4 ports aren't supported). Signing in to Citrix Workspace app or to the desktop session itself using password-less authentication isn't supported.

For more information about the feature, see Local authorization and virtual authentication using FIDO2 in the Citrix Virtual Apps and Desktops documentation.

Support for authentication using FIDO2 when connecting to a cloud store

Starting with the 24.5.0 version, users can authenticate to Citrix Workspace app using FIDO2-based password-less authentication when connecting to a cloud store. FIDO2 offers a seamless authentication method, allowing enterprise employees to access apps and desktops within virtual sessions without the need to enter a user name or password. This feature supports both roaming authenticators (USB only) and platform authenticators (PIN code, Touch ID, and Face ID only). This feature is enabled by default.

Notes:

FIDO2 authentication is supported by the Chrome custom tabs by default. If you are interested in using FIDO2 authentication with WebView, register your interest using the Podio form.

Support for configurable storage of authentication tokens on the on-premises deployment

Citrix Workspace app for iOS now provides an option to configure the storage of authentication tokens on the local disk for on-premises stores. With this feature, you can disable the storage of the authentication token for enhanced security. After disabling it, when the system or session restarts, you need to authenticate again to access the store.

To disable the storage of authentication tokens on the on-premises deployment using the administration config file, do the following:

  1. Use a text editor to open the web.config file, which is typically in the C:\inetpub\wwwroot\Citrix\Roaming directory.
  2. Locate the user account id in the file (Store is the account name of your deployment). For example: <account id=... name="Store">
  3. Before the </account> tag, navigate to the properties of that user account and add the following:

    <properties>
        <property name="TokenPersistence" value="false" />
    </properties>

The following is an example of the web.config file:

    <account id="#########################################" name="Store Service"
        description="" published="true" updaterType="None" remoteAccessType="StoresOnly">
        <annotatedServices>
            <clear />
            <annotatedServiceRecord serviceRef="1__Citrix_Store">
                <metadata>
                    <plugins>
                        <clear />
                    </plugins>
                    <trustSettings>
                        <clear />
                    </trustSettings>
                    <properties>
                        <clear />
                        <property name="TokenPersistence" value="false" />
                    </properties>
                </metadata>
            </annotatedServiceRecord>
        </annotatedServices>
        <metadata>
            <plugins>
                <clear />
            </plugins>
            <trustSettings>
                <clear />
            </trustSettings>
            <properties>
            </properties>
        </metadata>
    </account>