Update:
As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
https://www.microsoft.com/en-us/download/details.aspx?id=55849
During one of my current projects, I launched a PoC for two-factor authentication based on Microsoft Azure MFA. Azure Multi-Factor Authentication requires users to verify their sign-ins using a mobile app, a phone call, or a text message. You can use it with Azure AD or with the local AD.
Note that all information here reflects the status as of March 2019; because this is a cloud service, it can become outdated quickly.
Multi-Factor Authentication
The security of two-step verification lies in its layered approach. Requiring multiple authentication factors poses a major challenge for attackers: even if an attacker learns the user’s password, it is useless unless he or she also controls the additional authentication method. Two-step verification works by requesting at least two of the following:
- Something you know (usually a password)
- Something you have (a trusted device that cannot easily be duplicated, such as a phone)
- Something you are (biometrics)
Microsoft Azure MFA
There are three ways to use Microsoft Azure Multi-Factor Authentication:
Multi-factor authentication for Office 365 / Microsoft 365 Business
This version works exclusively with Office 365 applications and is managed through the Office 365 or Microsoft 365 Portal. Administrators can back up their Office 365 resources with two-step verification. This release is part of an Office 365 or Microsoft 365 Business subscription.
Multi-Factor Authentication for Azure AD administrators
Users assigned the Global Administrator role for an Azure AD tenant can enable two-step verification at no additional cost.
Azure Multi-Factor Authentication
Azure Multi-Factor Authentication is often referred to as the full version and offers the widest range of features of all MFA versions. Additional configuration options are available through the Azure Portal. It also provides advanced reporting capabilities and supports a variety of local and cloud applications. Azure Multi-Factor Authentication is a feature of Azure Active Directory Premium and can be deployed in the cloud or locally.
Microsoft Azure MFA Local or Cloud?
To determine the correct MFA version, you must first answer where the users of your organization who are to be secured with the additional authentication step are located:

| User location | Cloud / Local MFA |
|---|---|
| Azure Active Directory | Cloud |
| Azure AD & Local AD connected via AD FS | Cloud / Local |
| Azure AD & Local AD connected through Azure AD Connect (without password hash or passthrough authentication) | Cloud / Local |
| Azure AD & Local AD connected through Azure AD Connect (with password hash or passthrough authentication) | Cloud |
| Local Active Directory | Local |
Second, determine which features you need from the MFA deployment:

| Feature | Cloud / Local MFA |
|---|---|
| Notification in the mobile app as second factor | Cloud / Local |
| Verification code in the mobile app as second factor | Cloud / Local |
| Phone call as second factor | Cloud / Local |
| One-way SMS as second factor | Cloud / Local |
| Hardware token as second factor | Cloud (public preview) / Local |
| App passwords for Office 365 clients that do not support MFA | Cloud |
| Administrative control over authentication methods | Cloud / Local |
| PIN mode | Local |
| Fraud alert | Cloud / Local |
| MFA reports | Cloud / Local |
| One-time bypass | Local |
| Custom greetings for phone calls | Cloud / Local |
| Custom caller ID for phone calls | Cloud / Local |
| Trusted IP addresses | Cloud / Local |
| Remember MFA for trusted devices | Cloud |
| Conditional access | Cloud / Local |
| Cache | Local |
Sequence of a Microsoft Azure MFA Authentication
- The user opens the Unified Gateway page via its URL (e.g., https://citrix.deyda.net) and enters his credentials (username and password)
- The Citrix ADC forwards the credentials to the local MFA server (RADIUS Request)
- The MFA server passes the credentials to the Active Directory domain controller (AD proxy)
- After successful verification, a confirmation is sent back to the MFA server
- The MFA server requests the second factor from the cloud via the multi-factor authentication service (Azure MFA Service)
- A push notification with the preferred method (MFA app, call or SMS) is sent to the mobile phone
- The user confirms the second factor on the mobile device
- The Azure MFA Service hands the acknowledgment of the second factor to the local MFA server
- The local MFA server passes the acknowledgment to the Citrix ADC (RADIUS Response)
- The user is authenticated and gets access to the resources
Set up MFA server as a second factor
In this guide, I assume two-factor authentication at the Unified Gateway. Citrix ADC (formerly NetScaler) version 12 uses the local MFA server for this purpose.
Requirements
I assume the following things and do not go into detail about them:
- Citrix ADC with successful base configuration
- Internal and external DNS entries for Unified Gateway vServer (e.g., citrix.deyda.net)
- Certificates for the DNS entry
- Configured Unified Gateway vServer
- Existing Azure subscription with base configuration
- Enabled Azure Active Directory Premium License
- Firewall rule allowing outbound HTTPS (port 443) to phonefactor.com
- Installed Authenticator App on Test User Mobile Phone
Azure Portal
First, we sign in to the Azure Portal (https://portal.azure.com) to download the required installers for the MFA server and generate the activation credentials.
- In the Azure Portal navigation panel, click Azure Active Directory > MFA > Server Settings
- Under MFA Server download, click Download to get the MFA installer
- Under step 2, click Generate to obtain the activation credentials required later
- Open Notepad and temporarily save the e-mail address and the password there
MFA-Server
Now, switch to the internal server that will later serve as the MFA server to install and configure the required programs.
- To do this, start the installer and simply click Next and Finish
The installer may also want to install several prerequisite programs (Microsoft Visual C++ 2017 Redistributable etc.).
- When prompted to install additional programs, confirm them
Once all required programs have been installed, we can activate the software using the credentials previously noted from the Azure Portal.
- Start the Multi-Factor Authentication Server software
- Copy the e-mail address and password from Notepad and click Activate
- In the following window, enter a name under New group and confirm with OK
- In the main window, click Tools > Authentication Configuration Wizard
- Under Select Applications, select RADIUS
- In the RADIUS Authentication window, configure the following:
  - RADIUS client IP (enter the NSIP of the Citrix ADC)
  - Shared secret (enter your own code and note it, e.g. 19122011)
  - Confirm shared secret (enter the code again)
  - Authentication port(s) (1645, 1812)
- Under RADIUS Target, select Windows domain and confirm the remaining windows with Next and Finish
Now you see the configuration under the menu item RADIUS Authentication
- In RADIUS Authentication, click the previously created client and then Edit
- In the Edit RADIUS Client window, enter the following:
  - Application name (name for the client, e.g. NSIP)
  - Require Multi-Factor Authentication user match (select)
Now configure the connection to your Active Directory environment under Directory Integration.
- Click the menu item Directory Integration
- In the Settings tab, select Use specific LDAP configuration and Use attribute scope queries
- Click Edit to edit the LDAP configuration
- In the following window, Edit LDAP Configuration, enter the following:
  - Server (IP of the AD server)
  - Base DN (OU of your user accounts)
  - Bind type (both windows)
  - Bind username (FQDN of an administrative account)
  - Bind password (password of the administrative account)
- With the Test button you can check your configuration; then save it with OK
- Click the Synchronization tab
- To enable automatic synchronization of the users, select the option Enable synchronization with LDAP
Company Settings allows you to configure the global settings (e.g., type of MFA) for the users.
- Click on the menu item Company Settings
- In the General tab, under User Defaults, select the MFA type (Phone Call, SMS, Mobile App or OATH token) and the language
- Click on the tab User Resolution
- Select the Use LDAP unique identifier attribute for matching usernames option
Now you can check the interaction of the MFA server with the Active Directory environment and the user's end device. To do this, check the settings (mobile phone number) via the menu item Users and activate the mobile app for the individual users.
In this context, it is important not to enable the MFA for the sync user (e.g. manuel@deyda.local).
- Click the Users tab
- If no users are visible, click Import from LDAP
- Select the user and click Edit
- Enable the user via the Enabled checkbox
- Configuration for Phone Call or SMS:
  - Country code (the country code, e.g. +49)
  - Phone (your phone number)
  - Phone call or Text message (select)
- Configuration for using the mobile app:
  - Mobile app (select)
  - Click the Mobile App Devices tab to register the app
  - Generate Activation Code generates a code for the Authenticator app
Configuration and activation on the test user's mobile device.
- Open the Authenticator app on your device
- Click on the + symbol to add another account
- Select Business or School Account in the Accounts window
- In the following menu item, Scan QR code, click Or enter code manually
- In the Add Account window, enter the activation data from the MFA server
Now you can do a test login with the Authenticator app.
- In the menu item Users, select your test user and click Test
- In the following window, enter the password of the test user and click Test
- Now confirm the prompt on the test user's phone with Approve
- The MFA server software will then show a Successful message
Citrix ADC
Now the Citrix ADC can be set up for multi-factor authentication. To do this, a RADIUS server is created and bound to the existing Unified Gateway vServer.
- In the Citrix ADC navigation panel, click System > Authentication > RADIUS
- Click the Servers tab and create a new authentication server via Add:
  - Name (e.g. radius_mfa_server)
  - IP Address (IP of the MFA server)
  - Port (1812)
  - Secret Key (shared secret from the MFA server, e.g. 191211)
  - Confirm Secret Key (shared secret)
- Click Test Connection to check the entered data and the connection to the MFA server
- Click More to configure the further options:
  - Time-out (set this to 120 seconds for phone calls or SMS)
  - Password Encoding (pap)
  - Accounting (OFF)
  - Authentication Server Retry (3)
  - Authentication (select)
- Save the configuration with Create
- Click the Policy tab and click Add to create a new RADIUS policy:
  - Name (e.g. radius_mfa_pol)
  - Server (the previously created RADIUS server, e.g. radius_mfa_server)
  - Expression (ns_true)
- Click Create to save the configuration
- Now select the previously configured Unified Gateway vServer
- Under Basic Authentication, click the + symbol
- Under Choose Type, configure the following:
  - Choose Policy (RADIUS)
  - Choose Type (Primary)
- Confirm the entry with Continue
- In the following window, under Select Policy, select the previously created RADIUS policy (radius_mfa_pol)
- Confirm the entry with Bind
After saving the change, you can log in to the gateway; after entering the credentials, you receive a prompt on the mobile device (mobile app, call or SMS).
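The RADIUS leg of the authentication sequence described earlier (the request from the Citrix ADC to the MFA server and the response back) is what the settings Port (1812), Password Encoding (pap) and Secret Key above configure. The following added example is my own code, not from the original post, Microsoft or Citrix; it builds both sides of that exchange per RFC 2865: the ADC-side Access-Request with a PAP-encoded User-Password, a stand-in MFA server that recovers the password, checks it against a constructed directory and second-factor result and signs its reply, and the ADC-side check of the Response Authenticator. User names, passwords, the directory and the secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def pap_crypt(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block);
    # the Request Authenticator seeds the first block. One routine serves both directions.
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out.rstrip(b"\x00") if decrypt else out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # type, length, value

def build_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    # Citrix ADC side: a fresh random Request Authenticator for every request.
    auth = os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, pap_crypt(password.encode(), secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def mfa_server_answer(request: bytes, secret: bytes, directory: dict) -> bytes:
    # Stand-in for the MFA server: recover the PAP password, check it against the constructed
    # directory and second-factor outcome, then sign: MD5(Code+ID+Length+ReqAuth+Attrs+Secret).
    ident, req_auth, pos, user, pwd = request[1], request[4:20], 20, None, None
    while pos < len(request):
        kind, length = request[pos], request[pos + 1]
        if kind == USER_NAME:
            user = request[pos + 2:pos + length].decode()
        elif kind == USER_PASSWORD:
            pwd = pap_crypt(request[pos + 2:pos + length], secret, req_auth, decrypt=True)
        pos += length
    entry = directory.get(user)
    ok = entry is not None and entry["password"] == pwd and entry["second_factor_approved"]
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    # Citrix ADC side: accept a reply only if it is bound to this request and signed with the secret.
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(resp_auth, expected)
```

The User-Password is hidden only by an MD5 keystream derived from the shared secret, and the reply is authenticated only by that same secret, which is why the secret should be long and random and why the ADC must verify the Response Authenticator rather than trust any reply carrying the right identifier.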