Configuring Two-Factor Client Certificate Authentication
You can configure a client certificate to authenticate users first and then require users to log on with a secondary authentication type, such as LDAP or RADIUS. In this scenario, the client certificate authenticates users first. Then, a logon page appears where they can enter their user name and password. When the Secure Sockets Layer (SSL) handshake is complete, the logon sequence can take one of the following two paths:
- Neither the user name nor the group is extracted from the certificate. The logon page appears to the user with a prompt to enter valid logon credentials. Citrix Gateway authenticates the user credentials as in the case of normal password authentication.
- The user name and group name are extracted from the client certificate. If only the user name is extracted, a logon page appears to the user in which the logon name is present and the user cannot modify the name. Only the password field is blank.
Group information that Citrix Gateway extracts during the second round of authentication is appended to the group information, if any, that Citrix Gateway extracted from the certificate.