Citrix Risk-Based Authentication Deployment Guide

Step-by-step RBA deployment for NetScaler, StoreFront and RSA Adaptive Authentication Connector.

Contents

1 Introduction
2 Software used
3 Environment
4 StoreFront (DFA Server)
  4.1 Installation
    4.1.1 Installation recommendations
    4.1.2 StoreFront Cluster Installation Considerations
  4.2 Uninstallation
5 RSA Authentication Bridge Installation and Configuration
  5.1 Installation
    5.1.1 Installation considerations
    5.1.2 Installing RSA Authentication Bridge
  5.2 Uninstalling RSA Authentication Bridge
  5.3 Configure RSA Authentication Bridge via the StoreFront Admin Console
    5.3.1 Configure RSA Adaptive Authentication Connector URL
    5.3.2 Allow Users to Change Their Password
    5.3.3 Configure Trusted Domains
6 RSA Adaptive Authentication Connector
  6.1 Customizing Disclaimer Text for Worx Home
7 NetScaler Upgrade/Configuration
  7.1 Load Balancing StoreFront (DFA server)
    7.1.1 Create Servers
    7.1.2 Create Custom DFA Monitor
    7.1.3 Create Services
    7.1.4 Create LB VServer
8 Citrix Pre-Shared Key Configuration
  8.1 Configuration Checklist
  8.2 NetScaler
    8.2.1 Create Delegated Form Authentication Action
    8.2.2 Create Delegated Form Authentication (DFA) Policy
    8.2.3 Bind With a VPN Vserver
  8.3 StoreFront
9 Troubleshooting and FAQ
  9.1 Worx Home
  9.2 StoreFront and RSA Adaptive Bridge
  9.3 NetScaler
  9.4 RSA Adaptive Authentication Connector
  9.5 Miscellaneous
10 Appendix
  10.1 Appendix A: Netscaler and StoreFront Delegated Form Authentication KeyExchange Workflow

1 Introduction

Risk-based authentication (RBA) provides a means of determining the information required from a user and their endpoint device depending upon the security posture or “fingerprint” of the device. When the device contacts the authentication service, information about the device’s characteristics, and perhaps its location, is passed to the service along with the user credentials. The service then uses this information to decide whether the user is authenticated or whether additional information is needed from the user to confirm their identity.

Third-party vendors such as RSA can integrate their Adaptive Authentication solution (referred to as RBA in Citrix’s context) with Citrix products using the StoreFront Authentication SDK. This allows an RSA-customized authentication flow to be executed via the StoreFront Authentication Service.

In order for NetScaler to deliver RSA’s customized authentication flow, a new protocol named Delegated Form Authentication (DFA) was created. Its purpose is to allow the generation and processing of authentication forms, including credential validation, to be delegated to another component. In this example, NetScaler delegates authentication to StoreFront via DFA.

The diagram below shows how DFA fits into the RBA context:

This document is intended as a simple guide that explains how to configure NetScaler and StoreFront to perform the DFA protocol. While it is not a complete guide, it contains all the information necessary to set up a working DFA connection.

We assume that readers of this document have the following knowledge:

• NetScaler configuration, especially load balancing and session policies
• StoreFront installation and configuration
• RSA Adaptive Authentication workflow
• XenMobile configuration

2 Software used

The following table displays the software used in this guide:

Server | Type | Version | Extension
Ns1.citrix.lab | NetScaler | NS10.5 Build 54.9008.e.nc only | Tar-gzip
Sfdfa.citrix.lab | StoreFront | 2.6 or above | Exe
Sfdfa.citrix.lab (RSA Authentication Bridge)* | RSA Authentication Bridge | 1.0.0.31944 | Msi
iOS Worx Home | iOS Worx Home | 10.0.0.59 or above | ipa
RSA Adaptive Authentication Connector | RSA Adaptive Authentication Connector | 1.0.0.119 | Exe

* The RSA Authentication Bridge has to be installed with StoreFront.

[Figure (referenced in the Introduction): DFA in the RBA context. Components shown: iOS WorxHome, NSG, StoreFront (SF Auth Service, Auth SDK, RSA Authentication Bridge), RSA Adaptive Authentication Connector, RSA Adaptive Authentication Server. Labelled links: DFA Protocol between NSG and StoreFront; RSA Proprietary between the RSA Authentication Bridge, the Connector and the Server.]

3 Environment

This guide is created to deploy the environment shown below:

[Figure: target environment. New RBA deployment: Worx Home IOS, Ns1.citrix.lab, StoreFront DFA Services (DFA SF cluster, each node with the RSA Auth Bridge), RSA Adaptive Authentication Connector and RSA Adaptive Authentication Server, separated by firewalls. Existing deployment: XenMobile, StoreFront Services, Citrix XenDesktop and XenApp Services.]

The following components need to be set up prior to configuring the DFA protocol:

• StoreFront: existing StoreFront to enumerate all the apps and desktops
• XenMobile: existing XenMobile to deliver mobile apps
• XenApp/XenDesktop
• RSA Adaptive Authentication Server
• NetScaler: configured with appropriate authentication and session policies to accommodate XenApp/XenDesktop/XenMobile access

4 StoreFront (DFA Server)

4.1 Installation

Please refer to the Citrix product documentation site for information on how to install and configure StoreFront.

4.1.1 Installation recommendations

To protect the communication between NetScaler and StoreFront, it is recommended to use HTTPS rather than HTTP. For a cluster deployment, ensure that all nodes have the same server certificate installed and configured in the IIS HTTPS binding before starting the configuration steps.

When HTTPS is configured in StoreFront, ensure that the issuer of the StoreFront server certificate is configured as a trusted certificate authority on NetScaler.

4.1.2 StoreFront Cluster Installation Considerations

For a StoreFront cluster installation, install the third-party RSA Authentication Bridge authentication plug-in on all the nodes before joining them together.

Configure all the DFA-related settings (see the PowerShell commands in the Citrix Pre-Shared Key Configuration section) on one node and propagate the changes to the others.

4.2 Uninstallation

Before you uninstall StoreFront, first uninstall the RSA Authentication Bridge, because it will otherwise impact the functionality of StoreFront (see Uninstalling RSA Authentication Bridge for more details).

5 RSA Authentication Bridge Installation and Configuration

5.1 Installation

5.1.1 Installation considerations

Install StoreFront prior to installing the RSA Authentication Bridge. This feature pack only supports StoreFront 2.6 or later.

5.1.2 Installing RSA Authentication Bridge

Install the RSA Authentication Bridge by clicking RSA-StoreFront-Bridge-x64-1.0.0.15164.msi. Because it is a simple plug-in installation, you should not be prompted to configure anything.

5.2 Uninstalling RSA Authentication Bridge

To uninstall the bridge, first clear the RSA Authentication Bridge check box under the Authentication tab in the StoreFront admin console. If you do not, the bridge will not uninstall.

5.3 Configure RSA Authentication Bridge via the StoreFront Admin Console

You must install the RSA Authentication Bridge before configuring it (see section 5.1.2 before starting). Once the RSA Authentication Bridge is installed properly, you can enable it via the StoreFront admin console as shown in the screenshot below:

5.3.1 Configure RSA Adaptive Authentication Connector URL

You must configure the RSA Adaptive Authentication Connector URL in the StoreFront DFA server; this is an essential step. You can configure it by selecting Manage RSA Authentication Bridge.

You can test the RSA Connector URL in a browser. You should see the following:

This shows that StoreFront is able to communicate with the RSA Adaptive Authentication Connector server.

5.3.2 Allow Users to Change Their Password

You can allow users to change expired passwords via Worx Home by selecting Manage Password Options and then selecting either “When expired” or “At any time.” Note that this Worx Home iOS version does not support changing passwords at any time.

In this example, we set it to “At any time” to accommodate Receiver for Web, which supports it. However, this Worx Home iOS version will behave as if “When expired” is selected.

5.3.3 Configure Trusted Domains

You can restrict which domains users can log on to by selecting Configure Trusted Domains.

6 RSA Adaptive Authentication Connector

This section assumes that you have a working Tomcat server deployed as per RSA’s installation requirements. The StoreFront DFA server relies on the correct configuration of the RSA Adaptive Authentication Connector to work properly. We will cover the basic installation and configuration of the RSA Adaptive Authentication Connector, with which the StoreFront DFA server will be integrated.

In the RSA installation wizard, fill in the necessary information in accordance with your RSA Adaptive Authentication Server. Configure only the authentication methods that your RSA Adaptive Authentication Server supports; for example, do not add SMS out-of-band authentication if that method is not configured on the RSA Adaptive Authentication Server. Mismatched configurations on the connector and the RSA Adaptive Authentication Server will break the Worx Home authentication flow.

After successful configuration, copy the WAR file generated by the installer to your Tomcat webapps folder. It should take Tomcat a few minutes to deploy it (provided that Tomcat is configured to auto-deploy WAR files).

For more information about how to manually deploy the WAR file, see http://tomcat.apache.org/tomcat-7.0-doc/deployer-howto.html.

Check the deployment via Tomcat’s app manager (http://localhost:8080/manager), and you will see something like this:

6.1 Customizing Disclaimer Text for Worx Home

The RSA Adaptive Authentication Connector allows administrators to customize the disclaimer text shown in Worx Home. Modify the message properties file in the RSA Adaptive Authentication Connector webapp’s location:

C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\adapters-sf-aaconnector-webapp\WEB-INF\i18n\messages.properties

Change the value as shown in the screenshot below:

7 NetScaler Upgrade/Configuration

Before configuring the NetScaler appliance for this deployment, install the appropriate software version for DFA support. For this guide, we used the following installation bundle:

build_tagma_54_9008_e_nc.tgz

Upgrade via secure shell:

1. Copy the installation bundle to the directory /var/nsinstall using a secure copy client such as SCP.
2. After the file is copied, launch a secure shell client and log on to the NetScaler appliance at the NetScaler IP address.
3. Enter shell at the prompt.
4. Change to the directory where you copied the installation bundle with cd /var/nsinstall.
5. Extract the installation file by entering tar -zxvf build_tagma_54_9008_e_nc.tgz.
6. Enter ./installns to begin the installation.
7. Follow the prompts, and allow the NetScaler appliance to reboot when prompted.

Note: This guide assumes you have a preconfigured NetScaler appliance; therefore, basic configuration information is not provided.

7.1 Load Balancing StoreFront (DFA server)

This section is applicable only to deployments that have two or more DFA servers installed. NetScaler can load-balance these servers by having a load balancer virtual server (lb vserver) configured.

The following sub-sections explain how to create the following in NetScaler:

• Servers
  o This is the representation of the actual server in NetScaler. We will be inserting the IP address of the StoreFront DFA cluster node.
• Custom DFA Monitor
  o Mechanism to check whether a particular server (in this case, a StoreFront DFA cluster node) is online.
• Services
  o The role of the server. This is the instance to which the monitor and server are linked.
• LB Vserver
  o Representation of the load-balancer server with the services.

7.1.1 Create Servers

add server [server name] [server fqdn or ip address]

Example:

> add server sfdfa1 sfdfa1.citrix.lab
Done
> add server sfdfa2 sfdfa2.citrix.lab
Done

7.1.2 Create Custom DFA Monitor

This is a simple monitor that expects the DFA server to return a 400 Bad Request when the monitor sends a GET request without the proper HTTP headers.

add lb monitor DFA HTTP -respCode 400 -httpRequest "GET /Citrix/Authentication/DFAServer/Start" -secure YES

Be sure to set it to “Secure” if the backend is HTTPS.

7.1.3 Create Services

> add service <service name> <server> <type> <port>
> bind service <service name> -monitorName <monitor name>

Example:

> add service sfdfa1.citrix.lab sfdfa1 SSL 443
> bind service sfdfa1.citrix.lab -monitorName DFA
Done
> add service sfdfa2.citrix.lab sfdfa2 SSL 443
> bind service sfdfa2.citrix.lab -monitorName DFA
Done

7.1.4 Create LB VServer

add lb vserver sfdfa.citrix.lab SSL 172.30.200.123 443 -persistenceType SOURCEIP
bind lb vserver sfdfa.citrix.lab sfdfa1.citrix.lab -weight 1
bind lb vserver sfdfa.citrix.lab sfdfa2.citrix.lab -weight 1
# Server certificate
bind ssl vserver sfdfa.citrix.lab -priority 0 -certkeyName Citrix.lab_Wildcard
# Trusted Root Certificate
bind ssl vserver sfdfa.citrix.lab -priority 0 -certkeyName AD1_CA -CA

8 Citrix Pre-Shared Key Configuration

A Citrix pre-shared key is used to exchange a user’s credentials securely between NetScaler and StoreFront after a successful logon. The mechanism relies on an identical pre-shared key being configured on both NetScaler and StoreFront so that the content can be encrypted and decrypted accordingly.

Note: You only need to configure this if you have NetScaler in the deployment and intend to allow NetScaler to delegate its form authentication flow to StoreFront.

8.1 Configuration Checklist

This section explains how the key needs to be configured in NetScaler’s and StoreFront’s contexts. Before you configure them, take extreme care with the following parameters:

• Client ID
  o The ID can be the FQDN of the NSG server, such as netscaler.server.com.
  o It is vital that the client ID is lowercase and identical on both NetScaler and StoreFront.
• Key
  o Has to be identical on both NetScaler and StoreFront.
• Server URL
  o It is always in the format http(s)://[StoreFront fqdn]/Citrix/Authentication/DFAServer/Start/
  o It is not case-sensitive: /citrix/authentication/dfaserver/start will work, too.
  o If StoreFront is using HTTPS, make sure you have the issuer of StoreFront’s server certificates as a trusted Certificate Authority in NetScaler.

8.2 NetScaler

8.2.1 Create Delegated Form Authentication Action

You will need to configure a DFA action via SSH:

add dfaaction [dfa action name] -clientID [client id] -passPhrase [passphrase] -serverURL [URL to StoreFront DFA]

Example:

> add dfaaction sfdfa_rsa_sample_action -clientID netscaler.fqdn.com -passPhrase secret -serverURL http://sfdfa.citrix.lab/Citrix/Authentication/DFAServer/Start

If you created it successfully, you should see this:

> show dfaaction sfdfa_rsa_sample_action
1) Name: sfdfa_rsa_sample_action
   ClientID: netscaler.fqdn.com
   ServerURL: http://sfdfa.citrix.lab/Citrix/Authentication/DFAServer/Start
   Success: 0
   Failures: 0
Done

Notes:

• The client IDs and passphrases have to match the ones configured in StoreFront. They are case-sensitive.
• The server URL is always in the format http(s)://[your StoreFront fqdn]/Citrix/Authentication/DFAServer/Start
  o If the server URL is HTTPS, ensure you install the issuer of the StoreFront server certificates as a trusted root CA in NetScaler.
  o The recommended deployment is HTTPS. However, you can start with HTTP for initial testing.
  o Your server URL has to be reachable by NSG. The easiest way to test it is with cURL: curl <server url>, for example curl http://sfdfa.citrix.lab

8.2.2 Create Delegated Form Authentication (DFA) Policy

Create a DFA policy, and bind the action to it:

add dfaPolicy [dfa policy name] -rule [how the policy should be matched] -action [action to execute]

Example:

> add dfaPolicy sfdfa_rsa_sample_policy -rule ns_true -action sfdfa_rsa_sample_action

Once it is successfully created, you should be able to see this when typing the following command:

> show dfaPolicy sfdfa_rsa_sample_policy
1) Name: sfdfa_rsa_sample_policy Rule: ns_true
   Request action: dfa_rsa_sample_action
Done

iOS WorxHome and Receiver for Web DFA Policies

The above example only illustrates how a DFA policy can be applied. The following policy rules ensure that the DFA feature is applied only to the appropriate clients.

For iOS WorxHome, the policy is as follows:

add dfaPolicy dfa_ios_pol -rule "REQ.HTTP.HEADER User-Agent CONTAINS Worx%20Home && REQ.HTTP.HEADER User-Agent CONTAINS Darwin" -action dfa_action

For browsers, the policy is as follows:

add dfaPolicy dfa_browser_pol -rule "REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS AppleWebKit || REQ.HTTP.HEADER User-Agent CONTAINS Chrome || REQ.HTTP.HEADER User-Agent CONTAINS Safari" -action dfa_action
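The following is an added example, not part of the Citrix guide and not NetScaler code. It is a small Python model of the two classic policy rules above: it reproduces their boolean logic (CONTAINS modelled as a case-sensitive substring test, terms joined by && or ||) and runs it over constructed User-Agent strings, so you can see which clients each rule selects and that a single header value can satisfy both rules at once. It assumes that %20 in Worx%20Home stands for a space in the header value; the sample User-Agent strings are constructed, not captured from real devices. NetScaler itself evaluates the real rules; the point the model makes is that the User-Agent header is chosen by the client, so these rules only decide which authentication flow is presented and are not themselves an access control.

```python
"""Model of the two classic DFA policy rules from this section.

Added example, not Citrix or NetScaler code: it reproduces the boolean logic
of the rules (CONTAINS as a case-sensitive substring test, joined by && or ||)
so you can see which sample clients each rule selects. Assumption: %20 in
"Worx%20Home" stands for a space in the header value. The sample User-Agent
strings are constructed, not captured from real devices.
"""
from urllib.parse import unquote

# Rule strings exactly as given in the guide's add dfaPolicy commands.
DFA_POLICIES = {
    "dfa_ios_pol": ("REQ.HTTP.HEADER User-Agent CONTAINS Worx%20Home "
                    "&& REQ.HTTP.HEADER User-Agent CONTAINS Darwin"),
    "dfa_browser_pol": ("REQ.HTTP.HEADER User-Agent CONTAINS Mozilla "
                        "|| REQ.HTTP.HEADER User-Agent CONTAINS AppleWebKit "
                        "|| REQ.HTTP.HEADER User-Agent CONTAINS Chrome "
                        "|| REQ.HTTP.HEADER User-Agent CONTAINS Safari"),
}

TERM_PREFIX = "REQ.HTTP.HEADER User-Agent CONTAINS "


def parse_rule(rule):
    """Split a rule into (operator, [substrings]); one operator kind per rule."""
    has_and, has_or = "&&" in rule, "||" in rule
    if has_and and has_or:
        raise ValueError("this model does not handle rules mixing && and ||")
    op = "&&" if has_and else "||"
    needles = []
    for term in rule.split(op):
        term = term.strip()
        if not term.startswith(TERM_PREFIX):
            raise ValueError(f"unsupported term: {term!r}")
        # Assumption: %20 encodes a space in the header value being matched.
        needles.append(unquote(term[len(TERM_PREFIX):]))
    return op, needles


def rule_matches(rule, user_agent):
    """True if the User-Agent satisfies the rule under the model above."""
    op, needles = parse_rule(rule)
    hits = [needle in user_agent for needle in needles]
    return all(hits) if op == "&&" else any(hits)


def matching_policies(user_agent, policies=DFA_POLICIES):
    """Names of every policy whose rule matches; more than one is possible."""
    return [name for name, rule in policies.items() if rule_matches(rule, user_agent)]


# Constructed User-Agent samples (not real device strings).
SAMPLE_USER_AGENTS = {
    "ios_worxhome": "Worx Home/10.0.0.59 CFNetwork Darwin/14.0.0",
    "desktop_browser": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/40.0 Safari/537.36",
    "script": "curl/7.38.0",
    "both": "Mozilla/5.0 Worx Home Darwin",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_USER_AGENTS.items():
        print(f"{label:15} -> {matching_policies(ua) or ['(no DFA policy)']}")
```

The "both" sample shows why the note in 8.2.3 about binding several DFA policies to one VServer matters: when a header satisfies more than one rule, the priorities of the bound policies, not the rule text, decide which one NetScaler applies.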

8.2.3 Bind DFA Policy to a VPN Vserver

Bind the policy to a vpn vserver:

bind vpn vserver [dfa vserver name] -policy [dfa policy]

Example:

> bind vpn vserver sfdfa_vserver -policy sfdfa_rsa_sample_policy

If it is successful, you should be able to see something like this:

> show vpn vserver sfdfa_vserver
dfa_vserver (10.x.x.x.x:443) - SSL Type: CONTENT
State: UP Nodegroup: ???
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Appflow logging: DISABLED
Authentication : ON
Device Certificate Check: OFF
Advanced EPA: OFF
CGInfra Homepage Redirect : ENABLED
Current AAA Users: 0
Icaonlylicense : OFF IcaProxySessionMigration : OFF
DoubleHop : DISABLED
Max Login Attempts: 0 Failed Login Timeout 0
IcmpResponse: PASSIVE
TD: 0
1) VPN Session Policy Name: AppController2-Policy Priority: 0
1) Primary DFA policy name: sfdfa_rsa_sample_policy Priority: 0

Note:

• The DFA policy has to be primary; you do not need a secondary authentication.
• You can apply multiple DFA policies to the same VServer; the iOS WorxHome and browser policies can be bound to the same VServer.

8.3 StoreFront

There is no GUI to set up Citrix pre-shared key settings in StoreFront. Everything has to be configured in the PowerShell console. Follow the steps below:

1) Install DFA Feature

The DFA feature is not installed by default. You need to install it in the PowerShell console.

PS C:\Users\administrator.PTD.000> cd 'C:\Program Files\Citrix\Receiver StoreFront\Scripts'
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> & .\ImportModules.ps1
Adding snapins
Importing modules
Loading 'C:\Program Files\Citrix\Receiver StoreFront\\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll'
Loading 'C:\Program Files\Citrix\Receiver StoreFront\\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll'
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Install-DSDFAServer
Id                             : bf694fbc-ae0a-4d56-8749-c945559e897a
ClassType                      : e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc
FrameworkController            : Citrix.DeliveryServices.Framework.FileBased.FrameworkController
ParentInstance                 : 8dd182c7-f970-466c-ad4c-27a5980f716c
RootInstance                   : 5d0cdc75-1dee-4df7-8069-7375d79634b3
TenantId                       : 860e9401-39c8-4f2c-928d-34251102b840
Data                           : {}
ReadOnlyData                   : {[Name, DelegatedFormsServer], [Cmdlet, Add-DSWebFeature], [Snapin, Citrix.DeliveryServices.Web.Commands], [Tenant, 860e9401-39c8-4f2c-928d-34251102b840]}
ParameterData                  : {[FeatureClassId, e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc], [ParentInstanceId, 8dd182c7-f970-466c-ad4c-27a5980f716c], [TenantId, 860e9401-39c8-4f2c-928d-34251102b840]}
AdditionalInstanceDependencies : {b1e48ef0-b9e5-4697-af9b-0910062aa2a3}
IsDeployed                     : True
FeatureClass                   : Citrix.DeliveryServices.Framework.Feature.FeatureClass

2) Add Citrix Trusted Client

In this step, we configure the shared secret key (passphrase) between StoreFront and NetScaler. The passphrase and client ID must be identical to what you configured in NetScaler (see the NetScaler configuration in section 8.2).

PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Add-DSCitrixPSKTrustedClient -clientId netscaler.fqdn.com -passphrase secret

3) Set DFA Conversation Factory

This step routes all the traffic to the custom form (the RSA Authentication Bridge). Currently, the only way to find the conversation factory is by checking the content of the web.config in C:\inetpub\wwwroot\Citrix\Authentication. Look for “ConversationFactory” and you should see something like this:

<RSABridge connectorURL="http://RSA.connector.url:8080/adapters-sf-aaconnector-webapp">
  <routeTable order="1000">
    <routes>
      <route name="StartRSABridgeAuthentication" url="RSA-Bridge-Forms/Start">
        <defaults>
          <add param="controller" value="ExplicitFormsAuthentication" />
          <add param="action" value="AuthenticateStart" />
          <add param="postbackAction" value="Authenticate" />
          <add param="cancelAction" value="CancelAuthenticate" />
          <add param="conversationFactory" value="RSABridgeAuthentication" />
          <add param="changePasswordAction" value="StartChangePassword" />
          <add param="changePasswordController" value="ChangePassword" />
          <add param="protocol" value="CustomForms" />
        </defaults>
      </route>

In the PowerShell console, set the DFA conversation factory to “RSABridgeAuthentication”:

PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Set-DSDFAProperty -ConversationFactory RSABridgeAuthentication

Note that PowerShell’s argument names are not case-sensitive; ConversationFactory is identical to conversationfactory.
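The following is an added example, not Citrix or RSA code, that ties together the checklist in section 8.1, the NetScaler action in section 8.2.1 and the StoreFront steps above. It is a Python script that parses the `show dfaaction` output layout shown in 8.2.1 and the conversationFactory route parameter from the web.config excerpt, then compares them with the values passed to Add-DSCitrixPSKTrustedClient and Set-DSDFAProperty. The `show dfaaction` text and the web.config excerpt embedded in the script are constructed samples in the guide's layout, and the checks it applies (lowercase, identical client ID; identical passphrase; the /Citrix/Authentication/DFAServer/Start URL form matched case-insensitively; HTTPS recommended) are the ones the guide states. Comparing the conversation factory value exactly is an assumption on the safe side; the guide only says the PowerShell parameter name is case-insensitive.

```python
"""Consistency check for the Citrix pre-shared key (DFA) settings on both sides.

Added example, not Citrix or RSA code. It parses the text printed by the
NetScaler `show dfaaction` command (layout as in the guide), reads the
conversationFactory route parameter from the StoreFront Authentication
web.config, and compares both with the values given to
Add-DSCitrixPSKTrustedClient / Set-DSDFAProperty.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of `show dfaaction` output (same layout as in the guide).
SHOW_DFAACTION = """\
1) Name: sfdfa_rsa_sample_action
   ClientID: netscaler.fqdn.com
   ServerURL: http://sfdfa.citrix.lab/Citrix/Authentication/DFAServer/Start
   Success: 0
   Failures: 0
Done
"""

# Constructed excerpt of C:\inetpub\wwwroot\Citrix\Authentication\web.config,
# trimmed to the route that carries the conversationFactory parameter.
WEB_CONFIG_EXCERPT = """\
<RSABridge connectorURL="http://RSA.connector.url:8080/adapters-sf-aaconnector-webapp">
  <routeTable order="1000">
    <routes>
      <route name="StartRSABridgeAuthentication" url="RSA-Bridge-Forms/Start">
        <defaults>
          <add param="controller" value="ExplicitFormsAuthentication" />
          <add param="conversationFactory" value="RSABridgeAuthentication" />
          <add param="protocol" value="CustomForms" />
        </defaults>
      </route>
    </routes>
  </routeTable>
</RSABridge>
"""

# The server URL path the guide requires; compared case-insensitively.
DFA_PATH = "/citrix/authentication/dfaserver/start"


def parse_show_dfaaction(text):
    """Return {'name', 'clientid', 'serverurl'} parsed from `show dfaaction` output."""
    fields = {}
    for key in ("Name", "ClientID", "ServerURL"):
        m = re.search(rf"^\s*(?:\d+\)\s*)?{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            fields[key.lower()] = m.group(1)
    return fields


def conversation_factory_from_web_config(xml_text):
    """Return the conversationFactory value of the RSA bridge route, or None."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("param") == "conversationFactory":
            return add.get("value")
    return None


def check_psk_config(ns_action, ns_passphrase, sf_client_id, sf_passphrase,
                     sf_conversation_factory, web_config_xml):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    client_id = ns_action.get("clientid", "")
    if client_id != client_id.lower():
        findings.append("client ID on NetScaler is not lowercase")
    if client_id != sf_client_id:  # case-sensitive, as the guide states
        findings.append("client ID differs between NetScaler and StoreFront")
    if ns_passphrase != sf_passphrase:
        findings.append("passphrase differs between NetScaler and StoreFront")
    url = urlparse(ns_action.get("serverurl", ""))
    if url.scheme not in ("http", "https") or url.path.rstrip("/").lower() != DFA_PATH:
        findings.append("server URL is not http(s)://<fqdn>/Citrix/Authentication/DFAServer/Start")
    elif url.scheme == "http":
        findings.append("server URL uses HTTP; HTTPS is the recommended deployment")
    expected = conversation_factory_from_web_config(web_config_xml)
    if expected is None or sf_conversation_factory != expected:
        findings.append(f"DFA conversation factory {sf_conversation_factory!r} "
                        f"does not match the web.config route ({expected!r})")
    return findings


if __name__ == "__main__":
    action = parse_show_dfaaction(SHOW_DFAACTION)
    for finding in check_psk_config(action, "secret", "netscaler.fqdn.com", "secret",
                                    "RSABridgeAuthentication", WEB_CONFIG_EXCERPT):
        print("FINDING:", finding)
```

Run against the guide's own sample values it reports a single finding, the HTTP server URL, which matches the note in 8.2.1 that HTTP is acceptable for initial testing only. Paste the real `show dfaaction` output in place of SHOW_DFAACTION and the real values from your StoreFront PowerShell session to check a live deployment; the passphrase never needs to leave the box, since both values are compared locally.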

9 Troubleshooting and FAQ

9.1 Worx Home

Q1 Authentication error when I launch Worx Home

It may be because of the following:

• Delegated Form Authentication between NetScaler and StoreFront is misconfigured.
  o Make sure the client ID and passphrase are identical.
  o If the client ID and passphrase are not identical, you can view the Event Viewer log to see the error.
• StoreFront servers are offline.
• The RSA Authentication Bridge is not installed and configured on StoreFront.

Q2 After logging on with my user name and password successfully, Worx Home does not authenticate.

If you can log on with your user credentials, the communication between NetScaler and StoreFront is working. Here is a list of possible checks you can do:

• Misconfigured RSA Adaptive Authentication Connector URL in StoreFront.
  o Check that the RSA Adaptive Authentication Connector URL is correct in StoreFront. You can view the Event Viewer log to see if there is any error reported about the RSA Adaptive Authentication Connector server.
• Communication issue between the RSA Adaptive Authentication Connector and the RSA Adaptive Authentication Server.
  o Check the log under ${user.home} of the user who runs Tomcat.

Q3 I don’t see any RSA-related extended authentication challenges after I log on with my user name and password.

It may be because of the following:

• The RSA Adaptive Authentication Connector’s policy is set to “Allow” when the RSA Adaptive Authentication Server is unreachable.
• The “Remember Device” option was set during enrolment or logon.

Q4 Does iOS Worx Home support user enrollment? Yes.

9.2 StoreFront and RSA Adaptive Bridge

Q1 How do I check if Delegated Form Authentication (DFA) protocol communication with NetScaler is having an issue?

DFA generates three event log entries for Task Category 1100 in the Event Viewer:

• Event ID 2: Failed to create the transport cipher object, which generally means the key exchange failed. There will probably be an exception stack trace.
• Event ID 3: This is a developer error and should not occur.
• Event ID 4: Failed to decrypt a message; again, there will be a stack trace.

Q2 How do I check if there are communication issues between the RSA Authentication Bridge and the RSA Adaptive Authentication Connector?

The RSA Authentication Bridge will generate one event log entry for Task Category 30000 in Event Viewer:

• Event ID 1: Error calling RSA Adaptive Authentication Connector: Unable to connect to the remote server. There will be an exception stack trace.
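The following is an added example, not Citrix or RSA code: a Python triage helper that reads event records exported as tab-separated lines and maps the (Task Category, Event ID) pairs listed in Q1 and Q2 above to the diagnosis the guide gives for each, so that a pile of exported events can be reduced to which hop (NetScaler to StoreFront, or bridge to connector) needs attention. The export line layout and the event source names are constructed assumptions; the category and ID values and the diagnoses come from this section.

```python
"""Triage of the DFA and RSA Authentication Bridge events listed in 9.2.

Added example, not Citrix or RSA code. Input is a constructed export of
Windows event records, one per line: source, task category, event ID and
message, separated by tabs (the layout and the source names are assumptions;
the category/ID pairs and diagnoses are the ones this section documents).
"""
from collections import Counter

# Constructed sample export (category/ID pairs from the guide, text illustrative).
SAMPLE_EXPORT = """\
Citrix Delegated Forms Server\t1100\t2\tFailed to create the transport cipher object
Citrix Delegated Forms Server\t1100\t4\tFailed to decrypt message
RSA Authentication Bridge\t30000\t1\tError calling RSA Adaptive Authentication Connector: Unable to connect to the remote server
Citrix Delegated Forms Server\t1100\t2\tFailed to create the transport cipher object
Application Hang\t100\t1002\tUnrelated event that the triage must ignore
"""

# (TaskCategory, EventID) -> (hop it concerns, diagnosis from section 9.2)
KNOWN_EVENTS = {
    (1100, 2): ("NetScaler <-> StoreFront (DFA)",
                "failed to create transport cipher object: key exchange failed; "
                "check that client ID and passphrase match on both sides"),
    (1100, 3): ("NetScaler <-> StoreFront (DFA)",
                "developer error; should not occur"),
    (1100, 4): ("NetScaler <-> StoreFront (DFA)",
                "failed to decrypt a message; check the pre-shared key"),
    (30000, 1): ("RSA Authentication Bridge <-> RSA Adaptive Authentication Connector",
                 "unable to connect to the remote server; check the connector URL "
                 "configured in StoreFront and that Tomcat has deployed the connector"),
}


def parse_export(text):
    """Return a list of (source, category, event_id, message); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue
        source, category, event_id, message = parts
        try:
            records.append((source, int(category), int(event_id), message))
        except ValueError:
            continue
    return records


def triage(text):
    """Count the DFA/bridge events in the export and attach the guide's diagnosis.

    Returns {(category, event_id): {"count", "hop", "diagnosis"}} for the
    events this section documents; anything else in the export is ignored.
    """
    counts = Counter((cat, eid) for _, cat, eid, _ in parse_export(text))
    result = {}
    for key, n in counts.items():
        if key in KNOWN_EVENTS:
            hop, diagnosis = KNOWN_EVENTS[key]
            result[key] = {"count": n, "hop": hop, "diagnosis": diagnosis}
    return result


def suspected_hops(text):
    """Return the set of hops that the logged events implicate."""
    return {entry["hop"] for entry in triage(text).values()}


if __name__ == "__main__":
    for (cat, eid), entry in sorted(triage(SAMPLE_EXPORT).items()):
        print(f"Task Category {cat} / Event ID {eid} x{entry['count']}: {entry['diagnosis']}")
```

Because Event IDs 2 and 4 in Task Category 1100 both point at the pre-shared key, a burst of them right after a configuration change is the quickest confirmation that the client ID or passphrase differ between NetScaler and StoreFront (section 8.1); a Task Category 30000 Event ID 1 instead means the StoreFront side accepted the logon and the problem sits between the bridge and the connector.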

9.3 NetScaler

Q1 How do I debug the Delegated Form Authentication protocol communication between NetScaler and StoreFront?

Please do the following:

1. Log on to NetScaler via SSH.
2. Go to shell mode by typing “shell” at the prompt.
3. Type the following: nsapimgr -ys call=enable_dfa_debug
4. Monitor the debug trace by typing: nsconmsg
5. Use iOS Worx Home to test it end to end.

Note: You will be able to see user credentials in plain-text format in the trace. It is recommended only when necessary; for example, in a development environment to troubleshoot DFA communication issues.

You can disable it by typing the following: nsapimgr -ys call=disable_dfa_debug

9.4 RSA Adaptive Authentication Connector

Q1 How do I debug communication between the RSA Adaptive Authentication Connector and the RSA Adaptive Authentication Server?

1. Go to the Tomcat webapp folder for the RSA StoreFront Adapter: C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\adapters-sf-aaconnector-webapp\WEB-INF\classes\log4j.properties
2. Change the value of log4j.logger.com.rsa.adapters.soap=INFO to log4j.logger.com.rsa.adapters.soap=DEBUG
3. Reload the adapters-sf-aaconnector-webapp application.
4. The log file should be under ${user.home} of the user who runs Tomcat.

Note: By changing the value to “debug,” the credentials of the caller are exposed in the log.

9.5 Miscellaneous

Q1 Does it support non-English authentication challenges?

The authentication challenge text is sent by a third party, in this case RSA. Please refer to the third party’s documentation for non-English language support.

Q2 Will other receivers work with risk-based authentication? No. iOS Worx Home is the only fully supported receiver.

10 Appendix

10.1 Appendix A: Netscaler and StoreFront Delegated Form Authentication KeyExchange Workflow

About Citrix

Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.

Copyright © 2015 Citrix Systems, Inc. All rights reserved. The following are trademarks of Citrix, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries: Citrix®, Citrix Access Gateway™, Citrix NetScaler™, Citrix NetScaler Gateway™, Citrix Provisioning Services™, Citrix Receiver™, Citrix XenApp™, NetScaler®, XenApp™, XenDesktop™, XenMobile™, XenServer™