I think any consultant at some time encountered the scenario of username / password authentication being the only authentication on the Citrix Gateway setup of Citrix CEM / XenMobile.
Afterwards advising the customer to use Certificate Based Authentication (CBA) and then also the sad news okay we need to reenroll all your devices for this to work.
But…. What if I told you there is a middle way for those customers that cannot afford a reenrollment of all their devices and enable the dual-factor situation after enrollment. (little bit of a side note that Citrix Support kind of / sort of well doesn’t support this regarding expected behavior etc. etc.)
You can easily build your test setup for this and stage everything until you will have the correct flow and actions to enable it.
Basic setup working with Citrix Gateway integration and username / password for authentication
Test devices enrolled and fully working
Microsoft ADCS server with web-enrollment installed and configured for certificate requests handling
Note: Tiered setup will not work for issuing certificates so a dedicated root or subordinate will be needed with the ADCS Web Enrollment installed on it
Note: Only v2 templates are visible in ADCS Web Enrollment so do not upgrade the template and keep the default Certification Authority / Certificate recipient see the following articles for reference:
Version 3 (CNG) templates won’t appear in certificate web enrollment – Windows Server | Microsoft Docs
Windows Server 2012: Certificate Template Versions and Options – TechNet Articles – United States (English) – TechNet Wiki (microsoft.com)
Note: Validate a working web enrollment request before going any further
Note: And I cannot stress this enough make sure you have a valid working CRL/OCSP as HTTP URL location in ADCS CDP/AIA
Citrix CEM / XenMobile configured with a PKI Entity and used as a Credential Provider see the following configuration articles for reference:
Client certificate or certificate plus domain authentication (citrix.com)
Certificate Based Authentication : Troubleshooting Tips (citrix.com)
Note: Test delivery of a certificate by using an credential policy to your test devices and validate that the certificate is installed correctly
After a valid working test policy you can enable the Deliver user certificate for authentication at the Citrix Gateway integration part:
Now certificates for Citrix Gateway authentication will be generated and delivered after a period of time. You can speed this up a bit by forcing a deploy of the basic delivery group but normally you would need to wait for everyone to get a certificate. Schedule in some time with the customer for this. The delivery can be validated at the device under certificates, there it should give you a NetScaler Gateway Credentials entry:
So at this point Citrix CEM / XenMobile is ready and we need to configure Citrix Gateway. This step will need to be in conjunction with the Citrix Gateway change in Citrix CEM / XenMobile with the following:
Root/Intermediate certificate(s) linked and configured at the VPN Virtual Server with CRL mandatory or OCSP mandatory
LDAP and Cert Policy enabled as cascading primary authentication
Client authentication enabled and Client certificate mandatory
Note: Make sure to attend your certificate policy for UPN or sAMAccountName
Note: The CRL or OCSP mandatory is important because in the way Secure Hub requests certificates and that the certificate itself isn’t revocation aware in Citrix CEM / XenMobile. This way it will trigger a new certificate request and not present the cached older certificate present in Citrix CEM / XenMobile
Note: This change will effectively break access to the Citrix Gateway if you don’t have a valid certificate, so there is also an option to set the client certificate as optional in the migration phase or just do the hard cutover
Now we will change the authentication part in Citrix CEM / XenMobile:
After this change devices will be able to use Certificate based authentication to the VPN virtual server and devices that won’t have the certificate will either be presented with a store error message that will be resolved by either closing the app and reopening or logging off and logging on again in the store.
Note: In some cases there might be devices which do need a reenrollment to work, no point in sugar coating it this is a big change which normally is done at the start of a Citrix CEM / XenMobile deployment
I would say try it out in your lab environment, have done this multiple times and works pretty flawless. This might in turn help you with your customers.
Hope it helps!