Tutorial: Configuring User Certificate 2-factor Authentication on NetScaler

4 Jun

This tutorial is about configuring 2-factor authentication on your NetScaler based on user certificates.

First, a little about the certificate. You need a user certificate signed by a Root CA or Signing CA that is trusted by your NetScaler. If you use an internal CA (which is probably the case for user certs), import the Root CA cert and the Signing CA cert in the SSL section of your NetScaler.

Second, you need to enroll your users with a user certificate whose CN (Common Name) matches the account name the user will use to log in. In my case I ran into a configuration error where my account is ‘mark’ but my certificate got enrolled with CN ‘Mark Brilman’. This will not work.


Now the configuration part. First navigate to the authentication section of your NetScaler Gateway. In that section you will find CERT. Click it and select the Servers tab (which is a strange name, because it has nothing to do with a server). Click Add to configure your certificate profile. You need to enable two-factor and enter Subject:CN in the User Name Field, so that the user name is taken from the CN of the certificate subject.


After configuring the profile, configure the policy, whose expression is just ns_true.


The last part is configuring the NetScaler Gateway vServer. First configure the Certificates tab. Add the Root certificate by selecting the arrow next to Add and choose to add it as CA. Next, open the SSL Parameters section.


Enable client authentication and make sure the cert is mandatory.


The last step is to make sure your certificate policy has a higher priority than your LDAP authentication policies (on NetScaler a lower priority number is evaluated first).
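The same configuration from the NetScaler CLI, as an added example that is not part of the original post. The certkey, action, policy and vServer names (RootCA-cert, SigningCA-cert, cert_act, cert_pol, ldap_pol, gw_vs) and the certificate file names are assumptions; replace them with your own.

```nscli
# Added example (not from the original post): CLI equivalent of the GUI steps above.
# All object names and file paths below are assumptions.

# 0. Import the Root CA and Signing CA certificates (the "SSL section" step).
#    The files are assumed to already be uploaded to /nsconfig/ssl/.
add ssl certKey RootCA-cert -cert rootca.cer
add ssl certKey SigningCA-cert -cert signingca.cer
link ssl certKey SigningCA-cert RootCA-cert

# 1. Certificate profile ("Servers" tab): two-factor on, user name taken from the subject CN.
add authentication certAction cert_act -twoFactor ON -userNameField "Subject:CN"

# 2. Policy that always applies the profile (rule ns_true).
add authentication certPolicy cert_pol ns_true cert_act

# 3. Bind the CA to the Gateway vServer as a CA certificate (Certificates tab, "add as CA").
bind ssl vserver gw_vs -certkeyName RootCA-cert -CA

# 4. SSL parameters: client authentication on, certificate mandatory.
set ssl vserver gw_vs -clientAuth ENABLED -clientCert Mandatory

# 5. Bind the cert policy ahead of LDAP: the lower priority number is evaluated first.
bind vpn vserver gw_vs -policy cert_pol -priority 90
bind vpn vserver gw_vs -policy ldap_pol -priority 100   # existing LDAP policy, assumed name

# Check: the cert policy must appear before the LDAP policy, and client auth must show
# ENABLED/Mandatory, otherwise users without a certificate are not rejected at the TLS layer.
show vpn vserver gw_vs
show ssl vserver gw_vs

save ns config
```

If the certificate policy lands behind the LDAP policy in the `show vpn vserver` output, the user name field is not pre-filled from the certificate and the second factor does not behave as described below.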


If you now log in to your NetScaler website you will get a certificate popup (your first factor). Users without a certificate will get a “page cannot be displayed” error.


After the cert authentication you will notice the username is already filled in and greyed out. It cannot be changed, and you need that user’s password.


Nice huh!


  • Kari Ruissalo says:

    Thanks for the article. I did this with latest versions of both NetScaler (11.63.34) and StoreFront (3.5). The NetScaler bit seems to be working perfectly but I fail to succeed in the SSO to StoreFront. I have tried using the sAMAccountName (changing the CN to match the sAMAccountName), UPN, etc… with no success.

    Any tips on getting around the issue?

