Duo for NetScaler - FAQ

Last Updated: October 17th, 2024

Duo integrates with your on-premises NetScaler (formerly Citrix Gateway) to add two-factor authentication to any NetScaler Gateway login. Some Duo solutions for NetScaler offer inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.

Do any of Duo's configurations for NetScaler support the Duo Universal Prompt?

Yes. Both Duo for NetScaler Web - OAuth and Duo Single Sign-On for NetScaler provide Universal Prompt support.

RADIUS configurations for NetScaler that feature the traditional Duo Prompt with radius_server_iframe will reach end of support on December 31, 2024. Customers must migrate NetScaler deployments to Duo via OAuth or Duo Single Sign-On, or to a RADIUS configuration that does not use the iframe (such as Duo RADIUS Challenge Text Prompt for NetScaler nFactor or RADIUS with Automatic Push) before December 31, 2024 for continued support.

Learn more about options for out-of-scope applications in the Universal Prompt update guide, and review the Duo End of Sale, Last Date of Support, and End of Life Policy.

When does support for Duo NetScaler RADIUS iframe configurations end?

Extended support for traditional Duo prompt delivery via RADIUS iframe for NetScaler ends December 31, 2024. A separate end-of-life date for the traditional Duo prompt and iframe will be announced in the future with 90 days of notice.

Instructions for new deployments of Duo RADIUS iframe for NetScaler were removed on September 30, 2024. Please deploy a Duo Universal Prompt solution if your NetScaler device supports it, or deploy RADIUS challenge if not.

Customers who created NetScaler RADIUS iframe applications before September 30, 2024 who need to refer to the original instructions may contact Duo Support for assistance.

What are the NetScaler product requirements for Duo Universal Prompt via OAuth?

Use of Duo as an OIDC/OAuth provider for NetScaler requires the following:

  • NetScaler Advanced or Premium licensing. Duo as an OIDC/OAuth provider for NetScaler requires creation of an OAuth server action and a login schema on the authentication virtual server. These features rely on Advanced/Premium licensing.
  • NetScaler firmware 14.1-29.63 or newer.
    • This is the first NetScaler release fully compatible with Duo's OAuth endpoints.

Why might I receive the error "Unable to connect to Authorization server. Please contact your administrator." when authenticating to Duo with OAuth?

The NetScaler failed to validate the authorization code against your Duo deployment's token endpoint. Verify the following:

  • Ensure the NetScaler network interface(s) have outbound connectivity to Duo's cloud service via HTTPS/443 and can resolve your Duo API hostname via DNS lookup.

  • Ensure your NetScaler device's time is correct. We recommend using NTP to update your device's time and keep it current.

  • Ensure that PKCE is disabled on the OAuth action. You can check this in the NetScaler CLI with this command (substituting the actual name of your OAuth action for duo_oauth_server if you called it something different):

    show authentication OAuthAction duo_oauth_server

    If you need to disable PKCE after creating the Duo OAuth action, use this command (again replacing duo_oauth_server with your OAuth action's actual name if different):

    set authentication OAuthAction duo_oauth_server -PKCE disabled -tokenEndpointAuthMethod client_secret_jwt
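The connectivity, DNS and clock items in this list can be checked by script from a host on the same network path as the NetScaler. The following Python script is an added example, not Duo's or NetScaler's own tooling; the API hostname placeholder and the 60-second skew tolerance are assumptions, and the PKCE setting still has to be confirmed on the NetScaler CLI with the show command above.

```python
import email.utils
import http.client
import socket
import ssl
import sys
import time

def parse_http_date(value):
    """Epoch seconds from an RFC 7231 Date header, e.g. 'Thu, 17 Oct 2024 12:00:00 GMT'."""
    return email.utils.parsedate_to_datetime(value).timestamp()

def clock_skew_seconds(date_header, local_now):
    """Local clock minus server clock; positive means the local clock runs ahead."""
    return local_now - parse_http_date(date_header)

def resolve_api_host(hostname):
    """Addresses the Duo API hostname resolves to; an empty list means the DNS lookup failed."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def fetch_date_header(hostname, timeout=5.0):
    """HEAD / over TLS on 443; returns the Date header (any status code is fine) or None if unreachable."""
    conn = http.client.HTTPSConnection(hostname, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Date")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def diagnose(addresses, date_header, local_now, max_skew=60):
    """Map raw check results to the FAQ's causes; an empty list means every check passed.
    max_skew is an assumed tolerance for this example, not a Duo-published limit."""
    findings = []
    if not addresses:
        findings.append("dns: API hostname does not resolve")
    if date_header is None:
        findings.append("network: no HTTPS/443 connection to Duo's cloud service")
    elif abs(clock_skew_seconds(date_header, local_now)) > max_skew:
        findings.append("time: clock skew exceeds %ds; sync the appliance with NTP" % max_skew)
    return findings

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "api-XXXXXXXX.duosecurity.com"  # placeholder hostname
    addrs = resolve_api_host(host)
    print("\n".join(diagnose(addrs, fetch_date_header(host) if addrs else None, time.time()) or ["all checks passed"]))
```

Run it from the NetScaler's own subnet (or through the same egress path) so that firewall and DNS results match what the appliance sees.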

Why do I see the error "api-xxxxxxxx.duosecurity.com refused to connect" when trying to log into a NetScaler configured with Duo's RADIUS iframe integration after a firmware update to 14.1-29.63 or newer?

Reminder: Support for Duo's traditional prompt and prompt delivery via RADIUS iframe ends December 31, 2024.

NetScaler release 14.1-29.63 introduced additional security protections that prevent iframes from loading on the NetScaler sign-in page.

To restore Duo authentication to your NetScaler device, perform one of the following:

  • Option 1 (RECOMMENDED): Migrate to a different Duo configuration that does not use iframes.

  • Option 2: Update existing NetScaler configuration to restore the Duo RADIUS iframe prompt.

    If you are not ready to make any integration changes, or your current license doesn't support the migration options, follow the below steps to restore iframe functionality:

    1. Connect to the NetScaler command-line interface (CLI) as an administrator.

    2. Enter these commands:

       add rewrite action delete_cors_header_1_act delete_http_header Cross-Origin-Opener-Policy
       add rewrite action delete_cors_header_2_act delete_http_header Cross-Origin-Embedder-Policy
       add rewrite action delete_cors_header_3_act delete_http_header Cross-Origin-Resource-Policy
       add rewrite policy delete_cors_header_1_pol true delete_cors_header_1_act
       add rewrite policy delete_cors_header_2_pol true delete_cors_header_2_act
       add rewrite policy delete_cors_header_3_pol true delete_cors_header_3_act

    3. Bind the policies to the authentication virtual server (vserver). Replace <authentication-vs-name> with the name of the existing virtual server where you use Duo RADIUS authentication:

       bind authentication vserver <authentication-vs-name> -policy delete_cors_header_1_pol -priority 1 -gotoPriorityExpression NEXT -type RESPONSE
       bind authentication vserver <authentication-vs-name> -policy delete_cors_header_2_pol -priority 2 -gotoPriorityExpression NEXT -type RESPONSE
       bind authentication vserver <authentication-vs-name> -policy delete_cors_header_3_pol -priority 3 -gotoPriorityExpression NEXT -type RESPONSE

      If your device does not accept the bind authentication vserver CORS commands, you can try editing the file /etc/httpd.conf or /nsconfig/httpd.conf (whichever is present on your device) to comment out the following lines as shown:

      #Header set Cross-Origin-Opener-Policy "same-origin" //Allows embedding of cross-origin resources without credentials or cookies.
      #Header set Cross-Origin-Embedder-Policy "credentialless" //Isolates the document from interactions with documents from other origins.
      #Header set Cross-Origin-Resource-Policy "same-site" //Restricts resource sharing to the same site.

    4. Reboot your NetScaler appliance for changes to take effect.

    If you have multiple NetScalers, you may need to repeat these steps on multiple appliances.

    Please see the Duo article "Why do I see the error "api-xxxxxxxx.duosecurity.com refused to connect" when trying to log into a NetScaler configured with Duo's RADIUS iframe integration after a firmware update to 14.1-29.63 or newer?" for additional information.
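To confirm whether the three isolation headers are present before the change and gone after it, the following Python script is an added example (not Duo or NetScaler code): it inspects a sign-in page's response headers, or an httpd.conf excerpt, for the Cross-Origin-* headers named above. The sample response is constructed, and the /vpn/index.html URL path is an assumption.

```python
import http.client
import re
import ssl
import sys

# The three headers release 14.1-29.63 sets and the FAQ's rewrite policies (or httpd.conf edit) remove.
ISOLATION_HEADERS = ("Cross-Origin-Opener-Policy",
                     "Cross-Origin-Embedder-Policy",
                     "Cross-Origin-Resource-Policy")

# Constructed sample of a sign-in page response before the fix (not captured from a real device).
SAMPLE_BEFORE = ("HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html\r\n"
                 "Cross-Origin-Opener-Policy: same-origin\r\n"
                 "Cross-Origin-Embedder-Policy: credentialless\r\n"
                 "Cross-Origin-Resource-Policy: same-site\r\n")

def parse_raw_headers(raw):
    """Header block of an HTTP response (status line first) -> dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def blocking_headers(headers):
    """(name, value) pairs of the isolation headers present; an empty list means the iframe can load."""
    return [(h, headers[h.lower()]) for h in ISOLATION_HEADERS if h.lower() in headers]

def active_header_directives(httpd_conf):
    """Cross-Origin-* headers still set by uncommented 'Header set' lines in an httpd.conf excerpt."""
    return re.findall(r"^\s*Header\s+set\s+(Cross-Origin-[A-Za-z-]+)", httpd_conf, re.MULTILINE)

def fetch_login_headers(host, path="/vpn/index.html", timeout=5.0):
    """Live GET of the sign-in page over TLS; the path is an assumption, adjust it for custom themes."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", path)
        return {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()

if __name__ == "__main__":
    # With a hostname argument the live page is checked; without one the constructed sample is used.
    hdrs = fetch_login_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_raw_headers(SAMPLE_BEFORE)
    for name, value in blocking_headers(hdrs) or [("none", "no Cross-Origin-* isolation headers found")]:
        print("%s: %s" % (name, value))
```

Because the rewrite policies use the expression true, they strip these headers from every response on that authentication vserver, not just the Duo iframe page, so treat Option 2 as a stopgap until the migration in Option 1 is done.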

What is the difference between NetScaler Gateway and Citrix Gateway?

NetScaler Gateway and Citrix Gateway are essentially the same product. Citrix renamed NetScaler Access Gateway to Citrix Gateway in version 12.1. The product was renamed back to NetScaler in 2023. Firmware versions may reflect either branding depending on the release date.

Citrix Access Gateway is a distinct product from NetScaler Gateway and Citrix Gateway. Citrix Access Gateway is an end-of-life product, superseded by NetScaler.

Is Citrix ADC supported?

Citrix Application Delivery Controller or ADC (also known as NetScaler ADC) has a similar login page to NetScaler Gateway. Although we expressly test with NetScaler Gateway, the same instructions should work for Citrix ADC. Be aware of licensing differences between NetScaler Gateway and Citrix ADC for nFactor. As of Citrix Gateway release 13.0-67.x, the "Standard" license also includes nFactor for Gateway/VPN, while Citrix ADC requires an "Advanced" or "Premium" license to use nFactor.

Is the RFWebUI theme supported?

Duo Authentication Proxy version 3.1.0 added support for showing the Duo browser prompt in the NetScaler RFWebUI theme in two configurations: when using advanced authentication policies and nFactor, and when using a basic RADIUS policy where the Duo proxy performs both primary and secondary authentication (or secondary authentication only, with rewrite rules to hide the second password field). You must specify this theme in your authproxy.cfg file's [radius_server_iframe] section using the syntax type=citrix_netscaler_rfwebui.

Note that Citrix retired all themes other than RFWebUI in a v13 release.

Is nFactor supported?

Yes. Duo support for nFactor authentication is available starting with Duo Authentication Proxy v3.1.0 and later, when used with Gateway builds 12.1-51.16 or later.

As of Citrix Gateway release 13.0-67.x, the "Standard" license also includes nFactor for Gateway/VPN. Citrix ADC requires an "Advanced" or "Premium" license to use nFactor. Learn more about nFactor licensing in the Citrix documentation and follow the Duo nFactor instructions.

Gateway appliances with standard licensing may need to enable the "Show unlicensed features" option under System → Licenses to expose the Advanced Authentication Policy items in the configuration menu.

Why am I receiving a blank authentication page with Internet Explorer 11?

A change to IE 11 resulted in incompatibility with some versions of NetScaler. The issue is addressed by NetScaler Gateway versions 9.3.66.x and 10.1.123.x and later. For additional information about the incompatibility, or to see the workaround for NetScaler Gateway versions that do not include the fix, please read "IE11 Compatibility got you down?" at the Citrix site.

If your NetScaler version is 10.1.123.x or later and IE 11 is displaying a blank authentication page, you may need to force the browser out of "quirks" mode. To do this, add the following line to the beginning of the NetScaler's /netscaler/ns_gui/vpn/index.html file (it may be at /var/ns_gui_custom/ns_gui/vpn/index.html if you're using a custom theme), immediately under the <HEAD> tag.

<META http-equiv="X-UA-Compatible" content="IE=edge">

Finally, ensure that IE is not showing the site in Compatibility View.

Does Duo Security support Citrix Receiver or Workspace clients?

Yes, when the NetScaler Gateway is configured with RADIUS listeners for both Citrix Receiver or Workspace clients and Gateway browser access on different ports. This configuration is described in detail in the NetScaler Gateway primary and alternate instructions.

Why might mobile Receiver or Workspace clients have issues authenticating with Duo?

If you deploy Duo using our alternate configuration, iOS and Android Receiver or Workspace users may not authenticate successfully. Per Citrix, it is necessary to perform RADIUS authentication before LDAP in Receiver or Workspace mobile connections. You will need to configure the ordering of your authentication policies as follows:

Primary Authentication:

  1. Receiver/Workspace - RADIUS
  2. Browser - LDAP

Secondary Authentication:

  1. Receiver/Workspace - LDAP
  2. Browser - RADIUS

Please see the Citrix article for more information and configuration instructions.

Does Duo Security support Citrix Storefront?

Yes, when delivered via NetScaler Gateway or Citrix Gateway. You cannot add Duo RADIUS two-factor authentication directly to Storefront logins.

Why do I receive an HTTP Internal Server Error from the NetScaler if I take four minutes or longer to complete Duo authentication?

NetScaler and Citrix Gateway devices have a hard-coded timeout of about three minutes, which closes the login session when the timeout is reached. This timeout is not currently a configurable option, but that may change in a future NetScaler firmware release.

This is a separate setting from the configurable RADIUS timeout within a NetScaler Gateway device. This issue can happen during authentication or if a user is performing in-line self-enrollment and they exceed the timeout.

When this issue occurs, the following error may be displayed by the NetScaler Gateway:

HTTP/1.1 Internal Server Error 43549

Refer to "Radius Challenge Response Timeout Between NetScaler Gateway and Radius Server" for more information.

Can you use password concatenation to log on to Storefront via NetScaler using Receiver or Workspace clients?

Password concatenation is when you append a comma followed by a Duo passcode or the name of a Duo factor to the end of your Active Directory password, like "mypass123,123456". If you have configured your Gateway to pass primary authentication on to Storefront, and then enter a concatenated password and passcode in Receiver or Workspace, the login fails. This is because the Gateway is passing the entire password + passcode string to Storefront as your AD password.

If you need to support logins to Storefront from Receiver or Workspace using a passcode we recommend you deploy our alternate NetScaler Gateway configuration. This will add an additional "Passcode" field to the Receiver or Workspace login prompt, where you can enter a passcode or the name of a Duo factor. See our guide for Receiver for more.

Does Duo work with Citrix Web Interface or Citrix Access Gateway?

You may be able to add Duo authentication with our generic RADIUS application and Duo Authentication Proxy. While Duo fully supports the Duo Authentication Proxy, Web Interface and CAG themselves are EOL Citrix products.

Additional Troubleshooting

Need more help? Try searching our Citrix Knowledge Base articles or Community discussions. For further assistance, contact Support.