Using Azure MFA as Citrix ADC – NetScaler RADIUS using the new NPS Extension

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Share on RedditEmail this to someone
Share Button

Last week, Alex Simons (Director of PM) from the Microsoft Identity Division team did a great Azure Active Directory – MFA feature announcement on Twitter.

The big news that came out was that Azure MFA won’t require a fully on-premises MFA server installation anymore, what is great news! Microsoft says that this new feature was one of the top requests that they received from many customers, what improves that Microsoft definitely listens to their customers these days! Read the official Microsoft announcement here

The new feature will give us more flexibility, and makes it easier to perform MFA implementations at the customer site with a minimum of impact on resources! The feature is also included in the MFA user license, so when you already have this AD Premium, MFA single or EMS license activated on your tenant, then u can use this feature without making extra costs. 

For every lock, there is someone out there trying to pick it or break in.” – David Bernstein

Nowadays more and more companies are migration their services to Office365, and most of them already use Azure MFA for securing their SharePoint, Exchange Online or OneDrive services. What makes it for most users a bit more complicated and confusing, when users must use different, physical or software token methods to provide external access, for other services like Citrix remote access. This will now be over, after reading this article you will be able to configure an MFA RADIUS server for your NetScaler device, in just a few simple configuration steps! 

One authentication method to rule them all! Let’s integrate even more services into the Microsoft Azure Cloud!

How does it work?

As said, the on-premises MFA server was required. This dedicated MFA server can now be replaced by an NPS server (Network Policy Server Role), they must be installed on one of your on-premises servers. Microsoft provides an MFA – NPS Extension that automatically (pre-config) adds cloud-based MFA authentication support to your NPS – RADIUS clients – settings. With this extension, you can add phone call, SMS, or phone app verification to your existing authentication environment.

When a user initiates an authentication request, by entering his domain credentials on the NetScaler external logon page, the NetScaler server reacts and send the RADIUS authentication request to the NPS server. The NPS server then connects to your on-premises Active Directory server to check the primary authentication request, if successful, the request is going back to the NPS, and through the installed NPS extensions the MFA request will be sent to Azure cloud-based to perform the secondary authentication. Once it receives the response, and when the MFA succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim issued by Azure STS. Your Citrix desktops will be shown to you, and you are good to go!



Table of Contents

Click on the title to get forwarded in the article:


    • Azure Active Directory subscription
    • Azure AD Connect software (Active Directory must be in sync with AzureAD)
    • Azure AD Premium license – EMS+ or MFA single license
    • On-premises NPS server (at least Server 2008 R2 SP1 or higher)
    • On-premises Active Directory
    • Mobile phone
    • NetScaler 11.1 (can be older of course, I used 11.1 for this article)
      • NetScaler Platform, Standard, Enterprise or Platinum license
      • Pre-configured NetScaler Gateway setup

Activate Azure MFA in Azure

In case you haven’t got any Azure Active Directory, or Azure Active Directory sync connect (AADC) setup in your environment, please start doing this first. As said in the requirements section, this is a pre-requirement (check out this article, for setup doing this).

If you have setup these – Azure MFA is not activated out-of-the-box, so we first need to activate this feature in the Office365 license portal.

Note: To proceed this step, the AD Premium license or MFA lossless must be activated on your tenant/subscription. You can make use of the 30 day trial of AD Premium, for testing purposes.

Step 1: login to the Microsoft Azure portal – – and start the Azure Active Directory – Resource option

Step 2: Check if your Directory sync works properly to proceed to step 3, click on Azure AD Connect and check if the Sync status is on Enabled and the last sync is on less than 1 hour ago.

  Step 3: Afterwards we need to activate the actual license on the users, to do so, click on Users and groups – All Users and click on the Multi-Factor A.. button

Step 4: Select the user(s) that must be activated with Azure MFA and press on Enable

Confirm the activation by click on the – Enable multi-factor auth – button

MFA is successfully activated for that account(s)

Step 5When you now try to logon to Azure( /, with the MFA pre-activated account, you will be prompt to proceed how you want to authentication second (phone or App), click on the – Set it up now – button to proceed these steps

Note: Users must proceed these steps first before they can make use of Azure MFA for Citrix NetScaler

Step 6: I use the Mobile App method – select the Use verification code – and click on the – set up – button to proceed

Step 7: Download the Microsoft Authenticator App on your mobile device and setup your work account, these steps are straight forward. Afterwards the camera will be activated an asks for an QR code

Step 8: Scan the QR code that is being showed on your screen, when your account is added in the app, click on the Done button

The activation is being checked…

When all steps went ok, this confirmation text shows up

Step 9: Click on the contact me button to confirm the App authentication setup

Step 10: Open the Mobile App an click on verify.

Step 11: The setup of an alternative authentication method, in case you lose your phone, is asking for configure your phone number. Enter the number that you want to use

Click on Done

The account pre-setup is now all set, now proceed to the NPS configuration part

Setup the NPS server role

The new MFA authentication method will take place on the Network Policy Role feathure, so for this reason we need to activate one server in our site with this role. I will setup the NPS role on my Windows Server 2012 R2 – Active Directory Server. You can do this on your own separate server, this is not an requirement…

Step 9: Install the NPS Role on the server, by selecting the – Network Policy and Access Services – role, make sure the Network Policy Server role Service is selected and confirm the installation

Step 10:Before we start to NPS configuration, we need to Install the following 2 packages on the NPS server:

Microsoft Visual Studio 2013 C++ Redistributable (64 bits)

Microsoft Azure Active Directory Module for Windows PowerShell (AdministrationConfig-V1.1.166.0-GA.msi)

Install the NPS MFA Extension

Step 11: Now we need to download and install the NPS MFA Extension on the NPS server

Step 12: Accept the license terms and conditions and click on Install

The setup is now processing

Step 13: Click on the Close button if the Setup was successful

Step 14: Now we need to open an PowerShell prompt as administrator – change the default directory location to C:\Program Files\Microsoft\AzureMfa\Config and run the following script – AzureMfaNpsExtnConfigSetup.ps1

Step 15: The setup now asks for the tenant ID of your Azure Active Directory subscription.

This is not your tenant name, but the Directory ID that can be found in the Azure portal under the Properties of your Azure Active Directory Service, click on the copy button to set it under your clipboard

Step 16: Paste the Directory ID in the PowerShell prompt and click on Enter

Step 17: You now need to sign in with your Azure AD administrator (global administrator/co-administrator) credentials – click on Sign in when finished

Step 18: The script now starts running, when all the steps proceeded correctly, the screen must be like this – click on random key afterwards to close the PowerShell prompt

The script performs the following steps:

– Create a self-signed certificate.

– Associate the public key of the certificate to the service principal on Azure AD.

– Store the cert in the local machine cert store.

– Grant access to the certificate’s private key to Network User.

– Restart the NPS.


Step 19: Open the Network Policy Server Console and start adding the RADIUS client like picture below, the IP address must be the NSIP of your NetScaler device – enter a random Shared secret and save it for a few steps later, when we need to match these in de NetScaler RADIUS Policy

Note: Make sure that your NSIP network can interact with the NPS server!


Step 20: Add a – Remote Radius Server Group – with the RADIUS server address of your NPS server, you can choose your own name, click on Ok when finished

Step 21: Click on the Edit button – open tab Load Balancing –and take over the settings from the picture below;


Step 22: Now we need to add 2 Connection request policy’s, first add the – MFA Server No Forward – policy, unspecified source, with the NetScaler NSIP as client IPv4 condition and MS-CHAP v2 as authentication method.

Step 23: Now add the second request policy, name – MFA Server Request Forward –unspecified source, activate the NAS Identifier condition with – MFA – as value and again MS-CHAPv2 as authentication method

Step 24: Now we need to create an Network Policy, but we need to disable or delete the default policy’s first

Step 25: Create an new Network Policy, name it something like – NetScaler-MFA – source – unspecified activate the condition NAS identifier value – MFA – and again MS-CHAP v2 as authentication method. All the other settings are pre-defined and can be left default.

Place the newly created policy at level 1 in process order



Configure the NetScaler RADIUS Authentication Policy

Note: I first thought that I need to change my primary LDAP authentication policy from sAMAccountName to UserPrincipalName, as required in the official Microsoft note, so I tested both of them and I can confirm that both methods work great!

Step 26: Log on to your NetScaler device and go in the left menu to System -> Authentication -> RADIUS and click on Add

Step 27: Give in an name for the authentication policy, I uses – auth_radius_mfa – enter the – ns_true expression – select/add your Radius NPS server and press on the pencil icon to configure the RADIUS settings

Step 28: Enter your RADIUS (NPS) server IP, port 1812 (default) the secret key that we defined earlier in step 19 and change the Time-Out setting on 10 seconds – click on more

Note: We change the time-out to 10 seconds, because the Azure authenticator app must approve the request at that moment, the default 3 seconds are way to short. You can set this up higher if you want to create more time to approve the request in the Authenticator app

When you choose for Phone Call authentication – the time-out settings must be set to a minimum of 30 sec. this is required to setup the call

Step 29: Now we need to enter the NAS ID value – MFA – that we defined earlier and change the password encoding to – mschapv2 – click on Ok and create to save the settings and create the new RADIUS policy


Step 30: Now we need to attach the new policy to an existing VPN vServer configuration. I will be using my ICA Proxy vServer for that. Go in the NetScaler menu to NetScaler Gateway -> Virtual Servers, select your vServer and click on Edit

Step 31: Click on the + button next to – Basic Authentication

Step 32: Select RADIUS and Secondary as policy, click on Continue

  Step 33: Select the just created RADIUS policy – auth_radius_mfa – and click on Bind

Step 34: Click on the Done button at the end of the VPN vServer screen to confirm your RADIUS settings.


Remove second Password 2 text field

At this moment, the secondary authentication text field has no function anymore. To avoid confusions, we must remove the secondary (password 2) authentication field. You can do this by following steps.

Step 35: We first need to create a Rewrite Action, go in the menu to AppExpert -> Rewrite -> Action and click on Add

Step 36: Name the action with the same info like the picture below, click on Create afterwards


Header Name:       Set-Cookie

Expression:    (“pwcount=”+ 1”)


Step 37: Now we need to create the Rewrite policy, in the same menu we choose for Policies and then Add



Step 38: Name the policy and fill in the info like picture below, click on create to save


Action:          Select the rewrite action which you created 

Undefined Result Action:       -Global undefined result action

Expression:       HTTP.REQ.HEADER(“Cookie”).CONTAINS(“pwcount”).NOT


2017-02-16 22_49_27-Citrix NetScaler VPX - Configuration


Step 39: Now we need to attach the new Rewrite policy to the VPN vServer. Go again in the menu to NetScaler Gateway -> Virtual Servers, select your vServer and click on the Edit button

Step 40: Scroll down to Policies and press the + to attach


Step 41: Choose for Rewrite and Response, click continue 

Step 42Select the Rewrite policy and click on Bind – the policy will now be applied to your VPN vServer

Simon Gottschlag wrote an great article to remove the secondary password field for the new RfWebUI theme, find it over here.

Test the remote login request

Step 43: Open your NetScaler portal and enter your username and domain password – the password 2 field is gone! Click on Log On

Authentication is in progress…

Step 44: You now must receive an notification. Open the Azure Authentication app on your Mobile Phone to see if there is an notification message on the screen, and yes there is! Push on verify

Note: You have 10 seconds to verify the request – remember the RADIUS time-out settings? Now you know the reason…

If your phone is locked, the authentication app even send out an message to your lockscreen of your phone or Apple watch!

Step 45: And the RADIUS authentication did his work! We are now logged on to the StoreFront portal!


And even the desktop is launching properly!



  1. When the NPS Extension is installed, there will be added an AzureMfa entry in your eventlogs menu of your NPS server. All the NPS authentication request will be listed in authZOptCh.

 2. When an successful login takes place, the following information event must be logged:

If you have more questions, please feel free to leave an comment at the bottom of this article

Share Button
Christiaan Brinkhoff

Christiaan Brinkhoff

Christiaan Brinkhoff works as Cloud Architect and Technology Evangelist for FSLogix (now part of Microsoft), and owns his own consulting company. In addition to his work, he shares his passion for Cloud innovation by speaking at large international conferences, writing articles for vendors and external community programs, such as VDILIKEAPRO, WhatMatrix, as well as on his website. This community related work got him the privilege to achieve the following three - Microsoft Valuable Professional (MVP) for Microsoft Azure, Citrix Technology Professional (CTP), VMware vExpert - vendor awards.
Christiaan Brinkhoff
  • Martijn

    Thanks, I just wonder why you bind the LDAP policy AND the RADIUS policy.
    I have just installed this component on my infrastructure and have only bind the RADIUS policy as primary.
    This seems to work fine.

    I have also tried the sms method, this also seems to work fine. (you mention that only the app method is supported.)

  • Christiaan Brinkhoff

    Hi Martijn,

    Just because of a extra security layer – but as you say – you also can remove the ldap authentication and make the MFA primary or MFA primary and ldap second. Choose your own, that fits your personal/business (security) needs.

    I know that all the methods are supported – text is now removed (thought that i removed that earlier)

    Thanks for the notify!


  • jehawk2

    Thanks for the help here! I was able to get this working as you explain above. I then changed my NetScaler Gateway theme to use a template off of RfWebUI. When I use that format, I’m now seeing the 2nd password field again. I see the rewrite policy gets a hit, but it’s not applying and removing the 2nd password field. Should I modify the rewrite policy to accommodate the RfWebUI theme?

  • Christiaan Brinkhoff


    Great! I was able to get this working for the Builtin X1 theme, not tested the other themes. You mean that it is working for the RfwebUI, but not for a custom created version?


  • jehawk2

    It was working for the Default (black screen) theme but I couldn’t get it working for the RfwebUI theme. I found that I had to create a AAA vServer, bind Advanaced Auth Policies and tie in a Login Schema in order to get this setup with the newer theme. Good ol Carl has the scoop on this if you’d like me to send you the link, let me know.

  • Christiaan Brinkhoff

    Please share it over here, just to inform more people.

    Thanks for your input!


  • jehawk2
  • Doug

    I get a syntax error using (“pwcount=”+ 1”)

  • Christiaan Brinkhoff

    Hi Doug,

    Can you be more specific? I guess its a copy/paste problem…


  • Dennis Mohrmann

    great article! I try to use the rewrite policy you mentioned in your article but Netscaler 12 gives me an “Expression syntax error” with the expression (“pwcount=”+ 1”). Do you know what is the correct expression with Netscaler 12?

    kind regards

  • Christiaan Brinkhoff

    Hi Dennis,

    Don’t checked this setup on NetScaler v12 already, but assume it has to work.

    Problem still active or did you solved it?


  • Christiaan Brinkhoff

    Hi Dennis,

    Problem still exists?

  • Sajid Khan

    Can you please explain more rewrite policy and action needed here?

  • Christiaan Brinkhoff

    What would you like to know? Need to receive more information to give a clear answer…

  • Sajid Khan

    We managed to get this worked, Now we need that a certain user(eg.jsmith) to be challenged for MFA only when the request goes via NPS azure extension. If the user directly accesses any other application such as O365 applications, It should NOT be challenged for MFA. Any help is appreciated.

  • Jan-Paul Plaisier

    Some extra information that can be helpful:

    – take a look at, “Prepare for users that aren’t enrolled for MFA”

    – Also check if the AD user is allowed to dial in:

  • Christiaan Brinkhoff

    A bit late, but thanks for the extra input Jan-Paul!

  • Frank Frenks

    it looks great, thing is that the netscaler says there is no server listening on port 1812 when we follow this guide.
    Also in the part : xpression: (“pwcount=”+ 1”) we get an error that it is not supported.

  • Christiaan Brinkhoff

    Thanks for the update Frank!

  • Björn

    try (“pwcount=” + “1”)

  • Grant Dwyer

    This works fine for the web client, any suggestions how to get it to work with the Citrix Receiver app? The receiver app looks for the token field which you wouldn’t have until the username and password was validated.

  • Christiaan Brinkhoff

    Hi Grant,

    Please follow the procedure of Carl Stalhood and use the MFA Radius instead of the one mentioned in the article.

    Hope this helps.

  • Ryan Pool

    This isn’t working for us with MFA NPS ext on Server 2016, NetScaler (10.5) sends an AccessReject RADIUS request when RADIUS is secondary auth policy and LDAP first..

    I don’t understand the NPS No Forward and Forward Request policies as it caused it to fail for us, if we remove those 2 and use a single Windows Auth policy based on Domain users/ADGroup, and within NetScaler only assign the RADIUS policy as Primary Auth (no LDAP Auth policy bound to the virtual server), the MFA NPS extension/server does what it’s documented to do and performs both the LDAP Auth first, then the MFA Challenge, and everything works without the need for any rewrite policies or local LDAP policies (this in a LAB so far, it’s possible we’d need to reintroduce LDAP for AD Group Authorization but baby steps).

    Unfortunately, this isn’t what we want, sigh, as we’re transitioning from RSAID and want people to be able to enter either the RSA Token or MFA Authenticator Code in that 2nd password box… cascading authentication I think it’s called, if that even works in that situation, so that it’ll try the RSA RADIUS server first with the digits or the MFA NPS server if that fails.. but with AccessReject it seems like the RADIUS request is buggered off the mark.. presumably malformed because we entered something into that second password box (entering nothing in the 2nd password box triggers MFA and all works), do you know if this is a limitation of the NetScaler RADIUS implementation?

    Is it not possible to have a 2nd password box when using Azure MFA NPS (even if just for the Authenticator app code), like we do with RSAID today? If so perhaps a big-bang migration may be about the only way so we can go straight to the working solution of 1 RADIUS policy and let the MFA NPS Server handle the LDAP and MFA challenge. Interested in your thoughts, this is doing my head in.

  • Marcel

    Hey Christiaan,

    I try to get the configuration of MFA with NPS (according to your post and also James Kindon ( but do not get it working.

    On the NPS server I keep this error: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User with response state AccessReject, ignoring request”

    I have the RADIUS server load balanced (according to Carl Stalhood:
    On the NPS server I have the NetScaler SNIP as RADIUS client.

    I have already tested by adjusting the dial-in properties for the user account, etc. Everything without effect.

    Do you have any idea what goes wrong in my setup?

    Thank you in advance!

  • Christiaan Brinkhoff

    Hi Marcel,

    Did you disabled all the other default NPS policies (step 25)? Used the Azure AD Directory subscription during the PowerShell configuration part? Did you purchased and assigned the MFA license to the end-user in the Office365 portal?

    Hope this helps.


  • Marcel

    Hi Christiaan,

    I have done all the steps exactly as described. except the rewrite policy. I did not manage this. I still get the same error. How can I do the best, an fast, simple test from the netscaler to see if it works? When I test using NTRadPing from another server (without firewall rules to the NPS) I get a message that the NPS server does not give a response. So the problem will be somewhere in the NPS, i guess………

    Hopefully you still have ideas


  • Marcel

    Hi Christiaan,

    I’ve tried a few things, but do not get it working.
    I have put a simple basic RADIUS policy on the gateway vserver, but also then nothing happens.
    In aaad.debug I see the LDAP part OK, but for RADIUS it stays with the message “RADIUS auth: Making radius request for user ” and after a while followed by “retransmit radius packet”, “RADIUS auth: RADIUS server unresponsive, timed out:No valid RADIUS responses received” and finaly ”
    There is therefore no Acces-Request to the NPS server at all.Rejecting with error code 4003″

    What could be the cause of this?

    (My NetScaler is v12.0.57.19)

    I tried several things, like:

    – Enable NTLMv2 Compatabiliy key with value 1 on the NPS server (Without this key on the NPS server I get the error “Invalid credentials, error code 4001);

    – add radiusNode -radkey ;

    – Direct connection to the NPS server instead of via an LoadBalanced RADIUS server;
    – Diabled (one by one) the Connection Request Policies / Network policies on the NPS server.

    Everything without a positive result…..

    On the NPS server i still see the error:

    – “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User with response state AccessReject, ignoring request”

    – NPS Extension for Azure MFA: CID: c63a40f4-70fe-4227-b09e-ab838fbfcc10 :Exception in Authentication Ext for User :: ErrorCode:: AZURE_MFA_RESPONSE_ERROR Msg:: cid: c63a40f4-70fe-4227-b09e-ab838fbfcc10 Received the following response which could not be parsed successfully:: Enter ERROR_CODE @ detailed TroubleShooting steps.

    Hopefully you still have ideas.

    Best regards,


  • Marcel

    Hi Christiaan,
    I do’nt get it working 🙁
    Can you tell me what the Remote Radius Server group is doing?
    In the Connection Request policys it is indicated that the authentication provider is the local computer.

  • Marcel


    I have fixed it. The server is no longer going via a proxy. This has solved the problem.

    Thank you very much for your contribution! I appreciate that.

    Best regards,


  • Christiaan Brinkhoff

    Great to hear.



  • Kristof

    Hello Christiaan,

    Is there a specific reason on why you should implement RADIUS?

    On the Microsoft website ( ) both options are listed, but there is no specific reason mentioned on which authentication methos is the most secure/efficient.

    Thank you in advance for your reply!

    Best regards,


  • Omar Hempsall

    Hi Christiaan, great article!

    We’re also seeing the error that NPS will only perform Secondary Auth for Radius requests in AccessAccept state. – There’s not much troubleshooting information available. – This scenario has LDAP Primary and RSA + NPS in a cascade. – Have you seen NPS with Azure MFA extension working as a cascaded Radius, or could you offer any advice?



  • Mike O’Shaughnessy


    I am implementing Azure MFA with Netscaler and it works fine when logging in through the web & when the user is using the “Notify me through App security option. I am running into issues getting the other methods of authentication to work. Did you test any of the other methods such as phone call, SMS codes, or OATH codes from the mobile app?

    I also still have issues with Citrix Receiver even though I have followed Carl’s article (and will probably be posting there as well) & I can make it work if I enter my password in the third field for Passcode. Just wondering if you tested Citrix Receiver for this scenario?

    Last question, why do you do the different connection request policies for Forward and No Forward. It seems that the NetScaler hits the Forward policy with the NAS Identifier every time during my testing & I didn’t see an explanation as to why this was needed, so I was curious.



  • jean-marc Pigeon

    Dear Christiaan,
    First I would like to thank you for the post. it’s working like a charm for on my lab. I do have the multi factor authentication.

    My question is about, if I do not enable the muti factor for a user in azure, and i want to connect to my netscaler, is it possible ? or not ?
    How can I do to tell the netscaler not using Radius or bypass it for user who I do not want multi factor ?



  • Brian

    Hi Christiaan,

    Thanks for a great article. I am having problems finding the Microsoft Azure Active Directory Module for Windows PowerShell (AdministrationConfig-V1.1.166.0-GA.msi) and wonder if you could point me in the right direction please. I have tried Microsoft Collaborate as advised in the Microsoft article but can`t see it here.


  • Christiaan Brinkhoff

    To increase the security layer of your Remote VDI environment and allign with other Azure AD authentication services.

    Citrix ADC, or better say NetScaler only supports MFA by using the RADIUS server or NPS extension.


  • Christiaan Brinkhoff

    Thanks, Jean-Marc!

  • Henrik M. Christensen

    Christian, Do you have a design for a multi tenant Azure setup with NPS? As I see it, it is only possible to run the powershell script once for a single tenant? So for multi tenant, I will need a NPS server for each?

  • katja horan

    Hello Marcel, Christiaan,

    have the same problem as you.
    Have you found a solution by now?

  • Jonathan Vassmer

    check and make sure that AZURE Multi-Factor Auth Client and Azure Multi-Factor Connector are enabled in azure active directory -> enterprise apps. This got us.

  • Chad Myslinsky

    Christiaan, your article made building an NetScaler/Azure MFA POC a breeze. Thank you for creating it.

    I was wondering if you could share insights on what additional functionality the Connection Request Policies and Server Group provide for someone new to RADIUS and NPS.

  • James Ma

    Is this still true in going in 12/2018? I’ve seen that you can set this up using Azure cloud MFA and NetScaler with support for SAML, simply publish as an enterprise app… I’m not sure its an apples to apples implementation…

  • Mark Smits

    Amazing Article. I could never have got this working with out you.
    The only issue I had was it didn’t accept this expression:
    (“pwcount=”+ 1”)
    It had to be (“pwcount=” + “1”)
    Also on the next expression in the policy, what you have is correct, but copying and pasting didn’t work, i had to retype sections of it.