Font size: +
7 minutes reading time (1364 words)

OTPEdit a management tool for One Time Passwords

QRCode_3d

With Citrix an ADC (Netscaler) there is the possibility from version 12 on for a Native One-Time-Password (OTP) integration with an Authenticator App (Google, Microsoft etc.) for two-factor authentication. The authenticator delivers a number as a second factor. The respective device (mobile phone with app) must can be registered for a user beforehand. Information on the OTP is stored in the user account of the respective user. The management of users and equipment is not always easy. Actually, with a GUI this can only be Users themselves on the Citrix Gateway. Therefore we have developed a tool for a central Management.

In this blog you will find the description of the tool, the tool itself and more Backgrounds.

 

 

Why a second factor?

In environments that are accessed remotely, it has always made sense to Securing access by a second factor. The first factor is the password (knowledge) the second a device (possession). Nu with a combination of both should access to a protected corporate environment. Citrix has it as of version 12.1 of the Citrix Gateway enables instead of a hardware token a Mobile phone to generate the second factor (without an additional radius server) to use. The advantages are obvious:

  • saving of costs for hardware tokens
  • Quickly scalable - avoids loss of time
  • We as Citrix Solution Provider can offer Citrix Gateway / ADC accesses and more cost-efficiently monthly rent (also in a higher edition). That works too, if no Citrix Virtual Apps & desktops are used. So the current bottleneck can be bypassed.

What is an OTP in the gateway and how is it used?

The login page on the gateway appears after setting up Native OTP with an additional field for the passcode. Here you can for example FreeOTP https://apps.apple.com/de/app/freeotp-authenticator/id872559395 or the Use Google Authenticator to generate the second factor for a login. Note: Image recognition works much better with Google Authenticator. A user can register a device by going to the Gateway with /ManageOtp. Ideally, a set of rules prevents this from happening even from can happen to the HomeOffice. Without a special tool (our tool) it works so far not otherwise.

Setting up Native OTP on a Citrix ADC

there are enough instructions for this. Gladly we can also help you here :-) Apart from that here is the most important information about the setup:

  • Citrix Netscaler Advanced (aka Enterprise) with firmware 12.1 build 49 and newer offers "native OTP" function and the possibility to configure "nFactor".
  • Citrix Workspace App 1809 is required. Older receivers or older firmware versions (between 12.0 build 51.24 and 12.1 build 49)

Constraint: The Gateway in version 13.x also has the mentioned functions. However, the attributes are encrypted in ActiveDirectory. In principle we can implement something like this for the tool (maybe later). However it is it is possible to deactivate the encryption on Citrix Gateway 13.x.

OTP-Edit a management tool for OTP devices and users

For what has disturbed the OTP so far, we have now built a management tool. This tool offers the following usecases:

  • Report all users who have configured a device for OTP access
  • Finding users with an OTP
  • Delete Central from assigned OTP devices (mobile phones) in Active Directory
  • View and save the QR Codes for the Authenticator App
  • Sending e-mails with the QR Codes for the Authenticator App
  • New creation of QR codes with a randomly generated number and send them by E-mail. The user no longer needs to register himself at the gateway!

Instructions / Installation

The AD Powershell module must be installed. On a server can be done with the following command:

Add-WindowsFeature RSAT-AD-Tools -IncludeManagementTools

After the start a dialog with the standard settings from the local program directory in the file OTPEditConfig.xml. Here it is important, first of all, specify an LDAP server (the domain or domain controller).

If you use another LDAP attribute as "Userparameters", this is also configure. This makes sense, because in "Userparameters" also the remote desktop settings can be saved for a user account (if used)! For the tool to work properly, the field (UserProperties) empty or filled with one or more OTP device strings. Other Data lead to errors here.

Values like SMTP are, I think, self-explanatory and for the function at first not necessary.

After saving with "OK" a new configuration file is created under %appdata%\AndreasNick\OTPEdit is generated. So if something doesn't work, just... delete this file.

After loading and if everything is configured correctly, we see on the left Page Users who have an OTP device assigned to them. Via the tab "All Users all users in the domain are listed. With the search filter "Filter" you can selection can be restricted.

The "ExportCSV" function exports an overview of all users to whom devices are assigned. With the context menu (right mouse button) a new device can be be created.

"Add Device" shows a dialog in which the device name and the e-mail address to which the QR Code is to be sent. As e-mail address the AD attribute "Mail" is used. If this should not be set, the UserPrincipalName of the user account entered.

The device name must be unique and may not be retrieved for a user. With "Save" the QU code can be saved as PNG. "Send" on the other hand does several things. First, the device is entered in the Active Directory attribute. In this version, a dialog always appears with the PowerShell command which must be executed to change the attribute.

First after a successful entry in the AD object of the user the question after the e-mail has been sent.

The data from the configuration file is used for sending. If the GUI should freeze here or it takes a little longer, then the data is not correct. Please wait two minutes. After this time you will get an error message.

An e-mail looks like this:

Other functions like "Remove Device" and "View Device" behave similarly. In any case, the user is asked before an action is performed. With ViewDevice it is possible to a QR Code e-mail can be sent again.

e-mail dispatch

Even when sending e-mails and when formatting e-mails, it is not always possible everything must be taken into account. So I've written this part right into a little PowerSehll script outsourced. You can store this script in the program directory as you like. or use another method for sending the messages.

Function Send-QRCodeEMail 
{
  <#
      .SYNOPSIS
       A simple function to send notifications with a QRCode
  #>

  [CmdletBinding()]
  param
  (
    
    [Parameter(Mandatory=$true)] [String] $SMPTServer,
    [Parameter(Mandatory=$true)] [int] $SMTPPort,
    [bool] $SMTPUseSSL = $True,
    [String] $SMTPMailuser,
    [String] $SMTPMailPassword,
    [String] $From = "",
    [Parameter(Mandatory=$true)] [String] $To,
    [String] $Subject = "QRCode Mail",
    [String] $UserName = "Rudi",
    [Parameter(Mandatory=$true)] [Byte[]] $QRCode
    

  )
  $ImageBase64 = [Convert]::ToBase64String($QRCode)
  $secure_pwd = $SMTPMailPassword  | ConvertTo-SecureString -AsPlainText -Force
  $creds = New-Object System.Management.Automation.PSCredential -ArgumentList   $SMTPMailuser, $secure_pwd

  #
  # Als als html Mail
  #
  [String] $htmlDoc = $null
  #Bachground

  $htmlDoc += '<style>'
  $htmlDoc += 'body {background-color:#d2E0EF;}'
  $htmlDoc += 'h1   {color: blue;}'
  $htmlDoc += 'strong    {color:blue;}'
  $htmlDoc += '* {font-family: Consolas;}'
  $htmlDoc += '</style>'
  $htmlDoc += '</head>'
  $htmlDoc += '<body>'
  #Headline
  $htmlDoc += '<h1>OTP QR Code for: ' + $UserName + '</h1>'
  $htmlDoc += '<h2>Please scan the code with an Authenticator (Microsoft, Google etc.)</h2>'
  $htmlDoc += '<img src="/images/easyblog_articles/102/3b872e0cd0cb5d13d58aecd9984a326c.png" />'
  $htmlDoc += '</body>'

  Send-MailMessage -From $From  -To $To -Subject  $Subject -SmtpServer  $SMPTServer -Port  $SMTPPort -Credential $creds `
                   -Body $htmlDoc -UseSsl:$SMTPUseSSL  -Encoding UTF8 -BodyAsHtml -ErrorAction Stop

}

Download

The tool is completely programmed in PowerShell and is implemented using the ISE-Seroids (http://powertheshell.com) The application is digitally signed and integrated into an exe ...arms. Among other things, a new basis for Citrix and AD management tools has been created here.

Important: we/I do not assume any liability for damage caused by the use of the of the tool. In the current version every action is queried again, before it is executed. The same hint is given again before the Download!

Version 1.0

* Additional Informations and a Link in OTP mails
* Some smal Bugfixes

Download Link

Also directly runable as PowerShell. Here are the source codes on Github.

GitHub Source

 

 

 

App-V Link Cleanup Script
The PowerShell Book Generator
 

Comments 36

Guest - marko on Tuesday, September 03, 2024 22:41

How can this be configured with Windows RDS web server ?

How can this be configured with Windows RDS web server ?
Andreas Nick on Thursday, September 05, 2024 10:33

I think so, as only the authentication on the Netscaler is affected here. Once you are authenticated, the RDP session is provided via the Netscaler. I have never tested anything like this. If you want to know exactly, you should ask in the Citrix Community Forum.

I think so, as only the authentication on the Netscaler is affected here. Once you are authenticated, the RDP session is provided via the Netscaler. I have never tested anything like this. If you want to know exactly, you should ask in the Citrix Community Forum.
Guest - Petro on Friday, June 07, 2024 12:14

Andreas, Are there new versions?

Petro

Andreas, Are there new versions? Petro
Andreas Nick on Friday, June 07, 2024 12:46

the latest version can be found in my Github account. However, I have been planning a complete overhaul for a long time to also manage hardware tokens. Not much has changed in the current version

the latest version can be found in my Github account. However, I have been planning a complete overhaul for a long time to also manage hardware tokens. Not much has changed in the current version :(
Guest - Thomas on Tuesday, January 25, 2022 21:47

Hello Andreas, I hope you are well. I'm late to finding this but it is fantastic. I'm wondering how difficult it would be for you to add a feature, or create a separate .PS1 file that can accept a .CSV file of SAMAccount names, and auto-email them with the QR code. I looked at the code and I can't seem to pull out all the pieces needed to make this happen. I'd like to enroll a large number of users at once is my reason. Thank you!

Hello Andreas, I hope you are well. I'm late to finding this but it is fantastic. I'm wondering how difficult it would be for you to add a feature, or create a separate .PS1 file that can accept a .CSV file of SAMAccount names, and auto-email them with the QR code. I looked at the code and I can't seem to pull out all the pieces needed to make this happen. I'd like to enroll a large number of users at once is my reason. Thank you!
Andreas Nick on Wednesday, April 06, 2022 10:09

Sorry, the notification is still inactive because there was too much spam. I am planning a new version. Send me info on what functions you need. But I can't promise anything.

Sorry, the notification is still inactive because there was too much spam. I am planning a new version. Send me info on what functions you need. But I can't promise anything.
Guest - Darren Porter on Friday, January 07, 2022 12:49

Hello, is there away to make the QR code time out? and also limit this QR code to only be usable once?

Thanks

Hello, is there away to make the QR code time out? and also limit this QR code to only be usable once? Thanks
Andreas Nick on Wednesday, April 06, 2022 10:10

If then as a configuration on the Citrix Gateway. I would also have to ask an expert

If then as a configuration on the Citrix Gateway. I would also have to ask an expert
Guest - Duke Walters on Thursday, July 22, 2021 15:32

FYI. Immunet AV detects this file as a Mdrop trojan and removes / quarantines it.

FYI. Immunet AV detects this file as a Mdrop trojan and removes / quarantines it.
Andreas Nick on Wednesday, April 06, 2022 10:12

Sorry, the notification is still inactive because there was too much spam. I am planning a new version. The PowerShell script in the directory does the same as the "Exe" file. PowerShell and PowerShell with Exe wrapper are often used for Trojans. Therefore, the tools that I also use generate the same header for the exe and all of a sudden everything is detected as a Trojan. You can just use the PowerShell script directly!

Sorry, the notification is still inactive because there was too much spam. I am planning a new version. The PowerShell script in the directory does the same as the "Exe" file. PowerShell and PowerShell with Exe wrapper are often used for Trojans. Therefore, the tools that I also use generate the same header for the exe and all of a sudden everything is detected as a Trojan. You can just use the PowerShell script directly!
Guest - CK on Tuesday, May 18, 2021 00:33

how do i use an smtp relay that does not require a username

how do i use an smtp relay that does not require a username
Andreas Nick on Wednesday, April 06, 2022 10:13

You can write your own function. Maybe in dotnet. The script for sending e-mails is in the program folder.

You can write your own function. Maybe in dotnet. The script for sending e-mails is in the program folder.
Guest - Stephan Pfister on Monday, May 03, 2021 12:56

Hi Nick
Thanks for your tool, it works great :-) i just have an additional question, actually the devices are limited to 3 per user. We have accounts, where we need to register more than 10 different devices. How can this be established? Thanks a lot, Stephan

Hi Nick Thanks for your tool, it works great :-) i just have an additional question, actually the devices are limited to 3 per user. We have accounts, where we need to register more than 10 different devices. How can this be established? Thanks a lot, Stephan
Andreas Nick on Wednesday, April 06, 2022 10:14

Is there a limit? If I have installed one, I would have to look in the source code myself. Please send me an e-mail directly if it is not up to date.

Is there a limit? If I have installed one, I would have to look in the source code myself. Please send me an e-mail directly if it is not up to date.
Guest - Andoni Juaristi on Thursday, December 24, 2020 11:29

Hello Andreas. Do you have any plan to develop the tool to be used with encrypted OTP data? How do you see?

Thank you. Andoni

Hello Andreas. Do you have any plan to develop the tool to be used with encrypted OTP data? How do you see? Thank you. Andoni
Andreas Nick on Thursday, December 24, 2020 12:10

As far as I know, the encryption is certificate-based with the key on the Citrix ADC. So this is not so easy to realize. However, the encryption can be disabled. I have never tested with the newer versions of the Citrix Gateway myself but I don't like to invest time here for now. If someone has an idea how we can realize this, he is welcome to contact me. Then I can implement it.

As far as I know, the encryption is certificate-based with the key on the Citrix ADC. So this is not so easy to realize. However, the encryption can be disabled. I have never tested with the newer versions of the Citrix Gateway myself but I don't like to invest time here for now. If someone has an idea how we can realize this, he is welcome to contact me. Then I can implement it.
Guest - Andoni on Monday, December 28, 2020 11:26

Thanks Andreas. I will investigate a little bit more, because I think (I have to ask to my support team) that really we are using a certificate that we have included in ADC, so we are able to use the key too... but I don't know how, I don't know hot to program this. In theory, we can have all the parts of the certificate that use in ADC, so if we will be able to choose the certificate and use, perhaps it can be done

Thanks Andreas. I will investigate a little bit more, because I think (I have to ask to my support team) that really we are using a certificate that we have included in ADC, so we are able to use the key too... but I don't know how, I don't know hot to program this. In theory, we can have all the parts of the certificate that use in ADC, so if we will be able to choose the certificate and use, perhaps it can be done
Guest - Ovesny on Friday, October 09, 2020 13:55

Hi,
I have an extensive AD with 3t users.
Is there any way, how to set up LDAP on a specific OU?

Please demonstrate how to use filter to a specific username.
Thank you.

Hi, I have an extensive AD with 3t users. Is there any way, how to set up LDAP on a specific OU? Please demonstrate how to use filter to a specific username. Thank you.
Andreas Nick on Saturday, October 10, 2020 12:20

Hello Ovesny, currently not, but I put this on my ToDo list. It will not cost much effort.

Hello Ovesny, currently not, but I put this on my ToDo list. It will not cost much effort.
Guest - Günther Imbrechts on Tuesday, September 15, 2020 16:51

Hello Andreas,

I was testing your tool, thanks a lot for sharing this. I was just wandering what could be the reason of this error: https://my-smartdrive.easi.net/portal/s/94705768001028569378.jpg
I have used the UPN as username and the mail attribute for the email address. A few users do exist which were registered with the manageotp site and which also use the same names.
Do you have the possibility to help me further? Thanks a lot!
Günther

Hello Andreas, I was testing your tool, thanks a lot for sharing this. I was just wandering what could be the reason of this error: [img]https://my-smartdrive.easi.net/portal/s/94705768001028569378.jpg[/img] I have used the UPN as username and the mail attribute for the email address. A few users do exist which were registered with the manageotp site and which also use the same names. Do you have the possibility to help me further? Thanks a lot! Günther
Already Registered? Login Here
Wednesday, December 11, 2024

Captcha Image

@nickinformation Tweets

My german Blog: 

http://www.software-virtualisierung.de

in 

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.