Configure prefill user name from certificate in Citrix ADC nFactor authentication

This section describes a two-factor authentication use case in which the first factor is certificate authentication and the second factor is LDAP.

Use Case: Certificate and LDAP authentication

Assume a use case in which admins configure two-factor authentication, with certificate authentication as the first factor followed by LDAP authentication. As part of the first factor, the client is prompted for a user certificate. The user name is extracted from the certificate and prefilled in the user name field of the logon form returned for the next factor.

  1. Client browser accesses traffic management virtual server and gets redirected to a logon page for authentication.

  2. First factor is evaluated against a certificate action which extracts the user name. Evaluation is successful and passed to the next factor, policy “label1” in this case.

  3. The policy label specifies that the second factor is login schema “login1” with LDAP policy.

  4. The logon form with the user name prefilled is returned to get the password from the user for LDAP authentication.

  5. The authentication server returns cookies and a response that redirects the client’s browser back to the traffic management virtual server, where the requested content is. On the other hand, if the login fails, the client’s browser is presented with the original logon page, so that the client can retry.


The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.

Perform the following by using the CLI

  1. Configure traffic management virtual server and authentication server.

    • add lb vserver lbvs1 HTTP 80 -AuthenticationHost -Authentication ON
    • add authentication vserver avn SSL 443 -AuthenticationDomain
    • set ssl vserver avn -clientAuth ENABLED -clientCert Mandatory
    • set ssl parameter -denySSLReneg NO
  2. Configure a first factor as certificate action.

    • add authentication certAction cert -userNameField Subject:CN
    • add authentication Policy certpol -rule true -action cert
  3. Configure a second factor.

    • add authentication loginSchema login1 -authenticationSchema login1.xml
    • add authentication policylabel label1 -loginSchema login1
  4. Configure LDAP action.

    • add authentication ldapAction ldapact -serverIP -ldapBase "cn=users,dc=dep,dc=sqltest,dc=net" -ldapBindDn -ldapBindDnPassword 8f7e6642195bc181f734cbc1bd18dfaf03bf9835abda7c045f7a964ceb58d4c9 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userprincipalname
    • add authentication Policy ldappolicy -rule true -action ldapact
  5. Bind the policies.

    • bind authentication vserver avn -policy certpol -priority 1 -nextFactor label1 -gotoPriorityExpression NEXT
    • bind authentication policylabel label1 -policyName ldappolicy -priority 10 -gotoPriorityExpression END
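
The certificate action above takes the user name from Subject:CN and the LDAP action looks it up as sAMAccountName, so it helps to check issued certificate subjects before rollout. The following Python sketch is an added example, not Citrix code; it assumes subjects in RFC 4514 string form and a constructed list of account names, and it does not model how the appliance itself chooses among several CN values.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped separators inside their part."""
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), text)

def unescape(value):
    """Decode RFC 4514 escapes (hex pairs and single characters, ASCII only)."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value.lstrip())

def common_names(subject):
    """Return all CN values of a subject string, in the order they appear."""
    names = []
    for rdn in split_unescaped(subject, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, _, value = ava.partition("=")
            if attr.strip().upper() == "CN":
                names.append(unescape(value))
    return names

def prefill_check(subject, sam_names):
    """Return (candidate user name, problems) for one certificate subject."""
    cns = common_names(subject)
    if not cns:
        return None, ["no CN in subject"]
    problems = []
    if len(cns) > 1:
        # Assumption: the first CN is reported; flag the ambiguity for review.
        problems.append("multiple CN values")
    if cns[0].lower() not in {n.lower() for n in sam_names}:
        problems.append("CN is not a known sAMAccountName")
    return cns[0], problems

# Constructed sample data: account names exported from the directory and
# certificate subjects under the LDAP base used in the commands above.
SAM_NAMES = {"jdoe", "asmith"}
SUBJECTS = [
    "CN=jdoe,OU=Staff,DC=dep,DC=sqltest,DC=net",
    "CN=asmith,CN=Users,DC=dep,DC=sqltest,DC=net",
    r"CN=Doe\, John,OU=Staff,DC=dep,DC=sqltest,DC=net",
    "OU=Kiosk,DC=dep,DC=sqltest,DC=net",
]
for s in SUBJECTS:
    print(prefill_check(s, SAM_NAMES), s)
```

Subjects that report a problem would prefill a name that the LDAP factor cannot match, so they are worth resolving at issuance time rather than at logon.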

Configuring by using the nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

  2. Click + to add the nFactor flow.

  3. Add a factor. The name that you enter is the name of the nFactor flow.

  4. No Schema is needed for the certificate authentication.

  5. Click Add Policy to create policy for the certificate authentication.

  6. Add policy for the certificate authentication.

    For more information on certificate authentication, see Configuring and Binding a Client Certificate Authentication Policy.

  7. Click the green + next to the cert policy to add the next factor.

  8. Select Create Factor to create a factor for LDAP Authentication.

  9. Click Add Schema to add the PrefilUserFromExpr.xml schema for the second factor, which presents the logon form with the user name prefilled.

  10. Select Add Policy to add policy for LDAP authentication.

    For more information on creating LDAP authentication, see To configure LDAP authentication by using the configuration utility.

  11. Click Done to save the configuration.

  12. To bind the created nFactor Flow to an authentication, authorization, and auditing virtual server, click Bind to Authentication Server and click Create.

    The nFactor Flow can be bound and unbound only through the Show Bindings option in nFactor Flow.

Unbind the nFactor Flow

  1. Select the nFactor Flow and click Show Bindings.

  2. Select the authentication virtual server and click Unbind.
