Gateway

Configuring Cascading Authentication

January 8, 2024

Contributed by:

C S C

Authentication allows you to create a cascade of multiple authentication servers using policy prioritization. When you configure a cascade, the system traverses each authentication server, as defined by the cascaded policies, to validate a user’s credentials. Prioritized authentication policies are cascaded in ascending order and can have priority values in the range of 1–9999. You define these priorities when binding your policies at either the global or the virtual server level.

During authentication, when a user logs on, the virtual server is checked first and then global authentication policies are checked. If a user belongs to an authentication policy on both the virtual server and globally, the policy from the virtual server is applied first and then the global authentication policy. If you want users to receive the authentication policy that is bound globally, change the priority of the policy. When a global authentication policy has a priority number of one and an authentication policy bound to a virtual server has a priority number two, the global authentication policy takes precedence. For example, you can have three authentication policies bound to the virtual server and you can set the priority of each policy.

If a user fails to authenticate against a policy in the primary cascade, or if that user succeeds in authenticating against a policy in the primary cascade but fails to authenticate against a policy in the secondary cascade, the authentication process stops and the user is redirected to an error page.

Note: Citrix recommends that when you bind multiple policies to a virtual server or globally, you define unique priorities for all authentication policies.

To set the priority for global authentication policies

In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies \ > Authentication.
Select the policy that is bound globally and then in Action, click Global Bindings.
In the Bind/Unbind Authentication Global Polices dialog box, under Priority, type the number and then click OK.

To change the priority for an authentication policy bound to a virtual server

You can also modify an authentication policy that is bound to a virtual server.

In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Virtual Servers.
In the details pane, select a virtual server and then click Open.
Click the Authentication tab and then click either Primary or Secondary.
Next to the authentication policy, under Priority, type the number and then click OK.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configuring Cascading Authentication

January 8, 2024

Contributed by:

C S C

January 8, 2024

Contributed by:

C S C

Configuring Cascading Authentication

To set the priority for global authentication policies

To change the priority for an authentication policy bound to a virtual server

In this article