Configuring One-Time Password Use

You can configure Citrix Gateway to use one-time passwords, such as a token personal identification number (PIN) or passcode. After a user enters the passcode or PIN, the authentication server immediately invalidates the one-time password and the user cannot enter the same PIN or password again.

Products that include using a one-time password include:

  • RSA SecurID
  • Imprivata OneSign
  • SafeWord
  • Gemalto Protiva

To use each of these products, configure the authentication server in the internal network to use RADIUS. For more information, see Configuring RADIUS Authentication.

If you configure authentication on Citrix Gateway to use a one-time password with RADIUS, as provided by an RSA SecurID token, for example, Citrix Gateway attempts to reauthenticate users by using the cached password. This reauthentication occurs when you make changes to Citrix Gateway or if the connection between the Citrix Gateway plug-in and Citrix Gateway is interrupted and then restored.

An attempt to reauthenticate can also occur when connections are configured to use Citrix Workspace app and users connect to the Web Interface by using RADIUS or LDAP. When a user starts an application and uses the application, and then returns to Receiver to start another application, Citrix Gateway uses cached information to authenticate the user.

Configuring One-Time Password Use