Configuring Two Factor Authentication For Citrix Web Interface With WiKID
Many organizations that process credit card payments must comply with the PCI (Payment Card Industry) security standard to help maintain the integrity of their systems. One of the technologies an organization can make use of to help in complying with this standard is to implement a multi-factor authentication scheme. WiKID offers a robust two factor authentication method based on one-time use passcodes. The WiKID server is based on the CentOS 5 Linux distribution. WiKID offers a free Community Edition, however several built in features are missing (such as RADIUS) that are needed to integrate with the Citrix Web Interface. WiKID Enterprise Server is offered with a 30 day trial and has all features necessary for integration with Citrix included out of the box. It has a reasonable price tag that is much cheaper than competing multi-factor authentication solutions. Facebook
In this example I will implement a WiKID server to provide an additional layer of authentication for Citrix Web Interface user logons. WiKID offers a prebuilt VMware appliance, however I had trouble getting this to work properly. At the moment my recommendation if you intend to set up WiKID in VMware is to set up a virtual machine manually using Red Hat Enterprise Linux 5 (32-bit) as the machine type with a basic setup (512MB RAM, 5GB Hard Drive, and 1 NIC). Once that is complete boot using the WiKID Enterprise Server ISO.
Select your time zone and press tab until the OK button is highlighted, press enter.
Enter a password for the root user.
I attempted to run “yum update” but I needed to first configure the system with some name servers. To configure this as other network settings run:
This wizard makes it very easy to step through the networking set up. In later installations I only answered Yes to using “eth0” and No on all the other interfaces. This appears to be all that is needed, although I have seen documentation indicating that 2 NICs should be configured (at the moment I am not sure why). Also don’t forget to enter your default gateway and nameserver info.
We now need to enter info pertaining to the self-signed SSL certificate for the WiKID administration website. Please note that you can recreate this certificate by deleting the certificate file and restarting WiKID.
Enter Yes to create the certificate.
I entered No for replication, which if implemented will allow us to add high availability features to our WiKID installation. Now start the WiKID server:
# wikidctl start
Now switch over to your browser:
http://YourWiKIDServer/WiKIDAdmin/
Since the SSL cert is self signed you’ll receive warnings that it is not trusted.
Now log in to the WiKID administration site with these credentials:
Username: WiKIDAdmin
Password: 2Factor
Click the Configuration tab.
Aaron Walrath - Another IT Guy's Meanderings 
Nice document, i made kinda same document together with securenvoy sms authentication and citrix + radius. Some thing not mentiod in here: make a backup of the conf files you edit, because if you do a ‘repair website’in the ctx webinterface server all you settings are overwitten.
Also this setup doesn’t work with upn logon names correctly for that you need to change the TwoFactorAuth.java file.
Good point and thanks for the info, Jan. It is always a good idea to make backups of the config files that get edited.
Great document! This fills a nice hole for us!
Nick
Thanks for the kind words, Nick.