Hardware tokens for Native OTP Authentication with NetScaler

The Citrix NetScaler One Time Password (OTP) feature was introduced with NetScaler 12.0 FR1. It provides OTP authentication without the need for a third-party server. In addition, it consolidates configuration within the NetScaler, giving administrators greater control.


This guide describes the user interface flow for enabling Token2 programmable tokens with the Native OTP capability already activated. Native OTP configuration procedures are described here.


Navigating to the ManageOTP URL, e.g., https://otpauth.server.com/manageotp (alternatively, you can use https://alt.server.com if you have configured a host-based management page), we are presented with the initial logon page, which requires only LDAP logon credentials:


After logging in with valid credentials, we see the manage device page as follows:


After we click ‘+’, type in the device name, click ‘go’, and click ‘done’, a QR code is generated. This indicates the device has been registered:


Now, launch the Token2 Burner App on your Android device.

Note! You need an NFC-enabled Android device for the enrollment process only. Subsequent logins will use only the programmable token itself.

Click the "Scan QR" button and scan the QR code shown on the configuration page in the previous step. Then push the button on the token device and hold it close to the NFC antenna of your Android device (usually below the camera on the back). Click the "burn seed" button. The app should show a "burn seed process succeeded" message if the process completed successfully.


An OTP generated by your token can be entered to test the newly registered device.
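
To check a freshly burned token before relying on it, the code on its display can be compared with what the enrolled seed should produce, including how many time steps the token's clock has drifted. The following is an added example, not part of the original guide or of NetScaler or Token2 software; it assumes the QR code encodes an otpauth://totp URI with a base32 "secret" parameter and that the token uses HMAC-SHA1, 6 digits and a 30-second step unless the URI says otherwise. The function names and the sample URI are hypothetical.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample using the RFC 6238 test seed, NOT a real enrollment secret.
# A real QR payload contains the token seed and must be handled as a credential.
SAMPLE_URI = "otpauth://totp/user1@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def parse_otpauth(uri):
    """Return (seed_bytes, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    b32 = q["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped base32 padding
    seed = base64.b32decode(b32)
    digits = int(q.get("digits", ["6"])[0])    # assumed default: 6 digits
    period = int(q.get("period", ["30"])[0])   # assumed default: 30 s step
    return seed, digits, period

def totp(seed, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def match_token_code(uri, shown_code, unix_time, window=2):
    """Return the drift (in time steps) at which shown_code matches, else None.

    Negative drift means the token clock is behind the reference clock.
    """
    seed, digits, period = parse_otpauth(uri)
    for drift in sorted(range(-window, window + 1), key=abs):
        t = unix_time + drift * period
        if t < 0:
            continue                      # no time step before the epoch
        if hmac.compare_digest(totp(seed, t, digits, period), shown_code):
            return drift
    return None
```

A non-zero result from match_token_code means the token's clock differs from the reference time by that many steps; None means the displayed code does not correspond to the scanned seed within the window, so the burn should be repeated.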