Windows Live Alerts
Start access
Support Forum
Remote Desktop Services
Terminal Services
Web Interface
Tips & Tools
Lassen Sie sich von einem Experten Beraten

SMS/E-Mail Token for Web Interface Print E-mail

This nice add-on for Citrix Web Interface by Claus Isager provides a 2-factor authentication. The software add-on works by sending a one time passcode to your mobile phone as a SMS or E-Mail.

The SMS/E-Mail Token solution is splited into two parts. First part adds a new Tab to the User properties in Active Directory (it's not a schema extension). Setting the mobile phone number and a token PIN is all that has to be done in the User properties.

SMS Token setting

Second part is the modification of Web Interface to add the SMS Token authentication and is quite easy. After setting the SMS properties for the used SMS Gateway (designed to use an online SMS Gateway - sending HTML request) your done to use SMS Tokens.

At the login page use the personal PIN as PASSCODE and next will bring up the page for the SMS Token that was send in the background to the User mobile phone. When the Token is correct the user get's access to the application set.




Written by Guest on 2007-07-11 12:03:26
Looks nice. 
But how is this OTP that gets sent created? 
I am unable to find anything on the site, and it looks like the forum died too. 
Basically I am wondering how secure it is.

Written by Guest on 2007-07-19 20:43:58
The one time password (opt) is created by the function GenerateCode in the sms_include.aspx file. The Function GenerateCode just create a random 6 digits code. This code is then stored in AD og send to the user.

Other SMS gateway
Written by rautsi on 2007-08-29 12:09:55
are there any whay to configure this appl to use another SMS gaeway ? 
We have an internal SMS gateway that we can use to send SMS througth a web page, command line or mail.

Written by Guest on 2008-03-10 16:07:50
does it means you can remove all the VASCO middleware software ... ?

Written by Guest on 2008-05-05 17:12:10
is there a way to implement this for owa or remoteweb places?

Written by Guest on 2008-08-13 12:09:07
What happens if there is a SMS delay, how do you handle events such as this. Also if the passcode is stored in AD, how is it protected or can it be viewed with a LDAP browser. :)

Written by Guest on 2009-02-02 11:48:46
Is there an update on this, i.e. a version for web interface 5?

WI 5.1
Written by Gast on 2009-04-20 15:59:06
update available for WI 5.1 ?

It do not work with WI / CSG / XENAPP 5
Written by Guest on 2009-05-19 11:59:07
I tested it with WI 5 but it did not work. 
THe portal said on the main page : 
"Configuration du système non valide 
La configuration du système est soit incorrecte soit indisponible. Veuillez nous excuser pour ce désagrément. 
L'erreur est de nature temporaire. Essayez de vous reconnecter et si le problème persiste, contactez votre administrateur système. 

We really need this feature under the last versions of WI and CSG. And the site does not repond. 
Anyone here ?

too bad!
Written by Guest on 2009-08-20 16:43:15
Looked promising but it seems its hardcoded to use I guess they funded developement or something ?

Lke to see a version to send code by e-m
Written by Guest on 2009-12-02 13:20:52
I would like to see a version that would send code by e-mail

Written by wizdom on 2010-04-29 19:22:40
Tried it today on a WebInterface 5.2 and it doesn't work : 
"Invalid System Configuration 
The system configuration is invalid or unavailable. We apologize for any inconvenience. 
The error may only be temporary. Try reconnecting and, if the problem persists, contact your system administrator. 

After looking at the WIndows Events : 
"Site path: c:\inetpub\wwwroot\Citrix\XenApp. 
The message key 2FactorConfigError does not correspond to a valid event ID. Check that the event ID file has a valid entry for 2FactorConfigError. The event ID must be an integer between 1 and 65535. [Unique Log ID: c5a04aba] 

Written by Claus Isager on 2010-05-04 08:18:10
Hi. There is a file missing in the zip file. create a new file in the \auth\smscode.aspx 
(same folder where safeword.aspx is located) 
I will send a new file to Thomas asap

File missing
Written by Guest on 2010-05-03 11:01:23
A file is missing in the zip file. I have send a new version to Thomas.  
To fix this: 
1. Make a copy of safeword.aspx (in auth folder) 
2. Rename to smscode.aspx 
3. Edit smscode.aspx and replace Safeword with smscode  
4. Save

Patch is working
Written by wizdom on 2010-05-04 00:02:07
I tried the new version tonight on my Web Interface 5.3 and now the authentifcation page is not crashing anymore. nice. 
But still, I don't understand how this can work : the login page ask for username + password + passcode (the page is "login.aspx"). But how can you have a passcode before the email (or SMS) is sent to you ?

Written by wizdom on 2010-05-04 00:24:20
I just understood that the needed Passcode is in fact the Pin code defined in the SMS TOKEN tab in Active Directory. 
Anyway, it still tells me that my authentication is wrong although I'm sure of all my credentials (it works well if I come back a classical login+password authentication mode).  
When checking the "User must change PIN at next logon" box, my Pincode is accepted at the logon page, a new page is coming and asking me for changing the PIN code. I type a new Pincode twice but I got an error message when validating that my pincode could't be updated.

Resolve domain
Written by Claus Isager on 2010-05-04 09:18:36
Please check that your webinterface can resolve the domain. 
On the webinterface check that you can ping your domain . ex. test.lan and be sure that port 389 tcp is open between the WI and your AD servers

Not a domain issue
Written by wizdom on 2010-05-04 18:14:19
Well, I'm a 100% sure this is not a domain issue because : 
a) there's no firewall between WI and Domain Controller 
b) there's a second XenApp website on the same WI, without 2-factors auth, and this one works (with the same user credentials, except passcode of course). 
c) when user must change pin at next logon, he's correctly redirected to CHANGE_PIN.ASPX (but he cannot change it, see above). He's not redirected if its password is incorrect. So the password can clearly be checked by the WI. Obviously the pincode cannot. 
I'm trying with different users, with passcode as easy as "1234" or "abcd", and always get the same issue. 
All servers are running English version of Windows 2003 SP2. 
Is there any way to trace something during auth phase ?

Written by Claus Isager on 2010-05-05 08:17:43
Does it make any differens if the user is a Domain Admin? 
SMS token make use of the field primaryTelexnumber on a user object. Try starting adsiedit.msc (included in support tools) and look at the advanced permissions for the user. The user (SELF) should have r/w permissions for "Personal informations" (Default setting)

move to forum
Written by wizdom on 2010-05-07 13:56:13
Following the discussion here :

SMS/EMAIL Token fo AD 2008 x64
Written by Gast on 2010-06-14 12:59:57
Hi Forum, 
i have the system in use. I use the SMS function. 
Now i would use this on my AD 2008 x64. 
Unfortuanly the regsrv32 jobs did'nt work on x64. 
Are x64 files available ? 
regards -  

not sending email
Written by Gast on 2010-07-22 14:00:41
while within the lab the mail function works fine within the dmz i can only see the http get to  
There are no smtp packets. 
But i am able to use telnet from the WI with port 25 to access the mailserver with his name. 
The config are the same like the lab-config. 
USEMAIL=1 are present.

R2 x64: yes or no
Written by Gast on 2010-08-24 08:31:39
does this work on R2 x64 as well?!? It seems the registartion of the ocx and dll's does no work... :-( 
Thanks for help.

R2 x64: yes or no
Written by Guest on 2010-11-16 17:07:23
Following MS requisites, I've first open a command prompt as administrator, 2nd move dll and ocx files to %programfiles (x86)\smstoken and 3rd run regsvr32 from %systemroot%\sysWOW64 folder. 
If the files seems to be fine registered, the AD snap-in don't appears into the AD user'property...

R2 x64: yes or no
Written by Thomas Koetzing on 2010-11-16 19:36:49
x64 is NOT supported with any Windows OS!

R2 x64: yes or no
Written by Guest on 2010-11-17 14:49:02
OK. SMS Token works perfectly under a primary site which is running WI 5.2/CSG 3.1 and Win2003 for Mfs. 
We have register all DLL and OCX, update WI conf. files and users receive the SMS token on their cell. 
Now, we must reproduce this configuration with the latest Citrix release for front in and XenApp 6 for back-end. All servers (front and back) are running Win2008 R2 (64bits). If we don't have any error message during the registration process (regsvr32 files.dll/ocx), the new tab never appears into the AD users snap IN... 
Is there another way to update this snap in under Win2008 R2? 
Best regards

R2 x64: yes or no
Written by Guest on 2010-11-17 15:17:29
Its works. 
After successfully registered the dll and ocx, we must open the 32bits MS console (mmc -32) to be able to see the new tab in the snap-in menu (AD users & computers).

Written by Guest on 2010-11-25 14:47:32
AD User cannot write to self AD properties(sended SMS code), how could I resolve this issue? please. 
If user is in administrators group SMS working correctly and for user only it get exception - I tried it in Visual Studio, too 
It give exception: "General access denied error". 
I think that is AD security problem but I have not found resolve yet. 
Thanks for help

Written by peet on 2010-12-08 18:10:38
You must delegate control for SELF at your root (AD) for object users to be able to write into Personnal Information. 

Howto use our own SMS Gateway
Written by Guest on 2011-02-01 13:00:25
Hi ! 
We have our own SMS Gateway. How do we configure this system to use that instead of ClickaTell ? 
Thanks for your help

Written by Guest on 2011-03-08 18:37:59
How can i delegate control for SELF at my root (AD) for object users to be able to write into Personnal Information?  
Thanks for your help.

does not work on srv2008
Written by Guest on 2011-03-08 20:52:15
can someone confirm that this works on srv2008 R2 X64? i only get error System.Security.Permissions.FileIOPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089

SMS Gateway mit Clickattell mit W2008 x6
Written by turmhuus on 2011-04-05 18:00:04
Following MS requisites, I've first open a command prompt as administrator, 2nd move dll and ocx files to %programfiles (x86)\smstoken and 3rd run regsvr32 from %systemroot%\sysWOW64 folder.  
If the files seems to be fine registered, the AD snap-in don't appears into the AD user'property... 
Die SMS-Authentifikation mit Clickatell funktioniert auf unserer Citrix-Umgebung einwandfrei! 
Die Einstellungen müssen einfach im 32-Bit AD-Snapin konfiguriert werden. 
Danke für den guten Tipp!

Written by Guest on 2011-05-11 21:48:12
Did anyone already test with WI 5.4?

Written by Gast on 2011-08-09 17:07:33
Der Link auf die Website von Claus Isager geht ins Leere

XenApp 6.5 ans Wi 5.4
Written by Gast on 2011-10-03 15:39:39
I have the same problem: 
System.Security.Permissions.FileIOPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089 
Can anyone help me? 
In AD User + Computers i can see the SMS Token settings

Written by Guest on 2011-10-25 15:23:34
A x64 snapin is available from 

XenApp 6.5 and WI 5.4
Written by Guest on 2011-10-29 12:22:19
Work fine. If you get the error System.Security.Permissions.FileIOPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089  
Check the permission for "ApplicationPoolIdentity" in the IIS. If all else fails change the "ApplicationPoolIdentity" to "NetworkService" for the webside application pool.

Tablet / Smartphones
Written by Guest on 2011-12-07 14:31:27
Will it work for smartphones and tablets also?

Written by Guest on 2011-12-14 07:34:13
can't find sms_include.aspxf to use "mobile" instead of "telephoneNumber".... 
Thks for your help ! 
Everything else is working fine ....

invalid token
Written by Guest on 2012-01-20 00:17:01
I am testing WI5.4 on Windows 2003 R2 server. 
Users receive an email with the token, but after they entered the token in the 2nd login page, they are brought back to the first login page. The message on the bottom with the RED X said please verify your username and password and try loggin on again. If you cannot log on, contact your help desk. 
Any suggestions is greately appreciated.

Almost working...
Written by Gast on 2012-07-24 14:22:08
We are trying to set it up for Citrix Web Interface 5.4. We are using latest Versions (WI 5.4.3, CSG 3.3.1) on Windows Server 2008 R2 (all patches installed). 
We have succeeded in 
- Installing the AD Snap-In 
- Opening an account at 
- Installing a test WI site 
When logging in the test site with username, password and PIN, the next step appears, asking for the SMS token. But the SMS token never gets send to mobile phone. 
If we look up the current token in AD (Attribute Editor, primaryTelexNumber), we can 
- use it to successfully login 
- send it successfully from the WI-Server to using Internet Explorer 
Strangely, sms_include.aspx does not seem to be installed/needed when using WI 5.2 - 5.4? 
We tried adding it in serverscripts and referencing it in smscode.aspx but that didn't do the trick, obviously. 
For tests, we entered the mobile phone number in the default 'Phone' field. For production, we do need to use 'mobileNumber', as our Mail-Signature is created from AD.

Works on WI 5.4 / W2k8R2
Written by Gast on 2012-07-24 17:19:58
We successfully installed it on Web Interface 5.4 (in DMZ) with a Windows Server 2008 R2 domain. 
Still need to sort out the wrong AD Field (telephoneNumber instead of mobile), as apparently sms_include.aspx was used in WI 4.5 but is not used in WI 5.4 anymore. 
Hint, anyone?

Written by Guest on 2012-08-29 22:52:17
I'm getting this error when trying to use SMSToken with SMTP or the API. Any ideas? 
"SMSToken was unable to read all infomation from Active Directory for user testuser ## Check that email (if email solution is used) and phone number (if sms solution is used) is setup correctly and smstoken is configured for the user. Also check using adsiedit.msc that the user 'SELF* has access to read/write private information on his AD object "

Written by Guest on 2012-08-29 22:55:36
SMSToken was unable to read all infomation from Active Directory for user testuser ## Check that email (if email solution is used) and phone number (if sms solution is used) is setup correctly and smstoken is configured for the user. Also check using adsiedit.msc that the user 'SELF* has access to read/write private information on his AD object

Written by Guest on 2012-08-30 18:53:06
Can you do a telnet from you WebInterface to your domain on port 389? Try to do: 
telnet 389  
if you are not able to, create a host entry in c:\windows\system32\drivers\etc\hosts  
pointing to you domain controllers 
Also check that the your has a valid email address specified in the E-Mail field in Active Directory Users and Computers

Not able to login
Written by Guest on 2013-09-04 09:45:48
have made all the changes but when trying to login I am getting error like "Your credentials are invalid. Try again or contact your system administrator" 
If I have set PIN to change in next login its working fine but while login not able to login it self.

NOTE  You have to register in the Forum to post comments with your name.

Write Comment
BBCode:Web AddressEmail AddressBold TextItalic TextUnderlined TextQuoteCodeOpen ListList ItemClose List

Code Verification
CAPTCHA Security Code Security Code *

find or follow me @