NetScaler Gateway Dual Factor Authentication using SMS2

A big thank you to Steven Wright of SMS2 for helping me with this when I got stuck.

SMS Authentication
If you are going to be using SMS to receive your OTP, you must sign up to a Cloud SMS service such as Textlocal.

If you will be using Google Authenticator, download the app from your app store.


Installing Network Policy Server
Select Network Policy and Access Services and click Next

Click Next

Click Next

Click Next

Click Install

Configuring NPS with a RADIUS client
Open Network Policy Server console

Expand RADIUS Clients and Servers

Right click RADIUS client and click New

Enter the NSIP of your NetScaler Gateway and configure a shared secret. You will need the shared secret when you configure the RADIUS policy on your NetScaler Gateway.

Configure NetScaler Gateway RADIUS Authentication Policy
Log into your NetScaler Gateway.

Expand Access Gateway -> Policies -> Authentication -> Radius and click Add

Give the Policy a name and then click New next to Server

Give the Server a name, enter the IP address of your NPS Server, enter the shared key / secret created in the previous step and click Create.

In Named Expressions, select General and True value from the drop-down and click Add Expression.

You should now see ns_true in the expressions box.

Now click Create

Installing SMS2
Click Next

Click Typical

Click Configure AuthEngine

Copy and paste your license into this window and click Check License, and then Next

If you want to use the Local System account, click Test Login and then click Next.

Enter your LDAP configuration and click Test

Note: If you set your base DN to an OU that DOES NOT contain your admin accounts, you will not be able to launch the SMS2 console.

To change this after install, open C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml and edit the line

<ADBaseDN>DC=skynetcomputing,DC=local</ADBaseDN>

You should get a message like this returned. Click OK then click Next

Enter the connection details to your database server and click Test Connection

You should get a message saying Test SQL Connection Sucessful

Click OK and click Next.

Now click on configure CloudSMS

Click Next

Select the name of your Cloud SMS provider from the Samples drop down and hit Load. I used Textlocal.

Fill in the required details and click Next.

Click on Configure OATHCalc

Click Next

Click Finish

Click Configure AdminGUI/Clients

Click Finish.

Note: If you are getting an IAS/NPS message on this screen, it is because you have not installed the NPS role yet. Go back and install it without exiting this screen, then click Back and Typical and you will be able to proceed without having to redo the config.

Now click Next.

The Web Interface directory is not required if you are using NetScaler Gateway or just StoreFront.

Click Next.

Click Install and click Finish once it’s complete.

Now Run SMS2 Administration from your Start Screen.

Configuring SMS2
To configure SMS2 open the following file in a text editor.

C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml

Base DN
I have found that I get the following message if the LDAP Base DN is set to anything other than the root of the domain.

To change this, open C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml

And edit the line

<ADBaseDN>OU=Accounts,DC=Domain,DC=local</ADBaseDN>

So that it is pointing to the root of the domain.

No Admin Rights
The first time I set up SMS2 my Domain Admin account was not configured as an Administrator in the SMS2 console and therefore I could only see my account in the Admin console.

To get around this, run the following command with elevated rights:

"C:\Program Files\WrightCCS2\Service\Wright.MakeAdmin.exe" <configuration.xml> <ad_username>

Where configuration.xml is the path to the Configuration.xml file as above and ad_username is the username of the person you want to make an administrator (use domain\username).

After you have done this you will need to restart the WrightAuthEngine service.

Disabling / Enabling Providers
If you want to disable any of the Dual Factor Authentication providers that are available to users in the console, find the relevant <Provider> entry under the <AuthProviders> section and set <Enabled> to false, as below:

<Provider>
    <Name>PINTAN</Name>
    <AdGroup />
    <Enabled>false</Enabled>
    <Default>false</Default>
    <Config />
</Provider>

The Providers you disable will then no longer be available when you relaunch the console, as below.

Enable Challenge Response
In order for SMS2 to prompt you for your OTP after you have entered your PIN, you must set the line below to true:

<AuthEngineChallengeResponse>True</AuthEngineChallengeResponse>

and add this line:

<AuthEnginePinCodeTokenSeperated>True</AuthEnginePinCodeTokenSeperated>
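As an added example (not code from SMS2 or the original post), the following PowerShell applies the Base DN, provider and challenge-response edits above in one pass and restarts the WrightAuthEngine service. It assumes the element names quoted on this page and places the new AuthEnginePinCodeTokenSeperated element next to AuthEngineChallengeResponse, which the post does not specify.

```powershell
# Added example, not from SMS2 or the original post: script the Configuration.xml
# edits described above, then restart the WrightAuthEngine service.
# Assumption: the new AuthEnginePinCodeTokenSeperated element is placed next to
# AuthEngineChallengeResponse (the post does not say where it belongs).
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml',
    [string[]]$DisableProviders = @('PINTAN')
)

# Keep a backup so a bad edit can be rolled back
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
[xml]$cfg = Get-Content -Path $ConfigPath -Raw

# Base DN: keep only the DC= components so the search root is the domain root,
# e.g. OU=Accounts,DC=Domain,DC=local becomes DC=Domain,DC=local
$baseDn = $cfg.SelectSingleNode('//ADBaseDN')
if ($baseDn) {
    $rootDn = ($baseDn.InnerText -split ',' | Where-Object { $_.Trim() -like 'DC=*' }) -join ','
    if ($rootDn -and $rootDn -ne $baseDn.InnerText) {
        Write-Host "ADBaseDN: $($baseDn.InnerText) -> $rootDn"
        $baseDn.InnerText = $rootDn
    }
}

# Disable the named providers so they no longer appear in the console
foreach ($p in $cfg.SelectNodes('//AuthProviders/Provider')) {
    if ($DisableProviders -contains $p.SelectSingleNode('Name').InnerText) {
        $p.SelectSingleNode('Enabled').InnerText = 'false'
        $p.SelectSingleNode('Default').InnerText = 'false'   # a disabled provider must not be the default
    }
}

# Challenge/response: prompt for the OTP after the PIN, with PIN and token entered separately
$cr = $cfg.SelectSingleNode('//AuthEngineChallengeResponse')
if (-not $cr) { throw 'AuthEngineChallengeResponse not found; check the file layout' }
$cr.InnerText = 'True'
$sep = $cfg.SelectSingleNode('//AuthEnginePinCodeTokenSeperated')
if (-not $sep) {
    $sep = $cfg.CreateElement('AuthEnginePinCodeTokenSeperated')
    [void]$cr.ParentNode.InsertAfter($sep, $cr)
}
$sep.InnerText = 'True'

$cfg.Save($ConfigPath)
Restart-Service -Name 'WrightAuthEngine'
```

Run it from an elevated PowerShell prompt on the SMS2 server; the .bak copy lets you restore the previous configuration if the console no longer launches afterwards.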

Image credits to Trusty Joe

https://trustyjoe.com/blog/
