Criteria

Defining Client Certificate Criteria

To specify criteria that client certificates must meet, use a Boolean expression. To belong to a group, the user must meet the certificate criteria in addition to passing all other authentication rules that are configured for that group. For example, the following criteria requires that the subject field of the client certificate provided by a user has the Organization Unit (OU) set to Accounting and the Common Name (CN) attribute set to a value matching the user's local user name on the Access Gateway.

client_cert_end_user_subject_organizational_unit="Accounting" and
username=client_cert_end_user_subject_common_name.


Valid operators for the client certificate are as follows:

and logical AND

= equality test
Valid constants for the criteria are:
true logical TRUE
Valid variables for the criteria are:
username local user name on the Access Gateway
client_cert_end_user_subject_common_name CN attribute of the Subject of the client certificate
client_cert_end_user_subject_organizational_unit OU attribute of the Subject of the client certificate
client_cert_end_user_subject_organization O attribute of the Subject of the client certificate
Values for the client certificate criteria require quotation marks around them to work. Correct and incorrect examples are:

The Boolean expression
client_cert_end_user_subject_common_name="clients.gateways.citrix.com" is valid and it works.

The Boolean expression
client_cert_end_user_subject_common_name=clients.gateways.citrix.com is not valid and does not work

To specify client certificate configuration:

1. On the Access Policy Manager tab, right-click a group that is not the default group and click Properties.

Note: Client certificate configuration is not available for the default user group

2. On the Client Certificate tab, under Client certificate criteria expression, type the certificate information. Click OK.