
Trouble configuring logon point on CAG+AGC for iPad receiver using RSA authentication

Started by Tim Lovelock , 24 October 2011 - 10:23 AM
6 replies to this topic


Tim Lovelock Members

Tim Lovelock
  • 5 posts

Posted 24 October 2011 - 10:23 AM

I'm having trouble getting a logon point configured on our AGC for use with iPads that need to use RSA authentication to login. We have a XenApp6 farm which we would like our users to be able to connect to externally from their iPads using the Citrix receiver. We would like our users to log in using both their Windows domain password and their RSA token. Our environment is configured as follows:

XenApp6 farm
Web Interface Version: 5.3.0.34
Citrix Access Gateway Controller 5.0.3 (running on W2K8 R2 SP1)
Citrix Access Gateway 2010 Appliance (Advanced Edition 5.0.3)
Citrix Receiver for iOS version 5.0

I've read various documentation and eventually configured the following:

# On the WI server: A XenApp Services site called PNAgentTest which points to the XenApp6 farm, with the authentication method set to 'Prompt (default)', secure access set to 'Gateway Direct', the gateway address set to the FQDN of our CAG, session reliability turned off and STAs pointing to our XenApp6 servers.
# On the AGC: A web resource for iPads, with the web address set to 'http:// <Web Interface FQDN>//Citrix/PNAgentTest/config.xml'
# On the AGC: An access policy allowing web resource 'extended access' to the iPad web resource
# On the AGC: An authentication profile for our AD domain and an authentication profile for RSA (set to 'Force authentication to occur on the access controller')
# On the AGC: A basic logon point called 'iPhone' with the home page set to the iPad web resource, authentication set to RSA first, then Active Directory. This logon point is both enabled and deployed.

It's possible to get things working almost perfectly if I change the 'iPhone' basic logon point on the AGC to have the 'unauthenticated' option ticked. In this scenario I can log in to the iPad receiver and a list of my XenApp applications will appear which I can either launch directly or click on the star sign to add as a favourite to my Citrix Receiver desktop. This is working exactly as I would like, except for the fact that RSA authentication is not present on the login screen. Also, if anyone browses directly to my logon point (https://<CAG FQDN>lp/iPhone) within a browser such as IE they do not get prompted for any authentication, but rather get a page of XML which includes various URLs containing the internal server name of our AGC. From a security perspective this is not an acceptable solution.

If I instead configure the logon point to use both RSA and AD authentication profiles, I get a Citrix Receiver screen asking me to enter all my login credentials as expected, but when I log in with my password and RSA tokencode a dialog box appears saying 'Access Gateway Unexpected Response' with 'OK' as the only option. This is after ensuring the receiver settings were changed to 'Access Gateway' and 'Advanced Edition' with security token set to 'ON' and 'domain+security token' ticked. If I do not set any of these receiver options, I am taken to a WI style login page which I can log in to with my RSA token, but it then displays a plain text screen with the first line reading 'true false true add https://<CAG FQDN>' followed by about a dozen lines of URLs referencing my CAG's FQDN and relating to various .aspx pages. Not particularly useful!

Has anyone else encountered these issues and if so, how have you got around them? Does anybody else have a logon point working for iPad devices that uses RSA authentication specifically within a CAG Advanced/AGC setup?

Thanks for any help anyone can give me!

Edited by: Tim Lovelock on 24-Oct-2011 06:43
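The 'unauthenticated' logon point described above exposes two things a defender would want to verify from the outside: that the logon point is served without any authentication challenge, and that the returned XML names internal hosts. The following Python is an added example written for this thread, not code from Citrix or from the original poster. It assesses a captured HTTP response for both conditions. The response, the public FQDN, the internal DNS suffix and the XML skeleton are all constructed placeholders; the real PNAgent config.xml schema is not reproduced here, only its URL-bearing shape matters to the check.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders: these are not real hostnames from the thread.
PUBLIC_FQDN = "gateway.example.com"            # the CAG's externally visible name
INTERNAL_SUFFIXES = (".corp.example.local",)   # DNS suffixes that must never leak

# Constructed sample of what a browser received from an 'unauthenticated'
# logon point: HTTP 200, XML body, one URL pointing at the internal AGC name.
# The element names are made up; only the embedded URLs are checked.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "text/xml"},
    "body": (
        "<?xml version='1.0'?><Config>"
        "<Enumeration>https://agc01.corp.example.local/Citrix/PNAgentTest/enum.aspx</Enumeration>"
        "<Launch>https://gateway.example.com/lp/iPhone/launch.aspx</Launch>"
        "</Config>"
    ),
}


def requires_authentication(resp):
    """True when the gateway challenged or redirected instead of serving content."""
    if resp["status"] in (401, 403):
        return True                 # explicit challenge or denial
    if resp["status"] in (301, 302, 303, 307, 308):
        return True                 # bounced, presumably to a logon page
    return False


def leaked_internal_hosts(body, public_fqdn, internal_suffixes):
    """Collect hostnames in the body that are not the public FQDN and carry an
    internal DNS suffix. Returns a sorted list so results are stable."""
    hosts = set()
    for url in re.findall(r"https?://[^\s<>'\"]+", body):
        host = urlparse(url).hostname
        if host and host != public_fqdn and host.endswith(internal_suffixes):
            hosts.add(host)
    return sorted(hosts)


def assess_logon_point(resp, public_fqdn, internal_suffixes):
    """Return a list of findings for one logon point response; empty means clean."""
    findings = []
    if not requires_authentication(resp):
        findings.append("content served without an authentication challenge")
    hosts = leaked_internal_hosts(resp["body"], public_fqdn, internal_suffixes)
    if hosts:
        findings.append("internal hostnames disclosed: " + ", ".join(hosts))
    return findings


if __name__ == "__main__":
    for finding in assess_logon_point(SAMPLE_RESPONSE, PUBLIC_FQDN, INTERNAL_SUFFIXES):
        print("FINDING:", finding)
```

To use this against your own gateway, capture the response to the logon point URL with any HTTP client while not logged in and feed its status and body to `assess_logon_point`; a correctly configured logon point yields no findings because the gateway redirects or challenges before any XML is returned.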



Scott McDonald Citrix Employees

Scott McDonald
  • 1,837 posts

Posted 24 October 2011 - 03:29 PM

Tim, the Receiver for iPad can only connect to AG 5.0 in native mode if the AG is not performing authentication - RSA is not possible in this case.

The Receiver for iPad will connect to a standard AG logon point using a web view and will support the RSA login configured on the AG server.


Helpful Answer

Tim Lovelock Members

Tim Lovelock
  • 5 posts

Posted 24 October 2011 - 04:00 PM


Hi Scott, many thanks for this reply. Sorry to be a bit thick though, but I'm not sure I completely understand your response.

I think I understand the second part about being able to set up the iPad receiver to connect to a standard logon point. I assume you mean a logon point on the AGC that is configured with a standard XenApp WI resource rather than a XenApp services site? I appreciate this will probably work within a web view context on the iPad but I assume this means I will lose all the snazzy look and feel of the new Citrix Receiver such as the desktop area with the ability to create favourites and so on?

The bit that I really don't get though is your first paragraph. Firstly, what exactly is 'native mode'? Secondly, the AG is clearly not performing authentication, but then surely it never would in advanced mode when there is an Access Gateway Controller configured? I assumed the authentication process was handled on either the AGC (which hosts the logon point) or on the WI site (if the logon point on the AGC is configured to be 'unauthenticated'). How would you go about configuring the authentication to take place on the Access Gateway itself?

In summary though, I assume that the gist of your first paragraph is that I will not be able to get RSA authentication working with a CAG/AGC logon point that is configured to point to a XenApp Services site. Can you confirm that I'm correct in this assumption? Assuming I am, is this something that will simply never work, or are there plans to add this functionality to a later version of CAG/AGC/WI/Receiver?

Thanks again for taking the time to reply!



Scott McDonald Citrix Employees

Scott McDonald
  • 1,837 posts

Posted 24 October 2011 - 04:03 PM

Hi Tim, native mode is when it is used with a XenApp Services site - in this mode with AG 5.0, the authentication must be handled by the XA Services site, not the AG or AGC - unfortunately XA Services sites do not support two factor authentication, so your surmise is correct - you will not be able to do two factor authentication with the XA Services site.

This functionality will be added to Receiver for iOS in a future update.


Best Answer

Tim Lovelock Members

Tim Lovelock
  • 5 posts

Posted 24 October 2011 - 04:09 PM


Hi Scott,

Okay, that's a shame, but at least you've saved me from any further banging of my head against this particular wall...!

Thanks again for your help with this and also for your quick replies.



Alan Laird Members

Alan Laird
  • 1 posts

Posted 30 January 2012 - 03:45 PM

Hi,

We are hitting the same issue. However we need to use 2 factor authentication to satisfy security policy requirements. Is there any fix or workaround for this yet?

thanks



Jack Paterdis Members

Jack Paterdis
  • 5 posts

Posted 21 May 2012 - 04:55 AM

We are having the same problem.

Upgraded from CAG 4.6.2 and AAC to CAG 5.0.4 and AC.

Since upgrading 2 factor authentication using RSA does not work at the Access Gateway like it did in the previous version.

Pretty damn pathetic....


