Jump to content


Photo

How can we disable NetScaler authentication and have it on storefront?

Started by Tejas Samarth , 10 February 2016 - 02:40 PM
22 replies to this topic

Tejas Samarth Members

Tejas Samarth
  • 5 posts

Posted 10 February 2016 - 02:40 PM

We are facing one issue which is hindering our user experience. We have developed a webclient using Storefront Web API, which does what Citrix HTML5 client does. For load balancing we have deployed NetScalar and configured domain name and SSL certificate on it. While accessing our client it gets redirected to NetScalar gateway authentication page. We are not sure if we can bypass NetScalar authentication and take user directly to our authentication landing page without authenticating on NetScalar.

 

Thus we need some help here, we did some search and found 2 articles where it is mentioned that we can disable the NetScalar authentication and can directly go to Storefront or in our case should go to our clients landing page.

 

1. http://support.citrix.com/article/CTX200066?_ga=1.199726441.63944912.1453906400

 

2. http://www.basvankaam.com/2014/11/24/the-ultimate-xendesktop-7-x-internals-cheat-sheet/

 

But we are not sure how to configure it, thanks in advance for any help and support.  :)



Carl Stalhood CTP Member

Carl Stalhood
  • 11,582 posts

Posted 10 February 2016 - 09:57 PM

Maybe this: http://support.citrix.com/article/CTX200066



Tejas Samarth Members

Tejas Samarth
  • 5 posts

Posted 11 February 2016 - 06:52 AM

 

Thanks for your reply Carl, can you please pin point where exactly to look for following setting on NetScaler as mentioned in the post.

 

Changes on the NetScaler Gateway

  1. Open the NetScaler Gateway virtual server.

  2. Click the Authentication tab and ensure that the Enable Authentication check-box is cleared.

  3. Bind the corresponding session policy to the NetScaler Gateway virtual server.

  4. Test the connection.

     

     



Carl Stalhood CTP Member

Carl Stalhood
  • 11,582 posts

Posted 11 February 2016 - 12:27 PM

Looks like those instructions were written for 10.1. Edit your Gateway, In the Basic Settings section click the pencil icon. Then click More to expand the box. There's a checkbox for "Enable authentication".



Tejas Samarth Members

Tejas Samarth
  • 5 posts

Posted 16 February 2016 - 09:42 AM

Thanks Carl, got it.. :)

 

Looks like those instructions were written for 10.1. Edit your Gateway, In the Basic Settings section click the pencil icon. Then click More to expand the box. There's a checkbox for "Enable authentication".



Tejas Samarth Members

Tejas Samarth
  • 5 posts

Posted 16 February 2016 - 11:17 AM

Looks like those instructions were written for 10.1. Edit your Gateway, In the Basic Settings section click the pencil icon. Then click More to expand the box. There's a checkbox for "Enable authentication".

 

Thanks Carl that was helpful, we are trying to setup it up.

 

One thing I have come across in the discussion was “Note: This procedure only works for web browser access (Receiver for Web). Receiver Clients will not authenticate if authentication is not enabled at the NetScaler Gateway VIP.”

Correct me if I’m wrong if we disable the authentication on NetScaler, Citrix Native Receiver will not be able to authenticate and work.

 

If I'm correct can you tell us if its possible to have two sets of authentication mechanism on same NetScaler one for Web Receiver with authentication disable and other for Native Receiver with authentication enabled.



Carl Stalhood CTP Member

Carl Stalhood
  • 11,582 posts

Posted 16 February 2016 - 12:17 PM

I don't think so. You would instead need two different Gateways (two different DNS names). Feel free to lab it up.



praveen Pa Members

praveen Pa
  • 6 posts

Posted 16 February 2016 - 07:04 PM

Hi Carl,

 

thanks for the comment. we have tried your suggestion on removing authentication which we managed to setup correctly . Now when we hit netscaler URL we are directly pointed to Storefront login screen however when we login we get error message .

 

"Your logon has expired. Please log on again to continue."

 

any clue would help us please



praveen Pa Members

praveen Pa
  • 6 posts

Posted 16 February 2016 - 08:25 PM

Hi Carl,

 

thanks for the comment. we have tried your suggestion on removing authentication which we managed to setup correctly . Now when we hit netscaler URL we are directly pointed to Storefront login screen however when we login we get error message .

 

"Your logon has expired. Please log on again to continue."

 

any clue would help us please



Carl Stalhood CTP Member
  • #10

Carl Stalhood
  • 11,582 posts

Posted 16 February 2016 - 09:53 PM

What error are you seeing in the Event Viewer > Applications and Services > Citrix Delivery Services in StoreFront?

I think the article was updated today. Make sure you followed all of the instructions.

Carl Stalhood CTP Member
  • #11

Carl Stalhood
  • 11,582 posts

Posted 16 February 2016 - 09:55 PM

For load balancing, Are you doing SSL on the front end and HTTP on the back end? If so, make sure you enable HTTP Loopback by running Set-DSLoopback. https://www.citrix.com/blogs/2015/06/30/whats-new-in-storefront-3-0/

praveen Pa Members
  • #12

praveen Pa
  • 6 posts

Posted 17 February 2016 - 06:29 PM

We are not using loadbalancing for storefront . and as you said 

 

we use https in frontend and http on the backend. i got it i missed to enable netscaler for this store in storefront.

 

Now able to login and enumeration everything perfect. when we launch we receive citrix receiver cannot connect to server "websocket return code 1015"



praveen Pa Members
  • #13

praveen Pa
  • 6 posts

Posted 17 February 2016 - 06:32 PM

look like SSL is having issue

reason = "The connection was closed due to a failure to perform a TLS handshake (e.g., the server certificate can't be verified).";

 

 

in this environment i used local CA to issue the cert. i will update you once we get SSL from godaddy .



praveen Pa Members
  • #14

praveen Pa
  • 6 posts

Posted 18 February 2016 - 06:50 PM

Hi Carl,

 

After updating the ssl cert appp launch works perfectly.

 

one issue is not clear in session policy when i give storefront URL as https netscaler is not working .  When i make http traffic internally it works perfectly. what could be the reason ?



Carl Stalhood CTP Member
  • #15

Carl Stalhood
  • 11,582 posts

Posted 18 February 2016 - 07:42 PM

See http://support.citrix.com/article/CTX205578

Naser Naseri Members
  • #16

Naser Naseri
  • 5 posts

Posted 08 January 2017 - 08:40 AM

Looks like those instructions were written for 10.1. Edit your Gateway, In the Basic Settings section click the pencil icon. Then click More to expand the box. There's a checkbox for "Enable authentication".

 

Sorry but i can't see "Enable authentication" in NetScaler v11.1 when i editing my gateway !?? 



Carl Stalhood CTP Member
  • #17

Carl Stalhood
  • 11,582 posts

Posted 08 January 2017 - 05:45 PM

In the Basic Settings section, did you click More Settings?

Naser Naseri Members
  • #18

Naser Naseri
  • 5 posts

Posted 09 January 2017 - 06:23 PM

Thanks i found it ...



Patrice Jacques-Gustave Members
  • #19

Patrice Jacques-Gustave
  • 12 posts

Posted 09 January 2017 - 06:53 PM

Hi all,

 

In Citrix Storefront 3.6, if we uncheck Pass-through from NetScaler Gateway in Manage Authentication Methods, Citrix explain that is not possible to come via Citrix NetScaler so how this following Citrix KB can works exactly ?

 

https://support.citrix.com/article/CTX200066

 

I have followed this KB and I have thi message "Open session is expired...Open a new session"

 

In Citrix Storefront the Configure Remote Access Settings works together with Pass-through from NetScaler authentication...



Naser Naseri Members
  • #20

Naser Naseri
  • 5 posts

Posted 05 February 2017 - 03:34 PM

In the Basic Settings section, did you click More Settings?

 Hi

now i disabled authentication . but after i enter my credential , i faced an error that say

"your login has expired. please login again to continue"

after i enter my logon i see this error again and again ...

(i disabled netscaler authentication in authentication method & enable remote access and set to full-vpn in remote access setting)

 

any idea ?