
FAS to XenDesktop Pub Desktop to Pub Application SSO pass through


David Ray

Question

We are using SAML with an external identity provider through Netscaler and Storefront using FAS to our published desktops in XenDesktop. This is working pretty well.

Within the published desktop (pooled, random, provisioned by PVS) we have Receiver installed with SSO/Pass-through for access to a few published applications that are not in our image for one reason or another.

The scenario works fine when you login the normal way... userid and password at Storefront or Netscaler.

But when going in via SAML the Storefront logs into the pub desktop VDA with a SmartCard Cert provided by FAS. This works fine... except for Receiver and the published apps. Receiver obviously has nothing to pass on to the XenApp VDA to logon. When you try you get a Server 2008 console screen in a window. You can click Switch User and logon... although the application does not actually start. I have configured Storefront to allow SmartCard authentication but that does not fix it.

I have tried latest versions of Storefront (3.9) and Receiver (4.8). VDAs are 7.13.

Anyone know if it is possible for this to work and if so how?

I made a nice(ish) ASCII diagram I was going to paste here but you cannot choose a monospaced font so it looks bad. Here is a link to the ASCII diagram if you are interested. Also attached it in a text file if you are leery about clicking on links (reasonable).

Thanks,
David


FAS_SSO_Problem.txt

21 answers to this question


Well... I really hate to go on record for the whole internet to see... but it is working now. And I am not sure when it started working.

René, yeah, all those things you mentioned last I had already checked. I really think my problem was probably in getting my VDI environment switched successfully from the old Storefront stores with old 6.5 XenApp to the new Storefront stores with new FAS configured 7.x XenApps. Some configs were baked into the image, some were GPO. Hard to get them all right at the same time. I probably got it fixed at some point and didn't realize it.

Still, it's odd... I had it fixed enough to get the screenshot I attached earlier. I don't know... it's working now.

Anyway, thanks René, the fact that you understood what I was doing and could say it worked for you gave me confidence to keep plugging away at it.

See ya,

David


Sorry to be so slow to respond... I went on vacation and tuned all this out for a while. I did try that (enabling InSession Certs). It does not help. And that stands to reason I think. Receiver pass-through auth probably doesn't know anything about Smart Card certificate authentication.

/David


Apparently I am not doing a good job of explaining. There are no visible errors. The applications work fine if you run them directly from Storefront. What I am doing is publishing the applications to a XenDesktop desktop.

My users use XenDesktop desktops for nearly all their work. A few users get special applications published to their XenDesktop desktop from XenApp. This works fine using the normal logon methods (Userid/Password to Storefront/Netscaler Gateway).

The breakdown is when the users login using federated authentication. In our case we are using a service with Netscaler to provide multi-factor authentication. The Netscaler uses SAML and the Citrix Federated Authentication Service (FAS) to authenticate to the XenDesktop desktop. So far so good... this works.

But then when the user attempts to access the published app (or sooner if I have pre-launch enabled) they just get the Windows Server 2008 R2 (our XenApp server OS) logon dialog because Receiver has (apparently) failed to pass-through the authentication. (Screenshot attached.)

Maybe I am the only person to ever try this. My coworker spent hours with Citrix Support and got basically nowhere (although he may have been worse at explaining than I have been).

It is unclear to me if this can never work and I am wasting my time or if it is just something with my environment that, if I could fix it, would then work.


Hmm, that's strange. Once again I would double-check the FAS GPO on your XenApp. Look in the registry to see if the FQDN is really applied. Some other things to check:

- single domain?

- check user rules on FAS (all StoreFronts and VDAs allowed)?

- stores on the StoreFronts in question are enabled to request claims by running the PS script?


If you are using FAS for the first hop (i.e. to reach the published desktop), you cannot use Receiver's SSO feature (since this uses a credential capture mechanism that won't work with FAS).

Here's how the deployment should be configured:

- Receiver SSO NOT enabled as noted above

- Second hop StoreFront configured for "domain pass thru" (will allow Receiver to SSO to second hop StoreFront to enumerate published apps)

- Second hop StoreFront FAS enabled (will allow SSO to second hop VDA where app is hosted)

The FAS server(s) used by the second hop StoreFront can be the same OR different from the FAS server(s) used by the first hop StoreFront - it doesn't matter.

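A PowerShell sketch of the second-hop StoreFront store configuration the answer above describes, added here as an illustration; it is not code from the answer, from Citrix, or from the original poster. It assumes the StoreFront PowerShell SDK on the second-hop StoreFront server, a placeholder store path of /Citrix/Store, and cmdlet names as recalled from that SDK, which should be checked against the SDK version actually installed.

```powershell
# Added example: configure the SECOND-hop StoreFront store for the flow in the thread
# (Receiver on the FAS-authenticated published desktop -> second-hop StoreFront -> XenApp VDA).
# Assumptions: run in an elevated session on the second-hop StoreFront server; the store
# virtual path is a placeholder; cmdlet names are from the StoreFront SDK as recalled here.
# Verify them first with: Get-Command -Module Citrix.StoreFront*

Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module

$StoreVirtualPath = "/Citrix/Store"   # placeholder: virtual path of the second-hop store

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
if (-not $store) { throw "Store $StoreVirtualPath not found on this server" }
$auth = Get-STFAuthenticationService -StoreService $store

# Step 1 (answer's second bullet): "domain pass thru" for this store, i.e. the
# IntegratedWindows protocol, so Receiver inside the desktop can enumerate apps
# with the desktop's Windows logon identity instead of captured credentials.
Enable-STFAuthenticationServiceProtocol -AuthenticationService $auth -Name IntegratedWindows

# Step 2 (answer's third bullet): FAS on this store, so the launch to the second-hop
# VDA is done with a FAS-issued certificate rather than a password Receiver never had.
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

# Step 3 (answer's first bullet) is NOT done here: Receiver SSO/pass-through is a
# setting of the Receiver install in the desktop image or its GPO, and it must stay off.

# Check the result: protocols on the store and the VDA logon data provider in use.
Get-STFAuthenticationServiceProtocol -AuthenticationService $auth
(Get-STFStoreLaunchOptions -StoreService $store).VdaLogonDataProvider
```

The first-hop StoreFront (the one the user authenticates to via SAML and FAS) is left unchanged by this script.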
2 hours ago, David Williams1709151547 said:

If you are using FAS for the first hop (i.e. to reach the published desktop), you cannot use Receiver's SSO feature (since this uses a credential capture mechanism that won't work with FAS).

Here's how the deployment should be configured:

- Receiver SSO NOT enabled as noted above

- Second hop StoreFront configured for "domain pass thru" (will allow Receiver to SSO to second hop StoreFront to enumerate published apps)

- Second hop StoreFront FAS enabled (will allow SSO to second hop VDA where app is hosted)

The FAS server(s) used by the second hop StoreFront can be the same OR different from the FAS server(s) used by the first hop StoreFront - it doesn't matter.

Thanks for the response, David.

- Receiver SSO NOT enabled as noted above

     Should we disable SSOEnabled on Receiver?

And do we need to set AuthenticationService to FASClaimsFactory?

If the 1st hop published desktop is accessed directly from Storefront from the internal network without FAS, does the 2nd hop connection still work?


I tried to get around the same problem by enabling smartcard pass-through in the default.ica file on the StoreFront, as I figured the user has logged on with a smartcard class certificate issued by FAS. Unfortunately, I couldn't get this to work, so it looks like I may need to resort to enabling FAS on the second store.

https://docs.citrix.com/en-us/storefront/1912-ltsr/configure-authentication-and-delegation/configure-smart-card.html
