
Citrix Receiver SAML Authentication with Netscaler and FAS



Hi All

 

I have configured FAS with ADFS for SAML login via Netscaler. I followed Carl's instructions at the following link.

https://www.carlstalhood.com/citrix-federated-authentication-service-saml/

 

Everything works fine with these configurations. But I could also see that Citrix Receiver SAML authentication is only supported directly by StoreFront, without NetScaler.

 

Is it possible to configure NetScaler so that SAML authentication works with Citrix Receiver? Or is that not supported by Citrix?

 

Thank you for any tips.

 

Best regards

Sedric

 


10 hours ago, Carl Stalhood1709151912 said:

The newest versions of NetScaler and Workspace app should support web-based authentication. What versions are you trying?

 

Now I updated my environment.

 

Netscaler: NS12.1 48.13.nc

Citrix Receiver: 18.10.0.20023 (1810)

 

If I configure the account in Citrix Workspace App I receive the following error:

"Your account cannot be added using this server address"


2 hours ago, Srikanth Challa said:

@Sedric -

 

I would first suggest checking whether the same works with a browser and seeing at what step it breaks. The error you are getting looks to be at the initial URL stage, before authentication. Also try using HTML5 and see the behavior.

 

 

Hi Srikanth

 

With the browser I never had this problem. The HTML5 Receiver also works fine.

I am always facing this problem while entering the NetScaler Gateway address when I add a new account in Citrix Receiver.

As you say, it is already in the URL stage, before authentication.

 


You need to set the SAML policy as an Advanced policy, i.e. nFactor. So sadly you can't use the basic SAML policy. Once you get that set up, Receiver should direct to the auth page as expected. Here's some guidance to help get you going; this assumes the only auth method is AzureMFA, i.e. no next factors.

1 - Enable AAA if not already enabled

2 - Unbind your basic SAML policies from the Gateway

3 - Create the non-addressable Auth vServer. Some reference commands below:

add authentication vserver NSG_CTXGW_VS_AAA SSL 0.0.0.0

4 - Bind cert to the AAA vServer (can be same cert as your gateway)

bind ssl vserver NSG_CTXGW_VS_AAA -certkeyName yourcertkeypair

5 - Create authentication profile (links to the AAA, you will bind this to your Gateway)

add authentication authnProfile nFactor_AuthProfile_CTXGW -authnVsName NSG_CTXGW_VS_AAA

6 - Harden the AAA vServer (TLS, DH key, hardened ciphers, disable SSL and TLS 1.1/1.0)

7 - Add the advanced auth policy; note that you can link it to the AzureMFA profile you presumably made earlier. Update the profile name in the command below. Instead of the rule you can use true; my use case needed to support site-specific as well as GSLB URLs for auth, so I added logic based on hostname for the SAML policies.

add authentication Policy AzureMFA_CTXGW_AAA_Policy -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"citrix.yourdomain.com\")" -action AzureMFA_Profile

8 - Bind the auth policy to the AAA vServer

bind authentication vserver NSG_CTXGW_VS_AAA -policy AzureMFA_CTXGW_AAA_Policy -priority 100 -gotoPriorityExpression NEXT

9 - Bind the authentication profile to the Gateway

10 - Test both web and Workspace App auth

 

Also, be sure to configure this on your StoreFront servers to avoid SmartCard logon errors after StoreFront timeouts when logging in via Gateway. Will require clearing client browser cache once implemented and propagated though.

https://support.citrix.com/article/CTX227673

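A constructed Python model of how the AAA vServer in the steps above picks among advanced authentication policies by priority and Host header (step 7), and of how the CONTAINS rule differs from an exact hostname match. This is an added illustration, not NetScaler code or anything from the thread; the site-specific and GSLB policy and profile names are made up.

```python
"""Toy model of nFactor policy selection on the AAA vServer (constructed example).

Mimics walking the bound advanced authentication policies in ascending priority,
evaluating each Host-header rule and returning the first matching action
(the SAML / AzureMFA profile). With a single factor, first hit wins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Policy:
    name: str
    priority: int
    rule: Callable[[Dict[str, str]], bool]  # stands in for the -rule expression
    action: str                              # stands in for -action <profile>


def host_contains(needle: str) -> Callable[[Dict[str, str]], bool]:
    """Equivalent of HTTP.REQ.HEADER("Host").CONTAINS("needle"): plain substring match,
    so it also matches when the Host carries a :port suffix or a longer name."""
    return lambda hdrs: needle in hdrs.get("Host", "")


def host_equals(expected: str) -> Callable[[Dict[str, str]], bool]:
    """Tighter alternative: exact hostname match after dropping any :port suffix."""
    return lambda hdrs: hdrs.get("Host", "").split(":")[0].lower() == expected.lower()


def select_action(policies: List[Policy], headers: Dict[str, str]) -> Optional[str]:
    """Return the action of the lowest-priority-number policy whose rule matches."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(headers):
            return pol.action
    return None


# Site-specific plus GSLB hostnames, as in the poster's use case (names constructed).
CONTAINS_POLICIES = [
    Policy("AzureMFA_SiteA_Policy", 100, host_contains("citrix-a.yourdomain.com"), "AzureMFA_SiteA_Profile"),
    Policy("AzureMFA_GSLB_Policy", 110, host_contains("citrix.yourdomain.com"), "AzureMFA_GSLB_Profile"),
]
EXACT_POLICIES = [
    Policy("AzureMFA_SiteA_Policy", 100, host_equals("citrix-a.yourdomain.com"), "AzureMFA_SiteA_Profile"),
    Policy("AzureMFA_GSLB_Policy", 110, host_equals("citrix.yourdomain.com"), "AzureMFA_GSLB_Profile"),
]

if __name__ == "__main__":
    for host in ("citrix.yourdomain.com:443", "citrix-a.yourdomain.com", "oldcitrix.yourdomain.com"):
        print(host, select_action(CONTAINS_POLICIES, {"Host": host}), select_action(EXACT_POLICIES, {"Host": host}))
```

The last sample host shows the difference: a sibling name that merely contains the string is routed to the GSLB profile by CONTAINS but to no policy by the exact match, so decide which behaviour you want before copying the rule.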

On 1/30/2019 at 6:56 PM, Michael Shuster1709152649 said:

You need to set the SAML policy as an Advanced policy, i.e. nFactor. So sadly you can't use the basic SAML policy. Once you get that set up, Receiver should direct to the auth page as expected. Here's some guidance to help get you going; this assumes the only auth method is AzureMFA, i.e. no next factors.

...

I switched to advanced policy; however, the Workspace client still gives "your account cannot be added using the server address". Do you know if SAML authentication also needs to be configured on the StoreFront servers? The web client works fine with the normal NetScaler SAML / StoreFront FAS configuration.

On 1/30/2019 at 6:56 PM, Michael Shuster1709152649 said:

You need to set the SAML policy as an Advanced policy, i.e. nFactor. So sadly you can't use the basic SAML policy. Once you get that set up, Receiver should direct to the auth page as expected. Here's some guidance to help get you going; this assumes the only auth method is AzureMFA, i.e. no next factors.

...

 

I had this exact issue, followed these steps, and can confirm it is working now.

 

NetScaler Version: NS12.1 52.15.nc

Workspace Version: 19.9.0.21

 

Thanks!


From my testing (NetScaler 12.1 51.19):

 

- With nFactor, Workspace works as expected (now the Android/iOS apps do not work correctly; this must be a recent app update, as all methods worked about 3 months ago!)

- Going back to SAML basic auth on the NetScaler Gateway vServer, the current Android/iOS apps work fine (they never worked previously without nFactor), but Workspace (testing with 1909, might try a few older versions) no longer operates

 

Is anyone else experiencing this?

 

 


On 11/6/2019 at 11:52 AM, dpalchu521 said:

I switched to advanced policy; however, the Workspace client still gives "your account cannot be added using the server address". Do you know if SAML authentication also needs to be configured on the StoreFront servers? The web client works fine with the normal NetScaler SAML / StoreFront FAS configuration.

 

 

12.1 upgrade fixed the issue with Citrix Workspace. 

On 11/20/2019 at 10:07 PM, ScubaMiike said:

From my testing (NetScaler 12.1 51.19):

...

 

 

I found the workaround for the iOS client. You need to configure the connection manually and specify Web Interface as the option, not Access Gateway.

 

Update: works on Android without any modifications, just by setting up a new connection with the URL.

17 hours ago, David Liu1709157371 said:

Which version did you have the problem with? What full version of 12.1 did you upgrade to?

Came from one of the latest 11.1 versions (11.1 62.8, I think) and moved to 12.1 54.13. So I am guessing it's all of 11.1, not a specific release.


Hi all, I followed this guide to the letter: https://www.mycugc.org/blogs/ryan-gallier/2019/05/02/the-complete-guide-azuread-saml-authentication

 

Plus I've followed Michael Shuster's post, and confirmed it's basically the same thing as in the guide.

 

Through the web site everything works great, but using the Workspace app I always get "your account cannot be added using this server address". With the Workspace App for Android it gives me Error Code 548. I've double-checked this: https://support.citrix.com/article/CTX250706

 

My Citrix Storefront has the same base URL as the Netscaler vserver.

 

I've been trying all day and keep getting the error. I hope somebody has a clue.

 

Thanks!

 

Btw, using NetScaler NS13.0 58.32.nc and StoreFront 1912 LTSR CU1.

 

 
