
Unwanted authentication prompt within the Windows Receiver and Workspace apps.



Hi All

Am stuck on a bit of a weird problem with an unwanted authentication prompt within the Windows Receiver and Workspace apps.

We're using ADC/Netscaler v12.1.60.x for remote access to Citrix.

We're using nFactor Auth:

1st Factor: Azure AD SAML

2nd Factor: LDAP.

The LDAP 2nd factor is being used as we don't want to use FAS and it was the only way to keep Storefront happy with logon via Netscaler.

The login process flows as follows:

  1.  User accesses NetScaler URL https://citrix.company.com
  2.  User is redirected from NetScaler (SP) to SAML IDP
  3.  User completes SAML IDP and, if successful, is redirected back to NetScaler (SP)
  4.  User is prompted for their AD password - We're using the PrefilUserFromExpr.xml schema so the username (in UPN format) is pre-filled from the SAML response. The LDAP profile is configured to only accept a UPN as a username.
  5.  User enters AD password and, if successful, Storefront opens and users can access their apps

This works brilliantly from the web browser and iPad Workspace app.

But for some reason on the Windows Receiver or Workspace application, after the two successful SAML and LDAP authentication steps, users are being prompted for credentials again by a Receiver/Workspace dialog box. Weirdly, this dialog box only successfully authenticates when using the pre-Windows 2000 login name (not UPN). I suspect it is something to do with Storefront Configuration, but not sure where to start. Attached is a screenshot of the final, unwanted credentials prompt. The only LDAP profile associated with the VS is configured to only accept UPN, so I don't think it is related to the NetScaler LDAP configuration.

Appreciate any help or guidance!

prompt.PNG


  • 3 weeks later...
In reply to Stewart Michie's post of 3/31/2021, 9:31 PM:

Hello,

As your first factor is SAML, did you try to uncheck the Authentication box on the LDAP server on the ADC?

Thanks

Arnaud
