Stewart Michie
Posted April 1, 2021

Hi All

Am stuck on a bit of a weird problem with an unwanted authentication prompt within the Windows Receiver and Workspace apps.

We're using ADC/Netscaler v12.1.60.x for remote access to Citrix. We're using nFactor Auth:

1st Factor: Azure AD SAML
2nd Factor: LDAP

The LDAP 2nd factor is being used as we don't want to use FAS and it was the only way to keep Storefront happy with logon via Netscaler.

The login process flows as follows:

1. User accesses NetScaler URL https://citrix.company.com
2. User is redirected from NetScaler (SP) to SAML IDP
3. User completes SAML IDP and if successful, is redirected back to NetScaler (SP)
4. User is prompted for their AD password - We're using the PrefilUserFromExpr.xml schema so the username (in UPN format) is pre-filled from the SAML response. The LDAP profile is configured to only accept a UPN as a username.
5. User enters AD password and if successful, Storefront opens and users can access their apps

This works brilliantly from the web browser and iPad Workspace app. But for some reason on the Windows Receiver or Workspace application, after the two successful SAML and LDAP authentication steps, users are being prompted for credentials again by a Receiver/Workspace dialog box. Weirdly, this dialog box only successfully authenticates when using the pre-Windows 2000 login name (not UPN).

I suspect it is something to do with Storefront Configuration, but not sure where to start. Attached is a screenshot of the final, unwanted credentials prompt.

The only LDAP profile associated with the VS is configured to only accept UPN, so I don't think it is related to the NetScaler LDAP configuration.

Appreciate any help or guidance!
ArnaudP1
Posted April 20, 2021

On 3/31/2021 at 9:31 PM, Stewart Michie said:
> Hi All Am stuck on a bit of a weird problem with an unwanted authentication prompt within the Windows Receiver and Workspace apps. [...]

Hello,

As your first factor is SAML, did you try to uncheck the Authentication box on the LDAP server on the ADC?

Thanks
Arnaud
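For readers who manage the ADC from the CLI rather than the GUI, the following is an added example (not either poster's configuration) showing what the reply's "uncheck the Authentication box" corresponds to on an LDAP action used as the nFactor 2nd factor. The server address, base DN, bind account and action name are placeholders chosen for illustration; the parameter names are the standard `add/set authentication ldapAction` options.

```text
# Added example, not from the thread. Hypothetical values:
# LDAP server 10.0.0.10 (LDAPS on 636), base DN dc=company,dc=com,
# bind account svc_ldap@company.com, action name LDAP_2ND_FACTOR.
#
# 2nd-factor LDAP action as the original poster describes it: the login
# name must be a UPN and the user's AD password is verified by binding
# to the directory (-authentication ENABLED is the default).
add authentication ldapAction LDAP_2ND_FACTOR -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=company,dc=com" -ldapBindDn "svc_ldap@company.com" -ldapBindDnPassword "<bind-password-placeholder>" -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -authentication ENABLED

# The change the reply suggests, done on the CLI: the GUI "Authentication"
# checkbox is the -authentication flag. With it DISABLED the ADC only looks
# the user up (via the bind account) and extracts group membership; it no
# longer binds as the user, so the password typed at this factor is not
# verified against AD.
set authentication ldapAction LDAP_2ND_FACTOR -authentication DISABLED

# Confirm the resulting setting.
show authentication ldapAction LDAP_2ND_FACTOR
```

Because `-authentication DISABLED` turns the LDAP step into a lookup-only factor, the SAML IdP becomes the only place a credential is actually checked in this flow; confirm that is acceptable for the deployment before applying it, and keep the `-ldapLoginName userPrincipalName` setting so the pre-filled UPN from the SAML response still resolves to the right user object.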