    The Complete Guide: AzureAD SAML Authentication into Citrix Virtual Apps and Desktops through Citrix Gateway



    by Ryan Gallier, CTA, Columbia SC CUGC Leader

    Took me a while to get this blog post going. There is a lot of information out there, and it took me looking over a bunch of other blogs to get this working. I figured I would write up everything I learned and found in this guide. Thanks to the following references: Aaron Parker, Carl Stalhood, Jason Samuel, and Anton Van Pelt.

    I’m sure there were some other links I used, but these were the biggest contributors.

    This article assumes a couple of things:

    • You already have a fully working Citrix Virtual Apps and Desktops environment
    • You have an Azure tenant with an Azure AD Premium P2 license
    • You have Citrix Gateway ADC 12.1 Enterprise license (or higher)

    Azure AD Connect

    This setup requires that you already have your users set up in Azure. In my case, I am using Azure AD Connect to sync my users up into my Azure AD tenant. I will walk through that setup here.

    The first thing I’m going to do is add my Azure UPN suffix into AD. You will likely be doing this with a real domain. In this example I’m just going to use the onmicrosoft.com domain given to me by Azure. Go into the Attribute Editor on the user and change the userPrincipalName (UPN) for this user.


    Next, on your AD controller, download Azure AD Connect https://www.microsoft.com/en-us/download/details.aspx?id=47594 and run it.

    PLEASE NOTE: Azure AD Connect is a very powerful tool that can have ramifications on your environment that you may NOT WANT. This is a simple example of syncing a couple of OUs with password hash sync only. If you want to understand more about Azure AD Connect, please read through the docs from Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity?toc=%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json

    Click Customize


    Click Install


    Click Next


    Next, you should set up a service account in Office 365 to use as the sync account. This user needs to be a Global Administrator.


    After you create the user, you will need to login to portal.azure.com as that user so you can change the password.  

    You likely want to set this sync user's password to never expire. You can set that, and then verify it, with the following PowerShell (AzureAD module):

    # Set the sync account's password policy to never expire
    Set-AzureADUser -ObjectId o365sync@ryangalliervc3.onmicrosoft.com -PasswordPolicies DisablePasswordExpiration
    # Verify: PasswordNeverExpires should now report True
    Get-AzureADUser -ObjectId o365sync@ryangalliervc3.onmicrosoft.com | Select-Object UserPrincipalName,@{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

    Then click Next


    You can let AD Connect create an account, or you can create your own.  In this lab I just let AD Connect create it. Hit OK here.


    Then click Next


    In this example, I don’t have a verified domain name, so click Next here. (If you did, you would match up the UPN suffix with the Azure AD domain name here.)


    In my example I’m going to limit sync to the OU of my users. 


    Click Next here.


    Click Next here


    Click Next here


    Lastly, hit Install.


    When this is done, you should see your users in your Azure AD portal. My environment only has the one testuser right now. Notice the user has the matching UPN suffix ryangalliervc3.onmicrosoft.com.


    Certificate Authority

    After all of this is done, we need to set up an Enterprise CA in our environment. I’m going to put this on the AD controller, but you can pretty much put it wherever you like. Add it through Roles and Features.


    I kept all the defaults here.


    Install


    Configure the CA now


    After this is done you need to issue a certificate to the AD controller. On the domain controller, open up mmc.

    Click File, Click Add/Remove Snap-in, Select Certificates, click Add, then select Computer account, Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.  Press Next.  Select Domain Controller Authentication and press Enroll.


    FAS Server

    After this is done, let’s set up FAS. You can reference Carl’s article, or you can just follow along here.

    Run autoselect.exe from the CVAD media whichever way you like (mount the ISO, extract the ISO, etc.) and click “Federated Authentication Service”.


    It may or may not ask you to reboot. Reboot if it asks you.

    Grab the ADMX/ADML files and put them on your domain controller.


    Create a GPO that applies to the FAS, StoreFront, and VDA servers and points them at the FAS server.


    Run gpupdate on the FAS/VDA/StoreFront servers and make sure the registry key that points them to the FAS server shows up:

    HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses


    Once this is in place, we can start configuring FAS. Make sure you “run as administrator”.


    Step 1, start, ok. 


    You may or may not want to disable AutoEnroll. This is detailed in Carl’s article under Step 5.

    Now click Step 2, start, ok.  It should find your CA that we configured above.


    Step 3, start, ok.


    Now go back to your CA.  Open up the CA console and look for the pending request. 


    Issue it. Just right-click it, all tasks, and issue. Your FAS server should go green now.


    Click on the User Rules tab, add your CA, and point the Template to Citrix_SmartcardLogon.


    Edit the StoreFront Servers rule, remove Domain Controllers, and point it to your StoreFront server(s).


    You can change the VDA list if you want. By default it allows Domain Computers, which should be fine.

    Click Apply and close the FAS console. 

    Back on the StoreFront server.

    Run the following commands on the StoreFront server. (Make sure you change “/Citrix/test” to your store name.)

    # Load the StoreFront PowerShell modules
    & "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
    # Store to reconfigure (change to your store's virtual path)
    $StoreVirtualPath = "/Citrix/test"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    # Tell the authentication service and the store launch path to use FAS
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

    On the Delivery Controller, run the following command.

    asnp citrix.*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

    On your StoreFront server, go to Manage Authentication Methods, and Pass-through from Citrix Gateway, and select Configure Delegated Authentication. 


    Check this box and hit OK.


    Now go to “Manage Citrix Gateways” and Authentication Settings. You will need to add your vServer IP Address and callback URL here for this to work. 


    Make sure the Store points to this Citrix Gateway in (No VPN tunnel) mode.


    Azure AD

    Login to your Azure AD portal and go to Azure Active Directory. Click on Enterprise Applications and click + New Application.

    Click on Non-Gallery Application. (You will need an Azure AD P2 SKU for this.)


    Call it something.


    When that’s done, click on “Single sign-on” on the left and click SAML in the middle. 


    Edit “Basic SAML Configuration” under #1.


    Identifier will be the URL to your NetScaler. In my example it’s https://galliertest.domain.com

    Reply URL is the same URL with /cgi/samlauth on the end.

    Logout URL is the same URL with /cgi/logout on the end.

    Enter all of that and click save.


    Next, download the Certificate (Base64). We will use this on the Citrix Gateway to validate the signature on Azure AD’s SAML assertions.


    Then, copy the URLs in step 4 somewhere. We will need them for the Citrix Gateway.


    Lastly, we need to assign users to this application. Click “Users and Groups” on the left. I recommend you create an AD Security group with all of your users and assign it here. In my example, I have only allowed my testuser.


    Citrix Gateway Setup

    I am running on 12.1-51.19 Citrix Gateway ADC with an Enterprise License. 

    First, upload the SAML certificate we downloaded above under Traffic Management / SSL / Certificates / Server Certificates.


    This will show up in “Unknown Certificates”


    We now need to set up an Authentication vServer. Go to Security / AAA – Application Traffic / Virtual Servers and click Add.


    Bind your normal SSL certificate here.


    Add an Authentication Policy


    Add a policy.


    Fill it out like this (Expression: HTTP.REQ.IS_VALID) and click Add to create an action.


    First, uncheck “Import Metadata”

    Fill it out like this and hit create. 

    • Redirect URL = the Login URL you saved from Azure
    • Single Logout URL = the Logout URL you saved from Azure
    • Logout Binding = REDIRECT
    • IDP Certificate Name = the cert we downloaded from Azure
    • Signing Certificate Name = your normal cert
    • Issuer Name = your URL to connect to Citrix Gateway


    Apparently, there is a bug in the GUI on this screen. This is going to bomb. You need to use the CLI to add at least the baseline information, then come back in here and edit the rest. This is the command I used to get this to work.

    add authentication samlaction SAML_Auth_Srv -samlIDPCertName AzureAD-SAML -samlSigningCertName wildcard.xxxxxxxxx.com -samlredirectUrl https://fqdn
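The whole SAML side of the Gateway configuration expressed as CLI, as an added example that is not the author's command set: it fills in the action fields listed above and the policy, AAA vServer and authentication profile bindings that the GUI steps perform. The names SAML_Auth_Srv, SAML_vServer and AzureAD-SAML come from the post; the wildcard certificate name, Gateway vServer name, Gateway FQDN and the Azure URLs are placeholders you replace with the values saved from Azure step 4.

```nscli
# Added example, not the post's own commands. Replace every UPPER-CASE placeholder.

# 1. SAML action: Azure AD is the IdP, the Gateway FQDN is the SP issuer/identifier.
#    Reject unsigned assertions and require SHA-256 so a forged or downgraded
#    assertion is refused rather than accepted as a logon.
add authentication samlAction SAML_Auth_Srv -samlIdPCertName AzureAD-SAML -samlSigningCertName wildcard.EXAMPLE.com -samlRedirectUrl "LOGIN-URL-FROM-AZURE-STEP-4" -logoutURL "LOGOUT-URL-FROM-AZURE-STEP-4" -logoutBinding REDIRECT -samlIssuerName "https://GATEWAY-FQDN" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256

# 2. Non-addressable AAA vServer with the normal (public) SSL certificate bound.
add authentication vserver SAML_vServer SSL 0.0.0.0
bind ssl vserver SAML_vServer -certkeyName wildcard.EXAMPLE.com

# 3. Advanced authentication policy with the rule used in the GUI step,
#    bound with Goto Expression END so no further policies are evaluated.
add authentication Policy SAML_Auth_Pol -rule HTTP.REQ.IS_VALID -action SAML_Auth_Srv
bind authentication vserver SAML_vServer -policy SAML_Auth_Pol -priority 100 -gotoPriorityExpression END

# 4. Authentication profile that hands the Gateway vServer over to the AAA vServer
#    (replaces the Basic Authentication policy removed in the steps that follow).
add authentication authnProfile SAML_AuthProfile -authnVsName SAML_vServer
set vpn vserver GATEWAY-VSERVER-NAME -authnProfile SAML_AuthProfile

# 5. Confirm the action holds every field before returning to the GUI.
show authentication samlAction SAML_Auth_Srv
```

The NameID that Azure AD sends must equal the userPrincipalName that FAS resolves in AD, which is why the UPN suffix was matched up at the start of this guide.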

    It should look like this when you are done.


    Change Goto Expression to “END” and click Bind.


    Lastly, hit Continue and Done to close out of the vServer creation. You should see a green dot next to this vServer now. 


    Now we need to attach this policy to your Citrix Gateway vServer. In my scenario I have an existing vServer that already has an authentication policy. We are going to remove it and add this new SAML policy. 


    Remove your “Basic Authentication” Policy if you have one.


    Now that this is gone, hit + Authentication Profile on the right.


    Name it something and select the SAML_vServer we created above. 


    Hit Create, OK.

    Next, edit your Receiver session profile and REMOVE the “Single Sign-On Domain” value from the Published Applications tab. (This example has a value in it; that value is what you will be removing.)


    Hit OK, Close, and Done. 

    Now let’s test. Start with the website. I enter my URL. https://galliertest.xxxxxxxxxx.com. This redirects me to AzureAD to login. I put in my testuser account. 


    I login, and here are my apps/desktops! 


    Now let’s test Workspace App.


    NOTE: In our case we have other SSO-based apps that use AzureAD for auth. You will probably want to adjust your StoreFront timeout accordingly. Otherwise, after 5 minutes StoreFront will time out your credentials and you will have unhappy users needing to log in too often. :)

     

    See this CTX article - https://docs.citrix.com/en-us/storefront/current-release/manage-citrix-receiver-for-web-site/communication-timeout.html 

     

    That's it! Have fun!  

