
Azure MFA and the Citrix Cloud Service


Wayne Fisher1709152770

Question

Hi, I'm setting up a XenDesktop and XenApp service. The company has Azure MFA set up at the moment with an on-premises NS, and wants to move away from that model to the NetScaler Gateway service. I see that there is an Azure AD button within the Workspace Configurator. When logging in via this, MFA isn't triggered and it SSOs on via ADFS. Changing to just Active Directory obviously goes straight to LDAP on-premises via the CCCs, so it won't trigger MFA.

Is there a way to make it go via the MFA?


5 answers to this question


For anyone else who comes across this thread.

I was also working on this and had a hard time figuring out this exact situation. Here is how I got Azure AD to prompt for MFA.

After connecting to Azure AD from Citrix Cloud, you have to go into Azure as a global admin and accept the permissions Citrix requires to access Azure AD. This creates an Azure "Application". In my case it created 2. (I'm not sure if that will be the same for everyone, since I was experimenting a lot.)

After you have connected to Azure AD and the application is created, you need to go into Azure and navigate to "Azure Active Directory", then under Security select "Conditional Access".

Create a new policy and call it whatever you want. Under Assignments, select the user groups you want this policy to apply to. (Don't worry, this only applies if they meet all the conditions; this will not blanket turn on MFA.) Then under "Cloud apps or actions", search for Citrix and choose the Citrix applications that were created when you connected to Azure from Citrix Cloud. In my case there were 2 and I added both. Finally, under Access controls choose the "Grant" section, and on the right blade tick the "Grant access" radio button, check the box under it to require multi-factor authentication, and save.

As long as the user trying to access is part of Users and groups AND accessing from Citrix Cloud, they will be prompted for 2-factor.

HOWEVER, this does not fix the SSO portion, so they will still get prompted again to log into the session host or VM once they select the application/VM. I'm still working on this part and as soon as I have a way around this I will update this thread. I'm planning on using Federated Authentication Service, which is currently in tech preview, to accomplish this.

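The Conditional Access logic described in the answer above, as an added worked example (not code from this thread, nor from Citrix or Microsoft): a small offline Python model of how Azure AD decides whether a sign-in must satisfy MFA. The policy dictionary follows the shape of the Microsoft Graph conditionalAccessPolicy resource, but the app IDs, group IDs and user IDs are constructed placeholders (real tenants use GUIDs), and the evaluator is deliberately simplified: it covers user/group scoping, exclusions, application scoping, policy state and grant controls, and ignores device, location, platform and risk conditions.

```python
"""Offline model of Azure AD Conditional Access evaluation for the Citrix Cloud
scenario in this thread.  Added example; the policy mirrors the Microsoft Graph
conditionalAccessPolicy shape, the identifiers below are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed placeholder identifiers, not values from the thread or any tenant.
CITRIX_APPS = {"app-citrix-cloud", "app-citrix-workspace"}   # the "2 applications" the answer saw
GROUP_CITRIX_USERS = "grp-citrix-users"                        # group assigned in the policy
GROUP_BREAK_GLASS = "grp-break-glass"                          # emergency accounts kept out of MFA


@dataclass
class SignIn:
    user_id: str
    app_id: str                       # service principal (app) the token is requested for
    groups: set = field(default_factory=set)


def _user_in_scope(users: dict, s: SignIn) -> bool:
    """Exclusions always win over inclusions, as in the real service."""
    if s.user_id in users.get("excludeUsers", []):
        return False
    if s.groups & set(users.get("excludeGroups", [])):
        return False
    inc_users = users.get("includeUsers", [])
    if "All" in inc_users or s.user_id in inc_users:
        return True
    return bool(s.groups & set(users.get("includeGroups", [])))


def _app_in_scope(apps: dict, s: SignIn) -> bool:
    if s.app_id in apps.get("excludeApplications", []):
        return False
    inc = apps.get("includeApplications", [])
    return "All" in inc or s.app_id in inc


def policy_applies(policy: dict, s: SignIn) -> bool:
    """A policy enforces only when enabled AND every configured condition matches.
    'enabledForReportingButNotEnforced' (report-only) is logged but never enforced."""
    if policy.get("state") != "enabled":
        return False
    cond = policy["conditions"]
    return _user_in_scope(cond["users"], s) and _app_in_scope(cond["applications"], s)


def required_controls(policies: list, s: SignIn) -> set:
    """Union of grant controls from every policy that applies to this sign-in."""
    controls = set()
    for p in policies:
        if policy_applies(p, s):
            controls |= set(p.get("grantControls", {}).get("builtInControls", []))
    return controls


def decision(policies: list, s: SignIn) -> str:
    """'block' beats 'mfa', which beats plain 'allow'."""
    controls = required_controls(policies, s)
    if "block" in controls:
        return "block"
    return "mfa" if "mfa" in controls else "allow"


def mfa_required(policies: list, s: SignIn) -> bool:
    return "mfa" in required_controls(policies, s)


# The policy the answer describes: the Citrix group, both Citrix apps, grant with MFA.
CITRIX_MFA_POLICY = {
    "displayName": "Require MFA for Citrix Cloud",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "excludeUsers": [],
                  "includeGroups": [GROUP_CITRIX_USERS], "excludeGroups": [GROUP_BREAK_GLASS]},
        "applications": {"includeApplications": sorted(CITRIX_APPS), "excludeApplications": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    member = SignIn("alice", "app-citrix-cloud", {GROUP_CITRIX_USERS})
    print("no policy yet (the original question):", decision([], member))
    print("policy in place, member via Citrix   :", decision([CITRIX_MFA_POLICY], member))
    print("member via some other app             :",
          decision([CITRIX_MFA_POLICY], SignIn("alice", "app-other", {GROUP_CITRIX_USERS})))
    print("non-member via Citrix                 :",
          decision([CITRIX_MFA_POLICY], SignIn("bob", "app-citrix-cloud", set())))
```

Two failure modes worth checking against this model before trusting a real tenant: a policy left in report-only state never prompts, and a policy that includes only one of the two Citrix service principals leaves sign-ins through the other one without MFA, which is why the answer adds both. After deploying, confirm the result in the Azure AD sign-in logs (the Conditional Access tab shows which policies applied and why) rather than relying on a single test login.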

From my understanding, you'd need to configure your on-prem NS to be your NS Gateway Service for the cloud. I.e. your NS would have to have an external presence and you'd configure your resource location to point to your on-prem NS as an authentication provider.

We have almost the exact scenario with Azure MFA on prem.

There is a configuration article somewhere, but I can't seem to find it....

On 16/07/2018 at 4:37 PM, Wayne Fisher1709152770 said:

Hi, I'm setting up a XenDesktop and XenApp service. The company has Azure MFA set up at the moment with an on-premises NS, and wants to move away from that model to the NetScaler Gateway service. I see that there is an Azure AD button within the Workspace Configurator. When logging in via this, MFA isn't triggered and it SSOs on via ADFS. Changing to just Active Directory obviously goes straight to LDAP on-premises via the CCCs, so it won't trigger MFA.

Is there a way to make it go via the MFA?

Did you get this to work in the end?

On 8/13/2019 at 10:27 AM, Daniel Tackett1709156956 said:

...

HOWEVER, this does not fix the SSO portion, so they will still get prompted again to log into the session host or VM once they select the application/VM. I'm still working on this part and as soon as I have a way around this I will update this thread. I'm planning on using Federated Authentication Service, which is currently in tech preview, to accomplish this.

In regards to this SSO topic...

To get full SSO into the Windows desktops, this requires Federated Authentication Service. We have a tech preview for Cloud FAS you should look at. You will need to have Federated Authentication Service deployed on prem. Then you can add FAS as an IdP under Workspace Configuration.

For more info see:

https://docs.citrix.com/en-us/citrix-workspace/workspace-federated-authentication.html

https://www.citrix.com/blogs/2019/12/19/tech-preview-federated-authentication-service-for-citrix-workspace/
