Sedric Christopher1709154496, posted November 22, 2018:

Hi all,

I have configured FAS with ADFS for SAML login via NetScaler. I followed Carl's instructions at the following link:
https://www.carlstalhood.com/citrix-federated-authentication-service-saml/

Everything works fine with these configurations. But I could also see that Citrix Receiver SAML authentication is only supported directly by StoreFront, without NetScaler. Is it possible to configure NetScaler so that SAML authentication works with Citrix Receiver? Or is that not supported by Citrix?

Thank you for any tips.

Best regards,
Sedric
CarlStalhood, posted November 22, 2018:

The newest versions of NetScaler and Workspace app should support web-based authentication. What versions are you trying?
Sedric Christopher1709154496 (author), posted November 22, 2018:

NetScaler version: NS11.1 58.13.nc
Workspace app: 18.10.0.20023 (1810)
StoreFront: 3.15.0.18019
Citrix Virtual Apps and Desktops: 7.18.0.58 (1808)
Sedric Christopher1709154496 (author), posted November 22, 2018:

Quoting Carl Stalhood1709151912, 10 hours earlier:
The newest versions of NetScaler and Workspace app should support web-based authentication. What versions are you trying?

Now I have updated my environment.

NetScaler: NS12.1 48.13.nc
Citrix Receiver: 18.10.0.20023 (1810)

If I configure the account in Citrix Workspace app I am receiving the following error: "Your account cannot be added using this server address".
Srikanth Challa, posted November 29, 2018:

@Sedric - I would first suggest checking whether the same works with a browser and seeing at what step it breaks. The error you are getting looks to be at the initial URL stage, before the authentication. Also try using HTML5 and see the behavior.
Sedric Christopher1709154496 (author), posted November 29, 2018:

Quoting Srikanth Challa, 2 hours earlier:
@Sedric - I would first suggest checking whether the same works with a browser and seeing at what step it breaks. The error you are getting looks to be at the initial URL stage, before the authentication. Also try using HTML5 and see the behavior.

Hi Srikanth,

With the browser I never had this problem. The HTML5 Receiver also works fine. I am always facing this problem while entering the NetScaler Gateway address when I add a new account in Citrix Receiver. As you say, already in the URL stage and before authentication.
Ryan Jewell1709155084, posted December 19, 2018:

Sedric, you didn't happen to get this resolved, did you? We are having the same problem with FAS and SAML.
Omar Hempsall1709158465, posted January 24, 2019:

#metoo - Looking at the Receiver logging, it's throwing the old "Detail: The gateway response did not contain the expected cookie (pwcount)", which I've seen when you're messing with password fields...
Michael Shuster1709152649, posted January 31, 2019:

You need to set the SAML policy as an Advanced policy, i.e. nFactor. So sadly you can't use the basic SAML policy. Once you get that set up, Receiver should direct to the auth page as expected.

Here's some guidance to help get you going. This assumes the only auth method is AzureMFA, i.e. no next factors.

1 - Enable AAA if not already enabled.

2 - Unbind your basic SAML policies from the Gateway.

3 - Create the non-addressable Auth vServer. Some reference commands below:

    add authentication vserver NSG_CTXGW_VS_AAA SSL 0.0.0.0

4 - Bind a cert to the AAA vServer (can be the same cert as your gateway):

    bind ssl vserver NSG_CTXGW_VS_AAA -certkeyName yourcertkeypair

5 - Create the authentication profile (links to the AAA vServer; you will bind this to your Gateway):

    add authentication authnProfile nFactor_AuthProfile_CTXGW -authnVsName NSG_CTXGW_VS_AAA

6 - Harden the AAA vServer (TLS, DH key, hardened ciphers, disable SSL and TLS 1.1/1.0).

7 - Add the advanced auth policy. Note that you can link it to the AzureMFA profile you presumably made earlier; update the profile name in the command below. Instead of the rule you can use true. My use case needed to support site-specific as well as GSLB URLs for auth, so I added logic based on hostname for the SAML policies:

    add authentication Policy AzureMFA_CTXGW_AAA_Policy -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"citrix.yourdomain.com\")" -action AzureMFA_Profile

8 - Bind the auth policy to the AAA vServer:

    bind authentication vserver NSG_CTXGW_VS_AAA -policy AzureMFA_CTXGW_AAA_Policy -priority 100 -gotoPriorityExpression NEXT

9 - Bind the authentication profile to the Gateway.

10 - Test both web and Workspace app auth.

Also, be sure to configure this on your StoreFront servers to avoid SmartCard logon errors after StoreFront timeouts when logging in via Gateway. It will require clearing the client browser cache once implemented and propagated, though.
https://support.citrix.com/article/CTX227673
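The ten steps above as one consolidated NetScaler CLI sequence, added here as an example; it is not from Michael's post and not Citrix's own reference configuration. It fills in the steps the post only names (enabling AAA, unbinding the classic policy, the SSL hardening, binding the profile to the Gateway) and the SAML action the post assumes was created earlier. The Gateway vServer name NSG_CTXGW_VS, the classic policy name SAML_Classic_Policy, the certificate names, the IdP redirect URL with its <tenant-id> placeholder and the DH file path are all assumed placeholders; the AAA-side names are the ones the post uses. Lines starting with # are annotations, so strip them before feeding the file to the batch command.

```nscli
# 1 - Enable the AAA feature (no-op if already enabled)
enable ns feature AAA

# 2 - Unbind the classic SAML policy from the Gateway vServer (names assumed)
unbind vpn vserver NSG_CTXGW_VS -policy SAML_Classic_Policy

# 3 - Non-addressable AAA vServer (0.0.0.0 = no VIP; reached only via the Gateway)
add authentication vserver NSG_CTXGW_VS_AAA SSL 0.0.0.0

# 4 - Bind the same certificate the Gateway uses
bind ssl vserver NSG_CTXGW_VS_AAA -certkeyName yourcertkeypair

# 6 - Harden the AAA vServer: TLS 1.2 only, fresh DH parameters, GCM-only cipher group
set ssl vserver NSG_CTXGW_VS_AAA -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
create ssl dhparam /nsconfig/ssl/dhkey2048.key 2048 -gen 2
set ssl vserver NSG_CTXGW_VS_AAA -dh ENABLED -dhFile /nsconfig/ssl/dhkey2048.key
add ssl cipher CIPHERGRP_TLS12_STRONG
bind ssl cipher CIPHERGRP_TLS12_STRONG -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher CIPHERGRP_TLS12_STRONG -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
unbind ssl vserver NSG_CTXGW_VS_AAA -cipherName DEFAULT
bind ssl vserver NSG_CTXGW_VS_AAA -cipherName CIPHERGRP_TLS12_STRONG

# The SAML action the post refers to as "AzureMFA_Profile" (IdP cert name, issuer and
# redirect URL assumed). Unsigned assertions are rejected and SHA-256 is required so a
# tampered or downgraded response from the IdP side is not accepted.
add authentication samlAction AzureMFA_Profile -samlIdPCertName AzureAD_IdP_Cert -samlSigningCertName yourcertkeypair -samlRedirectUrl "https://login.microsoftonline.com/<tenant-id>/saml2" -samlIssuerName "https://citrix.yourdomain.com" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256

# 5 - Authentication profile that points the Gateway at the AAA vServer
add authentication authnProfile nFactor_AuthProfile_CTXGW -authnVsName NSG_CTXGW_VS_AAA

# 7 - Advanced (nFactor) policy; replace the rule with true if hostname matching is not needed
add authentication Policy AzureMFA_CTXGW_AAA_Policy -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"citrix.yourdomain.com\")" -action AzureMFA_Profile

# 8 - Bind the policy to the AAA vServer as the single factor
bind authentication vserver NSG_CTXGW_VS_AAA -policy AzureMFA_CTXGW_AAA_Policy -priority 100 -gotoPriorityExpression NEXT

# 9 - Hand authentication on the Gateway over to the AAA vServer
set vpn vserver NSG_CTXGW_VS -authnProfile nFactor_AuthProfile_CTXGW

# Verify the bindings before testing with a browser and with Workspace app (step 10)
show authentication vserver NSG_CTXGW_VS_AAA
show vpn vserver NSG_CTXGW_VS

save ns config
```

Two checks worth doing after this: `show authentication vserver NSG_CTXGW_VS_AAA` should list the advanced policy with its priority, and `show vpn vserver NSG_CTXGW_VS` should show the authnProfile and no remaining classic SAML policy binding, since a leftover classic binding is what keeps Receiver on the old pwcount-based logon flow described earlier in the thread.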
dpalchu521, posted November 6, 2019:

Quoting Michael Shuster1709152649's post of January 31, 2019 (reproduced in full above).

I switched to the advanced policy; however, the Workspace client still gives "your account cannot be added using the server address". Do you know if SAML authentication also needs to be configured on the StoreFront servers? The web client works fine with the normal NetScaler SAML / StoreFront FAS configuration.
Mike Romp, posted November 15, 2019:

Quoting Michael Shuster1709152649's post of January 31, 2019 (reproduced in full above).

I had this exact issue, followed these steps, and can confirm it is working now.

NetScaler version: NS12.1 52.15.nc
Workspace version: 19.9.0.21

Thanks!
ScubaMiike, posted November 21, 2019:

From my testing (NetScaler 12.1 51.19):

- With nFactor, Workspace works as expected. (Now the Android/iOS apps do not work correctly; it must be a recent app update, as all methods worked about 3 months ago!)
- Go back to SAML basic auth on the NetScaler Gateway vServer and the current Android/iOS apps work fine (they never worked previously without nFactor), but Workspace (testing with 1909, might try a few older versions) no longer operates.

Is anyone else experiencing this?
dpalchu521, posted November 23, 2019:

Quoting dpalchu521, 11/6/2019 at 11:52 AM:
I switched to the advanced policy; however, the Workspace client still gives "your account cannot be added using the server address". Do you know if SAML authentication also needs to be configured on the StoreFront servers? The web client works fine with the normal NetScaler SAML / StoreFront FAS configuration.

The 12.1 upgrade fixed the issue with Citrix Workspace.
dpalchu521, posted December 3, 2019 (edited December 4, 2019 by dpalchu521):

Quoting ScubaMiike, 11/20/2019 at 10:07 PM:
From my testing (NetScaler 12.1 51.19):
- With nFactor, Workspace works as expected. (Now the Android/iOS apps do not work correctly; it must be a recent app update, as all methods worked about 3 months ago!)
- Go back to SAML basic auth on the NetScaler Gateway vServer and the current Android/iOS apps work fine (they never worked previously without nFactor), but Workspace (testing with 1909, might try a few older versions) no longer operates.
Is anyone else experiencing this?

I found the workaround for the iOS client. You need to configure the connection manually and specify Web Interface as the option, not Access Gateway.

Update: works on Android without any modifications, just setting up a new connection with the URL.
David Liu NZ, posted February 7, 2020:

Quoting dpalchu521, 11/23/2019 at 1:09 PM:
The 12.1 upgrade fixed the issue with Citrix Workspace.

Which version did you have the problem with? What full version of 12.1 did you upgrade to?
dpalchu521, posted February 7, 2020:

Quoting David Liu1709157371, 17 hours earlier:
Which version did you have the problem with? What full version of 12.1 did you upgrade to?

Came from one of the latest 11.1 versions (11.1 62.8, I think) and moved to 12.1 54.13. So I am guessing it's the entire 11.1 line, not a specific release.
Martijn Kools, posted October 25, 2020 (edited October 25, 2020 by mkools):

Hi all,

I followed this guide to the letter:
https://www.mycugc.org/blogs/ryan-gallier/2019/05/02/the-complete-guide-azuread-saml-authentication

Plus I've followed Michael Shuster's post, and confirmed it's basically the same thing as in the guide. Through the web site everything works great, but using Workspace app I always get: "your account cannot be added using this server address". With the Workspace app for Android it gives me Error Code 548.

I've double-checked this: https://support.citrix.com/article/CTX250706

My Citrix StoreFront has the same base URL as the NetScaler vServer. I've been trying all day and keep getting the error. I hope anybody has any clue. Thanks!

Btw, using NetScaler NS13.0 58.32.nc and StoreFront 1912 LTSR CU1.
Martijn Kools, posted October 25, 2020:

Btw, here's my Receiver log file. The weird thing is it says it can't even find the store?
https://pastebin.com/CdqMF6vg
Terry Rebstein, posted December 15, 2020:

Did this ever get resolved?
Martijn Kools, posted January 13, 2021:

Quoting Terry Rebstein, 12/15/2020 at 9:14 PM:
Did this ever get resolved?

For me, yes: installing an updated build of NS13 solved the issue.