Jump to content
Welcome to our new Citrix community!

Apple Workspace app logon issues with Netscaler 12.1 50.28


Recommended Posts

Hi,

 

Recently we updated our Netscaler Gateway to 12.1 50.28. Since this update the users from Apple devices (iOS, macOS, iPad, iPhone, Mac) have problems accessing our Netscaler Gateway. We use two-factor authentication (LDAP, RADIUS). We're using the required authentication policies to differentiate between Receiver and NonReceiver:

REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver

REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver

 

The first contact with the Workspace app to Netscaler Gateway works. It asks for username, password and passcode. But after logging off and on again it asks for username, password 1 and password 2 and the login doesn't work anymore until the user deletes and recreated the store in the Workspace app.

This doesn't occur with Android and Windows Workspace apps.

Is this a bug in the new Netscaler Gateway build? I couldn't find a related entry in the Release Notes.

 

br, Patrick

Link to comment
Share on other sites

  • 4 weeks later...

Hi Patrick

 

I can't help much but to say we get this issue as well with the following versions:

NetScaler GW v12.057.24

SF 3.12

 

So I don't think it is something new on 12.1 50.28. Which version were you on before?

 

We get the issue on iPhone, Android apps and Windows receiver software as well.

 

Chris

Link to comment
Share on other sites

Hi,

 

I could solve the issue. I had to change the Netscaler Gateway Logon type in the StoreFront Config from "Domain" to "Domain and security token". This is mentioned in https://support.citrix.com/article/CTX125364 (Step 9). But I'm not sure why this has to be configured, because therefore I configured the Netscaler Gateway session policies, so that is passed only the PRIMARY or SECONDARY logon credentials to StoreFront. Does anybody know why this has to be configured?

 

It only seems to be necessary to configure this for Apple devices. Windows and Android don't need this.

Link to comment
Share on other sites

We also solved it in the same way on Friday. We spoke with a supplier who helped us with the initial setup and they configured it as just 'Domain' and said it was definitely just needing to be 'Domain' because the NetScaler did the auth, which makes sense. But it didn't work properly.

But when Citrix looked at a later issue, they wouldn't help us until we enabled 'Domain and security token'. This problem then vanished as well.

Unfortunately I had forgotten that sequence of events until recently and realized this on Friday, re-enabled the setting again and solved the problem. But in our case, it was not working for all remote clients, except iPhone. Android and Windows client were not working...

Link to comment
Share on other sites

  • 7 months later...

Thanks, 2FA works properly now in all Citrix Receiver/Workspace App's after doing the following:

 

1. Configurating the correct (order of) authentication methods

Primary:

Priority 90 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP..HEADER User-Agent CONTAINS CitrixWorkspace

Priority 100 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixWorkspace

Secondary:

Priority 90 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP..HEADER User-Agent CONTAINS CitrixWorkspace

Priority 100 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixWorkspace

 

2. Enabling the 'Domain and security token' in the Storefront the CAG uses for remote connections.

 

Warning: If you change setting 2 after Receiver / Workspace app has already performed discovery, then users might have to remove the Account from Receiver / Workspace app and re-add it.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...