
Receiver SSO \ Passthrough auth \ XenApp application shortcuts on desktop


GianMarco Occhionero1709155336

Question

Info:

Windows 10 domain joined test PC

Receiver 4.9.5000 installed with /includeSSON

Xenapp 7.15 CU3

Storefront 3.12

NetScaler GW 11.1 59.10

Internal users only

Gateway URL:  https://citrixapps.domain.com

Storefront VIP on netscaler: https://Internal-sf-vip.domain,int

Base URL: Internal-sf-vip.domain,int

Different SSL certs for gateway URL \ internal SF VIP communications

Right now users access their apps via the web interface through NetScaler GW, but we would like to have some PCs use the Receiver app to populate application shortcuts on the user desktop and avoid logging into the web interface. All our Citrix ICA sessions must pass through a NetScaler gateway; direct communication with StoreFront servers or VIP is not permitted. I would like Receiver to use the domain credentials of the logged-in user to auto login, but we are prompted for a login popup.

I have enabled domain passthrough on StoreFront, Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True, session policy, Account Services Address points to https://Internal-sf-vip.domain,int

Link to comment

10 answers to this question


If I understood you correctly, then yes. From my understanding you want to allow direct communication with StoreFront for authentication (via SSO) and app enumeration and launch, but you still want to route the ICA traffic through the GW so you don't have to allow direct communication with the backend VDAs - correct?

This would exactly describe the solution: https://support.citrix.com/article/CTX200129

Link to comment

Yes. We want users to log in with domain credentials on their PC and have Receiver "auto login" using these credentials to populate the desktop with published applications. Routing ICA traffic through the NS GW afterwards would be ideal.

If I understand the implementation requirements, Receiver cannot point to the NS gateway URL as SSO with NTLM\Kerberos is not supported. Receiver will have to be configured to use the SF VIP URL instead (the firewall will have to allow this traffic), then optimal GW routing configured to route ICA traffic through the NS gateway.

Thanks for the help

Link to comment
7 minutes ago, GianMarco Occhionero1709155336 said:

If I understand the implementation requirements, Receiver cannot point to the NS gateway URL as SSO with NTLM\Kerberos is not supported. Receiver will have to be configured to use the SF VIP URL instead (the firewall will have to allow this traffic), then optimal GW routing configured to route ICA traffic through the NS gateway.

Yes correct. Without the configured GW routing the user will make a point-2-point connection to the VDA bypassing the GW. Apart from increased security, this approach will also allow you to leverage Netscaler HDX insight for internal users (given you have the appropriate licensing on Virtual Apps and Desktops and Netscaler).

Link to comment
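A way to check the point made in the reply above, that a launch without optimal gateway routing connects straight to the VDA. This is an added example, not part of the original thread or Citrix code: it classifies a saved launch (.ica) file as routed through the gateway or direct. The key names `Address`, `SSLEnable` and `SSLProxyHost`, the `;40;STA...` ticket form, and both sample files are assumptions constructed for illustration; the gateway name comes from the question.

```python
import configparser

# Gateway host from the question's Gateway URL (https://citrixapps.domain.com).
EXPECTED_GATEWAY = "citrixapps.domain.com"
NON_APP_SECTIONS = {"encoding", "wfclient", "applicationservers"}

# Constructed sample: launch routed through the gateway (STA ticket, SSL proxy).
GATEWAY_ICA = """[ApplicationServers]
Notepad=
[Notepad]
Address=;40;STA0123456789;CONSTRUCTEDTICKET
SSLEnable=On
SSLProxyHost=citrixapps.domain.com:443
"""

# Constructed sample: direct launch to a VDA address (192.0.2.0/24 is a doc range).
DIRECT_ICA = """[ApplicationServers]
Notepad=
[Notepad]
Address=192.0.2.25:1494
"""

def ica_route(ica_text, expected_gateway=EXPECTED_GATEWAY):
    """Return [(application section, 'gateway' | 'direct' | 'unknown')]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ica_text)
    findings = []
    for section in cp.sections():
        if section.lower() in NON_APP_SECTIONS:
            continue
        app = cp[section]  # option names are matched case-insensitively
        address = app.get("Address", "")
        proxy_host = app.get("SSLProxyHost", "").rsplit(":", 1)[0].lower()
        ssl_on = app.get("SSLEnable", "").lower() == "on"
        if address.startswith(";") and ssl_on and proxy_host == expected_gateway:
            findings.append((section, "gateway"))   # ticket + proxy via the GW
        elif address and not address.startswith(";"):
            findings.append((section, "direct"))    # plain host: bypasses the GW
        else:
            findings.append((section, "unknown"))   # e.g. a different proxy host
    return findings

if __name__ == "__main__":
    for name, text in (("gateway sample", GATEWAY_ICA), ("direct sample", DIRECT_ICA)):
        print(name, ica_route(text))
```
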

Thanks, I got the basic implementation with optimal gateway routing working. Configured Receiver with the StoreFront VIP (base URL), and SSO auto logged in the user to apps.

Now the scenario that this solution doesn't address is our current 2FA implementation. We have conditional 2FA based on AD group membership. We currently use RSA tokens, though usernames are different than LDAP accounts. Via the web interface, this is not an issue; we use nFactor auth and prompt the user to log in via LDAP and the RSA account if he is part of an LDAP group. Are there any workarounds \ config options that would allow 2FA with the Receiver app (using different usernames)?

Link to comment

Hi,

You mean, you are currently using selective 2FA based on AD group membership using nFactor Authentication on NetScaler (as described in https://support.citrix.com/article/CTX220793)? Citrix Receiver 4.x doesn't support nFactor, meaning users will have to use a browser instead. However, according to the product feature matrix (https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf), Citrix Workspace App 1812 does support nFactor authentication. I haven't tried it myself but I'd give it a shot.

Regards

Link to comment

Archived

This topic is now archived and is closed to further replies.
