Jump to content
Welcome to our new Citrix community!

XenApp through Gateway presents user with a second logon

Joe Robinson

Recommended Posts



I am having an issue with my environment, and I'm sure I'm overlooking something simple.


XenApp 1811 running on physical HP hardware with Server 2016.


When I access storefront directly, everything works fine.  When I access storefront through gateway, the Workspace App Loading bar pops up, and then a Windows Server login pops in behind it.  I currently have NetScaler setup using AAA vserver for authentication.  It acts as a service provider for Azure Active Directory along me to do MFA and uses FAS to log me in.  It's been working well, but I wanted to tweak the settings to get Workspace App working, and I broke it.  Fortunately, it's not in production yet!


It seems like the AD Domain is not being passed to the machine.  When you manually enter the credentials, you have to specify username in the domain\username format.  If you just enter the username, it tries to log in locally to the server.  


I took a peek at the SAML assertion coming back from azure, and it is passing my UPN as the Name attribute.   I believe this is correct.


Storefront has the following Authentication Configured on the store:

* Username/Password

* Domain Passthrough

* Passthrough from NetScaler, with Fully delegate credential validation to NetScaler Gateway


I found a few articles regarding this error, but nothing seemed applicable.  I'm not seeing anything in the logs of the VDA, Storefront or FAS that jumps out as a problem....


Any thoughts to get me in the right direction?


Link to comment
Share on other sites

I figured it out, sharing my screwup so maybe it saves someone down the road.


My environment uses Azure as an Identity Provider.  That requires FAS.  I had created a store to test this with and I forgot FAS authentication is enabled per store, not per storefront server.  I'd love to see this in the GUI in the Authentication Settings for the store!


I was able to verify this by watching the event logs on my FAS servers.  Every time FAS is used, an event log is created.  I wasn't seeing the events created.  The events should look like this:

[S105] Server [DOMAIN\STOREFRONTSERVER$] issued identity assertion [upn: <user's UPN>, role default, Security Context: []].


The fix was to enable FAS for my production store.  Per Carl's docs:



don't copy paste this -- you have to adjust the store virtual path before running it!

& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

After propagating to all my Storefront servers, I'm back up and running!

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...