SMART card authentication with Netscaler and SF - Need to avoid 2nd PIN prompt at application launch

[Smrutimaya Mohanty]

I have NS - 12.1.51.19 and SF 3.12

NS setup -

1. vserver-sc -

• client cert authentication mandatory
• URL - https://lab-sc.abc.com
• Users would use this URL externally.

2. vserver-callback

• URL - https://lab-callback.abc.com

3. vserver-ICAonly

• NO authentication, STAs are added, certificate added and no other configuration done.

 

SF setup - 

Netscaler gateway URL - https://lab-sc.abc.com

Usage Role - Auth and HDX routing

STA - As configured on the vserver-sc gateway.

Auth Settings - 

• vserver IP - Didn't configure
• Logon Type - Smart card
• call back - https://lab-callback.abc.com

 

With this setup application launch works as expected, but users are getting 2 PIN Prompts. One at the Netscaler logon and 2nd - before the app launch.

I want to avoid the 2nd pin prompt. I can't figure out how to use the vserver-ICAonly in the SF configuration.

What are the steps I need to take. Gone through multiple documents and citrix blogs but none of them were clear on the SF steps.

 

There are instructions to use same IP with different port number other than 443 for the ICAOnly vserver. Can we continue to use 443 and with a different IP? If yes how?

Any advice and assistance are most welcome.

 

 

 

 

[Jimmy Raborn]

I believe we're having a similar problem with Smart Card authentication in our environment.

Did you find a resolution?

 

We a similar setup and have seen where people set up your third line item but we don't have "3. vserver-ICAonly".

The extra pin prompt just started in Q4 of 2019 on Windows endpoints and Apple endpoints get an odd error that Citrix support has not had any luck in helping us resolve.

 

[Joshua Van Buren]

I'm experiencing the same issue as well, did you find a resolution?

[Smrutimaya Mohanty]

As long as we have set CERT auth as mandatory, the user's would get additional pin prompt. that's why I had to create the ICAOnly vServer, I could use the vserver-ICAOnly with port 443, and on the SF use the vserver-ICAonly CAG's URL instead of the Actual CAG url.

 

There is another option if nFactor is used, through nFactor, you can offload the authentication to the AAA vServer. In nFactor, you can just force users to have cert authentication based on policy expressions. No need of setting cert auth as mandatory on the CAG.

[Manuel Kolloff]

Hi, did you see the following? (Lower section)

https://docs.citrix.com/en-us/netscaler-gateway/12/authentication-authorization/configure-client-cert-authentication/ng-client-cert-smart-card-tsk.html

 

on the vserver-sc

 - disable mandatory SSL auth

 - add a CERT auth policy instead

 - allow SSL renegotiation (even though I would prefer the NONSECURE setting instead of NO as described in the article)

 

...that way the smart-card is only validated during authentication, not with every SSL handshake (i.e. ICA Session start, which causes the second prompt)

 

---

 

Another way is the described attempt of using a separate vserver-ICAonly.

You have to set this one up in Storefront as additional gateway and force sessions through it through "Optimal HDX Routing" (under Store-settings).

[Smrutimaya Mohanty]

https://support.citrix.com/article/CTX138304  - have a look at it, if we are using cert auth. Please refer to the table on the bottom of the document. I have highlighted it on the attached screenshot.

So it says that -  If CERT Auth is optional, handshake would be successful even if you have a revoked certificate or a missing CRL.

and I don't know if this behavior matrix would be applicable if we disable the cert auth completely, instead of setting it optional.

 

 

[Manuel Kolloff]

Good question, I guess this would need to be tested.

However, I read the matrix as follows:

 - the behaviour only changes if the CRL is optional or missing

 - if you have a CRL configured, its online and up to date, then a revoked certificate will always be rejected

 

[Smrutimaya Mohanty]

I have a citrix case open related to this behavior since last 45 days, no updates!
 

[Jimmy Raborn]

We eliminated the extra cert/pin WFICA32 prompt today by configuring optimal NetScaler Gateway routing for a store.  This ended up being a rabbit hole we went down and it resolved it. Our STA URLs were no longer set. We don't know why or when our STA URLs disappeared, it may have been when we updated Storefront last. Users never reported the problem, our team only noticed it over the holidays because we got to work remotely for a few days and the ticket we opened hasn't been resolved.

 

Log into your StoreFront and open a powershell prompt.

type: &”C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1″

Get-DSOptimalGatewayForFarms

 

When it asks for SiteID, it's the IISSiteID,  IISSiteID is probably 1 

ResourcesVirtualPath is   /Citrix/YourStoreFrontName

 

If you return no StaURLs, you might be having the same problem we were.

 

 

Source:   https://www.smali.net/configure-optimal-netscaler-gateway-routing-for-a-store-storefront-3-x/

 

Change your PowerShell Execution policy to unrestricted

Set-ExecutionPolicy unrestricted

 

Cut and paste the text below into a powershell script and run it on your Storefront. Change the variables to match your environment. The STA Servers were our Delivery Controllers and we used their names, not IP addresses. Gateway name was "ICAProxyGateway". GatewayHostname was the address to our CallBack Server (callbackname.domain:443) and VirtualPath was /Citrix/StoreFrontName

 

&”C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1″

$STAUrls = “http://ip-to-sta-server-01/scripts/ctxsta.dll“,”http://ip-to-sta-server-02/scripts/ctxsta.dll“

$GatewayName = “Gateway name”
$GatewayHostNames =　 “FQDN of Gateway name”
$IISSiteID = 1
$VirtualPath = “/Citrix/Store”

[string[]] $FarmNames = @()
$FarmSet = Get-DSFarmSets -IISSiteId $IISSiteID -VirtualPath $VirtualPath
foreach($farm in $FarmSet.Farms) { $FarmNames += $farm.FarmName }

 

Set-DSOptimalGatewayForFarms -SiteId $IISSiteID -ResourcesVirtualPath $VirtualPath -GatewayName $GatewayName -Hostnames $GatewayHostNames -StaUrls $STAUrls  -StasUseLoadBalancing:$false -StasBypassDuration 00.02:00:00 -EnableSessionReliability:$true -UseTwoTickets:$true -EnabledOnDirectAccess:$true -Farms $FarmNames