Smrutimaya Mohanty Posted September 22, 2019

I have NS 12.1.51.19 and SF 3.12.

NS setup:
1. vserver-sc: client cert authentication mandatory. URL: https://lab-sc.abc.com. Users would use this URL externally.
2. vserver-callback: URL https://lab-callback.abc.com
3. vserver-ICAonly: NO authentication, STAs are added, certificate added and no other configuration done.

SF setup:
NetScaler Gateway URL: https://lab-sc.abc.com
Usage Role: Auth and HDX routing
STA: as configured on the vserver-sc gateway.
Auth Settings: vserver IP - didn't configure
Logon Type: Smart card
Callback: https://lab-callback.abc.com

With this setup application launch works as expected, but users are getting 2 PIN prompts: one at the NetScaler logon and a 2nd before the app launch. I want to avoid the 2nd PIN prompt. I can't figure out how to use the vserver-ICAonly in the SF configuration. What are the steps I need to take? I have gone through multiple documents and Citrix blogs but none of them were clear on the SF steps. There are instructions to use the same IP with a different port number other than 443 for the ICAOnly vserver. Can we continue to use 443 and with a different IP? If yes, how? Any advice and assistance are most welcome.
Jimmy Raborn Posted February 4, 2020

I believe we're having a similar problem with Smart Card authentication in our environment. Did you find a resolution? We have a similar setup and have seen where people set up your third line item, but we don't have "3. vserver-ICAonly". The extra PIN prompt just started in Q4 of 2019 on Windows endpoints, and Apple endpoints get an odd error that Citrix support has not had any luck in helping us resolve.
Joshua Van Buren Posted February 4, 2020

I'm experiencing the same issue as well, did you find a resolution?
Smrutimaya Mohanty (Author) Posted February 5, 2020

As long as we have set CERT auth as mandatory, the users would get an additional PIN prompt. That's why I had to create the ICAOnly vServer. I could use the vserver-ICAOnly with port 443, and on the SF use the vserver-ICAonly CAG's URL instead of the actual CAG URL.

There is another option if nFactor is used: through nFactor, you can offload the authentication to the AAA vServer. In nFactor, you can just force users to have cert authentication based on policy expressions. No need to set cert auth as mandatory on the CAG.
Manuel Kolloff Posted February 5, 2020

Hi, did you see the following? (Lower section)
https://docs.citrix.com/en-us/netscaler-gateway/12/authentication-authorization/configure-client-cert-authentication/ng-client-cert-smart-card-tsk.html

On the vserver-sc:
- disable mandatory SSL auth
- add a CERT auth policy instead
- allow SSL renegotiation (even though I would prefer the NONSECURE setting instead of NO as described in the article)

...that way the smart card is only validated during authentication, not with every SSL handshake (i.e. ICA session start, which causes the second prompt).

---

Another way is the described approach of using a separate vserver-ICAonly. You have to set this one up in StoreFront as an additional gateway and force sessions through it via "Optimal HDX Routing" (under Store settings).
Smrutimaya Mohanty (Author) Posted February 5, 2020

https://support.citrix.com/article/CTX138304 - have a look at it if we are using cert auth. Please refer to the table at the bottom of the document. I have highlighted it on the attached screenshot.

So it says that if CERT auth is optional, the handshake would be successful even if you have a revoked certificate or a missing CRL. And I don't know if this behavior matrix would be applicable if we disable the cert auth completely, instead of setting it optional.
Manuel Kolloff Posted February 5, 2020

Good question, I guess this would need to be tested. However, I read the matrix as follows:
- the behaviour only changes if the CRL is optional or missing
- if you have a CRL configured, it's online and up to date, then a revoked certificate will always be rejected
Smrutimaya Mohanty (Author) Posted February 5, 2020

I have had a Citrix case open related to this behavior for the last 45 days, no updates!
Jimmy Raborn Posted February 10, 2020

We eliminated the extra cert/PIN WFICA32 prompt today by configuring optimal NetScaler Gateway routing for a store. This ended up being a rabbit hole we went down, and it resolved it. Our STA URLs were no longer set. We don't know why or when our STA URLs disappeared; it may have been when we updated StoreFront last. Users never reported the problem; our team only noticed it over the holidays because we got to work remotely for a few days, and the ticket we opened hasn't been resolved.

Log into your StoreFront and open a PowerShell prompt. Type:

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
Get-DSOptimalGatewayForFarms

When it asks for SiteID, it's the IISSiteID; IISSiteID is probably 1. ResourcesVirtualPath is /Citrix/YourStoreFrontName. If you return no StaURLs, you might be having the same problem we were.

Source: https://www.smali.net/configure-optimal-netscaler-gateway-routing-for-a-store-storefront-3-x/

Change your PowerShell execution policy to unrestricted:

Set-ExecutionPolicy unrestricted

Cut and paste the text below into a PowerShell script and run it on your StoreFront. Change the variables to match your environment. The STA servers were our Delivery Controllers and we used their names, not IP addresses. Gateway name was "ICAProxyGateway". GatewayHostname was the address of our callback server (callbackname.domain:443) and VirtualPath was /Citrix/StoreFrontName.

# Load the StoreFront PowerShell modules
& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

# Variables: change these to match your environment
$STAUrls = "http://ip-to-sta-server-01/scripts/ctxsta.dll", "http://ip-to-sta-server-02/scripts/ctxsta.dll"
$GatewayName = "Gateway name"
$GatewayHostNames = "FQDN of Gateway name"
$IISSiteID = 1
$VirtualPath = "/Citrix/Store"

# Collect every farm defined for the store
[string[]] $FarmNames = @()
$FarmSet = Get-DSFarmSets -IISSiteId $IISSiteID -VirtualPath $VirtualPath
foreach ($farm in $FarmSet.Farms) {
    $FarmNames += $farm.FarmName
}

# Map the gateway (with its STA URLs) as the optimal gateway for those farms
Set-DSOptimalGatewayForFarms -SiteId $IISSiteID -ResourcesVirtualPath $VirtualPath `
    -GatewayName $GatewayName -Hostnames $GatewayHostNames -StaUrls $STAUrls `
    -StasUseLoadBalancing:$false -StasBypassDuration 00.02:00:00 `
    -EnableSessionReliability:$true -UseTwoTickets:$true `
    -EnabledOnDirectAccess:$true -Farms $FarmNames
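Added example (not from the thread and not a Citrix script): a PowerShell check for the missing-STA condition Jimmy describes, so the mapping can be audited after StoreFront upgrades instead of being discovered through a second PIN prompt. It assumes the ImportModules.ps1 path from his post and that Get-DSOptimalGatewayForFarms returns an object exposing GatewayName, Hostnames and StaUrls properties; the store path and STA hostnames in the usage call are constructed placeholders.

```powershell
# Added example: audit a store's optimal-gateway mapping and report the empty-STA
# condition described in the post above. Assumptions: StoreFront 3.x ImportModules.ps1
# path as in the thread; the object returned by Get-DSOptimalGatewayForFarms exposes
# GatewayName, Hostnames and StaUrls.
& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
function Test-OptimalGatewaySta {
    param(
        [int]$IISSiteId = 1,                    # usually 1 on a default install
        [string]$VirtualPath = "/Citrix/Store", # your store's ResourcesVirtualPath
        [string[]]$ExpectedStaUrls = @()        # optional: STA URLs you intended to configure
    )
    $cfg = Get-DSOptimalGatewayForFarms -SiteId $IISSiteId -ResourcesVirtualPath $VirtualPath
    if (-not $cfg) {
        Write-Warning "No optimal gateway mapping exists for $VirtualPath (site $IISSiteId)."
        return $false
    }
    Write-Host ("Optimal gateway '{0}' -> {1}" -f $cfg.GatewayName, (@($cfg.Hostnames) -join ", "))
    $stas = @(@($cfg.StaUrls) | Where-Object { $_ })   # drop null/empty entries
    if ($stas.Count -eq 0) {
        Write-Warning "Mapping has no STA URLs (the condition reported above). Re-run Set-DSOptimalGatewayForFarms with -StaUrls."
        return $false
    }

    # Each STA URL should point at the ctxsta.dll endpoint on a controller
    $ok = $true
    foreach ($url in $stas) {
        if ($url -notmatch '^https?://[^/]+/scripts/ctxsta\.dll$') {
            Write-Warning "Unexpected STA URL format: $url"
            $ok = $false
        } else {
            Write-Host "STA: $url"
        }
    }

    # Optional drift check against the list you intended (Compare-Object is case-insensitive)
    if ($ExpectedStaUrls.Count -gt 0) {
        $diff = Compare-Object -ReferenceObject $ExpectedStaUrls -DifferenceObject $stas
        if ($diff) {
            $diff | ForEach-Object { Write-Warning ("STA drift: {0} {1}" -f $_.SideIndicator, $_.InputObject) }
            $ok = $false
        }
    }
    return $ok
}

# Usage (constructed placeholder values): replace with your store path and controller STA URLs
Test-OptimalGatewaySta -VirtualPath "/Citrix/Store" -ExpectedStaUrls @(
    "http://controller01.example.local/scripts/ctxsta.dll",
    "http://controller02.example.local/scripts/ctxsta.dll")
```

A $false result after the Set-DSOptimalGatewayForFarms script above means the STA list still did not persist and is worth checking before testing a launch.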