
Accessing AAA Vserver Portal using Salesforce on Android leads to "unsupported device"


Mark Nickolai 2


Hello,

 

By our design, it is necessary to sign in against the NetScaler AAA portal using 2FA authentication, which forwards the primary credential set to a backend server in order to fulfill the sign-in to Salesforce.

 

The portal itself is built with nFactor and uses an RfWebUi-based theme.

 

The whole thing works properly when using an old-fashioned browser like Chrome, Firefox, etc.

Some users are also using the Salesforce App for iPhone, which renders the logon page properly.

 

Users who are using the recent Salesforce App for Android are facing an issue where a popup message is shown by NetScaler:

 

"unsupported device" "please use a supported phone, tablet or desktop to access your apps and desktops"

 

From what I know, we did not set up any limitation of browsers in the configuration.

 

I noticed the following details about the User-Agent from a trace:

 

User-Agent: SalesforceMobileSDK/7.1.2 android mobile/8.0.0 (SM-A320FL) Salesforce1/222.010.0(222010100) Native uid_69fc2f7e06b97159 ftr_ Cordova/8.0.0

 

Any ideas how to handle this behavior?

 

Kind regards

 

Mark


Could it possibly be related to an inability to set cookies for authentication tracking purposes and not the user-agent itself?  This could result in an "unsupported device".  

 

This is not the same app, but a similar issue where the authentication cookie isn't being set on android:  https://discussions.citrix.com/topic/314992-aaa-server-and-loadbalancing-activesync-authentication-error-only-on-android-devices/  (Though admittedly this is an ancient post.)  Not sure what the current workaround would be.

 

 


I found a fix with support.

 

It is necessary to apply a global responder policy which does a redirect.

I have no background information WHY this works, but well, it worked ;)

 

add responder action RESACT_302_android_aaavserver redirect "\"https://aaavserver.example.com/logon/LogonPoint/index.html?android\"" -responseStatusCode 302


add responder policy RESPOL_SalesforceMobileSDK_Logon_aaavserver "HTTP.REQ.HOSTNAME.TO_LOWER.EQ(\"aaavserver.example.com\") && HTTP.REQ.URL.CONTAINS(\"LogonPoint/tmindex\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"SalesforceMobileSDK\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"android\")" RESACT_302_android_aaavserver

bind responder global RESPOL_SalesforceMobileSDK_Logon_aaavserver 100 END -type REQ_DEFAULT

Edit your URL / hostname the way you need.

 

Be aware that, at least for me, it is not possible to insert a question mark ( "?" ) into an expression in the CLI.

 

I usually paste it in, but it got cropped away, so it has to be added again afterwards in the web UI.

 

Good luck :)


7 hours ago, Mark Nickolai 2 said:

 

Be aware that, at least for me, it is not possible to insert a question mark ( "?" ) into an expression in the CLI.

 

 

To enter "?" in the CLI, you either need to type in \? to get the literal string ? to appear OR copy/paste from a text editor.

The "?" is a help shortcut for syntax when in the CLI. (Glad you found your fix though.)


21 hours ago, Rhonda Rowland1709152125 said:

 

To enter "?" in the CLI, you either need to type in \? to get the literal string ? to appear OR copy/paste from a text editor.

The "?" is a help shortcut for syntax when in the CLI. (Glad you found your fix though.)

 

Hi Rhonda, 

 

Sadly, copy/paste does not work for me. If I do so, the CLI crops the "?" from the pasted text right away.

 

Maybe it is related to the version we have running: NetScaler NS11.1: Build 61.7.nc, Date: Jan 31 2019, 03:09:31

 

The \? approach seems to work, but the leading \ gets cropped away right away and then there is only ? in the CLI.

So a copy of

add responder action RESACT_302_android_aaavserver redirect "\"https://aaavserver.example.com/logon/LogonPoint/index.html\?android\"" -responseStatusCode 302

leads, when pasted, to

 

add responder action RESACT_302_android_aaavserver redirect "\"https://aaavserver.example.com/logon/LogonPoint/index.html?android\"" -responseStatusCode 302



 


I messed up this edit twice. Sorry. Yes, to copy the "?" mark into the CLI, copy "\?" and paste it into the CLI, and you will end up with a literal "?", which is all you need.

 

Edit:

To clarify, you don't need the "\" in the expression; you need the "\" when entering the "?" to stop the CLI from interpreting it as the command completion/help command, so you can have a literal that is otherwise being caught during "entry", not during processing.

In the GUI, there is no such intercept and the literal ? can be entered without working hard at it.

 

I hope that makes more sense.

Edited by Rhonda Rowland
adding clarifying note

54 minutes ago, Rhonda Rowland1709152125 said:

I messed up this edit twice. Sorry. Yes, to copy the "?" mark into the CLI, copy "\?" and paste it into the CLI, and you will end up with a literal "?", which is all you need.

 

Edit:

To clarify, you don't need the "\" in the expression; you need the "\" when entering the "?" to stop the CLI from interpreting it as the command completion/help command, so you can have a literal that is otherwise being caught during "entry", not during processing.

In the GUI, there is no such intercept and the literal ? can be entered without working hard at it.

 

I hope that makes more sense.

 

Thank you, that helps me a lot :)


  • 10 months later...

In Citrix ADC v13.0.67.39 (and maybe before) this fix will stop working. The reason is that "logonpoint/tmindex" will not be part of the request URLs in time. The way the RfWebUi theme is delivered was changed by Citrix, and tmindex is not a part of the first HTTP request anymore. Before tmindex shows up, the Salesforce app will have died already (device not supported error).

 

I worked around it by doing the following:

- created an extra AAA vServer with the X1 theme bound to it.

- created an extra ADFS Load Balancing vServer that uses the AAA-X1 vServer for authentication.

- created a content switching policy that applies for useragent SalesForce && android && adfs.company.com URL that opens that new ADFS Load Balancing vServer.

 

What will happen is the Salesforce App will access ADFS. It gets redirected to the AAA-X1 vServer. However, this time the logonpoint/tmindex is present in the first HTTP request, so the globally bound responder policy will kick in and redirect to the original AAA vServer with the ?android page.

 

This works like a charm; however, it is not a permanent solution because X1 will disappear in the next release. So I will consult Citrix about why they changed the behavior of the RfWebUi theme.

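A model of the responder policy posted earlier in this thread, added here as an illustration and not part of any post or of Citrix code: it reports which request in a trace would receive the 302, shows why the redirect comes too late once tmindex is no longer in the first request, and shows that the User-Agent checks are case-sensitive. The request paths in the traces and the names `policy_matches` and `first_redirect` are constructed for this example, not taken from a capture.

```python
# Model of the thread's responder policy (added example, not Citrix code).
# NetScaler string operations such as CONTAINS are case-sensitive by default;
# in the posted expression only the hostname is lowercased (TO_LOWER).
from dataclasses import dataclass

POLICY_HOST = "aaavserver.example.com"  # placeholder hostname used in the thread
REDIRECT_URL = "/logon/LogonPoint/index.html?android"  # path of the 302 target


@dataclass
class Request:
    host: str
    url: str
    user_agent: str


def policy_matches(req: Request) -> bool:
    """Mirror of RESPOL_SalesforceMobileSDK_Logon_aaavserver."""
    return (req.host.lower() == POLICY_HOST
            and "LogonPoint/tmindex" in req.url
            and "SalesforceMobileSDK" in req.user_agent
            and "android" in req.user_agent)


def first_redirect(trace):
    """Index of the first request that would get the 302, or None."""
    for i, req in enumerate(trace):
        if policy_matches(req):
            return i
    return None


# User-Agent exactly as quoted in the first post.
UA = ("SalesforceMobileSDK/7.1.2 android mobile/8.0.0 (SM-A320FL) "
      "Salesforce1/222.010.0(222010100) Native uid_69fc2f7e06b97159 ftr_ Cordova/8.0.0")

# Constructed traces: the paths are illustrative assumptions.
TRACE_OLD = [Request("AAAvserver.example.com", "/logon/LogonPoint/tmindex.html", UA)]
TRACE_NEW = [Request(POLICY_HOST, "/logon/LogonPoint/index.html", UA),
             Request(POLICY_HOST, "/logon/LogonPoint/tmindex.html", UA)]
TRACE_CASE = [Request(POLICY_HOST, "/logon/LogonPoint/tmindex.html",
                      UA.replace("android", "Android"))]

if __name__ == "__main__":
    for name, trace in (("old", TRACE_OLD), ("new", TRACE_NEW), ("case", TRACE_CASE)):
        print(name, first_redirect(trace))
```

A result of 1 for the second trace corresponds to the situation in the last post: the policy still matches, but only after the request on which the app has already shown the error.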
