
Can you use ADFS/Azure AD auth without FAS?


Ben Grinsted

Question

19 answers to this question

Recommended Posts

9 hours ago, Ben Grinsted said:

Given that FAS breaks Azure AD authentication once connected through to the VDA, is it possible to use these mechanisms without FAS?

 

I'm not sure that is entirely true.

In my current environment, I have users coming into an ADC that hosts a gateway. The gateway uses SAML against Azure AD (for MFA), and then hits the StoreFront. FAS logs the users in and everything works fine. I have no Azure logon prompts for resources; that includes Office C2R, SharePoint Online, Teams, and even hitting Microsoft web pages like portal.azure.com.

I know that I had to do a lot of work on the back end to make that happen, including some configuration with AD Connect...

18 minutes ago, Joe Robinson said:

I'm not sure that is entirely true.

In my current environment, I have users coming into an ADC that hosts a gateway. The gateway uses SAML against Azure AD (for MFA), and then hits the StoreFront. FAS logs the users in and everything works fine. I have no Azure logon prompts for resources; that includes Office C2R, SharePoint Online, Teams, and even hitting Microsoft web pages like portal.azure.com.

I know that I had to do a lot of work on the back end to make that happen, including some configuration with AD Connect...

 

Hi Joe, appreciate the reply. Do you remember what work you did? We've had a lengthy call with Citrix Support and they have said that we can't achieve our desired state with FAS. We see that the user state portion of the AAD ticket doesn't generate:

 

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : 
             EnterprisePrt : NO
    EnterprisePrtAuthority : 
 

Because we use Conditional Access to require Domain Joined devices, the session doesn't identify itself successfully and it doesn't see the machine being on the domain.


You're doing something I'm not -- requiring a domain-joined device -- and that may be the problem. However, I heavily rely on conditional access policies (bad IPs, MFA, etc.), but only for the endpoint. My VDAs are all coming into Azure from a trusted site which is excluded in all (well, almost all) conditional access policies.

53 minutes ago, James Kindon said:

I am with Joe... we have plenty of customers running FAS and we don't see the issues described above at any of them.

 

Are they running Conditional Access with Domain Join required? We haven't been able to find a way to get that working, even after spending a lot of time with Citrix and Microsoft support.

3 hours ago, Ben Grinsted said:

 

Are they running Conditional Access with Domain Join required? We haven't been able to find a way to get that working, even after spending a lot of time with Citrix and Microsoft support.

 

If we look at the workflow ---

 

  1. User hits Citrix Gateway
  2. Gateway prompts for authentication
    1. Authentication profile redirects user to the Microsoft Azure AD Enterprise Application
    2. User authenticates to Azure.
      1. If authentication is not successful, things stop here
      2. If authentication is successful, the Enterprise App redirects the user back to the gateway URL specified in the app.
  3. Gateway talks to StoreFront
  4. StoreFront talks to FAS.
    1. FAS brokers a certificate for the user and hands it back to StoreFront.
    2. StoreFront uses the cert as authentication, similar to smartcard auth
  5. User opens Outlook or a desktop
    1. A connection is brokered to a VDA. Logon is handled via the certificate that FAS brokered.
    2. User is logged into the VDA.
    3. The desktop or app opens.
      1. If the app requires activation with Azure, the user is redirected to the Microsoft logon.
      2. User authenticates with Azure.
        1. If auth is unsuccessful, the app stops.
        2. If auth is successful, the app starts.

 

Conditional access happens at step 2.2 and 5.3.2. Seems unnecessary to take the double hit since the VDA should be a trusted device already. I'd get rid of the conditional access on the VDA if it's enabled, but I still don't see how that would cause the issue unless you're using a much older build of Office. There were quite a few bugs when the passthrough auth was first available. Maybe an Office upgrade?

 

Are you using a different workflow for your Azure authentication?


There are some slight changes to the above flow as I understand it:

 

1. User hits ADC -> ADC says go away and hands it straight over to Azure AD

2. Azure AD now runs through its authentication engine (inc. Conditional Access) and once OK sends back to ADC with a "no problem, the user is good, here are his details"

3. ADC trusts what Azure AD tells it (this is all SAML), authenticates the connection and now passes to the Session Profile -> StoreFront

4. StoreFront fully trusts the ADC at this point (this is key) and as such authenticates the user into StoreFront and displays the apps. At this point, FAS has still not been leveraged at all

FIRST PART COMPLETE - All SAML up until now

5. User now launches an App. At this point it's game time for FAS, as Windows has no idea about SAML and would simply fail (request and prompt) the logon attempt. So far, it's been nothing but SAML. StoreFront now requests that FAS go and get a user certificate from the CA based on the user details provided by the ADC (the SAML response from the previous step)

6. FAS gets a certificate issued from the CA and stores it on the FAS box. This certificate is effectively the user credential, so it is very important

7. The actual VDA requests the certificate from FAS and performs a (virtual) smart card logon to Windows

8. Logon process complete

Now that you have a session and have been logged on, FAS plays no part in anything further in relation to user auth #UNLESS# you have enabled in-session certs and choose to allow the FAS-issued cert to be leveraged. That is not relevant for your scenario

 

With conditional access policies, I have always built a dedicated policy and applied it to the Citrix ADC enterprise app (or Citrix Cloud) and wrapped my policies and requirements around that app. I also exclude the Citrix enterprise app from any other CA policy so that it's not affected by anything other than my specifics. One of those specifics could be Hybrid Domain Join, or Compliant device - whatever. It's all just about getting back to the ADC and being granted your apps

 

Once you launch your apps within the VDA, there really needs to be some thought about what conditions are actually required for accessing services - you have already been auth'd, you have already had CA policies met, do you need to do much more with auth back to O365 as a second pass within the VDA (as Joe suggested above)? I could legitimately see how this would fail if you were double tapping your CA requirements


This Microsoft page seems to suggest that it is possible to link a Citrix NetScaler with Azure AD in an SSO manner without the use of FAS + AD CS + (on-premise AD DS with shadow user password OR on-premise AD DS with Azure AD Connect sync, which implies you are either the owner of the directory or you have shadow users again).

So in effect your SaaS just comprises the NS/SF/XApps and whatever those hosted apps require for their operation, i.e. SQL DB

 

The "Just in time user provisioning for Citrix NetScaler" point seems to be the critical part of the process, for which I cannot find any reference or configuration information.

Does anyone have any documentation about this approach? Maybe have used it successfully?

 

P.S. I find the notion of using shadow user accounts missed in quite a few configuration documents despite how critical it appears to be in the operation life-cycle of the product. Or maybe it's just me..


Curious for those of you who have Citrix ADC with FAS and Azure AD MFA (no ADFS) working, do you see that the Azure AD PRT is yes? This was the piece missing which MSFT and CTX said is not supported unless doing ADFS and stated O365 sign in will fail unless that is YES.

 

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : 
             EnterprisePrt : NO
    EnterprisePrtAuthority : 

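The User State / SSO State blocks quoted in the two posts above are the output of `dsregcmd /status` run inside the session. As an added example (not code from any poster in this thread), this PowerShell snippet parses that output and reports whether the session holds an Azure AD PRT, which is the condition the posts identify as missing in the VDA; the sample text is constructed from the thread's quoted output, and on a real VDA you would feed it the live command output instead.

```powershell
# Added example (not from the thread): read the "Key : Value" rows that
# dsregcmd /status prints and decide whether the session has an Azure AD PRT.
function Get-DsregState {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Section banners ("+---", "| SSO State |") and blank lines do not match.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-PrtPresent {
    param([hashtable]$State)
    # A usable PRT shows up as AzureAdPrt : YES together with a non-empty
    # AzureAdPrtAuthority URL; the thread's VDA sessions show NO and blank.
    return ($State['AzureAdPrt'] -eq 'YES') -and
           -not [string]::IsNullOrWhiteSpace($State['AzureAdPrtAuthority'])
}

# Constructed sample mirroring the SSO State block quoted in the posts above.
$sample = @'
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : 
             EnterprisePrt : NO
    EnterprisePrtAuthority : 
'@ -split "`r?`n"

# On a VDA, replace the constructed sample with:  $sample = dsregcmd /status
$state = Get-DsregState -Lines $sample
if (Test-PrtPresent -State $state) {
    "PRT present (authority: $($state['AzureAdPrtAuthority'])); device-based Conditional Access can evaluate this session."
} else {
    "No Azure AD PRT in this session: Conditional Access rules that require a hybrid-joined or compliant device will not be satisfied from inside the VDA."
}
```

Run it in the user's own Citrix session (not an elevated admin shell), since the PRT is per-user and a different logon context would report a different result.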
On 5/14/2020 at 4:08 AM, Ben Grinsted said:

 

Are they running Conditional Access with Domain Join required? We haven't been able to find a way to get that working, even after spending a lot of time with Citrix and Microsoft support.

 

Are you having this issue with Windows Server 2019?


We are running Citrix ADC with FAS and Azure AD MFA (no ADFS) and are also seeing this issue where users are not seeing an AzureAdPrt token.

 

This is a considerable issue for us as it means SSO doesn't work once inside the VDA (desktop or app), as without AzureAdPrt, conditional access doesn't get the full client information, including Application / AAD Join status.

 

Has anyone found a solution for this ?


Following....

 

Same issue here.  I've spent hours over the last 3 months on calls with Microsoft and Citrix.  PRT works fine in RDP; just not in Citrix.  I'm using AD Connect, No ADFS, with FAS and can't get OneDrive, or any other app for that matter, to utilize SSO within a session whether it's a desktop or an app.  I'm also using Citrix Cloud as well as the gateway service that's included.  I don't want to deploy a Netscaler ADC but if that's what it takes to get this working I'll do it.  Just need some help understanding what should or should not work and Microsoft/Citrix support have not been helpful.

 

I have no allegiance to FAS if there is an alternative that can make this work (without having to buy an expensive product preferably).  I honestly don't want to re-deploy ADFS for this either though if I can help it.  Surely there is a better way with AD Connect to get single sign on to apps/desktops that are capable of extending into the session itself.


Following this too, I've also spent quite a bit of time with both Citrix and Microsoft support, with no solution in sight to resolve the AzureAdPrt issue.

 

This essentially makes our VDA app only sessions useless as our staff rely heavily on OneDrive being signed in when they log in to store files from other apps. Our conditional access requires Azure AD or MFA or Intune Compliance and they don't even get a MFA prompt when not in a full desktop session.

 

At this point we are going to be forced to NAT these machines behind a different public IP and exclude them from the conditional access policy which reduces security significantly.

 

Why doesn't anyone from Citrix confirm when this will be resolved, or at least that it's being worked on as a bug?


Hey Carl.  Sorry for the late post here.  I did get CBA working in Azure AD and I can select my cert to authenticate.  Unfortunately, OneDrive doesn't support this method of authentication.  And publishing applications, instead of desktops, complicates things as well.  Thanks for the suggestion.  I'm still looking for ways to do Azure AD with CAPs, AD Connect, and maintain a PRT for SSO.  I'm going to try utilizing Windows 11 with Azure AD-only (not hybrid) authentication and see how far I can get.  Curious if anyone has had success with this method or any other method to maintain SSO/PRTs. 
