
Citrix ADC (NetScaler) - micro VPN integration with Microsoft Endpoint Manager - nFactor Auth issues after completed OAUTH with enrolled / managed MS mobile Edge Browser / NetworkTunnelWebSSO

Markus Jupe


Hi folks,

Has anybody ever integrated this use case (Citrix NS / mVPN - Intune "WebSSOTunnel") in a lab or in a production environment?


My OAuth integration (sh oauthaction): OAuth status is "completed" - I think we are fine here.


When I open the fully configured (and verified by MS) "MS Edge Browser" and initiate access to an internal intranet domain, I see the following issues in my "debug" "/var/log/ns.log":


: default SSLLOG SSL_HANDSHAKE_SUCCESS 47561 0 :  SPCBId 3883 - ClientIP myMobileIPv4 - ClientPort 50170 - VserverServiceIP myPublicIPv4 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 61 ms
: default SSLLOG SSL_HANDSHAKE_SUCCESS 47562 0 :  SPCBId 3884 - ClientIP myMobileIPv4 - ClientPort 50169 - VserverServiceIP myPublicIPv4 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 89 ms
: default SSLVPN Message 47563 0 :  "native client, request: checking aaac/epac for dht lookup"
: default AAATM Message 47564 0 :  "Claims allowed in current loginschema are 80"
: default SSLVPN Message 47565 0 :  "nFactor <1> or native client <1>: checking for certificate authentication policies"
: default SSLVPN Message 47566 0 :  "nFactor <1> or native client <1>: no active certificate policy found"

: default SSLVPN Message 47567 0 :  "Core-id = 0, While processing index.html request, skip_saml = 0, redirecting to SAML-IdP "


In my AAA vServer (for advanced auth inside the Citrix Gateway vServer) there is an attached "Advanced Authentication Policy" (1 x Authentication Policy Binding for OAuth / Intune) and a dedicated OAuth Login Schema (provided by the Citrix script for Intune integration).


I don't understand why I have trouble with the nFactor Advanced Authentication. I have no configured / enrolled client user cert inside Intune MDM.


I see in my mobile Edge Browser only a blank white page / waiting status to authenticate.

I have opened a Citrix support case but unfortunately with no luck.





ADC / NS 13.0 Build 52.24


Ideas from this community? ;)


Thanks in advance...





I hope you have followed the steps below to configure the mVPN to integrate with MS Intune; if not, check which portion you are missing.

From the error you have posted, it seems it is missing the SSL certificate.


The bundle has the following files:
1. <NsgCreateScriptFileName> -- Contains the NetScaler CLI commands that configure the required components in NetScaler.
2. <NsgDeleteScriptFileName> -- Contains the NetScaler CLI commands that remove the corresponding configurations.
3. <NsgPowerShellScriptFileName> -- PowerShell script to create AAD app secret consumed by NetScaler.
4. <NsgReadMeFileName> -- This file.

1. Windows PC with PowerShell
2. PC must include Windows Management Framework 5.0 or greater - included with Windows 10.
   For other versions of Windows, obtain at: http://www.microsoft.com/en-us/download/details.aspx?id=54616
3. AzureAD PowerShell v2. You can install this from Administrative PowerShell window using the command "Install-Module AzureAD".

NetScaler requirements:
1. NetScaler 12.0.59.x or 12.1.50.x or later.
2. NetScaler IP address is configured and has connectivity to the LDAP server unless LDAP is being load balanced.
3. NetScaler Subnet IP (SNIP) address is configured, has connectivity to the necessary backend servers, and has public network access.
4. DNS can resolve public domains.
5. NetScaler is licensed with Platform/Universal or Trial licenses - https://support.citrix.com/article/CTX126049.
6. A NetScaler Gateway SSL certificate is uploaded and installed on the NetScaler - https://support.citrix.com/article/CTX136023.

Steps to configure NetScaler:
NOTE: These steps should be done AFTER the above step to grant the AAD application permissions needed by NetScaler.
1. Azure Global Administrator must run the PowerShell script included in this package -- <NsgPowerShellScriptFileName> -- and take note of the value for generated AAD app secret.
2. Modify place holders in <NsgCreateScriptFileName> with the appropriate values. <NSG_IP>, <SERVER_CERT_NAME>, and the <AAD_CLIENT_SECRET> all need to be replaced. The text file describes the values you use to replace those placeholders.
3. Upload <NsgCreateScriptFileName> into the /var directory of the NetScaler appliance.
4. Execute the following command in the NetScaler bash shell:

/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/<NsgCreateScriptFileName>"

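Before step 4 of the procedure quoted above, the filled-in batch file can be linted for the mistakes that are easy to make in step 2. This is an added example, not part of the thread or the Citrix bundle: the function names, the `lab_` object names, the documentation IP and the all-zero tenant ID are constructed, and the checks assume the command layout of the template posted in this thread.

```shell
# Added example (not from the thread): lint a filled-in batch file before nscli runs it.
# Constructed sample: secret left unreplaced, auth vserver has no certificate bound.
sample_batch() {
cat <<'EOF'
# <AAD_CLIENT_SECRET> -- placeholder names inside comment lines are ignored
add authentication vserver lab_auth_vs SSL
add vpn vserver lab_GW SSL 192.0.2.10 443 -Listenpolicy NONE
add authentication OAuthAction lab_oa -OAuthType INTUNE -clientSecret <AAD_CLIENT_SECRET> -tenantID 00000000-0000-0000-0000-000000000000 -issuer https://sts.windows.net/00000000-0000-0000-0000-000000000000/
bind ssl vserver lab_GW -certkeyName gw_cert
EOF
}

# Print every <PLACEHOLDER> still present on a non-comment line, one per line.
unresolved_placeholders() {
  grep -v '^[[:space:]]*#' "$1" | grep -o '<[A-Z][A-Z0-9_]*>' | sort -u
}

# Print SSL vservers that are created but never given a certificate binding.
vservers_without_cert() {
  awk '
    $1=="add" && ($2=="vpn" || $2=="authentication") && $3=="vserver" && $5=="SSL" { need[$4]=1 }
    $1=="bind" && $2=="ssl" && $3=="vserver" {
      for (i=5; i<NF; i++) if ($i=="-certkeyName") delete need[$4]
    }
    END { for (v in need) print v }
  ' "$1" | sort
}

# Succeed only if the OAuthAction -tenantID equals the tenant in its -issuer URL.
tenant_matches_issuer() {
  awk '
    $1=="add" && $2=="authentication" && $3=="OAuthAction" {
      for (i=5; i<NF; i++) { if ($i=="-tenantID") t=$(i+1); if ($i=="-issuer") iss=$(i+1) }
      found=1
    }
    END { exit !(found && iss == ("https://sts.windows.net/" t "/")) }
  ' "$1"
}

# Run all three checks; a non-zero exit means the batch should not be executed yet.
preflight() {
  pf_rc=0
  pf_left=$(unresolved_placeholders "$1"); pf_missing=$(vservers_without_cert "$1")
  [ -z "$pf_left" ]    || { echo "unreplaced placeholders: $pf_left" >&2; pf_rc=1; }
  [ -z "$pf_missing" ] || { echo "no certificate bound: $pf_missing" >&2; pf_rc=1; }
  tenant_matches_issuer "$1" || { echo "tenantID and issuer disagree" >&2; pf_rc=1; }
  return "$pf_rc"
}
```

Run `preflight` on the filled-in file and hand it to `nscli batch -f` only on a zero exit status. The file holds the AAD client secret, so remove it from /var once the batch has been applied.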

Hello amahara755,


thank you for your quick response and your help...


I have checked these settings and this information several times also according to these guidelines.


Unfortunately I still have the same error in the log.


I have also downgraded to 12.1 latest build. (the same error)


I am still waiting for Citrix support. If I solve the problem in any way I will of course report it here... ;)  


I have configured using the below template in my Citrix Gateway 11.1 and it's working fine for us.




#Important Note: Please update the following placeholders with valid values:
# <NSG_IP> -- Virtual IP Address to be assigned to the NetScaler Gateway virtual server. This IP address must be reachable from your devices either directly or via a NAT.
# <SERVER_CERT_NAME> -- Name of the server certificate file on the NetScaler. This certificate is bound to the NetScaler Gateway virtual server.
# <AAD_CLIENT_SECRET> -- Value of secret generated using the CreateCitrixSecret.ps1 PowerShell script
# <ENV_NAME> - Display name for Gateway VServer (no spaces)
# <AAD_TENANT_ID> – This needs to be the Azure Tenant ID of where the customer's AAD is stored.

#COMMENT: Enabling Features.
enable ns feature LB SSL SSLVPN AAA
enable ns mode FR L3 MBF Edge USNIP PMTUD

#COMMENT: create the Netscaler Auth Virtual Server
add authentication vserver <ENV_NAME>_auth_vs SSL

#COMMENT: Create authentication profile
add authentication authnProfile <ENV_NAME>_authProf -authnVsName <ENV_NAME>_auth_vs

#COMMENT: Creating NetScaler Gateway virtual server.
add vpn vserver <ENV_NAME>_GW SSL <NSG_IP> 443 -Listenpolicy NONE -authnProfile <ENV_NAME>_authProf

#COMMENT: Create OAuth Action and Authentication Policy
add authentication OAuthAction <ENV_NAME>_oa_action -OAuthType INTUNE -clientID b6a53a76-5d50-499e-beb3-c8dbdad5c40b -clientSecret <AAD_CLIENT_SECRET> -tenantID <AAD_TENANT_ID> -audience https://citrix.onmicrosoft.com/29b86053-639c-4426-8725-4b3f3ecdaeee -issuer https://sts.windows.net/<AAD_TENANT_ID>/ -userNameField upn -certEndpoint "https://login.microsoftonline.com/common/discovery/v2.0/keys/"
add authentication Policy <ENV_NAME>_oa_pol -rule true -action <ENV_NAME>_oa_action

#COMMENT: Bind Auth Virtual Server to OAuth policy
bind authentication vserver <ENV_NAME>_auth_vs -policy <ENV_NAME>_oa_pol -priority 2 -gotoPriorityExpression END

#COMMENT: Create authentication loginSchema
add authentication loginSchema <ENV_NAME>_oa_loginschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyOAuthToken.xml"
add authentication loginSchemaPolicy <ENV_NAME>_oa_loginschema_pol -rule true -action <ENV_NAME>_oa_loginschema

#COMMENT: Create VPN session action and policy, and bind the policy to the Gateway virtual server
add vpn sessionAction <ENV_NAME>_session_action -transparentInterception ON -defaultAuthorizationAction ALLOW -icaProxy OFF -ClientChoices ON -clientlessVpnMode OFF
add vpn sessionPolicy <ENV_NAME>_session_policy  NS_TRUE <ENV_NAME>_session_action
bind vpn vserver <ENV_NAME>_GW -policy <ENV_NAME>_session_policy -priority 100

#COMMENT: Bind login schema policy to the Auth Virtual Server
bind authentication vserver <ENV_NAME>_auth_vs -policy <ENV_NAME>_oa_loginschema_pol -priority 2 -gotoPriorityExpression END

#COMMENT: Bind server certificate to NetScaler Gateway virtual server.
bind ssl vserver <ENV_NAME>_GW -certkeyName <SERVER_CERT_NAME>
bind ssl vserver <ENV_NAME>_auth_vs -certkeyName <SERVER_CERT_NAME>

save ns config


  • 3 months later...
  • 1 month later...



Did you manage to make it work?

We have the same issue with v13 and none of those work. Even new schemas don't fix the issue and just remove the NS complaints about null user and null password.

We managed to make this work only with that has vulnerabilities so we can't use it.

It's strange that nobody is complaining about it. Does everyone live with outdated and vulnerable NS?


From my digging and comparing working and non-working NS versions, my conclusion is as follows: the working one fails login with null null (username and password) and on retry forwards to dooauth and succeeds (using the onlyoauth schema).

And on the other version, while using onlyoauth, it gets a 500 when the client is redirected. And the new schemas just think the client is a normal browser coming in and stop at vpn/index.html, so clients are stuck in a retry loop.



This issue is fixed with the new MDX toolkit SDK (removed null user and null password flood) so who tried to use NS above version these were not working. 
