
Receiver Only Detected in IE When Performing Domain pass-through Authentication Due to ICA File Request Using Internal URL


Steve Lyons1709162131

Question

I am currently performing smart card authentication from a non-domain-joined workstation to an F5 with Kerberos Constrained Delegation to Storefront. When authenticating using IE 11, authentication is successful and I can see the Kerberos ticket being passed in a server side capture and I am presented applications and a desktop. When attempting authentication using Chrome and Firefox, I am prompted with a receiver detection screen where I select launch using receiver and nothing happens. In a web capture I can see the client and server communicating to determine detection status but that's it. If I select "Already Installed," I receive an error that no logons are available on this platform. I have changed the Receiver for Web Sites to disable the protocol handler and I receive the same error.

I am running Citrix StoreFront Version: 1909.1.0.11 with Receiver 4.12. I have installed workspace with the same results. I also enabled trace logging on Storefront and the client but can't seem to identify any errors. I have gone as far as trying to modify the user-agent in the http headers but that did not seem to have any impact on the user experience with Chrome or Firefox.

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true was run to allow me to actually launch items from Storefront but that does not assist with the detection when using other non-IE browsers.

ConnectionLeasingEnabled                    : True
DefaultMinimumFunctionalLevel               : L7_9
DesktopGroupIconUid                         : 1
DnsResolutionEnabled                        : False
LicenseServerName                           : XenApp1.itc.demo
LicenseServerPort                           : 27000
MetadataMap                                 : {}
Name                                        : udf
SecureIcaRequired                           : False
TrustManagedAnonymousXmlServiceRequests     : False
TrustRequestsSentToTheXmlServicePort        : True

When viewing trace logs of the storeWeb, I see IntegratedWindows as the available protocol choices.

GetResources: Returning Web Proxy challenge with reason notoken
List: returning Citrix.Web.AuthenticationManager.WebReceiverChallenge
Verify: called
Login: called
EnumerateProtocolChoices: Initializing ProtocolsServiceClient
EnumerateProtocolChoices: Getting protocols list.
EnumerateProtocolChoices: Completed protocols list. 
EnumerateProtocolChoices: Available protocols:IntegratedWindows

Link to comment

StoreAuth Log

HTTP Request Response: Status OK XML:
OK
HTTP Request End
Returning XML response Status:OK ContentType:'application/vnd.citrix.endpoints+xml' 
HTTP Request Start: POST http://srvsf.itc.demo/Citrix/UDF_storeAuth/auth/v1/token
HTTP Request Response:
Citrix.DeliveryServices.Security.CitrixAuth.IssueChallengeActionResult
HTTP Request End
HTTP Request Start: POST http://srvsf.itc.demo/Citrix/UDF_storeAuth/auth/v1/protocols
Parsed xml content of type 'Citrix.DeliveryServices.Security.Messages.RequestToken':
<?xml version="1.0" encoding="utf-8"?><requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken"><for-service>48d9f7d8-5a6d-45aa-a7da-e31b83e7c9ce</for-service><for-service-url>https://srvsf.itc.demo/Citrix/UDF_storeAuth/auth/v1/token</for-service-url><reqtokentemplate /><requested-lifetime>0.08:00:00</requested-lifetime></requesttoken>
CitrixAGBasicRequestFilter: Search for Gateway
AG Header: 
X-Forwarded-For: 10.1.10.7,10.1.20.4
REMOTE_ADDR: 127.0.0.1
X-Citrix-TrustCertRef: 
[ProtocolsController.Choices] Sending RequestTokenChoices with 2 choices
HTTP Request Response: Status MultipleChoices XML:
MultipleChoices
HTTP Request End
Returning XML response Status:MultipleChoices ContentType:'application/vnd.citrix.requesttokenchoices+xml' Encoding:System.Text.UTF8Encoding
Response XML content:
<?xml version="1.0" encoding="utf-8"?><requesttokenchoices xmlns="http://citrix.com/delivery-services/1-/auth/requesttokenchoices"><choices><choice><protocol>IntegratedWindows</protocol><location>https://srvsf.itc.demo/Citrix/UDF_storeAuth/Integrated/Authenticate</location></choice><choice><protocol>CitrixFederation</protocol><location>https://srvsf.itc.demo/Citrix/UDF_storeAuth/CitrixFederation/Authenticate</location></choice></choices></requesttokenchoices>

Link to comment
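
A check that can be run over a StoreAuth trace like the one in the post above, as an added example that is not part of the original thread or Citrix's own tooling: it pulls every URL that the XML payloads carry and reports the ones whose host is not the name users reach the gateway on. `EXTERNAL_HOST` and the sample trace are assumptions constructed for the example; the thread never states the external name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: the name users reach the F5 on; the thread never states it.
EXTERNAL_HOST = "gateway.example.com"

# Constructed sample, shaped like the StoreAuth trace in the post above.
# The last line is cut off the way a pasted trace can be, to show the skip path.
SAMPLE_TRACE = """\
HTTP Request Start: POST http://srvsf.itc.demo/Citrix/UDF_storeAuth/auth/v1/protocols
<?xml version="1.0" encoding="utf-8"?><requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken"><for-service-url>https://srvsf.itc.demo/Citrix/UDF_storeAuth/auth/v1/token</for-service-url></requesttoken>
<?xml version="1.0" encoding="utf-8"?><requesttokenchoices xmlns="http://citrix.com/delivery-services/1-/auth/requesttokenchoices"><choices><choice><protocol>IntegratedWindows</protocol><location>https://srvsf.itc.demo/Citrix/UDF_storeAuth/Integrated/Authenticate</location></choice><choice><protocol>CitrixFederation</protocol><location>https://gateway.example.com/Citrix/UDF_storeAuth/CitrixFederation/Authenticate</location></choice></choices></requesttokenchoices>
<?xml version="1.0" encoding="utf-8"?><requesttokenchoices><choices><choice><location>https://srvsf.itc.demo/x</location></choice></choices></requesttokenchoices
"""


def advertised_urls(trace):
    """Return ([(element, url)], skipped): URLs carried as element text in XML trace lines."""
    found, skipped = [], 0
    for line in trace.splitlines():
        line = line.strip()
        if not line.startswith("<?xml"):
            continue  # plain log line, not an XML payload
        try:
            root = ET.fromstring(line.encode("utf-8"))
        except ET.ParseError:
            skipped += 1  # truncated or damaged payload; count it, do not guess
            continue
        for el in root.iter():
            text = (el.text or "").strip()
            if text.lower().startswith(("http://", "https://")):
                found.append((el.tag.rsplit("}", 1)[-1], text))  # drop the namespace
    return found, skipped


def off_gateway(trace, external_host=EXTERNAL_HOST):
    """Return ([(element, host, url)], skipped) for URLs not on the external host."""
    urls, skipped = advertised_urls(trace)
    hits = []
    for tag, url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host != external_host.lower():
            hits.append((tag, host, url))
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = off_gateway(SAMPLE_TRACE)
    for tag, host, url in hits:
        print(f"<{tag}> points at {host}: {url}")
    print(f"{skipped} XML line(s) could not be parsed")
```
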

After moving on from HTTP captures I started DNS captures from the client. Strangely enough, the external client is trying to resolve the internal base FQDN. I have beacons set up for internal and external, ensuring the external cannot resolve the internal name, but for some reason it still tries to use the internal name. Is there a way to configure Citrix Receiver to only use a specified URL?

Link to comment

I created a route and DNS record for my external client to communicate with Storefront to see why the communication was required.  The client is reaching out for /Citrix/Store/clientAssistance/getIcaFile in which the Storefront server responds.  All traffic still flows through my external gateway but for some reason just the /getIcaFile request is sent directly to my Storefront server.  How do I change this?

Link to comment

I created a route and DNS record for my external client to communicate with Storefront to see why the communication was required.  The client is reaching out for /Citrix/Store/clientAssistant/getIcaFile in which the Storefront server responds.  All traffic still flows through my external gateway but for some reason just the /getIcaFile request is sent directly to my Storefront server.  How do I change this?

Also, this does NOT occur when using IE.  All communication occurs through the external gateway.

Link to comment

Running through the Store web.conf file, I see the order in which these events occur but it doesn't tell me why it uses the internal URL versus the URL the user is accessing the external gateway from. This is the only event that attempts to use this URL. All other traffic is passed through the original external gateway.

             <add name="endpointId" value="DataStoreUpdate" />
              <add name="endpointCapabilities" value="dataStoreUpdate" />
            </data>
          </route>
          <route name="clientAssistantReportDetectionStatus" order="20" url="clientAssistant/reportDetectionStatus">
            <defaults>
              <add param="controller" value="ClientAssistant" />
              <add param="action" value="ReportDetectionStatus" />
            </defaults>
            <data>
              <add name="endpointId" value="ClientAssistantReportDetectionStatus" />
              <add name="endpointCapabilities" value="clientAssistantReportDetectionStatus" />
            </data>
          </route>
          <route name="clientAssistantGetIcaFile" order="21" url="clientAssistant/getIcaFile">
            <defaults>
              <add param="controller" value="ClientAssistant" />
              <add param="action" value="GetIcaFile" />
            </defaults>
            <data>
              <add name="endpointId" value="ClientAssistantGetIcaFile" />
              <add name="endpointCapabilities" value="clientAssistantGetIcaFile" />

Link to comment
