
Citrix SSO, nFactor (LDAPS + DUO) & Citrix Gateway Full VPN issues

Justin Delpero


Hi All,


I'm looking for assistance to set up a macOS Big Sur-ready Citrix Gateway VPN configuration. From what I understand, to maintain full 2FA for Citrix SSO I need to set up the Gateway to use nFactor instead of basic authentication.


I've brought up an identical test gateway using my existing configuration with the exception of switching basic authentication policies for an nFactor advanced policy. The nFactor AAA was configured as per Duo's documentation to facilitate LDAPS & Duo RADIUS authentication.

- This test gateway configuration is working when using Receiver & Receiver for Web. I can authenticate to AD, confirm my Duo 2FA request, then Storefront is presented and I can launch apps.

- The traditional Citrix VPN client (Windows 10) works when using the client choices page but doesn't when using the app itself; it seems to get stuck on the Duo iFrame with a script error? But I'm not overly concerned by this if the web method works.


However I can't connect to the VPN using the Citrix SSO App from both MacOS & Android:

- Using the Citrix SSO client on my Android device, (provided I set Duo to bypass) I can connect to the VPN on the original gateway but not on the new nFactor enabled test gateway. Clearly nFactor has broken the ability to use the VPN via Citrix SSO App? 


So I'm a bit stuck, I've got a Gateway running with nFactor & Duo but Citrix SSO is still not functional.


Notable Diagnostics from Citrix SSO log:

2021-01-29T16:25:34.983+1100AuthV3ModelINFO      ( 4)AuthV3 support disabled via feature flag, using legacy auth...1622816579Citrix SSO

2021-01-29T16:25:35.033+1100CtxVpnManagerDEBUG2    ( 7)AuthV3 support not found, falling back to legacy auth1622816228Citrix SSO

2021-01-29T16:25:35.118+1100ClassicAuthSvcWARNING   ( 3)Valid pwcount cookie not found, checking if we got an expired one from gateway1622816578Citrix SSO

2021-01-29T16:25:35.119+1100ClassicAuthSvcWARNING   ( 3)pwcount cookie not found1622816578Citrix SSO

2021-01-29T16:25:35.119+1100ClassicAuthSvcWARNING   ( 3)pwcount should be a number: 1622816578Citrix SSO

2021-01-29T16:25:35.119+1100ClassicAuthSvcINFO      ( 4)Using pwcount=01622816578Citrix SSO

2021-01-29T16:25:37.261+1100CtxVpnManagerINFO      ( 4)Classic auth state: UserCredentialsRequired1622816228Citrix SSO

2021-01-29T16:25:37.261+1100CtxVpnManagerINFO      ( 4)User credentials needed, asking user...1622816228Citrix SSO

2021-01-29T16:25:37.261+1100m2DEBUG1    ( 6)start authentication activity1622816228Citrix SSO

2021-01-29T16:25:50.218+1100CtxVpnManagerINFO      ( 4)Classic auth state: AuthFailed(DialogModeNotSupported)1622816228Citrix SSO

2021-01-29T16:25:50.218+1100CtxVpnManagerERROR     ( 2)Server not reachable. Check connection1622816228Citrix SSO



  • 3 weeks later...

Just an update: whilst the Android Citrix SSO client doesn't work, I have no issues with MacOS Citrix SSO, which was our primary objective, so I'll probably just park the defects until there is a requirement for Android Citrix SSO to work.

- I'm really hoping that Citrix / Duo Security get together and make all this a bit easier at some point. iFrames are such a PITA when used within Citrix Apps.


  • 4 weeks later...

Support for nFactor authentication is currently in tech preview for Android Citrix SSO and is being enabled for select customers willing to participate in the tech preview. You may want to contact Citrix Gateway support to enable it for your gateway. They will need your Gateway's FQDN (e.g., vpn.mycompnay.com) to enable it. Here is the feature comparison matrix for Citrix Gateway clients.
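
As an added example (not part of the thread and not Citrix code), a small Python triage script for the Citrix SSO log excerpt in the first post: it splits the fused columns and reports whether the client fell back to legacy auth, the classic auth states it passed through, and the AuthFailed reason. The column layout is an assumption inferred from the posted lines, and `parse_line` and `triage` are hypothetical helper names.

```python
import re
from datetime import datetime

# Sample input: four lines taken from the log in the first post. Assumed column
# layout (inferred from those lines): timestamp, component, level, "(n)", message.
SAMPLE_LOG = """\
2021-01-29T16:25:34.983+1100AuthV3ModelINFO      ( 4)AuthV3 support disabled via feature flag, using legacy auth...1622816579Citrix SSO
2021-01-29T16:25:37.261+1100CtxVpnManagerINFO      ( 4)Classic auth state: UserCredentialsRequired1622816228Citrix SSO
2021-01-29T16:25:50.218+1100CtxVpnManagerINFO      ( 4)Classic auth state: AuthFailed(DialogModeNotSupported)1622816228Citrix SSO
2021-01-29T16:25:50.218+1100CtxVpnManagerERROR     ( 2)Server not reachable. Check connection1622816228Citrix SSO
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}[+-]\d{4})"
    r"(?P<component>\w+?)(?P<level>INFO|WARNING|ERROR|DEBUG\d?)\s+"
    r"\(\s*(?P<prio>\d+)\)(?P<msg>.*)$"
)
# Letters only, so the digits fused onto the end of the message are not captured.
STATE_RE = re.compile(r"Classic auth state: ([A-Za-z]+)(?:\(([A-Za-z]+)\))?")

def parse_line(line):
    """Split one fused log line; the trailing id/app columns stay inside msg."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return rec

def triage(log_text):
    """Summarise which auth path the client took and how it ended."""
    out = {"legacy_fallback": False, "states": [], "failure": None,
           "errors": [], "seconds_to_failure": None}
    first_ts = None
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        first_ts = first_ts or rec["ts"]
        if "legacy auth" in rec["msg"]:
            out["legacy_fallback"] = True
        state = STATE_RE.search(rec["msg"])
        if state:
            out["states"].append(state.group(1))
            if state.group(1) == "AuthFailed":
                out["failure"] = state.group(2)
                out["seconds_to_failure"] = (rec["ts"] - first_ts).total_seconds()
        if rec["level"] == "ERROR":
            out["errors"].append(rec["msg"])
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a full client log, a result with `legacy_fallback` set and `failure` equal to `DialogModeNotSupported` matches the pattern posted above, which helps separate it from the generic "Server not reachable" error shown to the user.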


