Jump to content
Welcome to our new Citrix community!
  • 0

Unwanted authentication prompt within the Windows Receiver and Workspace apps

Stewart Michie


Hi All


Am stuck on a bit of a weird problem with an unwanted authentication prompt within the Windows Receiver and Workspace apps. 


We're using ADC/Netscaler v12.1.60.x for remote access to Citrix.

We're using nFactor Auth: 

1st Factor: Azure AD SAML

2nd Factor: LDAP.


The LDAP 2nd factor is being used as we don't want to use FAS and it was the only way to keep Storefront happy with logon via Netscaler.


The login process flows as follows:


  1.  User accesses NetScaler URL https://citrix.company.com
  2.  User is  redirected from NetScaler (SP) to SAML IDP
  3.  User completes SAML IDP and if successful, are redirected back to NetScaler (SP)
  4.  User is prompted for their AD password - We're using the PrefilUserFromExpr.xml schema so the username (in UPN format) is pre-filled from the SAML response. The LDAP profile is configured to only accept a UPN as as username. 
  5.  User enters AD password and if successful, Storefront opens and users can access their apps


This works brilliantly from the web browser and iPad Workplace appBut for some reason on the Windows Receiver or Workplace application, after the successful SAML and LDAP authentication steps, users are being prompted for credentials again by a Receiver/Workspace dialog box. Weirdly, this dialog box only successfully authenticates when using a the pre-Windows2000 login name (not UPN). I suspect it is something to do with Storefront Configuration, but not sure where to start. Attached is a screenshot of the final, unwanted credentials prompt. The only LDAP profile associated with the VS is configured to only accept UPN, so I don't think it is related to the NetScaler LDAP configuration. 


Appreciate any help or guidance! 




Link to comment

1 answer to this question

Recommended Posts

  • 0

Workspace app uses the Internal Beacon to determine if the client device is internal or not. If internal, then Workspace app will try to connect directly to the StoreFront URL and bypass Citrix Gateway. However, if that logon prompt was coming from StoreFront then there's usually a Save Password checkbox.


When you enter credentials, do you see it in "cat /tmp/aad.debug" on your ADC?


Is StoreFront configured to accept the UPN suffix in its list of Trusted Domains?

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...