Workspace App on IOS keeps asking for Client Certificate


Hi,

We configured an nFactor authentication flow with optional certificate-based authentication. Fallback to login without a client certificate is configured correctly and works with browsers.

Therefore we had to set Client Authentication ON and Client Certificate to OPTIONAL in the SSL profile.

For now, Workspace App on iOS is unusable (Version 21.6.0.2 / 2106). Workspace App keeps asking for a client certificate or to import one - no chance to simply skip this for logging in without a client certificate.

Is there any chance to solve that?

Best regards

Thomas


Hello Thomas,

You have to filter your certauth policy for only working user-agents, because an auto fallback for non-certauth-working clients (like the iOS Workspace App) isn't working on ADC.

Check out my blog post (I'm using user certs, but this should also work with client certs) for the filtering details:

https://citrixguyblog.com/2021/05/28/citrix-adc-nfactor-user-certificate-authentication-or-the-demystifying-of-user-agent-header/

Hope this helps with your implementation.

Best Regards

Julian


2 months later...

Hi Julian,

Sorry that I didn't respond, and many thanks for your answer!

The problem still exists, and it seems that Workspace App for iOS is already requesting a client certificate if "Client Certificate" in the matching SSL profile is set to "optional", even if the nFactor flow doesn't contain any certificate checks.

Seems to be slightly buggy in Workspace App for iOS... I think the next step will be to open a support case :)

Many thanks!

Best regards

Thomas


1 year later...

Two things are important when doing client-cert-auth:

1. The SSL profile with Client Authentication ON and Client Certificate set to OPTIONAL should only be bound to the AAA vServer, NOT to your corresponding GW vServer, as you will otherwise get double or looped certauth requests. Make sure your GW vServer has another SSL profile bound where Client Authentication isn't enabled.

2. Your CERT-Auth policy should never use an expression like true (or classic auth ns_true). You have to set a matching expression for the clients/browsers where certauth is supported; an example where the Workspace App for iOS is surely excluded is:
HTTP.REQ.HEADER("User-Agent").CONTAINS("Edg")||HTTP.REQ.HEADER("User-Agent").CONTAINS("Chrome")||HTTP.REQ.HEADER("User-Agent").CONTAINS("Firefox")||HTTP.REQ.HEADER("User-Agent").CONTAINS("CWAWEBVIEW")

This includes the following clients, where certauth is supported:

Browser MS Edge

Browser Google Chrome

Browser Mozilla Firefox

Workspace App for Windows and Mac at a minimum of version 1809 and higher (as the browser engine ships with that version)

Would be happy to get feedback about your tests.

Regards

Julian


Hi Julian

I am using the client certificate to extract the ISSUER in the cert, and based on that information I am redirecting the user to a specific Azure tenant to get authenticated.

The FQDN for the gateway is a shared FQDN, so the expression is something like CLIENT.SSL.CERT.ISSUER.CONTAINS("custom root ca1")

The machines are enrolled in Azure, so even the username is not required in the certificate.

The AAA vServer is IP-less (0.0.0.0), selected via an authprofile, although I'll test the settings just to confirm.


1 hour ago, Morten Kallesøe said:

Just FYI,

if I disable client auth optional on the Gateway server and only have it on my AAA vs, client cert auth is NOT triggered (as I would expect).

(I am not using profiles)

The AAA vs is selected via an authentication profile.

Very strange, I'm always using this procedure to avoid double certauth popups. Only on my AAA (also NA) is certauth enabled; on my GW vServers I'm only linking all root / intermediate / policy CAs of the matching PKI, but certauth is disabled there, and the certauth popup comes one time from the AAA as it's linked via authentication profile, like in your scenario.

What happens when you're extending your certauth expression "CLIENT.SSL.CERT.ISSUER.CONTAINS("custom root ca1")" with "&&HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver-iPhone").NOT" ?

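To check which clients the two expressions in this thread actually select, here is an added Python model (not code from the thread, from Citrix, or from the blog post linked above) of the User-Agent allowlist from Julian's earlier post and the ISSUER/iPhone combination suggested here. CONTAINS is modelled as a case-sensitive substring match, and the User-Agent strings and issuer value are constructed samples, not captured from real clients.

```python
"""Offline model of the two cert-auth policy expressions discussed in this thread.

Added example; CONTAINS is modelled as a case-sensitive substring match, and all
User-Agent strings and the issuer DN below are constructed samples.
"""
from dataclasses import dataclass

# Substrings from the allowlist expression in Julian's post (clients where certauth works).
CERTAUTH_UA_ALLOWLIST = ("Edg", "Chrome", "Firefox", "CWAWEBVIEW")
# Substring used in the thread to exclude the Workspace App for iOS explicitly.
IOS_WORKSPACE_UA_MARKER = "CitrixReceiver-iPhone"


@dataclass
class Request:
    user_agent: str
    cert_issuer: str = ""  # empty when the client presented no certificate at all


def ua_allowlist_matches(req: Request) -> bool:
    """HTTP.REQ.HEADER("User-Agent").CONTAINS("Edg")||...||CONTAINS("CWAWEBVIEW")"""
    return any(marker in req.user_agent for marker in CERTAUTH_UA_ALLOWLIST)


def issuer_and_not_ios_matches(req: Request, issuer_fragment: str = "custom root ca1") -> bool:
    """CLIENT.SSL.CERT.ISSUER.CONTAINS("custom root ca1")
    && HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver-iPhone").NOT"""
    return issuer_fragment in req.cert_issuer and IOS_WORKSPACE_UA_MARKER not in req.user_agent


# Constructed sample requests; the issuer mimics the shared-FQDN scenario in the thread.
ISSUER = "CN=custom root ca1,O=Example"
SAMPLES = {
    "chrome_desktop": Request("Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Safari/537.36", ISSUER),
    "edge_desktop": Request("Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Safari/537.36 Edg/120.0", ISSUER),
    "firefox_linux": Request("Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0", ISSUER),
    "workspace_windows": Request("Mozilla/5.0 (Windows NT 10.0) CWAWEBVIEW/2311", ISSUER),
    "workspace_ios": Request("CitrixReceiver-iPhone/23.11", ISSUER),
    "safari_mac_no_cert": Request("Mozilla/5.0 (Macintosh) AppleWebKit/605.1 Safari/605.1", ""),
}


def evaluate_all() -> dict:
    """Return {name: (allowlist_matches, issuer_and_not_ios_matches)} for every sample."""
    return {name: (ua_allowlist_matches(r), issuer_and_not_ios_matches(r))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allow, issuer_ok) in evaluate_all().items():
        print(f"{name:20} ua-allowlist={allow!s:5} issuer&&not-ios={issuer_ok}")
```

Note that the allowlist alone never fires for the iOS sample, while a bare ISSUER check would; only the added `.NOT` clause keeps the iOS Workspace App out of the cert-auth factor when the issuer matches.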
