Azure AD Guest access with FAS and on premises VDA


Janne Lähteenmäki

Question

I'm trying to find sample documentation on how to allow Azure AD Guest accounts like firstname.lastname_guest.domain#EXT#@serviceprovider.onmicrosoft.com to log on and launch an on-premises VDA application. However, I don't even see the application in /Citrix/StoreWeb.
When using normal hybrid accounts of serviceprovider.com, the application is visible to AD group members and launches normally. Currently using on-premises FAS.

 

I went so far as adding the suffix serviceprovider.onmicrosoft.com to the serviceprovider.com domain, then created a shadow account for firstname.lastname_guest.domain#EXT# with the UPN suffix serviceprovider.onmicrosoft.com and added the shadow account as a member of the required AD group. But so far no success and no errors. Just an empty StoreWeb. No certificate is created for the shadow account either.

 

Any links or suggestions are greatly appreciated.

 

Janne

2 answers to this question

On 11/25/2021 at 7:30 PM, Janne Lähteenmäki said:

Answering my own question. I have come to the conclusion that granting B2B users in Azure AD access to your on-premises applications with Citrix Cloud, Azure AD authentication and FAS is currently (11/2021) not possible. One has to use Citrix Gateway for authentication and SAML federation with Azure AD to get Kerberos Constrained Delegation working for on-premises applications.

If someone has a better understanding of the subject, please correct me if I'm wrong.

Janne

 


Hi,

 

It can be done by using "Citrix Cloud SAML SSO":
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrix-cloud-saml-sso-tutorial

Short description:
For your regular users you need to sync the objectGUID as a Directory Extension:

[screenshot of the Azure AD Connect directory extension selection not preserved]

 

Now you can follow the above tutorial. You need to use this extension in the "cip_oid" claim:

[screenshot of the cip_oid claim mapping not preserved]

 

For guest users:
-  Create a shadow account for your guest user in your local AD.

-  Prevent the shadow account from being synced to Azure AD.

-  The UPN of the shadow account should be "firstname.lastname_guest.domain#EXT#@serviceprovider.onmicrosoft.com"

-  Now we need the shadow account's ObjectGUID and SID in Azure. For the ObjectGUID I used the new extension.
    For the SID I only got it to work with a string attribute, so I used "extensionAttribute1" for this.
    I have created this little PS script to fill the attributes (use at your own risk):

cls

# Requires the ActiveDirectory and AzureAD PowerShell modules.
Import-Module ActiveDirectory

# UPN of the B2B guest object in Azure AD and sAMAccountName of its on-prem shadow account
$AzureGuestUserUpn='firstname.lastname_guest.domain#EXT#@serviceprovider.onmicrosoft.com'
$OnPremSamaccountName='firstname.lastname_guest.domain'

Connect-AzureAD

# +++ Get GUID-attribute from Azure AD:
# The directory extension synced by Azure AD Connect is registered on the
# "Tenant Schema Extension App" and is named extension_<appId>_objectGUID.
$app = Get-AzureADApplication | where displayName -eq "Tenant Schema Extension App"
$GuidAttrib=(Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId|?{$_.Name -like '*_objectGUID'}).name

# +++ SID attribute in Azure AD (string attribute used to carry the SID for the cip_sid claim)
$SidAttrib='extensionAttribute1'

# Get SID from local AD:
$AdSid=(Get-ADUser -Identity $OnPremSamaccountName).SID.Value

# Get GUID from local AD and convert it to Base64 (same encoding as the synced extension):
$AdGuid=(Get-ADUser -Identity $OnPremSamaccountName).objectGUID.guid
$ADGuidBase64=[system.convert]::ToBase64String(([GUID]$AdGuid).ToByteArray())

# Set GUID and SID on the Azure AD guest object:
Set-AzureADUserExtension -ObjectId $AzureGuestUserUpn -ExtensionName $GuidAttrib -ExtensionValue $ADGuidBase64
Set-AzureADUserExtension -ObjectId $AzureGuestUserUpn -ExtensionName $SidAttrib -ExtensionValue $AdSid

- Now I changed the "cip_sid" claim into a Transform:

[screenshot of the cip_sid claim not preserved]

Transform:

[screenshot of the claim transform not preserved]

 

Now, with FAS enabled, it should work as expected.
After testing this, we decided against using it (at the moment). In some cases, we need to license the external users (M365 E3) who should use a published Desktop.

So syncing them is easier ;-).

But the SAML setup fixed another issue for us: nested groups are working, which they were not with "Azure Active Directory" authentication...
 

greetings

Tobi

Edited by Tobias Lücke
Corrected a little mistake in the script
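A consistency check to run after the attribute-filling script above, added here as an example and not part of Tobi's post or of Citrix's documentation. It reads the shadow account from AD, computes the values the cip_oid and cip_sid claims should carry, and compares them with what is stored on the Azure AD guest object. The "User_NoSync" adminDescription convention for excluding the account from sync and the optional required-group name are my assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): verify that the on-prem shadow account
# and the Azure AD guest object agree before testing the SAML + FAS logon.
param(
    [string]$AzureGuestUserUpn   = 'firstname.lastname_guest.domain#EXT#@serviceprovider.onmicrosoft.com',
    [string]$OnPremSamAccountName = 'firstname.lastname_guest.domain',
    [string]$SidAttrib            = 'extensionAttribute1',   # string attribute used for cip_sid (as in the post)
    [string]$RequiredGroup        = ''                       # assumed: AD group that publishes the app
)
Import-Module ActiveDirectory
Connect-AzureAD | Out-Null

$problems = @()

# 1. Shadow account exists and its UPN matches the guest UPN the claims are issued for.
$shadow = Get-ADUser -Identity $OnPremSamAccountName -Properties userPrincipalName, adminDescription, memberOf
if ($shadow.UserPrincipalName -ne $AzureGuestUserUpn) {
    $problems += "UPN mismatch: AD '$($shadow.UserPrincipalName)' vs Azure '$AzureGuestUserUpn'"
}

# 2. Shadow account must stay out of Azure AD Connect (assumption: adminDescription 'User_*' filter).
if ($shadow.adminDescription -notlike 'User_*') {
    $problems += "adminDescription '$($shadow.adminDescription)' does not match the assumed no-sync filter"
}

# 3. Optional: the account is actually in the group the application is published to.
if ($RequiredGroup -and -not ($shadow.memberOf -match "^CN=$([regex]::Escape($RequiredGroup)),")) {
    $problems += "Shadow account is not a direct member of '$RequiredGroup'"
}

# 4. Expected claim values derived from AD (same Base64 encoding as the synced extension).
$expectedGuid = [Convert]::ToBase64String($shadow.ObjectGUID.ToByteArray())
$expectedSid  = $shadow.SID.Value

# 5. Actual values stored on the Azure AD guest object.
$app = Get-AzureADApplication | Where-Object DisplayName -eq 'Tenant Schema Extension App'
$guidAttrib = (Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId |
               Where-Object Name -like '*_objectGUID').Name
$ext = Get-AzureADUserExtension -ObjectId $AzureGuestUserUpn
if ($ext[$guidAttrib] -ne $expectedGuid) {
    $problems += "objectGUID: Azure '$($ext[$guidAttrib])' vs AD '$expectedGuid'"
}
if ($ext[$SidAttrib] -ne $expectedSid) {
    $problems += "SID: Azure '$($ext[$SidAttrib])' vs AD '$expectedSid'"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Shadow account and Azure AD guest object are consistent."
```

A mismatch in step 4/5 explains an empty StoreWeb or a missing FAS certificate more reliably than the logon itself, because the claims are mapped silently to the wrong (or no) AD account.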