  • 0

Issue getting PRT From Azure AD for SSO


MItchell Broadway

Question

Issue with not getting a PRT from Azure AD for SSO. Any help is much appreciated.

 

We’ve successfully set up Azure AD Hybrid Join for Citrix machines, which looks to be working properly.  Once we have a user log in to the desktop, we’re failing to get a PRT for the user, which is synced up to Azure AD, and the PRT is required for SSO to work.  We see the following when running ‘dsregcmd /status’:

 


17 answers to this question

Recommended Posts

  • 1

We ran into a similar issue and eventually went with implementing Seamless SSO, which was enabled at the tenant level, and there was no need to disable FAS. We received an update from the Engineering team that FAS would still work with Seamless SSO.

Azure AD Connect: Seamless Single Sign-On - quickstart - Microsoft Entra | Microsoft Learn

That is not all: I had to enable two additional registry keys on the client side to make SSO work successfully for all the enterprise apps integrated with MFA within the organization. Below are the keys for your reference:
Azure AD Connect: Seamless Single Sign-On - quickstart - Microsoft Entra | Microsoft Learn

This was being treated as the short-term solution, however there is conversation going back and forth with MS and Citrix on Azure AD CBA to be the long-term solution for HAAD Join and Azure AD Join machines fully integrated with FAS, which would allow devices to obtain a Primary Refresh Token.

  • Like 1
  • 1

In our scenario the VDAs are hybrid joined. If you follow the Citrix guidance for hybrid joined machines and have certificate-based auth enabled in your Azure AD, then SSO works successfully and you will have a PRT.  The MCS catalog needs to be created as "Hybrid Azure AD joined"; that way Citrix handles the machine certificates via the domjoin account.  

The master does need to "/leave" AAD as part of the master sealing process, and the scheduled task on the machine does need to be set to "join" on start.  One other gotcha here: once you create the catalog and the machine accounts for on-prem AD, give it time to replicate to AAD, as SSO won't work until that happens.  But once all is synced, the VDA comes up and hybrid joins AAD immediately, and when the user logs in they are able to use the FAS cert to get a Kerberos TGT, use that for cert auth to AAD and get the PRT.  All SSO apps that rely on the PRT work at this point.

 

  • Like 1
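The seal-and-rejoin steps the post above describes (a dsregcmd /leave on the master before sealing, then a startup task on the provisioned VDA that runs dsregcmd /join once the on-prem computer object has replicated) as an added PowerShell example. This is not Citrix's script nor the poster's; it assumes an elevated PowerShell session, the built-in ScheduledTasks module (Windows 8 / Server 2012 and later) and dsregcmd.exe on the path. The task name and folder are arbitrary choices. Both functions honour -WhatIf, so the commands can be previewed before anything is changed.

```powershell
# Added example, not from the thread. Assumes: elevated PowerShell, ScheduledTasks
# module available, dsregcmd.exe on the PATH. Task name and path are arbitrary.

function Invoke-MasterAadLeave {
    # Run on the master image just before sealing it for MCS. A master that is still
    # hybrid joined would carry its device identity into every clone, so leave first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $status = & dsregcmd.exe /status
    if (-not ($status -match '^\s*AzureAdJoined\s*:\s*YES')) {
        Write-Verbose 'Master is not Azure AD joined; nothing to leave.'
        return $false
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'dsregcmd /leave')) {
        & dsregcmd.exe /leave | Out-Null
        # Re-read the state instead of trusting the exit code of dsregcmd.
        $after = & dsregcmd.exe /status
        return -not ($after -match '^\s*AzureAdJoined\s*:\s*YES')
    }
    return $false
}

function Register-HybridJoinAtStartup {
    # Run inside the VDA build (for example from a GPO startup script) so each clone
    # attempts its own hybrid join at boot. If Azure AD Connect has not yet synced the
    # clone's computer object, /join fails and is simply retried at the next boot.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TaskName = 'Citrix-HybridJoin-AtStartup',   # arbitrary name
        [string]$TaskPath = '\Custom\'                       # arbitrary folder
    )

    $action    = New-ScheduledTaskAction -Execute 'dsregcmd.exe' -Argument '/join'
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    # dsregcmd /join has to run as SYSTEM; Highest run level avoids UAC token filtering.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                     -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                     -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

    if ($PSCmdlet.ShouldProcess("$TaskPath$TaskName", 'Register scheduled task')) {
        return Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
            -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
    }
}

# Preview on the master without changing anything:
Invoke-MasterAadLeave -WhatIf -Verbose
Register-HybridJoinAtStartup -WhatIf
```

Drop the -WhatIf switches to apply the changes: the leave on the master as the last sealing step, the task registration in the image that MCS provisions from.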
  • 0

I've been fighting this same issue for 3 months.  No SSO state or PRT in Citrix but it works fine in RDP to the same VDA.  I'm using AD Connect, no ADFS, with FAS.  Gold masters get a dsregcmd /leave before being sealed and deployed via MCS.  I've spent hours working with Microsoft and Citrix support.  Microsoft says it's a Citrix issue considering it works fine via RDP and on our physical devices.  And Citrix claims the SSO/PRT states do not come through.  However, there are products that advertise working with SSO in Citrix such as IAMCloud's Cloud Drive Mapper.  What gives?  Any luck anyone?

 

Ultimately, how do you get SSO to work within a VDA published desktop and published application?  If FAS prevents PRT from working, then how do we get it to work?

  • 0

From multiple sources we got this information:

•    Hybrid joined machines can obtain a PRT ("primary refresh token", which achieves SSO to AAD) if the user authenticates to the machine with a password or a Hello key.
     o    Microsoft achieves this SSO by "replaying" the password or key to authenticate to AD and to authenticate to AAD.
•    However, as yet there is no way of obtaining a PRT using a FAS certificate.

CBA from a browser is currently in Microsoft public tech preview: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication .

The FAS in-session certificate can be used to authenticate to AAD from a browser within a VDA session, but we are not currently recommending this:
•    the user experience is not ideal
•    in-session certificates do not support failover
•    a PRT is not generated for the user's Windows session

Also Microsoft is very soon to release a beta of certificate auth for AAD. This is actual PKI-based certificate auth (not naked keys), so it seems like it might be usable by FAS as a means of doing SSO to AAD for hybrid joined VMs.

Assuming all goes well, this upcoming feature will allow FAS to do SSO to AD and AAD at VDA logon time for a hybrid-joined VDA, and a PRT will be generated.
 

  • 0

Thanks Phaneesh!

 

Everything you've stated here is in alignment with my experience fighting with AzureAD/ADConnect/FAS (No ADFS) and in-session seamless SSO.  We tested the Azure AD Cert authentication but as you stated, it is not true SSO since the user has to know to click on certificate authentication in the browser when prompted for authentication before selecting their cert.  And of course this doesn't work at all for seamless SSO to o365/OneDrive/etc.

 

You did catch my attention on your following statement:

        "Hybrid joined machines can obtain a PRT ("primary refresh token", which achieves SSO to AAD) if the user authenticates to the machine with a password or a hello key"

 

I've heard of others getting seamless SSO to work within a VDA session, and the one thing that seems to be different is they are using Windows Hello for Business, whereas we are not.  Any chance you can elaborate on this point?  And how it might work with FAS?  For example, if FAS is losing the PRT/SSO token/states now, how is adding Windows Hello for Business changing this?  Does FAS pass the Hello 'key/cert'?  Or is it that the VDA registers seamlessly with Windows Hello for the user at first login and sort of creates PRT/SSO info for the client independent of what's passed from FAS?

  • 0
On 8/16/2022 at 5:34 PM, MItchell Broadway said:

We see the exact same on our Cloud VDI environment.  If we turn FAS off and then proceed with a double login prompt the PRT works as expected.  When FAS is on it also prompts the user over and over for work or school account leading to a poor user experience.  We have been working on this since January of 2022 and still have no fix as we cannot make changes such as Hello or ADFS.

  • 0

I'd like to thank everyone for their contributions to this discussion; you've just saved me a great deal of time and what remains of my hair!

 

I'm currently mulling over if I want (or will be able) to go for the Azure AD certificate-based authentication, it will be difficult to get the security team to buy into allowing the CRL to be public web facing.

 

We don't tend to use Azure/M365 for the external Citrix gateway users, but do for the internal network users. Would it be possible to have 2 stores, one for internal that uses pass-through auth and one for external that uses the FAS? Is it possible to keep the stores in sync, so that the user's workspace doesn't change from one to the other?

 

Thanks for any help you might be able to provide.

  • 0

Thanks for the tip @UDDAVE JAJOO

 

We currently have our tenant federated with a 3rd party, but are planning to move to direct authentication with M365 and seamless SSO. We are testing with PRT SSO for a few accounts and I ran into this issue when I was testing a new app deployment in Citrix. We don't normally need to use Office apps, but the new deployment needs Excel to open some of the content.

  • 0
On 11/17/2022 at 1:01 PM, Mark Riley1709163409 said:


Hello Mark, our identity team was reluctant to implement Azure AD CBA right away, so based on a recommendation from MS they also implemented Seamless SSO within Azure AD; now all the authentication for enterprise apps and M365 is handled by the Seamless SSO implemented by the AD team. You would not have to perform any specific changes on the VDA end. Just make sure to check the respective device state within Azure AD, as with SSO implemented the device state gets changed to Azure AD registered, compared to Azure Hybrid Join or Azure AD Join.
 

  • 0
On 11/17/2022 at 2:27 AM, UDDAVE JAJOO said:


Hi all,

 

any news on this?

 

we ran into the same problem. Since we're using Azure AD SAML on our ADC (NetScaler in future?) and FAS for local login, our SSO to enterprise apps stopped working. Our devices are successfully hybrid joined but no Azure AD PRT is set. 

If you lock your workstation and unlock it with a password, we receive the Azure AD PRT. But that is not an option. You can manually authenticate in the browser session, but this is not an option either.

 

@UDDAVE JAJOO I don't understand your post "FAS would still work with Seamless SSO", because we have all preconditions set and it's not working without a password login. 

 

we also tried Azure CBA. It's working in the browser "somehow", but not automatically in the background. It will be impossible for our users to pick the right certificate, so it's not an option. Citrix, please help.

 

  • 0

Hello,
I'm battling with this PRT issue for days now.

I have created an HAADJ Machine Catalog and implemented Azure CBA.

Masters are NOT HAADJ.

GPO set to run a dsregcmd /join at VDAs start up.

I almost shouted victory when it worked for my account. When I asked someone else to test, they didn't get a PRT, and dsregcmd /status showed MY account name under SSO State / User Identity.

I have to log off and have the user lock and unlock the session with a password to get a PRT. 

I'm really confused, since I don't know who, from either MS or Citrix, can help!

 

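The original question's dsregcmd /status screenshots and the post above (status showing a different account's name than the user being tested) both come down to reading the same few fields of that output. As an added PowerShell example that is not part of the thread, here is a check that parses the "Key : Value" lines dsregcmd prints, flags a missing PRT, and flags a status report that was produced under a different account than the one being diagnosed. One thing worth ruling out first: dsregcmd /status reports the SSO state of the account that runs it, so a report taken from another administrator's elevated console describes that administrator's logon, not the test user's. The sample output below is constructed, not captured from anyone's machine; the field names follow dsregcmd's own layout, and -Live runs the real command instead of the sample.

```powershell
# Added example, not from the thread. Parses the "   Key : Value" lines that
# 'dsregcmd /status' prints under its +---+ section banners. The sample is
# constructed; the key names match the real tool's output.

$SampleDsregOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
             EnterprisePrt : NO

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

    Executing Account Name : CONTOSO\admin1, admin1@contoso.com
'@

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Keys never contain ':', so the first colon splits key from value;
        # values such as URLs and timestamps may contain further colons.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-PrtState {
    param(
        [Parameter(Mandatory)][hashtable]$State,
        [Parameter(Mandatory)][string]$ExpectedUpn   # the user whose SSO is being checked
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($State['DomainJoined']  -ne 'YES') { $findings.Add('Not domain joined.') }
    if ($State['AzureAdJoined'] -ne 'YES') { $findings.Add('Not Azure AD joined: hybrid join incomplete (object not yet synced, or /join not run).') }
    if ($State['AzureAdPrt']    -ne 'YES') { $findings.Add('AzureAdPrt is not YES: no PRT for this logon, so PRT-based SSO will fail.') }

    # "Executing Account Name" is printed as "DOMAIN\sam, upn"; take the UPN part.
    $exec = [string]$State['Executing Account Name']
    $upn  = ($exec -split ',')[-1].Trim()
    if ($upn -and $upn -ne $ExpectedUpn) {
        $findings.Add("Status was produced by $upn, not $ExpectedUpn; rerun dsregcmd /status in the target user's session.")
    }
    [pscustomobject]@{
        Upn      = $upn
        HasPrt   = ($State['AzureAdPrt'] -eq 'YES')
        Findings = $findings.ToArray()
    }
}

function Get-PrtReport {
    param([Parameter(Mandatory)][string]$ExpectedUpn, [switch]$Live)
    $lines = if ($Live) { & dsregcmd.exe /status } else { $SampleDsregOutput -split "`r?`n" }
    Test-PrtState -State (ConvertFrom-DsregStatus -Lines $lines) -ExpectedUpn $ExpectedUpn
}

# Offline run against the constructed sample (reports no PRT and a mismatched account):
Get-PrtReport -ExpectedUpn 'user1@contoso.com' | Format-List
```

On a VDA, run `Get-PrtReport -ExpectedUpn <user's UPN> -Live` from a non-elevated PowerShell inside that user's session; if the only finding is the account mismatch, the report came from the wrong logon rather than from a missing PRT.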
