Jump to content
Welcome to our new Citrix community!
  • 0

BCR: Youtube with authentication does not work


Question

BCR working with youtube as expected, unless the user has logged in with a google-account.

When logged in, all youtube videos were blocked and youtube URL was not redirected.
Also logon in Youtube isn't possible (a message appears with browser or app is unsecure).
Logging off from google, youtube was correctly redirected and BCR works fine.

 

We've added these URLs to the BCR Authentication Sites:


https://accounts.google.com/*

https://consent.youtube.com/*
https://clientservices.googleapis.com/*
https://www.google-analytics.com/*
https://clients2.google.com/*

 

Hope someone can help us ?

blocked without bcr.png

Link to comment

10 answers to this question

Recommended Posts

  • 0

@KEN
No, we're not using proxy-pac. Its only direct access.

@JENIFER
No, this issue occurs since using BCR. 

 

So I don't know how's the best practise for google/youtube in BCR ? I've found only these settings for authentication sites:
 

https://accounts.google.com/*

https://consent.youtube.com/*
https://clientservices.googleapis.com/*
https://www.google-analytics.com/*
https://clients2.google.com/*

Are there any additionaly entries ?

Link to comment
  • 0

Jons

 

that article corresponds to a specific issue being experienced...

 

A Proxy pac file was being used for access to the internet with authentication, 

Server Fetch / Client render was the requirement.

 

Normally with Server Fetch Client render and an authenticating proxy pac config, the Workspace App on the client device should display a popup for authentication to the proxy, but because of the way the proxy server was configured this didn't work. See 

 

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/browser-content-redirection-policy-settings.html#browser-content-redirection-server-fetch-web-proxy-authentication-setting

 

Browser content redirection server fetch web proxy authentication setting

This setting routes HTTP traffic originating at an overlay through a downstream web proxy. The downstream web proxy authorizes and authenticates HTTP traffic using the VDA user’s domain credentials through the Negotiate authentication scheme.

You must configure browser content redirection for server fetch mode in the PAC file using the Browser content redirection proxy configuration policy. In the PAC script, provide instructions to route the overlay traffic through a downstream web proxy. Then configure the downstream web proxy to authenticate the VDA users through the Negotiate authentication scheme.

When set to Allowed, the web proxy responds with a 407 Negotiate challenge, including a Proxy-Authenticate: Negotiate header. Browser content redirection then obtains a Kerberos service ticket by using the VDA user’s domain credentials. Also, include the service ticket in later requests to the web proxy.

When set to Prohibited, the browser content redirection proxies all TCP traffic between the overlay and the web proxy without interfering. The overlay uses basic authentication credentials or any other available credentials to authenticate to the web proxy.

By default, this setting is Prohibited.

 

Additionally, we had to upgrade to 1912 CU5 (contains fixes for BCR) and 2207 or newer Workspace App (again fixes for BCR)

 

regards

 

Ken Z

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...