Jump to content
Welcome to our new Citrix community!

Why would Workspace app match an auth policy for Web browsers?


Recommended Posts

Hello all,

 

We have 3 authentication policies bound to an authentication virtual server:

 

Priority 70 (web w/ nFactor decision): HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

 

Priority 100 (receiver w/ only radius):  HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

 

Priority 110  (web w/ only radius): HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

-----------------------------------------------------------------------------------------------------------------------------------------------

 

I'm somewhat perplexed b/c when I use the Workspace installed application, I appear to be hitting the first web policy.

 

From my understanding, I should not match on Priority 70 and move down to the Priority 100 policy, simply because I'm not using a web browser. 

 

The reason I say it appears to be matching the first web policy is because the nFactor decision is made and I get the login schema according to that decision.

 

There are no AD group decisions to be made on the bottom two policies...

 

I can also see my nFactor decision policy being hit when I tail NS.log

 

Any ideas what may be happening here? Is it possible to match on multiple policies? 

 

 

 

 

 

 

 

 

 

Link to comment
Share on other sites

1 hour ago, Carl Stalhood1709151912 said:

nFactor in Workspace app uses a browser (and its user-agent header) to perform authentication. You can do a network trace to see what user-agent is reported by Workspace app when authentication is performed.

 

Ah, yes, now I remember reading about that a while back. I had forgotten nFactor actually uses a browser within the app. 

 

Appreciate the tip about network trace. That will help me build a better policy. 

 

Thanks Carl!

Link to comment
Share on other sites

On 2/2/2023 at 5:34 PM, Keith Giles1709159890 said:

 

Ah, yes, now I remember reading about that a while back. I had forgotten nFactor actually uses a browser within the app. 

 

Appreciate the tip about network trace. That will help me build a better policy. 

 

Thanks Carl!


I had the same problem, so I did a trace from different client OS / Devices and list these in a post, see https://www.julianjakob.com/citrix-adc-nfactor-user-certificate-authentication-or-the-demystifying-of-user-agent-header/ 

 

The Header for Workspace App‘s Browser Engine is CWAWEBVIEW

  • Like 1
Link to comment
Share on other sites

  • 3 weeks later...
On 2/4/2023 at 5:51 AM, Julian Jakob said:


I had the same problem, so I did a trace from different client OS / Devices and list these in a post, see https://www.julianjakob.com/citrix-adc-nfactor-user-certificate-authentication-or-the-demystifying-of-user-agent-header/ 

 

The Header for Workspace App‘s Browser Engine is CWAWEBVIEW

 

Most excellent information, Julian! Thank you for sharing. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...