Jens Ostkamp
Posted February 27, 2023

Dear community,

I am currently having issues setting up Citrix ADC as OAUTH SP for an Azure Enterprise Application. Currently, there is a web server (IIS) with an application configured to do OAUTH towards Azure AD, where an enterprise application is configured accordingly. This setup works fine. For security reasons we want to put Citrix ADC as reverse proxy in front and do the OAUTH flow on ADC (Client -> Content Switch -> Load Balancing, where AAA Auth Srv with OAUTH Action configured -> Azure Login -> Redirect to ADC -> Backend IIS).

I have set up the OAUTH profile looking at the following guides:
https://support.citrix.com/article/CTX234873/how-to-deploy-netscaler-as-both-oauth-sp-and-idp (only the SP part)
https://xenit.se/blog/2018/02/14/using-netscaler-as-openid-connect-sp-with-adfs-as-idp/
https://www.stuartc.net/blog/citrixadc/quick-post-configuring-citrix-adc-gateway-aaa-vserver-to-authenticate-against-azure-ad-using-oauth/
(I have tried different guides and try to fill out everything based on my understanding of the OAUTH flow.)

Currently I have set up the following values in my OAUTH Profile:
OAuth Implementation Type - GENERIC
Client ID - ID of enterprise application
Client Secret - VALUE of the created Client Secret for ADC
Authentication - enabled
Authorization Endpoint - https://login.microsoftonline.com/Tenant_ID/oauth2/v2.0/authorize
Token Endpoint - https://login.microsoftonline.com/Tenant_ID/oauth2/v2.0/token
Cert Endpoint - https://login.microsoftonline.com/8bfee061-3780-4d59-8218-9126796e57e0/discovery/v2.0/keys
User Name Field - upn
Issuer - https://sts.windows.net/Tenant_ID
Grant Type - CODE
All hashing algorithms enabled (HS256, RS256, RS512)

Redirect to Azure works, authentication in Azure works, and as soon as the client is redirected to ADC again there is always the error message "Error validating Access Token, please contact your Administrator".

I have put all log levels on debug and looked into ns.log, but I cannot find the exact reason why the validation is failing:

Feb 27 15:32:10 <local0.info> 10.240.3.100 02/27/2023:14:32:10 GMT 0-PPE-0 : default AAATM Message 123 0 : "Sending authn request Oauth"
Feb 27 15:32:10 <local0.info> ns syslogd: last message repeated 1 times
Feb 27 15:32:37 <local0.info> 10.240.3.100 02/27/2023:14:32:37 GMT 0-PPE-0 : default AAA Message 124 0 : "nFactor: deserialize aaa_info, action name copied to samlaction is [act_auth_oauth_rezeptposten]"
Feb 27 15:32:37 <local0.info> ns syslogd: last message repeated 1 times
Feb 27 15:32:37 <local0.info> 10.240.3.100 02/27/2023:14:32:37 GMT 0-PPE-0 : default AAATM Message 125 0 : "OAUTH RESP: ns_aaa_oauth_resp_handler, response code 401 is not 200 OK, bailing out "
Feb 27 15:32:37 <local0.info> ns syslogd: last message repeated 1 times
Feb 27 15:32:37 <local0.info> 10.240.3.100 02/27/2023:14:32:37 GMT 0-PPE-0 : default AAATM Message 126 0 : "AAATM Error Handler: Found extended error code 1310727, ReqType 16386 request /oauth/login?code=oauth_code_b64

I have searched for different troubleshooting possibilities (https://support.citrix.com/article/CTX234873/how-to-deploy-netscaler-as-both-oauth-sp-and-idp especially here), but nothing worked so far. Used ADC version is the latest 13.1.

Any help or ideas are greatly appreciated. Thanks a lot in advance!

Best regards
Jens
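Added example, not part of this thread or of Citrix ADC: when ns.log only reports "Error validating Access Token", the quickest way to see which check fails is to decode the token Azure actually returned and compare its claims with the values the OAuth profile above is configured for (issuer, client ID as audience, expiry, allowed algorithms, and the User Name Field). Signature verification against the Cert Endpoint JWKS is left out so the script runs offline; the client ID, timestamps and tokens below are constructed placeholders.

```python
import base64
import json

# Profile values from the post above; client_id is a constructed placeholder.
PROFILE = {
    "client_id": "00000000-0000-0000-0000-000000000000",
    "issuer": "https://sts.windows.net/Tenant_ID",
    "user_name_field": "upn",
    "allowed_algs": {"RS256", "RS512"},  # RS* suffices for an RSA-JWKS IdP
}
NOW = 1677509557  # constructed "current time" (27 Feb 2023 14:32 UTC)

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_jwt(token):
    """Split a compact JWT into (header, claims) without verifying it."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def check_claims(token, profile, now):
    """Return every claim that would not satisfy the given OAuth profile."""
    header, claims = decode_jwt(token)
    problems = []
    if header.get("alg") not in profile["allowed_algs"]:
        problems.append(f"alg {header.get('alg')!r} not allowed")
    if claims.get("iss") != profile["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != {profile['issuer']!r}")
    aud = claims.get("aud")
    if profile["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain the client id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if profile["user_name_field"] not in claims:
        problems.append(f"user name claim {profile['user_name_field']!r} missing")
    return problems

def make_sample_token(claims, alg="RS256"):
    """Build a constructed, unsigned JWT for offline testing only."""
    header = {"alg": alg, "typ": "JWT", "kid": "constructed-kid"}
    parts = [json.dumps(header), json.dumps(claims), "constructed-signature"]
    return ".".join(_b64url_encode(p.encode()) for p in parts)

BASE_CLAIMS = {"iss": PROFILE["issuer"], "aud": PROFILE["client_id"],
               "exp": NOW + 3600, "upn": "user@example.com"}
GOOD_TOKEN = make_sample_token(BASE_CLAIMS)
NO_UPN_TOKEN = make_sample_token({k: v for k, v in BASE_CLAIMS.items() if k != "upn"})
```

On a real token (captured with a trace on the AAA vserver), paste the compact JWT into check_claims in place of the constructed one; an empty list means the claim checks pass and the failure lies elsewhere, for example in the signature or key lookup.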
Julian Jakob
Posted March 26, 2023

Hi Jens,

I've also configured OAuth with Azure for Citrix Gateway like Stuart's post https://www.stuartc.net/blog/citrixadc/quick-post-configuring-citrix-adc-gateway-aaa-vserver-to-authenticate-against-azure-ad-using-oauth/ but I'm always getting an "Anonymous" user logged into NetScaler Gateway / StoreFront with no apps or desktops (sure, as it's Anonymous and no groups were hit...).

So I changed the OAuth Profile and also set "User Name Field: upn" (like your setup) and configured UPN as an additional claim in the OAuth Enterprise App in Azure AD. Since that change I immediately also get an "Error validating Access Token". Atm I don't know why.

If you disable the "User Name Field: upn" in your OAuth Profile and delete any additional claims in your Azure App, does it start to work?

Regards
Julian
Yair Biton
Posted May 14, 2023

Hi Jens,

Did you solve it?
Jens Ostkamp (Author)
Posted May 16, 2023

Hi,

yes, I did manage to make it work - the issue was that in Azure the Application for OAuth was not configured correctly, but I currently don't remember the correct type as I do not have access to the Azure GUI. I think the Application was configured as "Web SSO something" and it needed to be "Single Web SSO something". After changing that and putting the correct OAuth URLs into the Redirect URIs, everything worked fine.

But I am not 100% convinced of that implementation as there are A LOT of struggles to configure inline token validation. For example, if you have different subdomains for one application with OAuth (e.g. "frontend.domain.com" and "backend.domain.com") and authenticated for "frontend.domain.com", the ADC would redirect you again to authenticate if you need resources of "backend.domain.com". I understand why ADC is doing this, as the authentication realm/domain is a different one, but I'd like an option where you can configure that kind of token validation so you don't need to authenticate again. We made it work by reprogramming the backend application to not use different subdomains and then everything worked as expected, but it took some time to figure it out.

In the end OAuth works similarly to SAML.