
Citrix ADC as OAUTH SP for Azure Enterprise Application - Token Validation failed


Jens Ostkamp


Dear community,


I am currently having issues setting up Citrix ADC as OAUTH SP for an Azure Enterprise Application.

Currently, there is a Web Server (IIS) with an Application configured to do OAUTH towards Azure AD where an enterprise application is configured accordingly - this setup works fine.

For security reasons we want to put Citrix ADC as reverse proxy in front and do the OAUTH flow on ADC (Client -> Content Switch -> Load Balancing, where AAA Auth Srv with OAUTH Action configured -> Azure Login -> Redirect to ADC  -> Backend IIS).


I have set up the OAUTH profile looking at following guides:


https://support.citrix.com/article/CTX234873/how-to-deploy-netscaler-as-both-oauth-sp-and-idp (only the SP part)

and

https://xenit.se/blog/2018/02/14/using-netscaler-as-openid-connect-sp-with-adfs-as-idp/

and

https://www.stuartc.net/blog/citrixadc/quick-post-configuring-citrix-adc-gateway-aaa-vserver-to-authenticate-against-azure-ad-using-oauth/


(I have tried different guides and tried to fill out everything based on my understanding of the OAUTH flow.)


Currently I have set up the following values in my OAUTH Profile:

OAuth Implementation Type - GENERIC

Client ID - ID of enterprise application

Client Secret - VALUE of the created Client Secret for ADC

Authentication - enabled

Authorization Endpoint - https://login.microsoftonline.com/Tenant_ID/oauth2/v2.0/authorize

Token Endpoint: https://login.microsoftonline.com/Tenant_ID/oauth2/v2.0/token

Cert Endpoint: https://login.microsoftonline.com/8bfee061-3780-4d59-8218-9126796e57e0/discovery/v2.0/keys

User Name Field: upn

Issuer: https://sts.windows.net/Tenant_ID

Grant Type - CODE


All hashing algorithms enabled (HS256, RS256, RS512)


Redirect to Azure works, authentication in Azure works, and as soon as the client is redirected to ADC again there is always the error message "Error validating Access Token, please contact your Administrator".


I have put all log levels on debug and looked into ns.log, but I cannot find the exact reason why the validation is failing:


Feb 27 15:32:10 <local0.info> 10.240.3.100  02/27/2023:14:32:10 GMT  0-PPE-0 : default AAATM Message 123 0 :  "Sending authn request Oauth"
Feb 27 15:32:10 <local0.info> ns syslogd: last message repeated 1 times
Feb 27 15:32:37 <local0.info> 10.240.3.100  02/27/2023:14:32:37 GMT  0-PPE-0 : default AAA Message 124 0 :  "nFactor: deserialize aaa_info, action name copied to samlaction is [act_auth_oauth_rezeptposten]"
Feb 27 15:32:37 <local0.info> ns syslogd: last message repeated 1 times
Feb 27 15:32:37 <local0.info> 10.240.3.100  02/27/2023:14:32:37 GMT  0-PPE-0 : default AAATM Message 125 0 :  "OAUTH RESP: ns_aaa_oauth_resp_handler, response code 401 is not 200 OK, bailing out "
Feb 27 15:32:37 <local0.info> ns syslogd: last message repeated 1 times
Feb 27 15:32:37 <local0.info> 10.240.3.100  02/27/2023:14:32:37 GMT  0-PPE-0 : default AAATM Message 126 0 :  "AAATM Error Handler: Found extended error code 1310727, ReqType 16386 request /oauth/login?code=oauth_code_b64


I have searched for different troubleshooting possibilities (https://support.citrix.com/article/CTX234873/how-to-deploy-netscaler-as-both-oauth-sp-and-idp especially), but nothing has worked so far.


The ADC version used is the latest 13.1.

Any help or ideas are greatly appreciated. 


Thanks a lot in advance!


Best regards

Jens
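The ns.log excerpt above only records that the token response was rejected (response code 401, extended error code 1310727), not which validation step failed. As an added example, not code from the original post, from Citrix or from any of the linked guides, the following Python script runs the sequence of checks an OAuth SP applies to a returned token (allowed algorithm, signing key lookup by `kid`, signature, issuer, audience, expiry, username claim) and reports the first check that fails. To stay offline it signs constructed demo tokens with HS256; Azure AD signs with RS256, so a real validator would instead verify against the RSA key from the Cert Endpoint whose `kid` matches the token header. `TENANT_ID`, `CLIENT_ID`, the demo key, the fixed clock and the sample claims are all placeholders constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Algorithms the OAuth profile in the post enables; anything else is rejected outright.
ALLOWED_ALGS = {"HS256", "RS256", "RS512"}


def b64url_decode(data: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_token(claims: dict, key: bytes, kid: str) -> str:
    """Build an HS256-signed JWT for the offline demo (constructed; not an Azure AD token)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_token(token, expected_issuer, client_id, keys, username_field="upn", now=None):
    """Return (ok, reason, claims); `reason` names the first failing check.

    `keys` maps kid -> HMAC secret for this demo. A production validator holds the
    RSA public keys fetched from the Cert Endpoint (JWKS) and selects one by kid.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token: expected header.payload.signature", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed token: header or payload is not base64url JSON", None
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"alg {alg!r} not in allowed set", claims
    kid = header.get("kid")
    key = keys.get(kid)
    if key is None:
        return False, f"no signing key for kid {kid!r} (key lookup at the Cert Endpoint would fail)", claims
    if alg != "HS256":
        # RS256/RS512 need RSA verification against the JWKS key; not part of this stdlib-only demo.
        return False, f"{alg} verification not implemented in this offline demo", claims
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False, "signature mismatch", claims
    if claims.get("iss") != expected_issuer:
        return False, f"issuer {claims.get('iss')!r} != expected {expected_issuer!r}", claims
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, f"audience {aud!r} does not include client ID {client_id!r}", claims
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, f"token expired or exp missing (exp={exp!r})", claims
    if not claims.get(username_field):
        return False, f"username claim {username_field!r} missing or empty", claims
    return True, "ok", claims


# Constructed placeholders standing in for the tenant ID and the enterprise application (client) ID.
TENANT_ID = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}"
DEMO_KEYS = {"demo-kid": b"constructed-demo-secret"}
NOW = 1_677_511_000  # fixed clock so the demo is reproducible


def run_demo():
    """Validate four constructed tokens and return {name: (ok, reason)}."""
    base = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": NOW + 3600, "upn": "user@example.com"}
    key = DEMO_KEYS["demo-kid"]
    tokens = {
        "good": make_demo_token(base, key, "demo-kid"),
        # Issuer string as tokens from the v2.0 endpoint can carry it; profile expects the sts.windows.net form
        "v2_issuer": make_demo_token({**base, "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"}, key, "demo-kid"),
        "no_upn": make_demo_token({k: v for k, v in base.items() if k != "upn"}, key, "demo-kid"),
        "bad_sig": make_demo_token(base, b"some-other-key", "demo-kid"),
    }
    return {name: validate_token(tok, EXPECTED_ISSUER, CLIENT_ID, DEMO_KEYS, now=NOW)[:2]
            for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:10s} ok={ok} reason={reason}")
```

The issuer comparison is an exact string match, which is the check most worth repeating by hand when an SP reports a generic validation error: decode the `iss` claim of a token actually returned by the tenant and compare it character for character (trailing slash included) with the issuer configured in the OAuth profile. With the v2.0 authorize and token endpoints listed in the profile, the returned tokens can carry the `https://login.microsoftonline.com/{tenant}/v2.0` form rather than the `https://sts.windows.net/{tenant}/` form, and the script reports exactly that mismatch. The `no_upn` case mirrors the effect of the User Name Field setting: a token that otherwise verifies is still rejected when the configured claim is absent.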


  • 4 weeks later...

Hi Jens,


I've also configured OAuth with Azure for Citrix Gateway like Stuart's post https://www.stuartc.net/blog/citrixadc/quick-post-configuring-citrix-adc-gateway-aaa-vserver-to-authenticate-against-azure-ad-using-oauth/, but I'm always getting an "Anonymous" user logged into NetScaler Gateway / StoreFront with no Apps or Desktops (sure, as it's Anonymous and no groups were hit...).


So I changed the OAuth Profile and also set "User Name Field: upn" (like your setup) and configured UPN as an additional claim in the OAuth Enterprise App in Azure AD. Since that change I immediately also get an "Error validating Access Token". Atm I don't know why.


If you disable the "User Name Field: upn" in your OAuth Profile and delete any additional claims in your Azure App, does it start to work?


Regards

Julian


  • 1 month later...

Hi,


Yes, I did manage to make it work. The issue was that in Azure the application for OAuth was not configured correctly, but I currently don't remember the correct type as I do not have access to the Azure GUI. I think the application was configured as "Web SSO something" and it needed to be "Single Web SSO something". After changing that and putting the correct OAuth URLs into the Redirect URIs, everything worked fine.

But I am not 100% convinced of that implementation as there are A LOT of struggles to configure inline token validation. For example, if you have different subdomains for one application with OAuth (e.g. "frontend.domain.com" and "backend.domain.com") and authenticated for "frontend.domain.com", the ADC would redirect you again to authenticate if you need resources of "backend.domain.com". I understand why ADC is doing this, as the authentication realm/domain is a different one, but I'd like an option where you can configure that kind of token validation so you don't need to authenticate again. We made it work by reprogramming the backend application to not use different subdomains and then everything worked as expected, but it took some time to figure it out. In the end OAuth works similarly to SAML.
