Jump to content
Welcome to our new Citrix community!

Windows Login Prompt when using Azure AD SAML Integration

Xavier Cleto

Recommended Posts

Hello everybody, currently running a CVAD 1912LTSR CU6 farm with Citrix Gateway for remote access. 

I'm trying to implement Azure AD integration so what I did is: 


1. Create new Citrix Gateway vServer

2. Create new AAA vServer and nFactor Flow with:

a. OnlyUser schema with LDAP Factor for group extraction

b. Decision factor that checks group membership of "USE_MFA" group

c. if member: SAML Auth Policy to Azure then LDAP policy to convert email into sAMAccountName (with Authentication disabled)

d. if not member: OnlyPassowrd schema with LDAP Policy and authentication 

3. Create new Store on Storefront with FAS Enabled, Passthrough authentication from Gateway and full delegation for authentication

4. Configure FAS 

5. Configure FAS GPOs



Everything works fine when user is not member of USE_MFA group, but when I use Azure AD integration and I launch a VDA I get prompted for user credentials (both username and password, not only the password). 

Seems like the Storefront is not passing the credentials to the VDA. 

I can't understand what is going wrong. 


No logs in Storefront, DDC and VDA.



Link to comment
Share on other sites

Hello Arnaud and thanks for your reply. 

1. Yes, I can see registry key "Addresses"  correctly configured on VDAs, Storefronts and FAS Servers. 

2. Yes, I ran these commands on every Storefront and propagated from the master one:  


Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
$StoreVirtualPath = "/Citrix/STORENAME"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "standardClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ""


Is it necessary to have 443 port open from VDAs to Gateway vServer in order for credentials passthrough to work? 

I see this port is not open but credentials are being correctly passed from GW to StoreFronts, so I guess VDA will retrieve the username from the storefront itself.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...