KDC and CVPN bookmark troubleshooting

[mryan966]

Hi All,

 

Under SAML I can't get KCD working for a CVPN bookmark where kerberos is enable in IIS on the webserver. Currently I get a generic 401 response from the webserver once the KDC account has been configured and applied in the session policy (Previously it was prompting using IWA). 

 

Scenario:

- SAML Gateway Auth fed with Azure

- CVPN bookmark (IIS basic website requiring Kerberos)

- Application visibility controlled with authorization policies looking at group membership from the SAML conversation.

- KCD Account assigned to session profile and setup as per article - https://support.citrix.com/article/CTX236593/how-to-configure-netscaler-gateway-for-kerberos-constrained-delegation

-  No changes against TM VIPs

 

Kerberos itself is working fine, I can access the bookmark when CVPN turned off, it auths fine without prompts when inside the network. Ideally, upon SAML login to the Netscaler GW, tokens are requested, or requested when the CVPN bookmark is launched without interrupting the use, but something tells me there is more to it?

 

What's the best way to troubleshoot? Likely I don't have the setup right.

 

Thanks!

 

 

[Emil Pandocchi]

Keep in mind that SAML does not transport the user's password and is unable to authenticate against anything without help.

In fact, to achive SAML authentication for the Citrix Farm you need the Citrix FAS to handle incoming requests from Azure-Authenticated users. FAS generates a user-based certificate to authenticate against Windows Infrastructures (StoreFront, DDC, VDA, etc...)

So my initial though is that you can't achive this with a SAML authenticated user.

 

You should be able to verify this by changing the authentication method from SAML to FormBased authentication in the Gateway (handled by NetScaler with LDAP query)

[mryan966]

Thanks Emil!

 

Citrix FAS works great for the CVAD side of things in the gateway providing SSO as needed.

 

I'm looking to provide a similar experience for any CVPN published bookmarks within the gateway portal where Kerberos is required. Non-Kerberos shortcuts (Forms/Anon) are working as expected. 

 

If you are not on a domain joined machine or away from the network, IWA prompts and it would be great if the gateway could request a token on behalf of the user providing the same experience as if you were on a domain machine on the network. 

 

I'm hoping to tie KCD to the logged in user UPN to have the token requested upon launching the targeted CVPN Kerberos shortcut or similar whilst using SAML as the only auth method at the gateway.

 

I can't find too much around this and am hoping to provide the same experience for these shortcuts no matter where it's launched from. I was hoping this was pretty common but can't find much on it so far!

 

 

 

 

 

 

 

 

 

 

[Emil Pandocchi]

I was looking for the same behavior and ended up configuring SAML on both the gateway and the published application