Posted

A basic LDAP authentication policy directly bound to my gateway is working perfectly from CWA. However, when I use an advanced policy bound to an authentication vserver -> authentication profile and bind that to my gateway then SSO stops working. CWA asks for credentials which eventually lets me log in. Both the basic and advanced policy are using the very same LDAP server. What am I missing here?

Posted

Hello @RobinM

Advanced authentication works differently from basic. But maybe it's a very easy thing if only CWA makes problems.

Advanced authentication doesn't work with the X1 theme or older. Did you bind an RfWebUI theme? This is important for CWA.

Otherwise, you wrote it's a single sign-on problem. If so, the authentication is finished on the NetScaler but SSO to StoreFront breaks. Then you will find event log entries with hints of the problem on the SF.

But your description sounds like an SSO problem. I understand that you are hanging on the authentication on the NetScaler. Please check this also.

Best regards,

 Michael 


Posted

Hi Michael,

Thanks for your reply. I tried the RfWebUI theme but no change. When I switch to SAML instead of LDAP using the exact same setup then SSO works. Also lots of activity in ns.log.

Kind regards,

Robin

Posted

Hello @RobinM

Is it now a problem with SSO to StoreFront or an authentication problem on NetScaler 😉 If it's a problem on StoreFront, take a look at the event log on the machine. There you find a hint what is going on. If it's a problem with authentication on NetScaler, you are on the right way with ns.log.

Regards,
Michael 


Posted

Hi Michael,

No, it's not StoreFront but NetScaler. The StoreFront event log shows no errors. When I log in manually then I see lots of activity in ns.log and login succeeds. That same activity in ns.log is shown when I switch to SAML, where SSO works.

Kind regards,

Robin

Posted

Hello @RobinM

With this lack of information it's not easy to help. If you want help from the community, then share more information with us, e.g. ns.log from the failed authentication.

Or open a Citrix support call.

Best regards,

Michael 

Posted
On 9/22/2024 at 9:39 PM, RobinM said:

A basic LDAP authentication policy directly bound to my gateway is working perfectly from CWA. However, when I use an advanced policy bound to an authentication vserver -> authentication profile and bind that to my gateway then SSO stops working. CWA asks for credentials which eventually lets me log in. Both the basic and advanced policy are using the very same LDAP server. What am I missing here?

At least on Citrix Secure Access (CSA) the classic authentication allowed users to store their credentials to the plugin making it appear "SSO", which it really wasn't.

If you want to SSO with CWA with Gateway, you'll need to implement modern authentication with an external IdP (like SAML & Entra ID). The other option is to authenticate the CWA directly with StoreFront and then leverage HDX Optimal routing to make sure the connections are piped through a Gateway server rather than directly to the VDA, but as Michael said, more information is required on what exactly you're trying to achieve.

Posted

Can you paste your config for the AAA info and the session policies? Feel free to blank out any public FQDN, IPs, usernames and passwords. This sounds like either the StoreFront is not delegating auth to the gateway, or the gateway is sending sAMAccountName with no domain name, or it could be using a login schema without the SSON setting set. There are a lot of things that can cause this to take place.

Posted

Ok. Here it is. First off the SAML method which works. No user intervention needed as SSO is working. Output in ns.log:

Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default AAATM Message 4391 0 :  "SAML: ParseAssertion: Response status Success found !" 
Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default AAATM Message 4392 0 :  "SAML: ParseAssertion: Response status Success found !" 
Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default AAATM Message 4393 0 :  "aaatm_handler successfully parsed assertion client ip is 8e075054, username is user@domain.nl" 
Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default SSLVPN Message 4394 0 :  "get_session user: <user@domain.nl>, aaa_info flags 1 flags2 41000, new webview 1, sess flags2 0, flags3 0 flags4 8000 ssoDomain <domain.nl>, ssoUsername: <user@domain.nl>, ssoUsername2: <user@domain.nl>" 
Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default SSLVPN Message 4395 0 :  "SAMLSP: LOGIN SUCCESS; Core <0>, Copying logout url <https://login.microsoftonline.com/1234567890...

Here is the config:

# SAML Actions
# ------------
add authentication samlAction "Entra ID" -samlIdPCertName EntraIDSAML -samlSigningCertName DOMAIN.NL -samlRedirectUrl "https://login.microsoftonline.com/1234567890.../saml2" -samlIssuerName WorkSpace -Attribute1 emailaddress -logoutURL "https://login.microsoftonline.com/1234567890.../saml2" -logoutBinding REDIRECT -relaystateRule "aaa.LOGIN.RELAYSTATE.EQ(\"https://workspace.domain.nl/\")"

# SAML Authentication Policies
# ----------------------------
add authentication samlPolicy "Entra ID" ns_true "Entra ID"

# Advanced Authentication Policies
# --------------------------------
add authentication Policy "Entra ID Advanced" -rule true -action "Entra ID"

# Authentication Virtual Servers
# ------------------------------
add authentication vserver nFactor-EntraID-SAML SSL 0.0.0.0
bind authentication vserver nFactor-EntraID-SAML -policy "Entra ID Advanced" -priority 100 -gotoPriorityExpression NEXT

# Authentication Profiles
# -----------------------
add authentication authnProfile nFactor-EntraID-SAML -authnVsName nFactor-EntraID-SAML

# Citrix Gateway Virtual Servers
# ------------------------------
set vpn vserver GW -authnProfile nFactor-EntraID-SAML

And now the LDAP method which is not working. No other information in ns.log other than this:

:  "AAA Client Handler: Found extended error code 589827, ReqType 16386 request /AGServices/discover" 
Sep 24 19:24:42 <local0.info> 1.2.3.4  09/24/2024:17:24:42 GMT S-ADC-1 0-PPE-0 : default SSLVPN Message 6274 0 :  "WebView: ns_aaa_process_webview_for_authv3: starting webview for authv3 processing, context wv=1&" 
Sep 24 19:24:51 <local0.info> 1.2.3.4  09/24/2024:17:24:51 GMT S-ADC-1 0-PPE-0 : default SSLVPN LOGOUT 6275 0 :  User user@domain.nl - Client_ip 5.6.7.8 - Nat_ip "Mapped Ip" - Vserver 9.10.11.12:443 - Start_time "09/24/2024:16:50:46 GMT" - End_time "09/24/2024:17:24:51 GMT" - Duration 00:34:05  - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 57 - Total_UDP_flows 0 - Total_policies_allowed 57 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 78967 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A" 

Config:

# LDAP Actions
# ------------
add authentication ldapAction "Active Directory" -serverIP *.*.*.* -serverPort 636 -ldapBase "dc=domain,dc=lan" -ldapBindDn Administrator@domain.lan -ldapBindDnPassword 1234567890 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2024_09_01_15_12_53 -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED

# LDAP Authentication Policies
# ----------------------------
add authentication Policy "Active Directory Advanced" -rule true -action "Active Directory"

# Authentication Virtual Servers
# ------------------------------
add authentication vserver nFactor-ActiveDirectory-LDAP SSL 0.0.0.0

# Authentication Profiles
# -----------------------
add authentication authnProfile nFactor-ActiveDirectory-LDAP -authnVsName nFactor-ActiveDirectory-LDAP
bind authentication vserver nFactor-ActiveDirectory-LDAP -policy "Active Directory Advanced" -priority 100 -gotoPriorityExpression NEXT

# Citrix Gateway Virtual Servers
# ------------------------------
set vpn vserver GW -authnProfile nFactor-ActiveDirectory-LDAP
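Added example, not code from this thread or from Citrix: a small Python parser that runs over constructed ns.log lines modelled on the two excerpts posted above and pulls out the fields that differ between the working SAML run and the failing LDAP run (the `get_session` ssoDomain/ssoUsername pair, the extended error code and the fall-back to the authv3 webview). Hostnames, IPs, user names and message ids in the samples are placeholders.

```python
import re

# Constructed ns.log excerpts modelled on the ones posted in this thread.
# Hostnames, IPs, user, message ids and the error code are placeholders.
SAML_LOG = """\
Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default AAATM Message 4393 0 :  "aaatm_handler successfully parsed assertion client ip is 8e075054, username is user@domain.nl"
Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default SSLVPN Message 4394 0 :  "get_session user: <user@domain.nl>, aaa_info flags 1 flags2 41000, new webview 1, sess flags2 0, flags3 0 flags4 8000 ssoDomain <domain.nl>, ssoUsername: <user@domain.nl>, ssoUsername2: <user@domain.nl>"
Sep 24 19:15:51 <local0.info> 1.2.3.4  09/24/2024:17:15:51 GMT S-ADC-1 0-PPE-0 : default SSLVPN Message 4395 0 :  "SAMLSP: LOGIN SUCCESS; Core <0>, Copying logout url <https://login.microsoftonline.com/...>"
"""
LDAP_LOG = """\
Sep 24 19:24:42 <local0.info> 1.2.3.4  09/24/2024:17:24:42 GMT S-ADC-1 0-PPE-0 : default AAATM Message 6273 0 :  "AAA Client Handler: Found extended error code 589827, ReqType 16386 request /AGServices/discover"
Sep 24 19:24:42 <local0.info> 1.2.3.4  09/24/2024:17:24:42 GMT S-ADC-1 0-PPE-0 : default SSLVPN Message 6274 0 :  "WebView: ns_aaa_process_webview_for_authv3: starting webview for authv3 processing, context wv=1&"
Sep 24 19:24:51 <local0.info> 1.2.3.4  09/24/2024:17:24:51 GMT S-ADC-1 0-PPE-0 : default SSLVPN LOGOUT 6275 0 :  User user@domain.nl - Client_ip 5.6.7.8 - LogoutMethod "TimedOut" - Group(s) "N/A"
"""

# Common shape of an ns.log record: "... : default <MODULE> <TYPE> <id> <n> :  <text>"
LINE_RE = re.compile(r' : default (?P<module>\S+) (?P<type>\S+) \d+ \d+ :\s+"?(?P<text>.*?)"?\s*$')
ERR_RE = re.compile(r'Found extended error code (\d+)')
SSO_RE = re.compile(r'ssoDomain <(?P<domain>[^>]*)>, ssoUsername: <(?P<user>[^>]*)>')

def parse_line(line):
    """Return (module, type, text) for one ns.log record, or None if it does not match."""
    m = LINE_RE.search(line)
    return (m['module'], m['type'], m['text']) if m else None

def assess(log_text):
    """Summarise what an ns.log excerpt says about the AAA/SSO outcome of one login."""
    result = {'sso_domain': None, 'sso_user': None, 'error_codes': [],
              'webview_fallback': False, 'login_success': False, 'logout': None}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _module, mtype, text = parsed
        if mtype == 'LOGOUT':                       # session end record, unquoted body
            lm = re.search(r'LogoutMethod "([^"]*)"', text)
            result['logout'] = lm.group(1) if lm else 'unknown'
        sso = SSO_RE.search(text)                   # session was populated with SSO creds
        if sso:
            result['sso_domain'], result['sso_user'] = sso['domain'], sso['user']
        if 'LOGIN SUCCESS' in text:
            result['login_success'] = True
        if 'starting webview for authv3' in text:   # client was pushed to an interactive login
            result['webview_fallback'] = True
        result['error_codes'] += ERR_RE.findall(text)
    result['verdict'] = ('sso' if result['sso_domain'] and result['sso_user']
                         else 'interactive' if result['webview_fallback'] else 'unknown')
    return result
```

Running `assess()` over each excerpt shows the SAML run ending with a session that carries ssoDomain and ssoUsername, while the LDAP run never reaches `get_session` and instead logs the extended error code and the webview fallback, which is the point at which CWA prompts for credentials.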
