Posted

I have set up Duo Universal Prompt with the Duo guide (https://duo.com/docs/netscaler-web). Everything works nicely with the web browser, and so does SSO.

Now with Citrix Workspace app the authentication seems to work: I get the Duo Push, but then another old-looking login prompt comes up with domain\username??

Even when I put the credentials in there again, it doesn't work.
I have checked this article as well, and all seems correct:
https://help.duo.com/s/article/9044
But I guess when it works with the web browser, the settings should be right.
I also would like to see the live demo, but the watch-on-demand doesn't work.


On the NetScaler I get the following after authenticating:
Nov 21 12:14:32 <local0.info> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default SSLVPN Message 8412 0 :  "Login request is not expected to be encrypted"
Nov 21 12:14:32 <local0.info> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8413 0 :  "AAA LOGIN : X509 cert not found "
Nov 21 12:14:32 <local0.info> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default SSLVPN Message 8414 0 :  "AAAD API: sending login req to aaad for <demotest>, factor <duo_oauth_server>, auth type 4129, trans id 18152"
Nov 21 12:14:32 <local0.info> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8415 0 :  "(0-69) send_authenticate_pdu: Sending Preamble"
Nov 21 12:14:32 <local0.notice> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8416 0 :  "SSLVPN aaad login : (0-69):  Reply Received, status from aaad: 2, aaad flags 81"
Nov 21 12:14:32 <local0.info> ADC-IP 11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAATM Message 8417 0 : "AAAD RESP: received resp, user: <demotest>, factor: <duo_oauth_server>, trans id 18152, pcb trans id 18152, q_flags 1879080960 aaad-resp 2 aaad-flags 81"
Nov 21 12:14:32 <local0.warn> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default SSLVPN Message 8418 0 :  "Created nFactor session for user demotest"
Nov 21 12:14:32 <local0.info> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default SSLVPN Message 8419 0 :  "AAAD API: sending login req to aaad for <demotest>, factor <duo_factor>, auth type 4161, trans id 18152"
Nov 21 12:14:32 <local0.info> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8420 0 :  "(0-69) send_authenticate_pdu: Sending Preamble"
Nov 21 12:14:32 <local0.notice> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8421 0 :  "SSLVPN aaad login : (0-69):  Reply Received, status from aaad: 12, aaad flags 0"
Nov 21 12:14:32 <local0.info> ADC-IP 11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAATM Message 8422 0 : "AAAD RESP: received resp, user: <demotest>, factor: <duo_factor>, trans id 18152, pcb trans id 18152, q_flags 1879080960 aaad-resp 12 aaad-flags 0"
Nov 21 12:14:32 <local0.info> ADC-IP  11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8423 0 :  "nFactor: serialized aainfo ctx_hint%3D0ZWaaWU8NSzFkO3Gi8QVVg%26SPpJbgfgm9c2yvDJhXoSq0zvXxUUiZ7cbtZik1vE4QVwWp4KDE9HzujE01Alf-JgmGfVDnh6p45fk5Naf0ocXPrEp8YxJvFrRImQPqT5ratCXAKB9v0t8hZaLGySFGxMlpBUKlNSw7lDCm5DN8mXHOm0Nzp7VMvNllX5KvndGBJcZrjkx0KOYWdjfYJgeLDj5O6Y9A8jyv01v2YE12YXNWQlBzRKgL2rKEwRotTFBZCNrjla_g "
Nov 21 12:14:33 <local0.info> ADC-IP  11/21/2024:11:14:33 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8424 0 :  "OAuth nFactor: context found in the url"
Nov 21 12:14:33 <local0.info> ADC-IP  11/21/2024:11:14:33 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8425 0 :  "OAuth nFactor: Derserializing context "
Nov 21 12:14:33 <local0.info> ADC-IP  11/21/2024:11:14:33 GMT Citrix-ADC 0-PPE-0 : default AAA Message 8426 0 :  "nFactor: deserialize aaa_info, action name copied to samlaction is [duo_oauth_server]"
Nov 21 12:14:48 <local0.info> ADC-IP  11/21/2024:11:14:48 GMT Citrix-ADC 0-PPE-0 : default AAATM Message 8436 0 :  "OAUTH RP: idtoken length 1536, access token length 32, certendpoint len 0, conf-keys len 0"
Nov 21 12:14:48 <local0.info> ADC-IP  11/21/2024:11:14:48 GMT Citrix-ADC 0-PPE-0 : default AAATM Message 8437 0 :  "OAUTH RP: Successfully verified incoming token/code, username: <Anonymous>, client ip 0xfe070e2e"
Nov 21 12:14:48 <local0.info> ADC-IP  11/21/2024:11:14:48 GMT Citrix-ADC 0-PPE-0 : default SSLVPN Message 8438 0 :  "get_session user: <demotest>, sessionto: 30000, aaa_info flags 85 flags2 41000, new webview 1, sess flags2 20, flags3 0 flags4 400 ssoDomain <>, ssoUsername: <demotest>, ssoUsername2: <demotest>"
Nov 21 12:14:48 <local0.info> ADC-IP  11/21/2024:11:14:48 GMT Citrix-ADC 0-PPE-0 : default SSLVPN Message 8439 0 :  "WebView is complete; sending completion response; suspending session policy eval for user <demotest>, aaa flags 85, flags2 41000"
Nov 21 12:14:48 <local0.info> ADC-IP  11/21/2024:11:14:48 GMT Citrix-ADC 0-PPE-0 : default AAATM LOGOUT 8440 0 :  User demotest - Client_ip 46.14.7.254 - Nat_ip "Mapped Ip" - Vserver 10.10.10.19:443 - Start_time "11/21/2024:11:14:32 GMT" - End_time "11/21/2024:11:14:48 GMT" - Duration 00:00:16  - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "InternalError"
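
The log excerpt above shows both factors answering, the WebView completing, and then a LOGOUT record with LogoutMethod "InternalError" and zero resources accessed. The following triage script is an added example, not part of the original post or any Citrix or Duo tooling; it pulls exactly that sequence out of a log file, and the sample lines and client IP in it are constructed from the format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the log lines quoted in the post above.
SAMPLE_LOG = '''\
Nov 21 12:14:32 <local0.info> ADC-IP 11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAATM Message 8417 0 : "AAAD RESP: received resp, user: <demotest>, factor: <duo_oauth_server>, trans id 18152, pcb trans id 18152, q_flags 1879080960 aaad-resp 2 aaad-flags 81"
Nov 21 12:14:32 <local0.info> ADC-IP 11/21/2024:11:14:32 GMT Citrix-ADC 0-PPE-0 : default AAATM Message 8422 0 : "AAAD RESP: received resp, user: <demotest>, factor: <duo_factor>, trans id 18152, pcb trans id 18152, q_flags 1879080960 aaad-resp 12 aaad-flags 0"
Nov 21 12:14:48 <local0.info> ADC-IP 11/21/2024:11:14:48 GMT Citrix-ADC 0-PPE-0 : default SSLVPN Message 8439 0 : "WebView is complete; sending completion response; suspending session policy eval for user <demotest>, aaa flags 85, flags2 41000"
Nov 21 12:14:48 <local0.info> ADC-IP 11/21/2024:11:14:48 GMT Citrix-ADC 0-PPE-0 : default AAATM LOGOUT 8440 0 : User demotest - Client_ip 192.0.2.10 - Vserver 10.10.10.19:443 - Duration 00:00:16 - Http_resources_accessed 0 - LogoutMethod "InternalError"
'''

RESP_RE = re.compile(
    r'AAAD RESP: received resp, user: <(?P<user>[^>]*)>, factor: <(?P<factor>[^>]*)>, '
    r'trans id (?P<trans>\d+),.*?aaad-resp (?P<resp>\d+)')
WEBVIEW_RE = re.compile(r'WebView is complete;.*?for user <(?P<user>[^>]*)>')
LOGOUT_RE = re.compile(
    r'LOGOUT \d+ \d+ :\s+User (?P<user>\S+) - .*?Duration (?P<dur>[\d:]+)\s'
    r'.*?Http_resources_accessed (?P<res>\d+).*?LogoutMethod "(?P<method>[^"]*)"')


def summarize(log_text):
    """Group AAA events per user: factor chain, WebView completion, logout record."""
    sessions = defaultdict(
        lambda: {"factors": [], "webview_done": False, "logout": None})
    for line in log_text.splitlines():
        if m := RESP_RE.search(line):
            # aaad-resp codes are recorded as logged; their meaning is not interpreted.
            sessions[m["user"]]["factors"].append(
                (m["trans"], m["factor"], int(m["resp"])))
        elif m := WEBVIEW_RE.search(line):
            sessions[m["user"]]["webview_done"] = True
        elif m := LOGOUT_RE.search(line):
            sessions[m["user"]]["logout"] = (m["method"], m["dur"], int(m["res"]))
    return dict(sessions)


def failed_after_webview(sessions):
    """Users whose WebView finished but whose session ended in InternalError
    without a single resource being accessed (the pattern in the post)."""
    return sorted(
        user for user, s in sessions.items()
        if s["webview_done"] and s["logout"]
        and s["logout"][0] == "InternalError" and s["logout"][2] == 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result)
    print("Failed after WebView:", failed_after_webview(result))
```
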

Posted
22 minutes ago, thili said:

After login and Duo Push I get this login prompt...
I tried with and without the traffic policy with this guide https://help.duo.com/s/article/9044
I get the same result...


With the traffic policy set, it doesn't work anymore through the web browser and I get the following error, as described in the article
But without the traffic policy it works again with the web browser, just not with the Citrix Authentication App

Posted

You have to put the username and password credentials into higher index numbers like 15 and 16 in a login schema that renders the LDAP request, then have your traffic policy use 15 and 16 for the login credentials. Check the StoreFront Citrix Delivery Services log to see what error is being thrown.

Posted

So

With NetScaler firmware 14.1 34.42 you don't even need the traffic policy. Through the web browser it will work, but still not through Citrix Workspace app.

With NetScaler firmware 14.1. 29.72 you will need the traffic policy. And then it will work with the web browser but not with the Citrix Workspace app.

 

I have tried it with 15 and 16 with the traffic policy; I get the same result => not working with Citrix Workspace app => web browser works.

I don't even get a log in StoreFront Citrix Delivery Services

Posted (edited)

What version of Workspace App?  Is there something with the Native Workspace policy on the NetScaler not passing the SSO correctly?

Edited by Jeff Riechers
Posted

Citrix Workspace 2405 - 24.5.11.31

but I see that as of today there is a Citrix Workspace app 2409. I will try with that

Posted
11 minutes ago, thili said:

Citrix Workspace 2405 - 24.5.11.31

but I see that as of today there is a Citrix Workspace app 2409. I will try with that

Also with the new version it does not work. Without Duo OAuth the authentication works with Citrix Workspace app, just not with Duo OAuth.

Posted (edited)

In the Session Profile for Citrix Workspace

under Client Experience, Single Sign-on to Web Applications is active.

under Published Applications, Single Sign-on Domain is also active with the correct domain

 

Edited by thili
