
Jens Ostkamp


Posts posted by Jens Ostkamp

  1. Are you sure it is necessary to do URL Transformation?

    You can just add the backend server IP-based, point the external DNS towards the Virtual IP of your Content Switch (or Load Balancer, depending on how you want to publish it) and bind the corresponding OpenShift service there. Only if the OpenShift backend requires the request in internal domain format would you need URL Transformation.

    Ideally you would use Service Groups on Load Balancing; you can do Port Translation (e.g. publish your Virtual Server with https:443 and connect towards the backend server with http:80; you will need to implement certificates on NetScaler though).

  2. Hey everyone,

    I have already opened a support case with Citrix for this issue, but as it takes really long for them to answer and go through logs (I already had some calls with them and it doesn't really seem to go forward), I thought I would simultaneously ask here.

    We have a pretty basic configuration for Exchange publishing: Content Switch in the frontend -> Load Balancing (with Authentication enabled for the webmail LB) -> LDAP Authentication -> SSO (with Traffic Profiles and Form SSO Profile) towards Webmail.

    This configuration worked perfectly with the 12.1 major releases. After applying the most recent 13.1 release, SSO does not work anymore; ns.log tells me "Could not find Response Size in form of 60000" (I have configured the response size with 60000 as it is best practice from Citrix for Exchange 2016 and upwards). Authentication Policies are already advanced and the error message points towards something with the Form SSO Profile. I have already tried different values (mostly bigger ones) with no success (same error message). When connecting directly to OWA and checking the Content-Length values, it is always below 60000 (mostly 58xxx).

    After authenticating at the AAA Server the OWA logon page is displayed where I can enter credentials again, and then I am logged into my webmail - but this is obviously not the best user experience.

    Did anyone encounter this issue after upgrading? When failing over to the other appliance (active/passive HA), where 12.1 is still installed, everything works just fine again.

    Doing the same configuration from scratch didn't change anything.

    Thanks a lot in advance!

    Best Regards
    Jens

  3. Hello everyone,

    we recently got informed by our local ministry of cyber defense that there are currently high-risk Apache vulnerabilities:

    CVE-2022-22719
    CVE-2022-23943
    CVE-2022-22720
    CVE-2022-22721

    https://httpd.apache.org/security/vulnerabilities_24.html

    As far as I know, Citrix ADC uses the Apache web server for its web interfaces. As Citrix hasn't yet sent out any security advisories, my guess is that Citrix ADC is not affected, but I wanted to make sure, in case anyone knows differently or if maybe it is still under investigation.

    Thanks a lot in advance, if anyone knows more!

    Best regards

  4. Same for one of my clients on the latest 13.0 release to mitigate the critical CVE. While troubleshooting and comparing different setups, one more piece of information:

    when connecting to a desktop directly via RDP Proxy, everything works (even with the two additional lines within the downloaded RDP file; when downgrading the NetScaler again, these lines are not inserted into the RDP file!!). When connecting to a terminal server desktop (server with the terminal server role installed) the connection fails with the mentioned issues regarding DefaultAltShell. So this issue only persists when using terminal server desktops. Static desktops without the terminal server role are not affected, as far as I could test.

    Deleting the two additional lines within the RDP file worked, but obviously that's not a workaround suitable for clients.

  5. I have configured this kind of solution a couple of times like this:

    You create a non-addressable AAA vserver with your desired authentication policies. As authentication FQDN on your LB vserver you enter the same DNS record as you would use for your OWA external record (e.g. owa.company.com).

    This DNS record must point towards a content switch vserver. Configure a content switch action to point towards the non-addressable AAA vserver. Create a policy with the associated action like this:

    (http.REQ.URL.CONTAINS("/cgi/tm") || http.REQ.HEADER("Cookie").CONTAINS("NSC_TASS"))

    This way you get redirected towards the desired AAA vserver without the hostname changing. It is basically the same as Julian wrote, with some shortcuts (you won't need a dummy LB vserver or responder policy).
  6. I think you will need to configure another VPN vserver for that. For Always On you configure machine-certificate-based auth directly on the vserver, hence it will be applied to all incoming authentications for this vserver. I'm not sure if nFactor would work here, but one idea would be to configure the Always On VPN vserver on a different port (e.g. 8443) and re-use the same IP address for your other configuration on the default port 443 where you need MFA enabled. That way the users using MFA logon won't need to change to a different port when connecting, and the Always On VPN can be pre-configured with the corresponding ports, so no user action is needed.

    Doing both on the same vserver is not possible, at least not without nFactor, and I don't think (although I'm not 100% sure) that nFactor will work with Always On SSL VPN.
  7. Just to add:

    theoretically it is possible to have a firmware version difference, but just as Martin said: the NetScaler appliances will automatically disable any configuration sync, so if you didn't have the HA established before, you won't be able to get the same configuration on both nodes. If you have an HA with sync established on the same firmware versions and upgrade one of them, the HA itself still works (such as failover), but as soon as you make any configuration changes, they won't get synced to the secondary appliance.

  8. Hi,

    tbh I have not seen that before. When you configure an NTP server, does the time sync itself work correctly? (show ntp status)

    Do you have a virtual appliance or a hardware appliance? If it is virtual, does any other VM on the same hypervisor host have the same issue, unrecognized?

  9. Well, it was mostly about the RelayState Rule. Before the upgrade there wasn't a RelayState Rule (as the option didn't exist) and after the upgrade I followed the Citrix Support article on how to configure that rule. After doing so I could put any expression within the rule for where the relay state should come from, and it worked every time. Now, funny enough, I am having the problem that some clients are working and some not. Some of it seems to be browser-cache related, but it's all very unclear. Still investigating.

    For example, one single application which is reachable through SSL VPN is not reachable anymore, without any configuration changes on any side. Only after upgrading Citrix ADC to the newest version does the connection to this one specific application not work anymore; to other applications in the same subnet it works. So yeah, I don't really know what's causing it, but everything seems to be an update-related issue.

  10. Hey everyone,

    I have a question regarding SAML configuration when Citrix ADC is configured as SP (for example, doing SAML redirect for Citrix CVAD authentication towards some SAML IdP). As mentioned in the official support article (https://support.citrix.com/article/CTX316577) I have configured the appropriate RelayStateRule (since we come from a Gateway I used the following expression: "AAA.LOGIN.RELAYSTATE.EQ("https://vpngateway.domain.com/")", where "vpngateway.domain.com" is the external DNS name a user will connect to via browser before getting a redirect to the SAML IdP). The configuration just works fine, but when I am testing it and, for example, enter "https://thiswontwork.com/" in the expression, everything still works just as before. So I am curious if this is expected or if I am missing something here.

    In the configuration where Citrix ADC is IdP (ShareFile for example) everything is fine: when I configure the ACS Rule with some gibberish I get an error when trying to authenticate, which is obviously just fine.

    Thanks a lot!

    Best regards

  11. After digging deeper and a call with Citrix Support, the SSO problems with ActiveSync could be solved. The issue was that the configuration was still using a Session Profile/Policy to achieve SSO to backend basic authentication (Exchange Server).

    This causes SSO to fail (only for ActiveSync though; for example /mapi or /oab still work with the Session Profile); you can see in ns.log something like "SSO Fail/SSO weak user". After configuring a traffic profile/policy this could be solved. Corresponding Citrix post: https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/enable-sso-for-auth-pol.html - this only mentions 13.0 versions, but apparently it affects the newest 12.1 as well. (Also, when configuring a session profile you can see under the SSO configuration "The SSO setting does not honor the following authentication types. BASIC, DIGEST, and NTLM (without Negotiate NTLM2 Key or Negotiate Sign Flag). Use Traffic profile to configure SSO for these authentication types.", which basically points to this issue.)

    SAML configuration issues (Citrix as SP for CVAD with Citrix FAS, Azure as IdP) are still there; support says this shouldn't be affected by the upgrade, but it still doesn't work and did before the upgrade. Will check this deeper next week and update here, in case anyone is facing the same problem.

  12. Hey everyone,

    does anyone experience issues (specifically with pre-auth mechanisms) after upgrading to the latest 12.1 build to fix the CVE issues?

    I am experiencing several problems (different appliances, similar configuration):

    - Pre-auth with the AAA module (not VPN/Gateway) fails completely after the upgrade with the following aaad.debug message: "configuration not found with vsid 956" (the vsid changes with each log message) => after rebooting the appliance the error went away and "most" pre-auth worked again, except:

    - Pre-auth with ActiveSync is not working anymore, even after reboot. The exact cause is still being investigated. (Everything is behind one CSW vServer.)

    - SAML configuration with the FAS component (NetScaler does SAML towards Azure, SSO to StoreFront, FAS issues a certificate for authentication to the terminal server/worker) => ironically NetScaler as an IdP for ShareFile works just fine, even after implementing the mentioned SAML configuration changes Citrix recommends.

    I've been using 12.1-58.18 and upgraded to 12.1-62.25.

    Couldn't find anything related in the release notes/known issues.

    Any information on whether someone is experiencing the same issues (or maybe the same configuration scenarios but with everything working after the upgrade) is greatly appreciated.

    Will raise a ticket if I can't find the issue myself throughout the day; will keep this thread updated.

    Thanks everyone in advance :)

    Best regards

  13. https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-with-netscaler-authentication-and-optimization.pdf

    This is a bit old, but I think it is still applicable. You basically need an AAA vServer where you bind an LDAP policy. Then you create a dedicated LB vServer for ActiveSync only and configure the "Authentication" tab to do 401-based authentication and select the AAA vServer you created earlier. Then (at least I would do it like that) you should create a content switching virtual server where you bind a policy for ActiveSync, for example:

    HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("exchange.yourdomain.com") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Microsoft-Server-ActiveSync")

    and put an action for your LB vServer behind it.

    This will make your clients requesting ActiveSync towards your content switch go to the authentication LB vServer.

    If you need to troubleshoot authentication issues on NetScaler you can always look into the aaad.debug log (shell on CLI -> # cat /tmp/aaad.debug).

    But there should be plenty of guides for this kind of configuration, as it is rather common.
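As an added example, not taken from any of the posts above, here is how the pieces described in posts 5, 11 and 13 fit together as NetScaler CLI commands: a non-addressable AAA vserver, a 401-authenticated LB vserver for ActiveSync, a form-authenticated LB vserver for OWA behind the same external name, the content switching policies that route AAA and ActiveSync traffic, and a traffic policy for SSO to the Basic-auth backend. All object names, the VIP 203.0.113.10, the hostname owa.company.com, the service group svcgrp_exchange_cas, the certificate cert_owa and the LDAP policy ldap_pol_ad are placeholders assumed for this example.

```netscaler
# Added example; placeholders: 203.0.113.10, owa.company.com, cert_owa,
# svcgrp_exchange_cas and ldap_pol_ad must be replaced with your own objects.

# 1. Non-addressable AAA vserver (IP 0.0.0.0) holding the LDAP policy (post 5).
add authentication vserver aaa_vs_exchange SSL 0.0.0.0
bind ssl vserver aaa_vs_exchange -certkeyName cert_owa
bind authentication vserver aaa_vs_exchange -policy ldap_pol_ad -priority 100

# 2. Dedicated, non-addressable LB vserver for ActiveSync with 401-based
#    pre-authentication against the AAA vserver (post 13).
add lb vserver lb_vs_activesync SSL 0.0.0.0 0
bind ssl vserver lb_vs_activesync -certkeyName cert_owa
bind lb vserver lb_vs_activesync svcgrp_exchange_cas
set lb vserver lb_vs_activesync -authn401 ON -authnVsName aaa_vs_exchange

# 3. Form-based LB vserver for OWA. The authentication host is the same
#    external name the user types, so the hostname never changes (post 5).
add lb vserver lb_vs_owa SSL 0.0.0.0 0
bind ssl vserver lb_vs_owa -certkeyName cert_owa
bind lb vserver lb_vs_owa svcgrp_exchange_cas
set lb vserver lb_vs_owa -Authentication ON -authenticationHost owa.company.com -authnVsName aaa_vs_exchange

# 4. Content switch that owns the public VIP. Requests for /cgi/tm or carrying
#    the NSC_TASS cookie go to the AAA vserver (post 5), ActiveSync goes to its
#    LB vserver (post 13), everything else falls through to the OWA LB vserver.
add cs vserver cs_vs_exchange SSL 203.0.113.10 443
bind ssl vserver cs_vs_exchange -certkeyName cert_owa
add cs action cs_act_aaa -targetVserver aaa_vs_exchange
add cs policy cs_pol_aaa -rule "HTTP.REQ.URL.CONTAINS(\"/cgi/tm\") || HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"NSC_TASS\")" -action cs_act_aaa
add cs action cs_act_activesync -targetVserver lb_vs_activesync
add cs policy cs_pol_activesync -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"owa.company.com\") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Microsoft-Server-ActiveSync\")" -action cs_act_activesync
bind cs vserver cs_vs_exchange -policyName cs_pol_aaa -priority 90
bind cs vserver cs_vs_exchange -policyName cs_pol_activesync -priority 100
bind cs vserver cs_vs_exchange -lbvserver lb_vs_owa

# 5. SSO to the Basic-auth Exchange backend has to come from a traffic
#    profile, not from the session profile (post 11).
add tm trafficAction tm_act_sso_basic -SSO ON
add tm trafficPolicy tm_pol_sso_basic "HTTP.REQ.IS_VALID" tm_act_sso_basic
bind lb vserver lb_vs_activesync -policyName tm_pol_sso_basic -priority 100 -gotoPriorityExpression END -type REQUEST
```

The AAA policy is bound at a lower priority number than the ActiveSync policy so that the /cgi/tm callback is evaluated first; a certificate must be bound to every SSL vserver, including the non-addressable ones, or they stay DOWN.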

  14. Do you want to use NetScaler as an ADFS proxy, or as a reverse proxy which makes Microsoft ADFS available externally?

    You can do both.

    Publishing Microsoft ADFS is probably easier, but you need to set the protocol on NetScaler to SSL_BRIDGE since ADFS doesn't support reverse-proxy SSL offloading.

    Further, you need to take care of SNI certificate binding on both ends and probably need to edit the certificate binding on IIS/ADFS.

    But this depends on the ADFS configuration and the general infrastructure configuration.

    You also need to decide if you just want to make your ADFS front-end publicly available, or if you want your users to log on to the NetScaler and have NetScaler do SSO towards ADFS for the user. That's also possible. So basically you need to decide between 3 scenarios (NetScaler AS ADFS, NetScaler publishing ADFS, NetScaler as ADFS front-end -> SSO to ADFS backend). There should be plenty of guides on how to configure each scenario when googling it. There is no universal configuration, since ADFS/SAML configuration depends a lot on what you need and how your applications work with SAML authentication.

  15. What exactly do you mean by clientless bookmark?

    Unified Gateway mode with clientless access, where you create bookmarks and your clients log in to the HTML5 portal where they can click the "OWA" or "SharePoint" bookmark?

    If yes: it shouldn't be that much different from a standard SP/Exchange publishing. But you can only publish web services; you probably won't be able to connect your Outlook client over Unified Gateway, for example.

    Configuration-wise: it depends what exactly you want, but usually you "just" need to create appropriate session profiles or traffic profiles to achieve SSO towards SP / Exchange.

    For OWA there is already a pre-configured frame you can use ("Mail", which you need to fill in when creating the session profile), but there is a LOT to consider regarding access control etc.; you should work with authorization policies and AAA groups if you need to split bookmark availability between different AD groups.

    Depending on how good you are with NetScaler in general, you can use the Unified Gateway Wizard on NetScaler (which I don't recommend, because you don't really know what's happening and probably need to edit a lot of these pre-configured settings afterwards). If you know what you are doing, create everything on your own.

    Refer to https://www.carlstalhood.com/category/netscaler/netscaler-12/netscaler-gateway-12/

  16. ActiveSync is not supported for MFA anyway, as far as I know.

    Basically you should configure pre-authentication (401-based) for ActiveSync and publish it with the Content Switching module and appropriate policies.

    Depending on whether you already have Exchange services published through ADC, you will most likely also need to publish Autodiscover.

    Please note that Microsoft says it doesn't support any form of proxy/pre-authentication in front of any Exchange service EXCEPT /owa.

    Haven't had any issues so far though.

  17. I can confirm Carl's statement, 12.1 is by far the most stable major release so far. 13.0 had so many bugs and issues throughout the versions, even though some cool features were implemented.

    If there are no major security issues with your current build, you can just stay on the build you are on. The latest 12.1 works fine for me.

    But be aware that with the release of 13.1 there will be major changes regarding expressions. I don't know if Citrix will offer some automatic script which will convert all old syntax into advanced syntax, but you should definitely keep that in mind when 13.1 gets released.

    When doing an upgrade I'd always go with shell/console and not with the web GUI; I have had some issues using the web feature to upgrade the appliance.

  18. Hello everyone,

    so I have had this weird but at least very interesting request, where I got a bit stuck now, and I wanted to know if anyone has ever had an idea like this or knows if it is even remotely possible to achieve.

    The request is as follows:

    A specific ("self-coded") application needs to authenticate to SQL Server and only supports SQL Authentication and not Windows Integrated.

    For security compliance, the target SQL Server does not support SQL Authentication, only Windows Integrated (Kerberos/NTLM fallback). The customer doesn't want to change this, and we tried to figure out if NetScaler can help here.

    The idea is: the application connects and authenticates against an LB vServer on NetScaler (with the MSSQL protocol) where a DB profile is bound with a KCD account attached to it. So basically the NetScaler would proxy the authentication, offering SQL auth on the front end to the mentioned application and doing KCD itself towards the backend SQL Server.

    For reference I have used these articles:

    https://support.citrix.com/article/CTX202004

    https://docplayer.net/6873814-Configuration-of-kerberos-constrained-delegation-on-netscaler-revision-history.html (a bit more detailed, but more or less the same)

    I know that the intention of these articles is a different one, but I hope to use them to my advantage for my purpose.

    The only point I am stuck on right now is the frontend authentication. Even though I can create a "database user" on NetScaler (which for me represents the SQL user/auth), I cannot "bind" it to anything. Meaning I cannot tell the NetScaler to accept the credentials of this database user; I can only set a KCD account in my database profile, which I bind to the LB vServer.

    So I'm not sure if it is just not possible to achieve what I want to do, or if I am missing something in my thought process / configuration.

    I know this is a special request where probably not many people have experience, and I don't need a "full" solution; I basically just want to know if I am wasting my time trying to achieve the configuration or if it's possible with some configuration adjustments.

    Thanks a lot in advance!

    Best regards
    Jens
