
Julian Jakob

Members
  • Posts: 282
  • Joined
  • Last visited
  • Days Won: 18

Everything posted by Julian Jakob

  1. Hi Kari, just some notes / ideas. Citrix Cloud is a separate Entra ID Enterprise App (with App Registration linked because of OIDC Multi-Tenant, as you already noticed) and your OnPrem NSGW is also an Enterprise App. Are there different conditional access policies linked and are there authentication strengths policies linked? Because: with authentication strengths policies (configured under the conditional access menu) you are able to define exactly which auth methods are available. Link an authentication strengths policy to a conditional access policy. Link that conditional access policy explicitly only to your Citrix Cloud / NSGW enterprise app. This should change / switch the possibilities Entra ID is showing when users are trying to authenticate. Hope this helps
  2. Can you share some information about the OAuth config? Is NetScaler the OAuth SP and Entra ID (or another IdP?) your IdP? If so, in the OAuth Action there is a User Name Field where you can use preferred_username, which is the logon name the user is typing into Entra ID and which gets sent to NetScaler
  3. Which Firmware are you using? Is there a session policy bound directly to the gw vServer or to AAA groups / users? In session profile, the setting "Plug-In type" has to be set to Windows/MacOS and "Use mapped IP" should be set to NS and "Use Intranet IP" to NOSPILLOVER.
  4. Agree 100%! The way the config is done in GLOBAL DNS-Suffix settings for doing the location detection of the CSA client is very, very crappy. I had the same question and asked Citrix support what's happening when there are multiple suffixes configured. This was the answer (but never verified in a setup of mine, so no guarantee!): "If multiple DNS Suffixes are configured, for example ".abc.com" ; ".xyz.com", the OS will attempt to resolve one by one. If it succeeds with one suffix, the remaining suffixes are skipped."
  5. Some things to add here from my side:
     - KCD account config on NS: only use the Realm and Delegated User, leave User Realm and Service SPN blank.
     - Is your SharePoint Server on your LoadBalancer on NetScaler bound with FQDN or IP? Use FQDN for Kerberos to work.
     - Is the SNIP able to reach your Domain Controllers via 88 TCP and 88 UDP?
     The delegation in your AD / SPN looks correct.
  6. This shouldn't be a problem. What is the AOService log displaying on a CSA client? I know in a customer setup I also configured the session timeout parameter, but didn't know this could prevent me from having your issue.
  7. Thanks for the update - I tried this also with a fake proxy and excluded the NetScaler GW URL. After connecting, the proxy settings look fine, too. Nothing changed or got reset:
  8. Hi Allan, highly interested in your issue. In one setup I'm using NS (13.0 92.21) for SSLVPN. Session-Profile Proxy is set to OFF: I know the customer is also deploying different PAC URLs via GPO. I'm using a non-corp device to set a test proxy config like that: When I log on via Windows CSA (23.8.1.11) the proxy setting persists and there are no changes to that. Just wondering if it's a bug in an NS build and/or with a CSA build. Following for more :) Regards, Julian
  9. Hi, I think the error is because of missing brackets between your AND expressions. This should work: (HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT && HTTP.REQ.HEADER("User-Agent").CONTAINS("Android")) || (HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("User-Agent").CONTAINS("iOS")) || (HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("User-Agent").CONTAINS("WindowsPhone"))
  10. What I can say is, NetScaler is aware of that "problem": at the moment, an OAuth IdP Policy has to be bound directly to an AAA vServer; it is not possible to integrate it in nFactor. This limits some auth possibilities where NS is acting as IdP.
  11. Hi all, I'm also facing a little delay and (depending on the performance of the notebook) about 2-6 lost pings. I also think "it depends" on the config. In one environment we are using a dedicated IIP subnet for the machine tunnel (which can only connect to SCCM, WSUS, Domain Controllers) for the logon mechanism. During the switch to the user tunnel via SSO, groups get evaluated and other IIP subnets are assigned.
  12. Hello Kai, what exactly do you need? I'm using NetScaler as OAuth SP (connected to an F5 BigIP as IdP) and OAuth IdP (connected to a Keycloak as SP) at some of my customers' instances. You can't bind an OAuth Policy directly to a VPN vServer, that's correct. You always have to use an auth profile, linked to an AAA vServer.