SAML Authentication between Citrix & Microsoft with Azure MFA

Extension of the existing article with further troubleshooting cases.

As a result of increasing projects, here is a little how-to with the summary of my previous articles. The main points are:

  • Azure AD Seamless Single Sign-On (PTA / PHS)
  • SAML Authentication (Azure AD as IdP & Citrix Gateway as SP)
  • Citrix Federated Authentication Service (FAS)
  • Microsoft Azure Multi-Factor-Authentication with Conditional Access

Requirements

  • Fully working Citrix Virtual Apps and Desktop Environment (StoreFront & DDC Minimum Version 7.9)
  • Citrix ADC with successful base configuration & activated Enterprise or Platinum license (Minimum Version 12.1 Build 50+ for native workspace app, for browser Minimum Version 11.1)
  • Configured Unified Gateway vServer
  • Internal and external DNS entries for Unified Gateway vServer (e.g. citrix.deyda.net)
  • Certificates for DNS entries (wildcard certificates are the easiest)
  • Existing Azure Tenant with Azure-AD base configuration (Domain, AAD Sync) & activated Azure AD Premium license
  • AD Connect version installed and configured (Minimum Version 1.1.644.0)
  • Firewall release for *.msappproxy.net on port 443
  • Domain administrator credentials for the domains that connected to Azure AD via AD Connect
  • Installed Authenticator App on Test User Mobile Phone

Azure AD Seamless SSO (PTA / PHS)

You can find more detailed background information on this topic here.

Activation Seamless SSO – AD Connect

I will now show you how to enable Pass-through authentication and Password Hash Synchronization. Only one feature is needed to use Seamless SSO.

Activating Pass-through authentication

To enable Pass-through authentication, connect to the AD member on which AD Connect is installed.

  • Start Azure AD Connect
Azure AD Connect
  • Click on Configure in the Welcome Screen
Welcome to Azure AD Connect
  • Now click on Change user sign-in and confirm this with Next
Additional tasks Change user sign-in
  • Enter the credentials of the Global Administrator and confirm the entry with Next
Connect to Azure AD Global Administrator
  • Possibly another login mask is requested because of an MFA
Bei ihrem Konto anmelden
  • Select Pass-through authentication and then Enable single sign-on. Confirm with Next
User sign-in Pass-through authentication
  • Under Single single-on click on Enter credentials
Single sign-on Enable single sign-on Enter credentials
  • In the following windows, enter the credentials of a local domain administrator and click OK
Forest Credentials Domain
  • Click on Configure to perform the described actions
Configure Ready to configure
  • Confirm the successful execution in the Configuration complete window with Exit
Configuration complete

Activating Password Hash Synchronization

To activate Password Hash Synchronization connect to the AD member on which AD Connect is installed.

  • Start Azure AD Connect
Azure AD Connect
  • Click on Configure in the Welcome Screen
Welcome to Azure AD Connect
  • Now click on Change user sign-in and confirm this with Next
Additional tasks Change user sign-in
  • Enter the credentials of the Global Administrator and confirm the entry with Next
Connect to Azure AD Global Administrator
  • Possibly another login mask is requested because of an MFA
Bei ihrem Konto anmelden
  • Select Password Hash Synchronization and then Enable single sign-on. Confirm with Next
User sign-in Password Hash Synchronization
  • Under Single single-on click on Enter credentials
Single sign-on Enable single sign-on Enter credentials
  • In the following windows, enter the credentials of a local domain administrator and click OK
Forest Credentials Domain
  • Click on Configure to perform the described actions
Configure Ready to configure
  • Confirm the successful execution in the Configuration complete window with Exit
Configuration complete

Local Active Directory

In the local Active Directory, you can now find a new computer object called AZUREADSSOACC. This object should be protected from deletion.

Active Directory Users and COmputers AZUREADSSOACC

Azure Portal

In the Azure Portal you can also see the activated Seamless SSO methods.

  • In the Azure Portal, click on Azure Active Directory > Azure AD Connect
Azure Portal Azure Active Directory Azure AD Connect
  • Now click on the method set up via Azure AD Connect
Azure AD Connect User Sign-In

Under Seamless single sign-on you can see the domains created with Password Hash Synchronization.

Seamless single sign-on

With Pass-through authentication, a Warning Symbol is displayed because the agent is only stored on one server.

Pass-through Authentication

According to Microsoft this should be distributed on 3 internal servers.

Pass-through Authentication

Group Policy Object

In order for Seamless SSO to work on the end devices, some settings still have to be distributed via GPOs.

  • Connect to a computer that has the Group Policy Management Console installed.
Group Policy Management
  • Now adds the following settings to an existing or a new GPO
    • In the GPO, go to User / Computer Configuration > Adminstrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
    • Edit the Site to Zone Assignment List with the following values
Value NameValue
login.microsoftonline.com3
aadg.windows.net.nsatc.net1
autologon.microsoftazuread-sso.com1
secure.aadcdn.microsoftonline-p.com1

Note: If Seamless SSO is to be disabled for individual groups or users, the GPO must be turned to the Value 4 for these people.

Site to Zone Assignment List
  • Then go to the path User / Computer Configuration > Adminstrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
  • Set the Allow updates to status bar via script entry to Enabled
Allow updates to status bar via script

Renew the Kerberos Decryption Key

Microsoft recommends rolling out the Kerberos Decyption Key at least every 30 days.

This reduces the risk of spying on the Kerberos Decryption Key.

Microsoft is working on the introduction of an automated function to perform this task.

To renew the Kerberos Decryption Key of the AZUREADSSOACC computer account, you must first download the Azure AD PowerShell module from the PowerShell Gallery.

  • Start PowerShell as the administrator on the computer on which AD Connect is installed and run the following command:
Install-Module MSOnline
  • Navigate to the path C:\Program Files\Microsoft Azure Active Directory Connect and import the module AzureADSSO.psd1
AzureADSSO.psd1
  • Execute the New-AzureADSSOAuthenticationContext command
New-AzureADSSOAuthenticationContext
  • Enter the credentials of an Azure administrator in the following window.
  • Then run Get-AzureADSSOStatus. This checks which domains are stored and activated in the Seamless SSO tenant.
Get-AzureADSSOStatus
  • Then run the command $passwd = Get-Credential and enter the credentials of a local domain administrator in the following window.
$passwd = Get-Credential
  • Finally, executes the following command to complete the update of the Decryption Key of the AZUREADSSOACC computer account.
Update-AzureADSSOForest -OnPremCredentials $passwd

This must be done for all domains configured for Seamless SSO.

SAML Authentication (Azure AD as IdP & Citrix Gateway as SP)

You can find more detailed background information on this topic here.

Active Directory

If you do not use the same UPN in Azure AD and in the local Active Directory, you still have to adjust it.

  • To do this, open the Active Directory Domains and Trusts tool.
Active Directory Domains and Trusts
  • In the tool, right-click on the top item (Active Directory Domains and Trusts) and select Properties.
Active Directory Domains and Trusts Properties
  • In the following window enter the desired domain (e.g. deyda.net) under Alternative UPN Suffixes and confirm the entry via Add.
Add Alternative UPN Suffixes
  • Check that the domain name has been inserted correctly and confirm with OK.
UPN Suffixes
  • Now you can bulk edit or manually adjust the UPN of the required users to the Azure-AD domain.
Edit UPN

Azure Active Directory

To connect our upcoming Service Provider, we now need to create a Enterprise application in the Azure Active Directory.

  • To configure the Azure Active Directory, log in to portal.azure.com.
portal.azure.com logon Microsoft Azure
  • In the Azure Navigation Panel, we click on Azure Active Directory.
Microsoft Azure Navigation Panel Azure Active Directory
  • In the Azure Active Directory window, click on Enterprise Applications.
Azure Active Directory Enterprise Application
  • Now click New Application.
Enterprise Application New Application Azure
  • And click on the information bar above “…Click here to switch back to the legacy app gallery experience.
Legacy app gallery experience Enterprise Application Azure
  • After that click on Non-gallery application
Non-Gallery Application Enterprise Application Azure
  • In the Add an application window, configure the name of the application visible for the end user, e.g. OnPrem CVAD and click Add.
Non-Gallery Application Enterprise Application Azure Name SAML based
  • Wait for the application to be created. Information is obtained via the Notifications item at the top.
Notifications New Application
  • After successful creation of the application, you will be redirected to the Overview page of the application.
Enterprise Applications redirect
  • If this does not happen, simply go to Azure Active Directory > Enterprise applications > All applications, find the new application you just created (e.g. OnPrem CVAD) and click on it
Enterprise Application All Application OnPRem CVAD
  • In the Enterprise application click on Single sign-on or 2. Set up single sign on
Add Application Configure Single Sign on
  • Under Select a single sign-on method click on SAML
SSO Method SAML Single-Signon Citrix FAS

The following window configures the communication between the Identity Provider and Service Provider.

Single-Signon SSO SAML Application
  • Click on the pencil icon in the upper area with the number 1 to edit the Basic SAML Configuration.
Basic SAML Configuration Application Single-Signon
  • Enter here the following:
    • Identifier (Citrix Gateway Address, e.g. https://citrix.deyda.net)
    • Reply URL (Citrix Gateway Address with /cgi/samlauth, e.g. https://citrix.deyda.net/cgi/samlauth)
  • Confirm your input with Save.
Basic SAML Configuration Entity ID Assertion URL
  • The settings under point 2 Attributes & claims can remain in the existing standard.
User Atribute Unique User ID
  • Under SAML Signing Certificate (Item 3), download the Certificate (Base 64) for the Service Provider (Citrix ADC).
SAML Signing Certificate Certificate (Base64) Download

Important!
The SAML Signing Certificate is valid for 3 years and must be renewed in time. Instructions can be found under Renewing the SAML Certificate.

Certificate Base64 Signature Identity Provider
  • From area 4 (Set up OnPrem CVAD), copy the displayed URLs (Login URL, Azure AD Identifier & Logout URL) to a local file.
SAML SSO Login URL Azure AD Identifier Logout URL
  • Click on the confirmation checkbox at the bottom and click Next.

To allow users to use SAML authentication for Citrix, they must be assigned to the application.

  • Click on Users and groups.
Azure AD Application Users and Groups
  • Now click on Add user/group
Add Users to Application
  • Now select from the list the users who should be granted access (or select all users) and confirm this with Assign.
Assign User or Group to Application
  • I only authorized one test user (Test User 01) for this.
Assign User or Group to Application

Citrix ADC

Finally, the Citrix ADC must be configured to communicate with the Identity Provider (Azure-AD).

Citrix ADC Logon Mask
  • To do this, we log in to the Admin web interface of the Citrix ADC and navigate to Traffic Management > SSL > Certificates > Server Certificates.
Traffic Management SSL Certificates Server Certificats SAML
  • There, click Install to import the previously downloaded certificate of the enterprise app
Server Certificates Install Azure Portal Signature Certificate
  • Enter the following and confirm the entry with Install
    • Certificate-Key Pair Name (Unique name for the SAML signature certificate, e.g. SAML-Azure-AD)
    • Certificate File Name (Downloaded signature certificate, e.g. Citrix FAS.cer)
Install Server Certificate NetScaler ADC
  • The installed certificate can not be found under Server or Client Certificates, but under Unknown Certificates.
Traffic Management SSL SSL Certificates Unknown Certificates SAML FAS
  • Then we navigate to Security > AAA – Application Traffic > Virtual Servers to create the SAML Authentication Policy and Authentication vServer.
NetScaler ADC SAML Security AAA - Application Traffic Virtual Servers
  • Under Authentication Virtual Servers, click Add to create a new vServer.
Authentication Virtual Servers AAA - Application Traffic FAS SAML
  • Now enter the following:
    • Name (Name of the vServer, e.g. Azure-AD_auth_VS
    • IP Address Type (Non Addressable)
  • Click on OK.
Authentication Virtual Server Basic Settings Non Addressable
  • In the following wizard click on No Server Certificate to connect your server certificate (not the IdP certificate).
No Server Certificate SAML Authentication Virtual Server
  • Click in the Click to select area.
Server Certificate Binding Wildcard
  • Select your Citrix ADC Server certificate (e.g. my wildcard certificate) and click Select.
Server Certificate Binding Server Certificates Wildcard
  • Click on Bind.
Server Certificate Binding Server Certificates Wildcard Bind
  • If the certificate is attached (1 Server Certificate) click Continue.
Server Certificate SAML Authentication Virtual Server
  • Under the menu item Advanced Authentication Policies click on No Authentication Policy.
Server Certificate SAML Authentication Virtual Server Advanced Authentication Policies Authentication Policy
  • Click on the + symbol under Select Policy.
Policy Binding SAML Authentication Virtual Server Advanced Authentication Policies Authentication Policy
  • Enter the following:
    • Name (Name of the Authentication Policy, e.g. saml_auth_pol)
    • Action Type (SAML)
    • Expression (HTTP.REQ.IS_VALID)
  • Click on the + symbol next to Action.
SAML Authentication Virtual Server Advanced Authentication Policies Authentication Policy Create
  • Now configure the Authentication SAML Server with the following parameters:
    • Name (Name of the SAML Authentication Server, e.g. saml_auth_server)
    • IDP Certificate Name (Certificate from the Azure-AD Application, e.g. SAML-Azure-AD)
    • Redirect URL (URL for logging in from the Azure AD application, e.g. https://login.microsoftonline.com/…/saml2)
    • Single Logout URL (URL for logging in from the Azure AD application, e.g. https://login.microsoftonline.com/…/saml2)
    • Signing Certificate Name (Server Certificate of the Citrix Gateway, e.g. my wildcard certificate)
    • Issuer Name (Identifier Entry of the Azure Enterprise App, e.g. https://citrix.deyda.net)
    • Reject Unsigned Assertion (Off)
SAML Authentication SAML Server Advanced Authentication Policies Authentication Action
  • Click on More and edit the following settings
    • Signature Algorithm (RSA-SHA256)
    • Digest Method (SHA256)
  • Confirm the entry with Create.
SAML Authentication SAML Server Advanced More Signature Algorithm Digest Method
  • Check the entries again and click Create.
SAML Authentication SAML Server Advanced Authentication Policies Authentication Action
  • Under Policy Binding controls the inputs and changes the following:
    • Goto Expression (END)

Confirm this with Bind.

SAML Authentication SAML Server Advanced Authentication Policies Authentication Action END
  • If the Authentication Policy is connected click on Continue and Done.
SAML Authentication SAML Server Advanced Authentication Policies
SAML Authentication SAML Server

In order to complete the configuration on the Citrix ADC, we only need to bind the newly created SAML Authentication Policy to our Gateway Virtual Server.

  • To do this, we navigate to NetScaler Gateway > Virtual Servers.
Citrix ADC Gateway NetScaler Gateway Virtual Servers
  • Select the gateway vServer previously configured for FAS in StoreFront (e.g. https://citrix.deyda.net = UG_VPN_ug_10.0.0.8_443) and click Edit.
NetScaler Gateway Virtual Servers Edit

Unbind all connected LDAP or RADIUS authentication policy from the vServer.

  • Click on the policies (1 LDAP Policy).
NetScaler Gateway Virtual Servers LDAP Policy
  • Select the policies and click Unbind.
Unbind LDAP Policy VPN Virtual Server Authentication
  • Confirm the window with Yes.
Confirm Pop Up Do you want to unbind the selected entitiy
  • Checks that neither a policy is connected in Basic Authentication nor in Advanced Authentication.
NetScaler Gateway Virtual Servers Basic Authentication Advanced Authentication SAML IDP Policy
  • On the right side, click Authentication Profile under Advanced Settings.
NetScaler Gateway Virtual Servers Basic Authentication Advanced Authentication SAML IDP Policy Authentication Profile
  • Click on the + symbol under Authentication Profile.
NetScaler Gateway Virtual Servers Basic Authentication Advanced Authentication Profile
  • Enter a name (e.g. saml_auth_profile) under Create Authentication Profile and click on Click to select under Authentication Virtual Server.
NetScaler Gateway Virtual Servers Basic Authentication Advanced Authentication SAML Authentication Profile
  • Select the previously created Authentication Virtual Server (Azure-AD_auth_VS) and click Select.
NetScaler Gateway Virtual Servers Basic Authentication Advanced Authentication SAML Authentication Profile Authentication Virtual Servers
  • Confirm the entry by clicking on Create.
NetScaler Gateway Virtual Servers Basic Authentication Advanced Authentication SAML Authentication Profile Authentication Virtual Servers
  • Click on OK and on Done.
NetScaler Gateway Virtual Servers Basic Authentication Advanced Authentication SAML Authentication Profile Authentication Virtual Servers
  • Navigate to NetScaler Gateway > Global Settings to delete the single sign-on domain.
NetScaler Gateway Global Settings
  • Click on Change Global Settings.
NetScaler Gateway Global Settings Change Global Settings
  • Deletes the possible entry under Single Sign-on Domain.
NetScaler Gateway Global Settings Change Global Settings Single Sign-on Domain
  • If necessary, the policies of the Gateway vServer must also be adjusted for Single Sign-on Domain.
NetScaler Gateway Polices Session Cache
NetScaler Gateway Polices Session Cache

Important !
If Citrix ADC 13.1 (currently tested with build 12.51) is used and the Single Sign-on Domain field under Global Settings is filled, the configuration currently does not work.

Under Citrix ADC 13.1 the Overide Global is not stored in the Session Policy if the field is empty. But this is needed for the SAML Auth.

Therefore, the Global Setting must be cleaned up under 13.1 and it must be checked that no Override Global has been stored under Single Sign-on Domain in the Session Policies of the Gateway vServer. Please check previously for any other gateway vServers, that the Global Setting for this field is not required and if so, enter it in the connected Session Policies.

  • Furthermore, the policies of the Gateway vServer must also be adjusted regarding Session Time-out
  • This value must be smaller than the timeout value of the connected store in StoreFront
NetScaler Gateway Polices Session Cache
NetScaler Gateway Policies Session Time-out

CLI Command

The certificate must first be uploaded to the Citrix ADC appliance via WinSCP. It must be stored under the path /nsconfig/ssl/

Example:

If the authentication policies are not known. These can be found out as follows (Red Border). With the blue border, we find the session policies.

Example:

Primary ldap authentication policy name

Now we know the session policies and have to find out the session profiles for the adjustment.

show vpn sessionaction

Citrix Federated Authentication Service (FAS)

Certificate Authority

Next, a PKI environment must be created, if there is no Microsoft Enterprise PKI in the domain. Go for this on the machine that should receive this role. In my example, it is the domain controller itself.

  • For this we go to the Server Manager and click Add Roles and Features.
Server Manager
  • Click through the wizard to the point Server Roles and select the item Active Directory Certificate Services.
  • Confirms the selection with Add Features.
Add Roles and Features Wizard
  • Then click Next in the Server Roles, Features and AD CS tab.
Active Directory Certificate Services
  • Under the heading Role Services you select the following points:
    • Certification Authority
    • Certification Authority Web Enrollment
AD CS Role Services
  • If pop-up windows with additional features appear, you also confirm these with Add Features.
Certification Authority Web Enrollment Add Features
  • Complete the installation with Install.
Confirm installation selections
  • Now select the Notifications item in Server Manager
  • Click on Configure Active Directory Certificate Services.
Notifications Configure ADCS
  • In the following configuration, the default settings can be confirmed with Next.
AD CS Configurations Credentials
  • Configuration used by me:
    • Setup Type (Enterprise CA)
    • CA Type (Root CA)
    • Private Key (Create a new private key)
    • CA Name (Name of the CA, e.g. Deyda-CA)
    • Validity Period (5 Years)
  • Confirm the configuration with Configure.
Configuration AD CS Confirmation

Now the domain controller must be issued a certificate of the local CA.

  • To do this, open the MMC on the domain controller.
start run mmc
  • Click on File and Add / Remove Snap-in …
Add Remove Snap-in
  • Now click on Certificates and on Add.
Certificates
  • In the following window select Computer account and confirm it with Next.
Certificates snap-in Computer account
  • Finally, close the window with OK.
Certificates Local Computer
  • Right-click on Personal and then on All Tasks > Request New Certificate…
Request New Certificate
  • In the Certificate Enrollment window, select your Active Directory Enrollment Policy and click Next.
Certificate Enrollment Before you begin
Certificate Enrollment Active Directory Enrollment Policy
  • Select Domain Controller Authentication and confirms this with Enroll.
Domain Controller Authentication Enroll

Citrix Federated Authentication Service

Now we can install and configure the FAS server. In my example, I install the FAS Part on the StoreFront server.

  • For this mount the ISO of your Virtual Apps & Desktops version and start autoselect.exe.
  • Then start the installation by clicking on Federated Authentication Service in the following window.
Federated Authentication Service Citrix Virtual Apps and Desktops 7 1912 LTSR
  • Click on “I have read, understand, and … ” and confirm it with Next.
Software License Agreement FAS
  • Now confirm the following default settings with Next.
Citrix Virtual Apps and Desktops 7  Core Components
  • And click Next again.
Citrix Virtual Apps and Desktops 7  Firewall
  • Starts the installation with Finish.
Citrix Virtual Apps and Desktops 7  Summary
Installing prerequisites and components
  • You may have to restart your server.
Citrix Virtual Apps and Desktops 7  Finish
  • To perform the basic configuration of the FAS through the GPO, copy the ADMX / ADML files from the specified path of your FAS server (C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions).
Federated Authentication Service GPO Policy Definitions
  • Add them to the PolicyDefinitions Store of your Active Directory
Federated Authentication Service GPO Policy Definitions Active Directory
  • Create a new one or edit an existing GPO, which will be activated on the following systems:
    • FAS Server
    • StoreFront Server
    • VDA Worker
GPO Group Policy FAS
  • In the GPO go to the path:
  • Enter your FAS server in Federated Authentication Service.
  • Update your local GPOs on the FAS server by running gpupdate /force in the CMD.
cmd gpupdate /force FAS
  • Then check the registry that the required entry has been written to the system:

Or / And

Registry Editor HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Citrix \ Authentication \ UserCredentialService \ Addresses
  • Now start the Citrix Federated Authentication Service Tool with the “run as administrator” parameter
Citrix Federated Authentication Service Tool with the "run as administrator" parameter
  • Here you can see, the list of FAS servers that have been configured via GPO. Click on OK.
Connect to the Federated Authentication Service

The following window configures the FAS.

  • Click on Deploy in the frame Deploy certificate templates
Citrix FAS Administration Console Deploy certificate templates
  • Click on OK, so that the configuration is carried out automatically, in the background.
Deploy Certificate Templates
FAS
  • After successful setup, a green tick appears next to the frame.
  • Then click on Publish in the second fram Set up a certificate authority
Citrix FAS Administration Console Set up certificate authority
  • Under Certificate Authority, select your CA configured / created for FAS (e.g. DC01.deyda.local\CA-DEYDA) and click OK.
Setup certificate authority FAS Server
  • Upon successful setup, also a green tick appears next to the second frame.
  • Now click on Authorize at the third frame Authorize this service
Authorize this service FAS Server
  • Here select your CA and click OK.
FAS Server Authorize service Certificate Authority
  • Next to the third frame now appears a blinking circle, because the certificate request must be approved.
Waiting for Approval Pending Certificate
  • Reconnect to the server with the FAS CA and open the Server Manager.
  • In Server Manager, click Tools > Certification Authority.
Server Manager CA Certification Authority
  • In the Certification Authority console, click on Pending Requests.
certsrv Certification Authority Local FAS
  • There you right click on the request of your FAS server (e.g. DEYDA \ CTX01) and click on All Tasks > Issue.
Pending Requests Issue All Tasks
  • Thereafter, the certificate appears under Issued Certificates.
Certification Authority Issued Certificates FAS Server

The now-approved certificate normally expires in 2 years.
Therefore, it is recommended to include this certificate in the monitoring so that you renew the certificate before it expires.

Here are the PowerShell commands to get the expiration date (Replace CTX01.deyda.local with your FAS server).

  • After approving, also a green tick appears next to the third frame
  • Now click on Create in the frame Create a Rule
Authorize this Service Citrix Federated Authentication Service
  • Click on Next to create the default rule
Create a rule fas Create the default rule
  • In the Template section select Citrix_SmartcardLogon and click Next
Create a rule fas Template Citrix_SmartcardLogon
  • In the Certificate authority section select your FAS CA (e.g. DC01.deyda.local\CA-DEYDA) and click Next
Create a rule fas Certificate Authority CA
  • Select Allow in-session use if you want to support double hop scenarios
  • Click on Next
Create a rule fas In-session use Allow in session use
  • Under Access control click on Manage StoreFront access permissions
Create a rule fas Access control Manage StoreFront access permissions
  • In the following window you delete the default group Domain Computers.
Permissions for StoreFront Servers Domain Computers
  • Then add your StoreFront servers and give them the Assert Identity (Allow) right.
  • Confirm this with OK.
Permissions for StoreFront Servers StoreFront Servers
  • Confirm with Next
Create a rule fas Access control Manage StoreFront access permissions
  • Under Restrictions you can define the user and the VDA for which certificate authentication via FAS should be allowed
Create a rule fas Restrictions Manage user permissions Manage VDA permissions
  • Click on Manage user permissions

You can restrict the users who can log in to Citrix via SAML. By default, the group Domain Users is stored here, which can stay that way.

Permissions for Users
  • Click on Manage VDA permissions

Under Manage VDA permissions you can narrow down the list of Citrix Workers to which you can log in via SAML. By default this stands on Domain Computers, which can stay that way.

Citrix Federated Authentication Service Configuration Security Access Control Lists Permission for VDAs FAS

After everything is defined click on Next and in the last window on Create

Summary Fas Create a rule
  • Now all points have a green tick
Citrix FAS

StoreFront

Now we configure the StoreFront server so that it can talk to the FAS server.

  • Go to your Citrix StoreFront console and make a note of your stores you want to configure for FAS (e.g. Store).
StoreFront Stores FAS PowerShell
  • Starts PowerShell as administrator on a StoreFront server.
Windows PowerShell Run as administrator StoreFront FAS
  • Execute the following commands in PowerShell (change the store path in line 2 to your store name):
Windows Power Shell FAS Get-STFAuthenticationService Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider
  • If you want to deactivate this again, e.g. for troubleshooting, you can do this with the following command:
  • Now open the Citrix StoreFront console again
  • Click on Manage Authentication Methods in the panel on the right side.
Manage Authentication Methods StoreFront Citrix
  • Enable Pass-through from Citrix Gateway, if it is not enabled.
Citrix StoreFront Manage Authentication Methods Pass-through from Citrix Gateway
  • Then click on the gear on Pass-through from Citrix Gateway and on Configure Delegated Authentication.
Citrix StoreFront Manage Authentication Methods Pass-through from Citrix Gateway Configure Delegated Authentication
  • In the following window, check the box next to Fully delegate credential validation to Citrix Gateway
  • Click OK two times to close the windows.
Citrix StoreFront Manage Authentication Methods Pass-through from Citrix Gateway Configure Delegated Authentication Fully delegate credential validation to Citrix Gateway
  • Click, back in the main window of the StoreFront console, on Manage Citrix Gateways.
Manage Authentication Methods StoreFront Citrix

In Manage Citrix Gateways, you add a new gateway or edit an existing one to connect to your Citrix Gateway which will later be used as SP.

Manage Citrix Gateways ADD EDIT FAS
  • In my case, I edited an existing Gaeway via Edit and configured the following under Authentication Settings:
    • Version (10.0 (Build69.4) or later)
    • VServer IP address (IP address of the Gateway VIP, e.g. 10.0.0.8)
    • Logon type (Domain)
    • Callback URL (Address of the Callback, e.g. https://citrix.deyda.net)
  • Confirm the settings with Finish.
StoreFront Authentication Settings Callback URL

Important here is that also in the internal DNS the callback address citrix.deyda.net is deposited.

DNS Lookup Fallback URL
  • In the main menu of the StoreFront console, click on Configure Remote Access Settings
  • Check that the item Allow users to access only resources delivered through StoreFront (No VPN tunnel) is activated.
Configure Remote Access Settings - Store Service Enable Remote Access

Delivery Controller

The XML Trust must still be activated on the Delivery Controller if this is not already activated.

  • To do this you start a PowerShell as administrator on a Delivery Controller.
Deliver Controller Citrix PowerShell Run as administrator
  • Now run the following command.
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true FAS Delivery Controller

In the newer version of CVAD (>1906) a Citrix Cloud window follows after executing the PowerShell commands, in which you have to deposit your credentials.

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true FAS Delivery Controller Citrix Cloud

Microsoft Azure Multi-Factor-Authentication with Conditional Access

You can find more detailed background information on this topic here.

Conditional Access

  • First, we sign up with an administrative account in Azure Portal (https://portal.azure.com)
  • Click on Azure Active Directory > Security
Azure Active Directory Security
  • Click on Conditional Access
Conditional Access
  • Click on Named locations
Conditional Access Named locations
  • Click on New location
Conditional Access Named locations New location
  • Configure the following for your Azure Worker
    • Name (e.g. Azure Worker)
    • Define the location using (IP ranges)
    • Mark as trusted location (Checked)
    • IP ranges (IP range of the Worker, e.g. 10.0.0.1/24)
  • Click on Create
Conditional Access Named locations New named location
  • Click under Policies on New policy
Conditional Access Policies New policy
  • In the new window, enter a Name for the policy (e.g. External MFA)
  • Click on Users and groups
  • Click under Include on All users
Conditional Access Policies New Name Users and groups Include Exclude
  • Under Exclude click on Users and Groups
  • Click on Select excluded users
  • On the following window select the users that should not receive an MFA message, like the Break Glass User and the Sync Accounts
  • Confirm with Done
Conditional Access Policies New Name Users and groups Include Exclude Break Glass On-Premises Directory Synchronisation
  • Click on Cloud apps or actions
  • Click on Select apps and select the previously created Enterprise App (e.g. Citrix FAS)
  • Confirm with Done
Conditional Access Policies New Name Cloud apps or actions Select apps
  • Click on Conditions > Locations
  • Click under Configure on Yes
Conditional Access Policies New Conditions Locations Selected locations
  • Click under Exclude on Selected locations
  • Select the previously created Location (e.g. Azure Worker)
  • Confirm with Done
Conditional Access Policies New Conditions Locations Selected locations Azure Worker
  • Click under Access controls on Grant
  • Select Grant access and Require multi-factor authentication
  • Confirm with Select
Conditional Access Policies New Conditions Grant Require MFA Authentication
  • Click under Enable policy on On
  • Confirm with Create

Convert users from per-user MFA to Conditional Access based MFA

Before the following script works, a connection to Azure AD must be established. Execute the following lines.

Save the following code into a PS1 file and execute it to swivel the MFA method.

List of configured MFA users

List of unconfigured MFA users

Authentication App

We now log in to MFA Setup (https://aka.ms/mfasetup) with our test user to configure the Authentication App on the mobile device.

Office365 Anmeldung

If the test user does not yet have a configured second factor, the following message appears. The configuration can be started with Next.

Office365 Anmeldung Weitere Informationen
  • In the next window, select the type of the Second Factor (e.g, Mobile App)
  • To simplify the configuration, you select to receive notifications for verification and click Next
Office365 Zusätzliche Sicherheitsüberprüfung
  • In the following window, a QR code is displayed, with which the Authentication App can be configured
  • Open the Authenticator app on your device
  • Click on the + symbol to add another account
  • Select Business or School Account in the Accounts window
Authenticator App
  • With the following menu item Scan QR code you can scan the existing QR Code
QR-Code scannen
  • Now the test user is displayed in the account list
Authenticator App
  • In the browser you can confirm the configuration of the MFA service with Next and Finish
Office 365 MFA

Result

If we now open the FQDN of the gateway (https://citrix.deyda.net) via browser.

NetScaler with Unified Gateway

We will be forwarded directly to Azure-AD and can authenticate ourselves there.

Microsoft Login

We get our Citrix resources listed and can start them.

Citrix StoreFront
Successfull Logon

Troubleshooting

Lessons learned from the field.

Cannot start app / Cannot start desktop

The user gets his resources displayed, but cannot start them and only gets the error message:

Cannot start app

Citrix FAS Cannot start app

Cannot start desktop…

Cannot start desktop

If this message appears only after FAS has been implemented, the usual suspects (machines not in Maintenance Mode, VDA is not registered, machines are shut down and so on), must be checked later.

Scenario 1

Checking the event log on the StoreFront shows the following.

Event 28 Citrix Store Service Failed to launched the ressource '' using the Citrix XML Service at address An unknow error occured interacting with the Federated Authentication Service

Event 28 is generated when the application is started on the StoreFront server.

Failed to launch the resource ‘ ‘ using the Citrix XML Service at address ‘??’.

Failed to launch the resource ' ' using the Citrix XML Service at address '??'.

An unknown error occurred interacting with the Federated Autentication Service.

An unknown error occurred interacting with the Federated Autentication Service.

Citrix.Authentication.UserCredentialServices.FederatedAuthenticationServerFault,…Access Denied

Citrix.Authentication.UserCredentialServices.FederatedAuthenticationServerFault,…Access Denied

This error message indicates a discrepancy in the FAS rule configuration. Mostly a different rule name is distributed than the one used in the FAS.

To check this, check the set Rule Name in the GPO or directly on the StoreFront in the registry.

To do this, go to the registry path and check the contents of DefaultRole:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\DefaultRule

Compares the rule name with the one stored in FAS under User Rules.

Citrix Federated Authentication Service Configuration User Rules

In my example, there was a discrepancy (GPO was configured to myRule and FAS to default) and this needs to be adjusted by editing the GPO and running a gpupdate /force on the StoreFront.

Scenario 2

If no event with ID 28 can be found on the StoreFront, the event log on the FAS server should be checked next.

[S104] Server [] failed to assert UPN [] (UPN not allowed by role [default])

Event 104 is generated when the application is started on the FAS server.

[S104] Server [] failed to assert UPN [] (UPN not allowed by role [default])

This indicates a misconfiguration in the specified FAS rule (here default). The StoreFront server (here SF1) is not authorized to make requests to the FAS server. But also the user could not be authorized in the FAS Rule.

To check this, check the settings in the FAS console regarding Manage StoreFront access permissions and Manage user permissions.

Create a rule fas Access control Manage StoreFront access permissions

Here you can see that the StoreFront servers are not stored.

Permissions for StoreFront Servers Domain Computers

Expands the list of deposited machines with the required StoreFront servers.

Permissions for StoreFront Servers StoreFront Servers

Also check the Manage user permissions.

Create a rule fas Restrictions Manage user permissions Manage VDA permissions

If the user or one of its groups is listed here and set to Deny, this should be corrected.

Permissions for Users

The request is not supported

The user gets his resources displayed and only gets the error message on the resource:

The request is not supported

The request is not supported

Since we get to the VDA and there the message appears, check the event log on the target VDA.

Event Id 3 Error Code: 0x10 Event Id 9 KDC_ERR_PADATA_TYPE_NOSUPP

Scenario 1

If event 3 occurs in the event log with the following content.

A Kerberos error message was received: on logon session

Event Id 3 Error Code: 0x10 … KDC_ERR_PADATA_TYPE_NOSUPP

Error Code: 0x10 KDC_ERR_PADATA_TYPE_NOSUPP

Error Code: 0x10 KDC_ERR_PADATA_TYPE_NOSUPP

This indicates that the domain controllers are missing the Domain Controller Authentication Certificate and/or the Kerberos Authentication Certificate. In the figure below you can see how it has to look like.

Authentication Domain Controller Authentication

To do this, connect to the domain controller and check whether the above-mentioned certificates are available in the computer context. If not, simply add them so that the smart card logon works.

Certificate Request Kerberos Authentication Domain Controller Authentication

Szenario 2

If event 9 occurs in the event log.

The client has failed to validate the domain controller certificate for . The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

The client has failed to validate the domain controller certificate for domaincontroller@domain.com. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

Check the registry on the affected VDA at:

Normally, several CAs should be stored here.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

If this is the case, export the internal CAs in DER format.

Certificate Local Computer

Then import the individual files on the VDA with the following command.

Then check via the registry that the CAs are now listed.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

AADSTS50020: User account

After authentication, the user receives the following message.

AADSTS50020: User account

Sorry, but we're having trouble signing you in AADSTS50020: User account
AADSTS50020: User account

We can’t get to the Citrix farm and so check the Azure AD under Sign-in logs.

Monitoring Azure AD Sign-in logs
Activity Details: Sign-ins

We find there the error code 50020, which matches the displayed error of the user.

Invalid username or password or Inval….

SIGN-IN ERROR CODE 50020 Invalid username or password or Inval....

From the error message it is obvious that the entered user data does not match the Active Directory.

Scenario 1

Checking the user principal name (UPN) in the local Active Directory.

User logon name Userprincipalname UPN

The local UPN (here User01@deyda.local) does not match the data entered and stored in Azure AD (here User01@deyda.net). This must be adjusted.

Scenario 2

If the UPN matches, check the Session Policies of the Citrix Gateway vServer, which is responsible for SAML authentication.

Session Policy SAML Auth vServer Single Sign-on Domain

The Single sign-on domain must be empty in the session policies so that the correct username can be passed.

The user name or password is incorrect

The user gets the error message after starting the resource on the VDA.

The user name or password is incorrect

Since we get to the VDA and the message appears there, check the event log on the target VDA. There we find again the event ID 3 in the system log.

Event 3 Error Code: 0x3e .. KDC_ERR_CLIENT_NOT_TRUSTED

Event 3 declares:

A Kerberos error message was received: on logon session

Error Code: 0x3e KDC_ERR_CLIENT_NOT_TRUSTED

Error Code: 0x3e KDC_ERR_CLIENT_NOT_TRUSTED

This indicates that the Certificate Revocation List has expired or is not accessible.

To check this, start the URL Retrieval Tool and check the CRLs from the Active Directory.

Ensures that the CRLs are up-to-date and provided (see figure).

CRL Certificate Revocation List

Temporarily, the CRL query can also be disabled by entering the following registry key on the VDA.

Important !!!!
Remove this after testing.

Cannot complete your request

The user gets the error message after being connected for a while.

Cannot complete your request

Cannot complete your request Anforderung kann nicht abgeschlossen werden

This indicates that the timeout in StoreFront is set shorter than in Citrix ADC Gateway vServer.

Session Policy SAML Auth vServer Session Time-out

To do this, adjust the timeout in either StoreFront or Citrix ADC so that the value in Citrix ADC is less than that in StoreFront (here StoreFront 20 minutes and Citrix Gateway 15 minutes).

StoreFront Store Edit Receiver for Web site

The StoreFront Store settings are accessible in the specific store under Manage Receiver for Web Sites.

You cannot login using smart card

The user gets the error message after trying to access the gateway page. Mostly when the user has previously authenticated against another Azure service.

You cannot login using smart card

You cannot login using smart card

To solve this, the script.js file must be customized on all StoreFront servers. This can be found under C:\Windows\inetpub\wwroot\Citrix\<Store Name>Web\custom.

script.js

Insert the following line at the end of the file and save it.

CTXS.allowReloginWithoutBrowserClose = true

Afterwards the IIS must be restarted. Start a CMD and execute the following command:

iisreset

This must be executed on all StoreFront servers, on which the store connected in Citrix Gateway is stored.

Renewing the SAML certificate

Since my first article on this topic, is now almost 3 years ago, I have also come to the point of what needs to happen to the SAML certificate from the Azure AD Enterprise App when it expires. This needs to be reissued in Azure AD and then replaced in the Citrix ADC SAML Server Actions.

Azure Active Directory

To renew the certificate, this must be requested and downloaded under Enterprise application in Azure Active Directory.

  • For this go to portal.azure.com
portal.azure.com logon Microsoft Azure
  • In the Azure Navigation Panel, click on Azure Active Directory
Microsoft Azure Navigation Panel Azure Active Directory
  • In Azure Active Directory, click on Enterprise applications > All applications
Azure Active Directory Enterprise Application
  • Search for the previously created application (e.g. OnPrem CVAD) and click on it.
Enterprise Application All Application OnPRem CVAD
  • In the Enterprise application click on Single sign-on or on 2. Set up single sign on
Add Application Configure Single Sign on
  • Under SAML Signing Certificate (area 3) the expiration date of the certificate for the service provider (Citrix ADC) can be checked (here 2.6.2022)
  • Click on Edit
SAML Signing Certificate Certificate (Base64) Download
  • In the following window click New Certificate to create a new certificate
SAML Signing Certificate New Certificate
  • Now a new certificate with the status n/a appears under the existing certificate. Click Save to finally create the certificate. Then a certificate thumbprint is also displayed.
SAML Signing Certificate New Certificate Save Will be deployed on save Thumbprint n/a
  • After confirming the new certificate via Save, the thumbprint appears and the status changes to Inactive.
SAML Signing Certificate New Certificate Save Updating your certificate Inactive
  • To activate the new certificate, click on the three dots () in the row of the new inactive certificate
  • In the following drop down window click on Make certificate active
SAML Signing Certificate New Certificate Make certificate active
  • A message follows that with the confirmation of this message, the old certificate is deactivated and no SAML authentications can be signed with this certificate any longer

Important!
The certificate can also be downloaded before activation and imported / activated in Citrix ADC. I only go through system by system in these instructions.

Activating your certificate
  • The new certificate is now active and the old one can no longer be used
Rolling over your certificate
  • Now the new certificate can be downloaded via Certificate (Base64)
Download the new certificate
  • After the certificate is downloaded, it has been renamed to Citrix FAS New, for better clarity.
Certificate Base64 Signature Identity Provider

Citrix ADC

Finally, the newly downloaded certificate must also be imported on the Citrix ADC.

Citrix ADC Logon Mask
  • Open the admin web interface of the Citrix ADC and navigate to Traffic Management > SSL > Certificates > Server Certificates
Traffic Management SSL Certificates Server Certificats SAML
  • Click Install there to import the new certificate
Server Certificates Install Azure Portal Signature Certificate
  • Enter the following and confirm with Install
    • Certificate-Key Pair Name (Unique name for the SAML signing certificate, e.g. Citrix FAS NEW)
    • Certificate File Name (Downloaded signature certificate, e.g. Citrix FAS – NEW.cer)
Install Server Certificate NetScaler ADC
  • The installed certificate is not found under Server or Client Certificates, but under Unknown Certificates.
  • Then navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > SAML Actions to edit the existing SAML server action (here saml_auth_server)
NetScaler ADC Security AAA - Application Traffic Policies Authentication Advanced Policies Actions SAML Actions
  • Now replace the certificate under IDP Certificate Name and select the newly downloaded one (here Citrix FAS NEW).

2 thoughts on “SAML Authentication between Citrix & Microsoft with Azure MFA”

Leave a Reply

Your email address will not be published.

* I consent to having this website store my submitted information so they can respond to my inquiry.

%d bloggers like this: