I recently worked with a Public Sector customer on setting up SmartCard authentication with Netscaler Gateway and StoreFront 2.5. As anyone who has done a SmartCard (PIV\CAC\SIPR Token) implementation knows, it can be challenging. After getting past the initial setup and configuration, we had SmartCard working through the Netscaler Gateway and StoreFront. However, we were getting 3 PIN prompts while authenticating and trying to connect.
The desired behavior is to be prompted initially at Netscaler and then again at the Windows GINA. However, we were getting an additional PIN prompt after launching a virtual desktop, before the GINA. Essentially, when first hitting the web site, the user would get an initial PIN prompt (this comes from Netscaler and is expected). After the PIN prompt, StoreFront Receiver for Web would load and enumerate the user's icons. After clicking on the virtual desktop, the Desktop Viewer would start to load. Before reaching the Windows GINA, the user would be prompted for another PIN. This is not expected behavior. After entering this PIN, the user would then be presented with a third and final PIN prompt at the Windows GINA (this is expected behavior).
First things first, I am not going to cover all the details on how to set up Netscaler Gateway with StoreFront because my colleague, Adam Oliver, has already done a wonderful job covering that in his blog, “CAC/PIV/SIPR Token with NetScaler Gateway and StoreFront”. If you haven’t already set up Netscaler Gateway with StoreFront, I highly recommend starting there.
Now, Adam’s blog is for StoreFront 2.1 and not 2.5. StoreFront 2.1 only allowed SmartCard authentication for the full Receiver client (not Receiver for Web). StoreFront 2.5 added SmartCard support for Receiver for Web. However, his article still very much applies to the basic setup for adding SmartCard authentication to StoreFront and Netscaler Gateway. The one new step in StoreFront 2.5 is enabling SmartCard authentication on the Receiver for Web site.
It should also be noted that since SmartCard support was added to StoreFront's Receiver for Web, things are a lot easier than in the Web Interface days. First, you no longer need to add “Client Certificate Mapping Authentication” as a Web Server feature. Also, checking the box for Smart Card does all the IIS work that had to be done manually before. For example, in the Web Interface days you had to go to SSL Settings, check “Require SSL” and set Client Certificates to Ignore. Those days are gone, as StoreFront does that for you now.
So, now on to what caused the multiple PIN prompts while using SmartCard authentication. As seen in Adam Oliver’s blog post, an important step is configuring the Callback URL.
This callback is a Netscaler Gateway VIP. The Netscaler Gateway VIP is not configured with any authentication or policies. The only things it should have are the STAs for your environment and a certificate that corresponds to the FQDN.
The main part I was missing, and could not find any documentation for, is the option to configure Optimal Gateway settings. It turns out the Callback URL is used for authentication purposes only. For the actual ICA proxy traffic, the Optimal Gateway setting is used. To reduce PIN prompts, this should be the same as the Callback URL. The Optimal Gateway settings are configured in the web.config file of the StoreFront Store. This is not the Receiver for Web site. The official eDoc for configuring Optimal Gateway settings can be found here: http://support.citrix.com/proddocs/topic/dws-storefront-21/dws-configure-ha-optimal.html
Below is an example of what I configured in my web.config file. (Unfortunately, WordPress removes my tabbed formatting for the XML file)
<optimalGatewayForFarmsCollection>
  <optimalGatewayForFarms enabledOnDirectAccess="false">
    <!-- enabledOnDirectAccess determines whether internal users who connect directly to StoreFront also launch apps through the Gateway. -->
    <farms>
      <!-- Each farm name must match the name of the Delivery Controllers entry in the Store configuration. -->
      <farm name="XA" />
      <farm name="XD7" />
      <!-- The optimal gateway is applied only to resources from the farms listed here. -->
    </farms>
    <optimalGateway key="_" name="GatewayForICA" stasUseLoadBalancing="false" stasBypassDuration="01:00:00" enableSessionReliability="true" useTwoTickets="false">
      <!-- key can be left at the default "_". name can be anything. stasUseLoadBalancing, stasBypassDuration (keep the hh:mm:ss format) and enableSessionReliability are optional. -->
      <hostnames>
        <!-- This is the Gateway URL that will be written into launch.ica as the SSLProxyHost. -->
        <add hostname="callback.domain.com:443" />
      </hostnames>
      <staUrls>
        <!-- This is the STA server StoreFront will use to create the STA ticket. -->
        <add staUrl="http://192.168.1.10/scripts/ctxsta.dll" />
      </staUrls>
    </optimalGateway>
  </optimalGatewayForFarms>
</optimalGatewayForFarmsCollection>
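As an added example that is not part of the original post or of Citrix's tooling, the following Python checker reads the optimalGateway section of a store web.config and flags the misconfigurations discussed above: a gateway hostname that does not match the Callback URL (the cause of the extra PIN prompt), farms that do not line up with the Store's Delivery Controller names, and a gateway with no STA URL. The embedded config is a constructed sample with placeholder hostname and STA address; the callback URL and Delivery Controller names passed in are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a store web.config optimalGateway section (placeholder values).
SAMPLE_WEB_CONFIG = """<optimalGatewayForFarmsCollection>
  <optimalGatewayForFarms enabledOnDirectAccess="false">
    <farms>
      <farm name="XA" />
      <farm name="XD7" />
    </farms>
    <optimalGateway key="_" name="GatewayForICA" stasUseLoadBalancing="false"
                    stasBypassDuration="01:00:00" enableSessionReliability="true" useTwoTickets="false">
      <hostnames>
        <add hostname="callback.domain.com:443" />
      </hostnames>
      <staUrls>
        <add staUrl="http://192.168.1.10/scripts/ctxsta.dll" />
      </staUrls>
    </optimalGateway>
  </optimalGatewayForFarms>
</optimalGatewayForFarmsCollection>"""

def _host_port(value, default_port=443):
    """Split 'host' or 'host:port' into a normalised (host, port) pair."""
    host, _, port = value.partition(":")
    return host.lower(), int(port or default_port)

def _adds(parent, tag, attr):
    # Collect one attribute from every <add> under parent/<tag>; empty if the tag is absent.
    node = parent.find(tag)
    return [] if node is None else [a.get(attr, "") for a in node.findall("add")]

def check_optimal_gateway(web_config_xml, callback_url, delivery_controllers):
    """Return a list of findings; an empty list means the store follows the recipe above."""
    root = ET.fromstring(web_config_xml)
    callback = _host_port(urlparse(callback_url).netloc)  # the Callback URL configured in StoreFront
    findings = []
    for ogf in root.iter("optimalGatewayForFarms"):
        farms = {f.get("name") for f in ogf.iter("farm")}
        for name in sorted(set(delivery_controllers) - farms):
            findings.append(f"farm '{name}' not listed: its launches will not use the optimal gateway")
        for name in sorted(farms - set(delivery_controllers)):
            findings.append(f"farm '{name}' matches no Delivery Controller name in the Store")
        for og in ogf.iter("optimalGateway"):
            for host in _adds(og, "hostnames", "hostname"):
                if _host_port(host) != callback:
                    findings.append(f"hostname '{host}' differs from the callback URL: expect an extra PIN prompt")
            if not _adds(og, "staUrls", "staUrl"):
                findings.append(f"gateway '{og.get('name')}' has no STA URL, so no STA ticket can be issued")
    return findings
```

Point it at the real file with `check_optimal_gateway(open(path).read(), callback_url, controller_names)` after an edit and fix anything it reports before testing the launch again.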