We recently hosted another ACE (Ask the Cloud Experts) meetup, a monthly series focused on giving you an additional channel to talk to Citrix experts and get answers to your Citrix Cloud questions. Our most recent meetup, on August 21, focused on authentication methods for your Citrix Workspace solution.

Here are questions our attendees asked, along with the corresponding answers. We’ve also made the complete meetup (and past meetups) available on-demand here. Just scroll to the bottom of the page.

Our September 21 ACE meetup will cover three things you should know about Citrix Content Collaboration.

Register today!


What’s the difference between the cloud-enabled Federated Authentication Service (FAS) and the on-premises FAS?
The on-premises FAS is supported by your StoreFront server. FAS and StoreFront servers need to be joined to the same Active Directory domain as the VDAs for the FAS to request an authentication certificate on behalf of the user accessing it. With cloud-enabled FAS, the same FAS infrastructure is used (it is on-premises), but a trust relationship with Citrix Workspace in Citrix Cloud (instead of StoreFront) has been set up with FAS.

We also redesigned the UI to look much cleaner than the regular on-premises FAS. The flows are meant to be more friendly for the IT admin for them to better understand what they do and what’s going on. The key difference is the use of a cloud rule. You can use both on-prem and cloud-enabled FAS at the same time, so one FAS server can be used for both. You just need an on-prem rule and a cloud rule.

I’m unable to connect/add Citrix Cloud to Azure AD. What are the possible reasons?
From a troubleshooting standpoint, we recommend you perform some verifications to ensure we can connect Citrix Cloud to Azure AD. The most common issue is an incorrect level of permissions assigned to the admin who will create a link to Azure AD. The user must be a Global Admin so we can connect Citrix Cloud to the Azure AD Tenant. The purpose of having this master role is that it allows you to create a delegated administrator set of rights.

When does Gateway as IdP (tech preview) go live?
We’re currently in tech preview. The tentative date for release matches each ADC version release date. To be able to use the Gateway as IdP feature in this general availability (GA) capacity, you need the latest versions that are coming out for either 12.1 or 13.0.

We’re getting a second authentication prompt at the VDA published screen when using AAD with Citrix Workspace. How can we fix this?
This is addressed by the cloud-enabled FAS, which will take care of the double logon prompt if you’re using Okta, Gateway, or any federated IdP. This feature is currently in private tech preview. If you’d like to join it, you can reach out to your CSM.

Users from a particular AD domain are unable to authenticate to Citrix Workspace. We have a complex on-prem AD setup with several AD forests.
In order to authenticate users from your Active Directory, the first thing we need to do is make sure that your Active Directory domain is linked with Citrix Cloud. This part is done with the help of a microservice that is deployed via Cloud Connectors in the customer’s domain. For complex environments, if you have multiple Active Directory forests, we need to ensure that every forest has a Cloud Connector (at least two Cloud Connectors are recommended for load balancing and fault-tolerance purposes).

The job of the Cloud Connector is to discover the Active Directory information and link that information to Citrix Cloud. Once that’s been established, the users can authenticate to Citrix Cloud. If you have a complex Active Directory setup (for example forest A and forest B), the Cloud Connectors have to be installed in each forest because Cloud Connectors cannot traverse forest level trust. Even if you have a two-way trust between the two Active Directory forests, the Cloud Connectors from forest A cannot see the domain from forest B, regardless of the trust you have between the two domains or the two forests.

Is there a requirement for FAS support?
You have to have the following to implement FAS:

  • A FAS server in the same location as your VDA resources
  • A certificate authority (CA) set up

Then do a little bit of certificate work, setting up the templates for the authentication and authorizing the FAS server to request certificates on behalf of the user to authenticate to the VDA.

What are the requirements to use AAD Connect?
There are a couple of requirements:

  • Send an invite to your admin. In the past you had to have a property for your administrator’s email address in the email field. But a little-known feature has been released, and you can now type the address yourself and send the invite, which admins can then accept just as any other regular invite.
  • The rest of the requirements are mostly related to Azure. For instance, you must have an Azure AD tenant, and you can add and verify your domain or domains in Azure AD. Also, for more than 500,000 objects in Azure AD you need to have a valid license (whether it’s an O365 license, AAD Basic, AAD Premium, or Enterprise Mobility and Security). For more details you can visit Microsoft’s official documentation on this topic.

When will the Citrix Gateway service (in the Citrix Cloud) be able to differentiate between internal and external traffic in Citrix Workspace? Currently it cannot differentiate between internal traffic and external traffic in Citrix Workspace (hairpin traffic routing). Organizations need this functionality and the ability to attach different authentication methods depending on whether it’s internal or external traffic. This functionality needs to be native within the Citrix Gateway service (in the Citrix Cloud), with no on-premises NetScaler (Citrix ADC) and no on-premises StoreFront requirements. Are there any plans to do this?
There’s a feature in tech preview and currently under development that is the base of a framework that enables this use case. Called the Network Location Service within Citrix Cloud, it enables a couple of different use cases. One of them includes the internal/external network for authentication purposes. For example, if you’re outside of the network, prompt for 2FA, but if you’re inside the network, then don’t prompt. There’s also optimal gateway routing so you don’t go over the internet when it’s not needed, along with many other different use cases. This base framework is currently in tech preview but the authentication portion has not been included yet.

There are no exact timelines, and native support is still in the works. In the meantime, there are some alternatives. If you’d like to enable this use case, you can use any of the federated identity providers that allow you to set conditional policies or you can use the on-premises gateway feature and set that up, as well.

Which authentication methods does Citrix Cloud support without additional hardware? Which ones are supported with additional hardware?
Without additional hardware, we have traditional Active Directory (which is the on-premises Active Directory and the default authentication method). We also have AD + Token (time-based one-time password), and we have AAD and even Okta, which is in preview right now. (If you’re already using it as an IdP, you can now integrate it with Citrix Cloud.)

Authentication methods that require hardware like Citrix ADC can be used for the Gateway as an IdP functionality to leverage any IdP that you currently have configured as part of your ADC deployment (and as long as this is bound to the corresponding AAA virtual server). You must also create the OAuth policy and OAuth profile and then bind the certificate globally. Keep in mind that, depending on your license type for ADC, AAA might not be readily available. But if you have this feature included, then you can use it right away.

We have published resources to a set of users via Security Groups on the Delivery Group. Users can authenticate using Azure AD but do not see the published apps. If we assign publish apps directly to the user, it works fine.
The number one reason for an issue like this would revolve around the object SID or the security identifier. The requirement for Citrix Cloud is that the security principal (SPN), which can be a user or a group, must be created in Active Directory Domain Services so we can assign an attribute called the SID, which gives a unique value to the object. There are a couple of things that can happen here:

  • If the groups that we have assigned on the delivery group were created in Azure portal and not in Active Directory Domain Services, it is not going to work. Why? Because SID is a requirement for this to work, but when you create an object like a user or group directly in Azure, we do not get the SID. Instead we get an object ID.
  • Another reason could be the group’s SID is not being synced to Azure AD. When you have an on-premises Active Directory, you use a tool called AAD Connect to sync your on-prem identity to the Cloud, which is going to be AAD. But at times the group syncing might not be happening or it wasn’t configured correctly in the AAD Connect tool. Make sure the object is created in Active Directory Domain Services and then confirm that the group SID is being synced to Azure AD.
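The two checks described above can be scripted. The following is an added example, not code from the meetup or from Citrix: it confirms that a group assigned on a Delivery Group exists in AD DS (and therefore has a SID) and that the synced copy in Azure AD carries that same SID. It assumes the ActiveDirectory and Microsoft.Graph.Groups PowerShell modules are installed, that Connect-MgGraph has already been run with the Group.Read.All scope, and that the group name is a placeholder you replace with your own.

```powershell
# Added example (not from the meetup): verify that a Delivery Group's AD group
# exists in AD DS and that its SID was synced to Azure AD by AAD Connect.
param(
    [string]$GroupName = 'Citrix-Workspace-Users'   # placeholder group name
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module Microsoft.Graph.Groups -ErrorAction Stop   # assumes Connect-MgGraph was run already

# 1. The group must exist in on-prem AD DS. A group created only in the Azure
#    portal has an object ID but no SID, so Citrix Cloud cannot match it.
$adGroup = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $adGroup) {
    Write-Warning "'$GroupName' is not in AD DS. Create it in Active Directory Domain Services, not in the Azure portal."
    return
}
$onPremSid = $adGroup.SID.Value
Write-Host "AD DS SID for '$GroupName': $onPremSid"

# 2. The synced object in Azure AD must carry the same SID in
#    onPremisesSecurityIdentifier, which AAD Connect populates.
$escaped   = $GroupName -replace "'", "''"
$aadGroups = Get-MgGroup -Filter "displayName eq '$escaped'" `
                         -Property 'id,displayName,onPremisesSyncEnabled,onPremisesSecurityIdentifier'
if (-not $aadGroups) {
    Write-Warning "'$GroupName' is not present in Azure AD at all; check the AAD Connect sync scope (OU/group filtering)."
    return
}

foreach ($g in $aadGroups) {
    if ($g.OnPremisesSecurityIdentifier -eq $onPremSid) {
        $status = 'OK: SID matches AD DS'
    } elseif ([string]::IsNullOrEmpty($g.OnPremisesSecurityIdentifier)) {
        $status = 'MISSING: no on-prem SID synced (cloud-only object or group sync not configured)'
    } else {
        $status = 'MISMATCH: Azure AD holds a different SID (possibly a duplicate group)'
    }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        ObjectId    = $g.Id
        SyncEnabled = $g.OnPremisesSyncEnabled
        AzureAdSid  = $g.OnPremisesSecurityIdentifier
        Status      = $status
    }
}
```

A group that shows up in Azure AD with SyncEnabled empty and no AzureAdSid is the "created in the Azure portal" case from the first bullet; a group present in AD DS but absent from Azure AD points at the AAD Connect scope from the second bullet.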

What are some common issues encountered with FAS?
The most common one is probably users seeing the error message “The request is not supported” during log on via Windows single sign-on. This happens because the domain controller that the VDA hit during the logon process doesn’t have a domain controller authentication certificate on it for the certificate authority (CA) that’s issuing the search for the user. This will be logged as event ID 19 in the event logs on your domain controllers. This can happen because you’ve added another domain controller to your environment but you forgot to update it with a certificate or add it into the FAS configuration, for example.
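To find the domain controller behind this error, an admin can look for the event and for the certificate at the same time. The following is an added example (not from the meetup or from Citrix) meant to be run elevated on each domain controller: it counts KDC event ID 19 entries in the System log over a lookback window and lists the machine certificates the KDC could use for PKINIT, with their issuer so you can compare it against the CA that issues the FAS user certificates. The event provider name and the KDC Authentication EKU OID (1.3.6.1.5.2.3.5) are standard Windows values; the lookback window is an arbitrary choice.

```powershell
# Added example (not from the meetup): check a DC for the KDC certificate
# problem behind "The request is not supported" during FAS logon.
param(
    [int]$LookbackHours = 24   # arbitrary window for the event search
)

# 1. KDC event ID 19 means the KDC could not find a usable certificate for
#    PKINIT (smart card / FAS logon). Provider name is the standard Windows one.
$since = (Get-Date).AddHours(-$LookbackHours)
$kdcEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 19
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($kdcEvents) {
    Write-Warning ("{0} KDC event(s) with ID 19 since {1}: PKINIT logons are failing on this DC." -f @($kdcEvents).Count, $since)
} else {
    Write-Host "No KDC event ID 19 in the last $LookbackHours hours."
}

# 2. Certificates the KDC can use: those with the KDC Authentication EKU
#    (Kerberos Authentication template) or the older Domain Controller
#    template shape (Server Authentication + Client Authentication).
$kdcAuthOid    = '1.3.6.1.5.2.3.5'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

$candidates = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekuExt = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $isKdcCert = ($oids -contains $kdcAuthOid) -or
                 (($oids -contains $serverAuthOid) -and ($oids -contains $clientAuthOid))
    if ($isKdcCert) {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer      # compare with the CA that issues the FAS user certificates
            NotAfter   = $_.NotAfter
            Expired    = $_.NotAfter -lt (Get-Date)
            HasKdcEku  = $oids -contains $kdcAuthOid
            Thumbprint = $_.Thumbprint
        }
    }
}

if (-not $candidates) {
    Write-Warning 'No KDC/PKINIT-capable certificate in LocalMachine\My. Enroll this DC from the issuing CA and add it to the FAS configuration.'
} else {
    $candidates | Format-Table -AutoSize
}
```

Run it on every DC the VDAs can reach, including any newly added one; a DC that reports event ID 19 and no certificate from the FAS CA is the one the answer above describes.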

We use an Azure ADDS that is synced to Azure AD. We also have custom domains that are designated as primary logon UPNs in Azure. However, users are unable to log on to Workspace using the custom domain.
This is a known design limitation in our current version of Citrix Cloud. The workaround or the supported method would be to use the default logon UPN that was used to create or link your Azure domain services to Citrix Cloud. This might change in the future, but right now we cannot use custom domains with Azure ADDS.

I am trying to implement Okta authentication for Workspace in Citrix Cloud. It almost completely works except that it does not log on to the VDA. It stops at the logon screen of the VDA. If you choose Other User and log on (with the same user you brokered with) it will sign on fine. This is very similar to setting up Okta via an on-prem gateway. In this case I get this symptom if FAS is not properly configured. I feel like I need to go to the StoreFront store and enable FAS. But, of course, there is no StoreFront for me to do this on. I must be missing something. Do you have any suggestions?
If you are using FAS, there is that exact button that you’re referring to, where you have to go into the Workspace configuration under the Authentication tab. Right under Okta there is going to be a button that says “Enable FAS.” You’ll have to click on it. If the issue continues there may be something wrong with your mappings (meaning how the users map). We can look into it further if you reach out to the person who requested a tech preview for you.

For a federal government customer, would you recommend FAS in Azure Gov Cloud if StoreFront remains on-prem?
If the StoreFront server is still on-prem, we suggest putting FAS on-prem. Most likely your certificate server is on-prem and you’re going to be configuring StoreFront via a PowerShell cmdlet that authorizes the FAS server to request user authentication certificates on behalf of the user. It’s best to keep all that in one location. You probably could run it across an ExpressRoute from Azure, but it’s best not to.

Which features/services are sold on Citrix Cloud that might mitigate my need for one of these physical appliances?
You would be able to use multifactor (two-factor) authentication by means of Active Directory + Token. This is a good option for admins who don’t really want to acquire additional hardware or invest in an IdP. Other than that, if you wish to use a different type of authentication method, AAD does not require additional hardware if you already have an Azure account and infrastructure configured, as well. The Citrix Gateway service will eliminate the need to have an ADC appliance if you’re not looking to leverage the more complex features offered by Citrix ADC (content switching, certain types of GSLB, intelligent load balancing, and services monitoring, among many others).

Can I use single sign-on with Azure AD authentication?
When you’re using either AD for authentication, what we are offering is basically a federated sign-in and not exactly a single sign-on. That’s why when users log into the cloud workspace and launch the app, they might see a second authentication prompt. Specifically referring to Azure AD, this is by design, but now you can implement FAS to achieve single sign-on.

Is there a way to see when the validity period of the FAS RA certificate ends?
Yes, there is. Although it’s not something that’s displayed through the GUI, you can dig deeper to get that information in the corresponding registry key. This key is stored under HKEY_USERS\S-1-5-20\SOFTWARE\Citrix\TrustFabric\TrustAreas\79b05e78-33f3-494b-8ae4-3ede6cb2eaa7\Software\Microsoft\SystemCertificates\My\Certificates.

To view it, export it from here, and import it to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates. Then you can view it and see what the expiration is.
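The export/import step can be skipped by reading the certificate out of that key directly. The following is an added example, not code from the meetup or from Citrix, to be run elevated on the FAS server. It uses the registry path quoted above and assumes, as Windows certificate stores kept in the registry normally do, that each subkey is named by thumbprint and holds a "Blob" value in the certificate-store property format (repeated records of property ID, a reserved field, length, and data, each field a 32-bit little-endian integer), with property 32 (CERT_CERT_PROP_ID) carrying the DER-encoded certificate.

```powershell
# Added example (not from the meetup): report the expiry of the FAS RA
# certificate(s) straight from the registry-backed store, no hive export needed.
# Assumption: "Blob" values use the Windows certificate-store property format
# [propId:uint32][reserved:uint32][length:uint32][data]..., where propId 32
# holds the DER certificate.

$fasCertKey = 'Registry::HKEY_USERS\S-1-5-20\SOFTWARE\Citrix\TrustFabric\TrustAreas\79b05e78-33f3-494b-8ae4-3ede6cb2eaa7\Software\Microsoft\SystemCertificates\My\Certificates'
$certPropId = 32   # CERT_CERT_PROP_ID

function Get-CertificateFromStoreBlob {
    param([byte[]]$Blob)
    $offset = 0
    # Walk the property records until the one holding the certificate bytes.
    while ($offset + 12 -le $Blob.Length) {
        $propId    = [BitConverter]::ToUInt32($Blob, $offset)
        $length    = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $dataStart = $offset + 12
        if ($dataStart + $length -gt $Blob.Length) { break }   # malformed blob, stop
        if ($propId -eq $certPropId) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $dataStart, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
        $offset = $dataStart + $length
    }
    return $null
}

if (-not (Test-Path $fasCertKey)) {
    Write-Warning "Key not found: $fasCertKey (run elevated on the FAS server)."
    return
}

Get-ChildItem $fasCertKey | ForEach-Object {
    $blob = (Get-ItemProperty -Path $_.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
    if (-not $blob) { return }                       # subkey without a blob: skip
    $cert = Get-CertificateFromStoreBlob -Blob $blob
    if ($null -eq $cert) { return }                  # no certificate record: skip
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

The DaysLeft column is the value worth putting on a monitoring schedule, since an expired RA certificate stops FAS from issuing user certificates and nothing in the console warns you beforehand.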

Can you talk about requirements and limitations when it comes to multiple domains? And bonus points for multiple forests, too.
Think of domains as your user domains. If I have a complex Active Directory setup where I have domains, subdomains, and child domains, I need to make sure that whatever domain the users live or reside in is visible and connected to Citrix Cloud, which is done with the help of Cloud Connectors.

For example, you have a domain A and a domain B, which is a child domain of A. You need to install Cloud Connectors only in the parent domain, and it will automatically discover all the child domains within that AD forest and connect them to Citrix Cloud.

You can verify this by going into the Citrix Cloud dashboard and checking the domains tab under Identity and Access Management, where you can see the domains connected to Citrix Cloud. Once this part is done, everything beyond it is seamless. Now the users can use Citrix Cloud services because the domain is linked, and they’ll be able to authenticate and launch apps and so on.

Without FAS, will you get a second authentication window each time you open another session? Or just the first one?
It depends on the authentication type. For example, whether you are using on-prem AD or Azure AD for authentication. If it’s an on-prem AD for authentication, then there is no second prompt. It’s a seamless single sign-on.

However, if you are using Azure AD for authentication to Workspace, you would see the second logon prompt when launching apps and desktops. The reason for this is Azure AD is actually a federated sign-in and it’s not a true single sign-on. This is by design, so if you want to use Azure AD but also want single sign-on, one of the things you can do is bring FAS into the equation, and then FAS will basically communicate with Azure AD to provide you with that seamless logon without multiple prompts.


You can check out the on-demand recording of the meetup here. And please make sure to leverage your designated Customer Success Manager if you need any additional information, want to join a tech preview, or have any follow-up questions.

Thanks for reading, and make sure to sign up today for our next meetup, which will cover three things you should know about Citrix Content Collaboration!