The Complete Guide: AzureAD SAML Authentication into Citrix Virtual Apps and Desktops through Citrix Gateway

By Ryan Gallier posted 05-02-2019 01:36 PM

  

The Complete Guide: AzureAD SAML Authentication into Citrix Virtual Apps and Desktops through Citrix Gateway

Took me a while to get this blog post going. There is a lot of information out there. It took me looking over a bunch of other blogs to get this working. I figured I would write up everything I learned and found in this guide. Thanks to the following references. Aaron Parker, Carl Stalhood, Jason Samuel, and Anton Van Pelt.

I’m sure there were some other links I used, but these were the biggest contributors.

This article assumes a couple of things:

  • You already have a fully working Citrix Virtual Apps and Desktops environment
  • You have an Azure tenant with an Azure AD Premium P2 license
  • You have Citrix Gateway ADC 12.1 Enterprise license (or higher)

 

Azure AD Connect

This setup requires that you have your users setup in Azure already. In my case, I am using Azure AD Connect to sync my users up into my Azure AD tenant. I will walk through that setup here.  

The first thing I’m going to do is add my Azure UPN suffix into AD. You will likely be doing this with a real domain. In this example I’m just going to use the onmicrosoft.com domain given to me by Azure. Go into the Attribute Editor on the user and change the userPrincipalName (UPN) for this user.

1.png


Next, on your AD controller, download Azure AD Connect https://www.microsoft.com/en-us/download/details.aspx?id=47594 and run it.

PLEASE NOTE: Azure AD Connect is a very powerful tool that can have ramifications on your environment that you may NOT WANT. This is a simple example of sync’ing a couple OUs for just password hash. If you want to understand more about Azure AD Connect, please read through the docs from Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity?toc=%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json

Click Customize

3.png


Click Install


4.png


Click Next


5.png


Next, you should setup a service account in Office365 to use as the Sync account. This user needs to be a global administrator.


6.png


After you create the user, you will need to login to portal.azure.com as that user so you can change the password.  

You likely want to set this sync user to never expire.  You can do this with the following PowerShell command.  


Get-AzureADUser -ObjectId o365sync@ryangalliervc3.onmicrosoft.com | Select-Object UserprincipalName,@{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}


Then click Next


7.png


You can let AD Connect create an account, or you can create your own.  In this lab I just let AD Connect create it. Hit OK here.


8.png


Then click Next


9.png


In this example, I don’t have a verified domain name. So, click next here. (If you did, you will match up the UPN suffix with the Azure AD Domain name here.) 


10.png


In my example I’m going to limit sync to the OU of my users. 


11.png


Click Next here.

12.png


Click Next here


13.png


Click Next here


14.png


Lastly, hit Install.


15.png
16.png


When this is done, you should see your users in your Azure AD portal. My environment only has the one testuser right now. Notice the user has the matching UPN suffix ryangalliervc3.onmicrosoft.com.

 
17.png


Certificate Authority

 

After all of this is done, we need to setup an Enterprise CA in our environment. I’m going to put this on the AD Controller. You can pretty much put this wherever. Add this through Roles and Feature


18.png
19.png
20.png
21.png


I kept all the defaults here.


22.png


Install


23.png


Configure the CA now


24.png
25.png
26.png

27.png
28.png
29.png
30.png
31.png
32.png
33.png
34.png
35.png


After this is done you need to give a cert to the AD controller. On the domain controller, open up mmc.

Click File, Click Add/Remove Snap-in, Select Certificates, click Add, then select Computer account, Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.  Press Next.  Select Domain Controller Authentication and press Enroll.


36.png
37.png
38.png
39.png


FAS Server

 

After this is done, let’s setup FAS. You can reference Carl’s article, or you can just follow along here. 

Run autoselect.exe which ever method you like.  (Mount the ISO, extract the ISO, etc) Click:  “Federated Authentication Service”

 40.png
42.png
43.png
44.png
45.png


It may or may not ask you to reboot. Reboot if it asks you.

Grab the ADMX/ADML files and put them on your domain controller.


46.png


Create a GPO that will hit the FAS, StoreFront, and VDA servers that points them to the FAS server.


47.png

Run GPUPdate on the FAS/VDA/StoreFront and make sure the registry key shows up that points it to the FAS server.  HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses


48.png

 

Once this is in place, we can start configuring FAS. Make sure you “run as administrator”.


49.png


Step 1, start, ok. 


50.png

 
You may or may not want to disable AutoEnroll.  This is detailed in Carl’s article Under Step 5. 

 

Now click Step 2, start, ok.  It should find your CA that we configured above.


51.png


Step 3, start, ok.
 

52.png


Now go back to your CA.  Open up the CA console and look for the pending request. 


53.png


Issue it. Just right-click it, all tasks, and issue. Your FAS server should go green now.


54.png

Click on the User Rules Tab, add your CA and point the Template to the Citrix_SmartcardLogon


55.png

Edit the Storefront Servers rule, remove domain controllers, and point it to your storefront server(s).



56.png


You can change VDA list if you want. By default it allows domain computers, which should be fine. 

Click Apply and close the FAS console. 


Back ON the Storefront Server.

Run the following commands on the Storefront server. (Make sure you change “/Citrix/test” to your store name.)

& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
$StoreVirtualPath = "/Citrix/test"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

 

On the Delivery Controller, run the following command.

asnp citrix.*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

 

On your StoreFront server, go to Manage Authentication Methods, and Pass-through from Citrix Gateway, and select Configure Delegated Authentication. 


58.png


Check this box and hit OK.


59.png

 

Now go to “Manage Citrix Gateways” and Authentication Settings. You will need to add your vServer IP Address and callback URL here for this to work. 


60.png


Make sure the Store points to this Citrix Gateway in (No VPN tunnel) mode.


61.png

 

 

Azure AD

 

Login to your Azure AD portal and go to Azure Active Directory. Click on Enterprise Applications and click + New Application.

Click on Non-Gallery Application. (You will need an Azure AD P2 SKU for this.)


62.png


Call it something.


63.png


When that’s done, click on “Single sign-on” on the left and click SAML in the middle. 
 

64.png


Edit “Basic SAML Configuration” under #1.


65.png


Identifier will be the URL to your NetScaler. In my example it’s https://galliertest.domain.com

Reply url is the same URL with /cgi/samlauth on the end. 

Enter all of that and click save.


66.png


Next, download the Certificate (Base64).  We will use this on the Citrix Gateway.



67.png


Then, copy the URLs in step 4 somewhere. We will need them for the Citrix Gateway.


68.png


Lastly, we need to assign users to this application. Click “Users and Groups” on the left. I recommend you create an AD Security group with all of your users and assign it here. In my example, I have only allowed my testuser.


69.png

 

Citrix Gateway Setup

 

I am running on 12.1-51.19 Citrix Gateway ADC with an Enterprise License. 

First, upload the SAML certificate we downloaded above.  Traffic Management / SSL / Certificates / Server Certificates. 


70.png


This will show up in “Unknown Certificates”


71.png



We now need to setup an Authentication vServer.  Go to Security / AAA – Application Traffic / Virtual Servers.  Click Add.



72.png

73.png


Bind your normal SSL certificate here.


74.png


Add an Authentication Policy

75.png

Add a policy.


76.png


Fill it out like this and Add an action (HTTP.REQ.IS_VALID).


77.png


First, uncheck “Import Metadata”

Fill it out like this and hit create. 

Redirect URL = the Login URL you saved from Azure

Single Logout URL = the Logout URL you saved from Azure

IDP Certificate Name = The cert we downloaded from Azure

Signing Certificate Name = Your normal cert

Issuer Name = Your URL to connect to Citrix Gateway


78.png


Apparently, there is a bug in the GUI on this screen.  This is going to bomb. You need to use the CLI to add at least the baseline information, then come back in here and edit it.  This is the command I used to get this to work.


add authentication samlaction SAML_Auth_Srv -samlIDPCertName AzureAD-SAML -samlSigningCertName wildcard.xxxxxxxxx.com -samlredirectUrl https://fqdn


It should look like this when you are done.

  79.png

 

Change Goto Expression to “END” and click Bind.


80.png

 
Lastly, hit Continue and Done to close out of the vServer creation. You should see a green dot next to this vServer now. 


81.png


Now we need to attach this policy to your Citrix Gateway vServer. In my scenario I have an existing vServer that already has an authentication policy. We are going to remove it and add this new SAML policy. 

82.png


Remove your “Basic Authentication” Policy if you have one.


83.png
84.png


Now that this is gone, Hit +Authentication Profile on the right. 


85.png


Name it something and select the SAML_vServer we created above. 


86.png


Hit Create, OK.

Next, edit your Receiver session profile to REMOVE “Single Sign-On Domain” from the Published Applications tab. (This example has a value in it. That value you will be removing.)

87.png


Hit OK, Close, and Done. 

Now let’s test. Start with the website. I enter my URL. https://galliertest.xxxxxxxxxx.com. This redirects me to AzureAD to login. I put in my testuser account. 

 
88.png

 

I login, and here are my apps/desktops! 


89.png

Now let’s test Workspace App.


90.png 

 91.png

 92.png

 

That's it! Have fun!  

​​​​​#Virtual_Apps_Desktops
#XenDesktop
#CitrixADC
#SAML​​​
#FAS
#Workspace
#Citrix_Receiver
​​​​