Are you looking for a secure way to give your users access to Citrix XenDesktop and/or XenApp resources? Do you already have Citrix NetScaler in your setup? Do you have an Azure AD subscription? By combining these three building blocks in the right way, you can secure remote access to your users' workspaces, implement conditional access rules and enforce multi-factor authentication, all in a user friendly manner with a consistent experience that your end users may already know from existing cloud services like Office 365.
This is how the final user experience looks after implementing the solution:
Of course there are many different ways to implement multi-factor authentication for your Citrix environment.
- With the release of NetScaler 12.0 build 51.24, native OTP support was added. Fellow CTA George Spiers has a very detailed post about this new feature on his blog (http://www.jgspiers.com/netscaler-native-otp/).
- Many commercial third-party multi-factor authentication solutions, such as Okta and Duo Security, can be integrated with Citrix NetScaler.
- There is even a free product, SMS2 from WrightCCS, that can be used to secure remote access through your NetScaler with two-factor authentication (http://www.wrightccs.com).
But if you already have an Azure AD subscription whose licensing includes Azure Multi-Factor Authentication (part of Azure AD Premium), it comes with Microsoft's own multi-factor authentication solution. To combine Azure MFA with your NetScaler access solution you have two possibilities:
Microsoft NPS Extension for Azure MFA
The NPS Extension for Azure MFA lets you add cloud-based MFA to your RADIUS clients without setting up a full on-premises MFA server installation. Christiaan Brinkhoff, another great fellow Citrix CTA, has you covered in his blog post on how to configure Azure MFA for Citrix NetScaler Gateway RADIUS using the new NPS Extension, if you want to go down this road (https://christiaanbrinkhoff.com/2017/02/17/how-to-configure-azure-mfa-for-citrix-netscaler-gateway-radius-by-using-the-new-nps-extension/).
It's quite easy to set up, but it has limitations if you want to implement conditional access policies: the primary (password) authentication happens on-premises and Azure AD only sees the second-factor challenge for the RADIUS request, so Azure AD conditional access policies are not evaluated for these logons. In my opinion the end user experience is also not very good, because it doesn't integrate well with the NetScaler user interface. Users must already be registered for Azure MFA before they can log on through RADIUS, so the whole initial enrollment process, and a user changing or updating their personal authentication method, has to happen elsewhere.
Combining Citrix Federated Authentication Services (FAS) with NetScaler Authentication against Azure AD via Security Assertion Markup Language (SAML) Single Sign-On
Wow, that's quite a long title for the second possibility, and yes, there are multiple moving parts that have to play together nicely for this to come to life. But I really think it's worth the work, and your end users will love you for the simplicity and user experience of this solution.
On a high level view the solution works as follows:
- The user opens the external NetScaler Gateway URL in a browser (e.g. gateway.domain.com).
- NetScaler, acting as the SAML service provider (SP), redirects the browser to Azure AD with a SAML authentication request. When the browser returns with the response, NetScaler validates the SAML assertion sent by Azure AD (signature against the IdP certificate, issuer, audience, validity period) before trusting the user identity it carries.
- Azure AD acts as the SAML identity provider (IdP): it authenticates the user against Azure AD, enforces MFA and any conditional access policies that apply, and returns a signed SAML assertion containing the user's identity (typically the UPN).
- Upon successful authentication, NetScaler Gateway presents the internal StoreFront store (e.g. storefront.domain.com) to the user, from where they can start desktops or apps.
- Since NetScaler now only knows the user name but not the password (authentication happened in Azure AD only), we need Citrix Federated Authentication Service (FAS) as a further component to provide single sign-on to the user's session. FAS is a Citrix component that integrates with your Active Directory certificate authority (CA), allowing users to be seamlessly authenticated within a Citrix environment. For this to work, the identifier Azure AD places in the assertion (the UPN) has to match the user's UPN in on-premises Active Directory, which is the case when the accounts are synchronized with Azure AD Connect.
- FAS is authorized to issue smart card class certificates automatically on behalf of Active Directory users who have been authenticated by StoreFront. When a user is brokered to a Citrix XenApp or XenDesktop Virtual Delivery Agent (VDA), the certificate is used for the logon to that machine, and the Windows domain sees the logon as a standard smart card authentication.
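To make concrete what "validates the SAML assertion" in the second step of that flow involves, here is an added example (not part of the original post, and not NetScaler's or Microsoft's code) of the checks a SAML SP has to run on the response Azure AD posts back: success status, assertion issuer, validity window with clock skew, audience restriction, bearer confirmation bound to the original request ID and ACS URL, and extraction of the user name from the configured attribute (the equivalent of NetScaler's samlUserField, falling back to the NameID). The tenant ID, gateway URL, ACS path, timestamps and user are placeholders, and the response itself is constructed. XML-Signature verification with the IdP certificate is assumed to have been done before these checks and is out of scope here.

```python
"""Service-provider side checks on an Azure AD SAML response.

Added example: not code from the original post, Citrix or Microsoft.
The response below is constructed (placeholder tenant, gateway, user).
XML-Signature verification with the IdP certificate is assumed to have
happened before these checks (NetScaler: samlIdPCertName together with
samlRejectUnsignedAssertion); this stdlib-only example does not do it.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AZURE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
GATEWAY = "https://gateway.domain.com"            # SP entity ID / expected audience (assumed)
ACS_URL = GATEWAY + "/cgi/samlauth"               # NetScaler ACS path (assumed)
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
SAMPLE_NOW = datetime(2017, 10, 1, 10, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed sample of what Azure AD would POST back to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" InResponseTo="_req42" Destination="{ACS_URL}">
  <saml:Issuer>{AZURE_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{AZURE_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@domain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
            NotOnOrAfter="2017-10-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-10-01T09:55:00Z" NotOnOrAfter="2017-10-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{GATEWAY}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{UPN_CLAIM}"><saml:AttributeValue>jdoe@domain.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """Raised when the response must not be trusted."""


def _utc(value):
    """Parse a SAML UTC timestamp, ignoring fractional seconds."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, *, issuer=AZURE_ISSUER, audience=GATEWAY,
                      recipient=ACS_URL, request_id="_req42",
                      user_field=UPN_CLAIM, skew=timedelta(minutes=3)):
    """Return the user name carried by a valid assertion, else raise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a SAML Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP reported failure")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise SamlValidationError("assertion not issued by our tenant")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise SamlValidationError("missing validity conditions")
    if cond.get("NotBefore") and now + skew < _utc(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= _utc(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlValidationError("assertion issued for a different SP")
    # Bearer confirmation: the response must answer our request and target our ACS URL.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:
        raise SamlValidationError("unsolicited or replayed response")
    if scd.get("Recipient") != recipient or now - skew >= _utc(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation invalid")
    # User name from the configured attribute (like samlUserField), else the NameID.
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == user_field:
            user = attr.findtext("saml:AttributeValue", namespaces=NS)
            break
    else:
        user = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not user:
        raise SamlValidationError("no user identifier in assertion")
    return user


if __name__ == "__main__":
    print("user:", validate_response(SAMPLE_RESPONSE, SAMPLE_NOW))
    tampered = SAMPLE_RESPONSE.replace(GATEWAY + "</saml:Audience>",
                                       "https://other.example</saml:Audience>")
    try:
        validate_response(tampered, SAMPLE_NOW)
    except SamlValidationError as exc:
        print("rejected:", exc)
```

The user name this returns is what NetScaler hands on to StoreFront and, via FAS, what ends up in the issued certificate, which is why the audience and InResponseTo checks matter: an assertion that Azure AD issued for some other application, or one replayed from an earlier logon, must never be accepted as a logon to the gateway.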
In the next part I will put together a walkthrough of all the steps necessary to get this working. This includes configuration steps on NetScaler, Azure AD and on-premises Active Directory, as well as setting up and configuring Citrix Federated Authentication Service itself. Stay tuned…