Multi-factor Authentication for Citrix XenDesktop / NetScaler against Azure AD

In my last post about secure access to XenDesktop virtual workspaces I tried to give an overview of the different ways to implement multi-factor authentication with Citrix NetScaler and XenDesktop. I came to the conclusion that integrating the remote access with Azure AD and using the Microsoft MFA feature is a very end-user-friendly way to accomplish this goal, especially when you already have Azure AD in your setup. In this post I will outline a walkthrough of the setup and configuration steps needed.

Settings and Configuration in Microsoft Azure AD

In a first step we need to create a new enterprise application in Azure Active Directory.

  1. Log in to your Azure management portal (portal.azure.com) and go to the Azure Active Directory
    [Screenshot: Select the Azure Active Directory management]
  2. Select Enterprise applications and create a new application. Choose to create a non-gallery application and give it a name
    [Screenshot: Add a new Non-gallery application]
    [Screenshot: Name your application – This is the name of the application your users will see on their access panel]
  3. After your enterprise application has successfully been created, you will see the Quick start panel.
    [Screenshot: Quick start pane of the new enterprise application]
  4. In the properties of the enterprise app you may change the name of the application and assign a custom logo. Here you also can globally enable or disable the application and choose if a user assignment is required for the application. If this option is set to yes, users must first be assigned to this application before being able to access it. If this option is set to no, then any users who navigate to the application will be granted access.
    [Screenshot: Enterprise application properties]
  5. Add users and groups you want to grant access to the application
    [Screenshot: Assign users and groups to your application]
    [Screenshot: Assign users and groups]
    [Screenshot: Assigned user to the enterprise application]
  6. Move on to the Single sign-on settings and enable SAML-based sign-on
    [Screenshot: Enable SAML-based Sign-on]
  7. Set the Identifier to the URL of your NetScaler gateway
  8. Set the Reply URL to the URL of your NetScaler gateway and append /cgi/samlauth
  9. Set the Sign on URL to your NetScaler gateway address
  10. Select user.userprincipalname for the User Identifier
  11. Make the new certificate active and set a notification email. When the active signing certificate approaches its expiration date, notifications are sent to this email address with instructions on how to update the certificate.
    [Screenshot: Make new certificate active and set a notification email]
  12. Download the SAML signing certificate (Base64). We need this later on our NetScaler to set up the SAML authentication.

Citrix NetScaler Configuration

The configuration on the NetScaler side is quite straightforward. We just need to edit an existing virtual gateway to reflect our new SAML authentication against Azure AD.

  1. Upload and install the SAML signing certificate to your NetScaler’s CA certificates. This can be done under Traffic Management -> SSL -> Certificates -> CA Certificates.
    [Screenshot: Upload SAML signing certificate]
    [Screenshot: Install SAML signing certificate]
  2. Add the SAML authentication server via Authentication -> Dashboard
    [Screenshot: Add SAML authentication server]
  3. Choose SAML for the server type and select the uploaded IDP certificate. For the signing certificate you may select your NetScaler server certificate. The Issuer Name has to match the Identifier you have set in your Azure enterprise app.
    [Screenshot: Configure authentication server]
  4. Now you need to provide the Redirect URL and the Single Logout URL, which you can look up in your enterprise app on Azure AD (Configure Citrix Gateway at the bottom of the page).
    [Screenshot: Look up redirect and single logout URLs]
    [Screenshot: SAML Single Sign-On Service URL and Sign-Out URL]
  5. Take note of the SAML Single Sign-On Service URL (Redirect URL) and the Sign-Out URL (Single Logout URL) and put the values in your authentication server configuration of the NetScaler.
    [Screenshot: Set Redirect and Single Logout URLs]
  6. As a last step before hitting create, set the Signature Algorithm and Digest Method to SHA256.
    [Screenshot: Set SHA256]
  7. Head over to your existing NetScaler Gateway Virtual Server configuration. Remove existing Active Directory authentication policies under Basic Authentication and replace them by creating a new SAML Policy for the Primary Authentication.
    [Screenshot: Edit Basic Authentication to SAML]
    [Screenshot: Bind SAML policy]
  8. Make sure to remove the Single Sign-on Domain from the Session Profile bound to the virtual server
    [Screenshot: Remove Single Sign-on Domain from Session Profile]

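The Azure AD values from steps 7 to 12 of the enterprise app setup and the NetScaler SAML action from steps 3 to 6 above have to match each other exactly (Identifier = Issuer Name, Reply URL = gateway URL plus /cgi/samlauth, the Single Sign-On Service URL and Sign-Out URL as Redirect and Single Logout URL, SHA256 on both signature and digest). The following Python script is an added example, not code from this post, Citrix or Microsoft: it parses a constructed sample shaped like the Azure AD federation metadata, derives the SP-side settings from the gateway FQDN, computes the SHA-256 fingerprint of the IdP signing certificate so you can compare it with the one uploaded on the NetScaler, and emits the equivalent NetScaler CLI commands. The tenant id and certificate bytes are placeholders, and the object names (AzureAD_SAML, saml_azuread, saml_azuread_pol, gw_vsrv, gw_server_cert) are assumptions you would replace with your own.

```python
"""Added example: derive the NetScaler SAML action settings from the
Azure AD IdP metadata. Not code from the post, Citrix or Microsoft."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
# Constructed placeholder; real metadata carries the DER-encoded signing
# certificate here. Any bytes do for demonstrating parsing and fingerprinting.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"

# Constructed sample metadata in the shape Azure AD publishes for an
# enterprise app (EntityDescriptor with an IDPSSODescriptor).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the values Azure AD shows under 'Configure Citrix Gateway'."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def location(service_tag):
        # NetScaler talks to Azure AD via the HTTP-Redirect binding.
        for svc in idp.findall(f"md:{service_tag}", NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        raise ValueError(f"no HTTP-Redirect {service_tag} endpoint")

    cert_el = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                       "ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(cert_el.text.split()))
    # Re-wrap as PEM: this is the Base64 form you upload as a CA certificate.
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
           + "\n-----END CERTIFICATE-----\n")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("SingleSignOnService"),   # Redirect URL
        "slo_url": location("SingleLogoutService"),   # Single Logout URL
        "signing_cert_pem": pem,
        "cert_sha256": hashlib.sha256(der).hexdigest(),  # compare on NetScaler
    }


def sp_settings(gateway_fqdn):
    """SP-side values entered in the Azure enterprise app (steps 7 to 9)."""
    base = f"https://{gateway_fqdn}"
    return {"identifier": base,
            "reply_url": base + "/cgi/samlauth",
            "sign_on_url": base}


def netscaler_commands(gateway_fqdn, idp, vserver="gw_vsrv",
                       cert_name="AzureAD_SAML", cert_file="AzureAD_SAML.cer",
                       server_cert="gw_server_cert"):
    """NetScaler CLI equivalent of GUI steps 1 to 7 (object names assumed).
    The action references the uploaded IdP certificate; a metadata URL is
    the alternative and cannot be combined with it."""
    sp = sp_settings(gateway_fqdn)
    return [
        f"add ssl certKey {cert_name} -cert {cert_file}",
        (f"add authentication samlAction saml_azuread "
         f"-samlIdPCertName {cert_name} -samlSigningCertName {server_cert} "
         f"-samlRedirectUrl \"{idp['sso_url']}\" -logoutURL \"{idp['slo_url']}\" "
         f"-samlIssuerName \"{sp['identifier']}\" "  # must equal the Identifier
         f"-signatureAlg RSA-SHA256 -digestMethod SHA256"),
        "add authentication samlPolicy saml_azuread_pol ns_true saml_azuread",
        f"bind vpn vserver {vserver} -policy saml_azuread_pol -priority 100",
    ]


if __name__ == "__main__":
    metadata = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP signing cert SHA-256:", metadata["cert_sha256"])
    for cmd in netscaler_commands("gw.example.com", metadata):
        print(cmd)
```

Feed the script the real federation metadata downloaded from your enterprise app instead of SAMPLE_METADATA, and check that the printed fingerprint matches the certificate you installed under CA Certificates before binding the policy; a mismatch there, or an Issuer Name that differs from the Identifier by as little as a trailing slash, is the usual reason the assertion is rejected.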
Installation and setup of Citrix Federated Authentication Service

The next step is to implement Citrix Federated Authentication Service in your Citrix XenDesktop / XenApp environment. Without Citrix FAS your NetScaler SAML authentication will work, but your users would have to re-authenticate when starting desktops and apps from StoreFront, which is definitely not what you want, since we aim to build a true Single Sign-On solution for our users.

There is a great blog post from awesome Citrix CTP Carl Stalhood on how to set up Citrix Federated Authentication Service. You can find his detailed setup guide under http://www.carlstalhood.com/citrix-federated-authentication-service-saml/. It’s a very straightforward process and I encourage you to follow his guide for the setup.

Citrix StoreFront Configuration

In a last step we need to enable Federated Authentication on your StoreFront servers and fully delegate credential validation to NetScaler Gateway. Enable Federated Authentication Service integration on StoreFront by running the following PowerShell commands:

Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
# Replace with the virtual path of your corresponding Store!
$StoreVirtualPath = "/Citrix/Store"

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
# Let StoreFront build the user's claims from the FAS-issued identity
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
# Have the VDA log the user on with the FAS certificate instead of a password
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

To delegate the credential validation to NetScaler Gateway, in the StoreFront management console go to Manage Authentication Methods of your Store, and select the settings of Pass-through from NetScaler Gateway, where you can enable Delegated Authentication.

[Screenshot: Fully delegate credential validation to NetScaler Gateway]

Enabling and configuring Azure MFA for your Citrix Gateway enterprise app

That’s it, you are almost done! The very last step is to enable and configure multi-factor authentication for your newly created Azure enterprise app.

  1. Create a new Conditional Access Policy
    [Screenshot: Create a new conditional access policy]
  2. Specify the users and groups to be included and / or excluded from the policy
    [Screenshot: Users and groups in the directory that the policy applies to]
  3. Set the conditions which define when the policy will apply. You can specify conditions based on
    1. Device platforms (Android, iOS, Windows Phone, Windows, macOS)
      [Screenshot: Platform the user is signing in from]
    2. Location (determined using the IP address range the user is signing in from)
      [Screenshot: Location the user is signing in from]
  4. Set Access Controls to block access or enforce additional requirements which need to be satisfied to allow access. You can enforce the following additional requirements
    [Screenshot: Select the controls to be enforced]
    1. Require multi-factor authentication – User must complete additional security requirements like phone call, text, authentication app challenge
    2. Require device to be marked as compliant – Device must be Intune compliant. If the device is non-compliant, the user will be prompted to bring the device under compliance
    3. Require domain joined (Hybrid Azure AD) – Devices must be Hybrid Azure AD joined
  5. Enable the Conditional Access Policy
    [Screenshot: Enable the Conditional Access Policy]


Finally all done, and you have implemented a highly user-friendly way to provide your end-users with secure remote access to your company’s Citrix XenDesktop / XenApp environment.

See it in action in the following video clip and enjoy the outcome of your hard work!

10 thoughts on “Multi-factor Authentication for Citrix XenDesktop / NetScaler against Azure AD”

  1. Hoi Rene

    What about password changes? We’re using that scenario and don’t see the “change password” option when logging in to Receiver for Web within a browser. Citrix says it’s only supported when NOT using a NS – and I can see the change option when connecting directly to the Storefront address internally.

    Any ideas?

    Thanks
    Udo

    Like

    1. Hi Udo,
      As discussed on Twitter, with enabled password writeback from Azure AD to the on-prem AD the users are given to change their passwords through the corresponding Azure feature. After a change the new password is written back to the local active directory. The feature has to be enabled on the Azure AD Connectors (see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback).
      The built-in Citrix feature to change passwords as described in https://support.citrix.com/article/CTX219939 will not work in a SAML setup, because there is no password exchange between the SAML IdP (Azure) and the SP (NetScaler). Hope this helps.

      Like

  2. Hi Rene,

    Thanks for the steps above.
    I have a quick question for you as I am currently configuring this, when I tried to create the SAML Authentication Server, after clicking on Create I got an error message:
    Arguments cannot both be specified [samlIdPCertName, metadataUrl]

    Do you have any idea of what could be the issue?

    Thanks
    Arnaud

    Like

  3. Great post! When I get to the Netscaler part–mine doesn’t look the same. It’s missing some fields? We have a vpx 1000. Anyone ever seen this?

    Like
