NetScaler Gateway 12 – StoreFrontAuth, and XenDesktop Wizard

Last Modified: Oct 11, 2017 @ 5:57 am


Overview

NetScaler Gateway 12 supports a new form of authentication called StoreFrontAuth, which delegates Active Directory authentication to a StoreFront server. StoreFrontAuth replaces the LDAP policy on NetScaler Gateway: StoreFront does the AD credential check, so you usually don’t need both.

  • StoreFrontAuth is an nFactor method (it runs on a AAA vServer that the Gateway uses for authentication), which means NetScaler must be licensed for Enterprise Edition or Platinum Edition.

The easiest method of enabling StoreFrontAuth is to use the XenApp and XenDesktop Wizard. The Wizard lets you select from several different authentication methods, including multi-factor.

Prerequisites

License – make sure the appliance is licensed for Enterprise Edition or Platinum Edition.

DNS Servers – make sure DNS Servers are configured on the NetScaler.

The Wizard creates a whole new Gateway vServer. You’ll need the following:

  • DNS name for the Gateway
  • VIP for the Gateway
  • Certificate for the Gateway

URL to the StoreFront servers – must be reachable from the NetScaler SNIP, which is the source address StoreFrontAuth uses when it authenticates users

  • To retrieve the list of stores during the Wizard, the NSIP must also be able to reach the StoreFront URL
  • StoreFront must be version 3.11 or newer

RADIUS – If you are doing multi-factor authentication, then you’ll need RADIUS information, including adding NetScaler NSIP and/or SNIP as RADIUS Clients.

Also see Citrix CTX223882 FAQ – Configuring Authentication at StoreFront using NetScaler Gateway.

XenApp and XenDesktop Wizard

  1. In NetScaler, click XenApp and XenDesktop on the bottom left.
  2. On the right, click Get Started.
  3. In the NetScaler Gateway section, enter the FQDN for the new Gateway.
  4. Enter the VIP for the new Gateway.
  5. Check the box next to Redirect requests from port 80 to secure port, and click Continue.
  6. In the Server Certificate section, if you already have a certificate on this appliance that matches the new Gateway FQDN, then select it. Or, change the selection to Install Certificate, and import a .pfx file. Click Continue when done.
  7. In the StoreFront section, enter the URL to StoreFront, and click Retrieve Stores.
  8. In the Receiver for Web Path drop-down, select a RfWeb Path.
  9. Enter a Secure Ticket Authority URL, including http:// or https://.
    1. Use the plus icon to add more than one STA server. STAs are usually your XenDesktop Controllers.
  10. Check the box next to Use this StoreFront for Authentication, and click Continue.
  11. In the Authentication section, in the Choose Authentication Type drop-down, notice that there are several options. Multi-factor will be detailed later.
  12. Click the button to Retrieve Auth Enabled Stores.
  13. Use the Authentication Service URI drop-down to select a store.
  14. The Domain field can be used to enter a default domain. Note: the domain name entered here must match one of the domain names permitted by StoreFront. This will be explained below in the Multiple Domains section.
  15. Click Continue
  16. Review the summary screen, and click Done.
  17. If Default SSL Profiles are not enabled, then edit the Gateway vServer, and configure standard SSL vServer Settings.

Portal Theme and Login Schema

  1. If you point your browser to the Gateway URL, notice it’s an old theme.
  2. On the left, go to NetScaler Gateway > Virtual Servers.
  3. On the right, edit the Gateway that was created by the wizard.
  4. On the right, in the Advanced Settings column, click Portal Themes.
  5. On the left, scroll down, and change the Portal Theme selection to RfWebUI, or one of its derivatives. Click OK.
  6. Now when you visit the Gateway URL, it’s shown using a newer theme. However, there’s a “First Factor” text in the middle of the page. We can fix that.
  7. Back in your NetScaler Gateway, scroll down and find the Authentication Profile section. Click the pencil icon. This object enables nFactor.
  8. Click the pencil icon to edit the Authentication Profile.
  9. Note the name of the AAA vServer.
  10. Go back to the main NetScaler navigation, and go to Security > AAA – Application Traffic > Virtual Servers.
  11. You’ll see a new AAA vServer in the list. It shows as down because no certificate is bound to it, but the Gateway still uses it for authentication, so it works. If the red icon bothers you, you’re welcome to bind a certificate to it.
  12. Edit the AAA vServer.
  13. Scroll down, and click where it says 1 Login Schema.
  14. Right-click the Login Schema, and click Edit.
  15. Click the pencil next to the Profile field.
  16. Click the pencil in the Authentication Schema field.
  17. On the left, click the LoginSchema folder to open it.
  18. Move your mouse over the SingleAuth.xml file, and click the download icon. Save it somewhere.
  19. Edit the downloaded .xml file.
  20. Find the line containing the First factor text and delete the line. Save the file with a new name.
  21. Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the edited file to upload it.
  22. Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
  23. On the left, click the new file to highlight it. On the right, click the blue Select icon.
  24. Notice that the file name has now changed to the new file. Click OK.
  25. Click OK again.
  26. Click Close.
  27. If you point your browser to the Gateway FQDN again, the extra text is gone. You’re welcome to make additional changes to the .xml file.

StoreFront Configuration for Gateway

  1. In NetScaler, on the bottom left, click XenApp and XenDesktop.
  2. On the top right, click Download file.
  3. In the Download StoreFront Settings page, you can either export all virtual servers, or just one of them. Click OK.
  4. Save the GatewayConfig.zip file somewhere.
  5. In StoreFront console, on the left, right-click the Stores node, and click Manage NetScaler Gateways.
  6. At the top of the window, click the blue link imported from file.
  7. Click the Browse button, and select the GatewayConfig.zip file you saved earlier.
  8. Click the Import button next to the Gateway vServer you want to import.
  9. In the Select Logon Type page, you can optionally enter a SmartAccess Callback URL that resolves to any NetScaler Gateway on the same appliance that authenticated the user. Click Verify.
  10. Click Next.
  11. In the Secure Ticket Authorities page, review the list of STAs, and click Next.
  12. In the Review Changes page, click Import.
  13. In the Summary page, click Finish.
  14. Click Close.
  15. The new Gateway is shown in the list. Notice that the new Gateway is already Used by Store, so there’s no need to enable Remote Access on the Store yourself. Click Close.
  16. Edit the newly imported Gateway object.
  17. On the Secure Ticket Authority page, check the box next to Enable session reliability. EDT protocol will not work unless you check this box. Click OK.

StoreFrontAuth and Multiple Domains

The wizard configures the two Session Profiles with a default Single Sign-on Domain, and Gateway applies it to every logon. Users from other domains won’t work until you remove this SSON Domain.

  1. At NetScaler Gateway > Virtual Servers, edit the Gateway Virtual Server created by the wizard.
  2. Scroll down, and click where it says 2 Session Policies.
  3. Right-click each Session Policy, and click Edit Profile.
  4. On the Published Applications tab, uncheck the box next to Single Sign-on Domain. Click OK.
  5. Repeat for the other Session Profile.

StoreFrontAuth authenticates users to StoreFront using normal StoreFront username syntax:

  • username only
  • Domain\username
  • username@domain.suffix (aka userPrincipalName)

If no domain name is specified, StoreFrontAuth can be configured with a default domain name.

  1. Go to Security > AAA > Virtual Servers, right-click the AAA vServer that has StoreFrontAuth enabled, and click Edit.
  2. Scroll down, and click where it says 1 Authentication Policy.
  3. Right-click the StoreFrontAuth policy, and click Edit Policy. Unfortunately, Edit Action doesn’t seem to work.
  4. Click the pencil icon next to the Action.
  5. In the Domain field, enter a default domain name that will be used if the user does not specify a domain. Click OK.

Notes on domain names:

  • The domain names entered by users (domain\username, or username@domain.suffix) must be accepted by StoreFront.
  • The default domain name entered in the StoreFrontAuth Action must be accepted by StoreFront.
  • After StoreFrontAuth authenticates the user, it sends back the user’s UPN. NetScaler Gateway then uses the UPN to Single Sign-on to StoreFront, so the UPN suffixes must be accepted by StoreFront even when users log in with a NetBIOS domain name.

To configure the domain names accepted by StoreFront:

  1. In StoreFront Console, right-click your store, and click Manage Authentication Methods.
  2. Click the top gear icon, and click Configure Trusted Domains.
  3. If the selection is Any domain, then you’re good, and you don’t need to change anything.
  4. If it’s set to Trusted domains only, then make sure that the UPN domain suffixes are in the list.
  5. To make it easier for users, add the NetBIOS domain names too. However, if you checked the box for Show domains list in logon page, then internal users will see both the NetBIOS domain names, and the UPN domain suffixes.
  6. Notice that there’s a drop-down to select the Default domain. This default domain is only used if the user does not specify a domain name, and if no domain name is configured in the StoreFrontAuth action.

Depending on how you configured the StoreFront trusted domains, users have several options for logging into NetScaler Gateway:

  • Username only – the default domain name configured in the StoreFrontAuth action is used. If StoreFrontAuth default domain is not configured, then it uses the default domain name configured in StoreFront.
  • Domain\username – requires the short domain name (NetBIOS) to be included in StoreFront’s list of trusted domains.
  • UPN.suffix\username – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
  • username@UPN.suffix – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
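To check how these rules combine for a given Trusted Domains setting before users hit the logon page, here is an added example that models them in Python. It is not code from this article or from Citrix: the two-domain forest (NetBIOS name to UPN suffix), the store trust settings and the usernames are constructed for the example, and the rules it encodes are the ones listed above, including the point that NetScaler Gateway signs on to StoreFront with the UPN it gets back from StoreFrontAuth.

```python
"""Model StoreFront's trusted-domain checks for StoreFrontAuth logons.

Added example, not code from the article or from Citrix. FOREST, the trust
settings and the usernames are constructed; the rules are the article's.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed two-domain forest: NetBIOS name -> UPN suffix.
FOREST = {"CORP": "corp.example.com", "LAB": "lab.example.com"}
UPN_SUFFIXES = {suffix: nb for nb, suffix in FOREST.items()}


@dataclass
class StoreFrontTrust:
    """The store's Configure Trusted Domains settings."""
    any_domain: bool = True                          # "Any domain" vs "Trusted domains only"
    trusted: Set[str] = field(default_factory=set)   # NetBIOS names and/or UPN suffixes
    default_domain: Optional[str] = None             # used only if nothing else supplies one


def parse_logon(username: str) -> Tuple[str, Optional[str]]:
    """Split the three syntaxes StoreFront accepts into (user, domain or None)."""
    if "\\" in username:                  # DOMAIN\user or upn.suffix\user
        domain, user = username.split("\\", 1)
        return user, domain
    if "@" in username:                   # user@upn.suffix
        user, suffix = username.rsplit("@", 1)
        return user, suffix
    return username, None                 # bare username


def upn_suffix_of(domain: str) -> Optional[str]:
    """Map a NetBIOS name or UPN suffix to that domain's UPN suffix (None if unknown)."""
    if domain.upper() in FOREST:
        return FOREST[domain.upper()]
    if domain.lower() in UPN_SUFFIXES:
        return domain.lower()
    return None


def is_trusted(domain: str, trust: StoreFrontTrust) -> bool:
    return trust.any_domain or domain.lower() in {d.lower() for d in trust.trusted}


def evaluate_logon(username: str, action_default_domain: Optional[str],
                   trust: StoreFrontTrust) -> Tuple[bool, Optional[str], str]:
    """Return (accepted, effective domain, reason) for one Gateway logon.

    action_default_domain is the Domain field of the StoreFrontAuth action.
    """
    user, domain = parse_logon(username)
    if not user:
        return False, None, "empty username"
    if domain is None:
        # Username only: the StoreFrontAuth action default wins, then StoreFront's.
        domain = action_default_domain or trust.default_domain
        if domain is None:
            return False, None, "no domain supplied and no default configured"
    if not is_trusted(domain, trust):
        return False, domain, f"{domain} is not in the store's trusted domains"
    suffix = upn_suffix_of(domain)
    if suffix is None:
        return False, domain, f"{domain} is not a domain in this forest"
    # StoreFrontAuth returns the user's UPN and Gateway signs on to StoreFront
    # with it, so the UPN suffix must be trusted even if the user typed NetBIOS.
    if not is_trusted(suffix, trust):
        return False, domain, f"UPN suffix {suffix} must also be trusted for single sign-on"
    return True, domain, "accepted"


if __name__ == "__main__":
    # NetBIOS name trusted but UPN suffix missing: every form fails at the SSO step.
    store = StoreFrontTrust(any_domain=False, trusted={"CORP"}, default_domain="CORP")
    for name in ("alice", "CORP\\alice", "alice@corp.example.com", "LAB\\bob"):
        print(name, "->", evaluate_logon(name, None, store))
```

Run it as-is to see the failure mode from the third note above (NetBIOS name trusted, UPN suffix not), then add "corp.example.com" to `trusted` to watch the same logons succeed.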

Multi-factor authentication

The XenApp and XenDesktop Wizard supports several authentication configurations:

  1. On the bottom left, click XenApp and XenDesktop.
  2. On the top right, move your cursor over the existing Gateway, and click the pencil icon to edit it.
  3. If you earlier removed the Single Sign-On Domain to support multiple AD domains, then the wizard will prompt you to re-enter a Default Active Directory Domain. Unfortunately, this field is not optional. After entering a domain name, and completing the steps shown in this section, you can follow the above instructions to remove it again.
  4. In the Authentication section, click the pencil icon.
  5. At the top of the Authentication section, there’s a drop-down for Choose Authentication Type. There are several options. Since this article is focused on StoreFront Auth, only RSA + StoreFront Auth will be detailed below.

    1. Note: the RSA + Domain option is equivalent to NetScaler Gateway RADIUS + LDAP. The RADIUS + LDAP authentication is performed directly by NetScaler Gateway, which means it doesn’t use nFactor or a AAA vServer. Unfortunately, the wizard does not configure NetScaler Gateway correctly. See my NetScaler Gateway RADIUS Authentication article to fix the authentication policies and Gateway binding configuration.

The RSA + StoreFront Auth option will ask you for RADIUS authentication information.

  1. Change the Choose Authentication Type drop-down to RSA + StoreFront Auth.
  2. Enter the RADIUS information, and click Test Connection.
  3. StoreFront Auth should already be configured, so just click Continue.
  4. Note, if you see any error messages, you might have to completely delete the Gateway, and run the wizard from scratch. Unfortunately, the XenApp and XenDesktop wizard seems to be quite buggy.
  5. After changing the Gateway authentication, download the configuration file again, and import to StoreFront.
  6. When you import to StoreFront, you can select an existing Gateway to overwrite.
  7. The Gateway that it imports to StoreFront is automatically configured with Domain and security token, so you don’t have to configure this yourself.

If you point your browser to the Gateway URL, you will see two password fields. You would think that the first password field is where you enter the AD Password, but that’s incorrect. Actually, it wants Passcode in the first field, and AD Password in the second field.

To swap the fields, do the following:

  1. Go to Security > AAA РApplication Traffic > Virtual Servers.
  2. Edit the AAA vServer that is linked to the Gateway vServer.
  3. Scroll down, and click where it says 1 Login Schema.
  4. Right-click the Login Schema, and click Edit.
  5. Click the pencil next to the Profile field.
  6. Notice the DualAuth.xml file selection. Click the pencil in the Authentication Schema field.
  7. On the left, click the LoginSchema folder to open it.
  8. Move your mouse over the DualAuth.xml file, and click the download icon. Save it somewhere.
  9. Edit the downloaded .xml file.
  10. Look for the two lines containing passwd: one has <ID>passwd</ID> and the other has <ID>passwd1</ID>. Swap the two IDs. In other words, remove the 1 from passwd1 in line 27, and add it to the passwd in line 22. Each line holds both the opening and closing ID tag; only the value between them changes. Save the file with a new name.
  11. Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the new file to upload it.
  12. Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
  13. On the left, click the new file to highlight it. On the top right, click the blue Select icon.
  14. Notice that the file name has now changed to the new file. Click OK.
  15. Click OK again.
  16. Click Close.
  17. Now when you go to the Gateway URL, the fields should work as expected.
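Both hand edits in this article (deleting the First factor line from SingleAuth.xml in the Portal Theme and Login Schema section, and swapping the passwd and passwd1 IDs in DualAuth.xml here) can be scripted so the result is predictable. The following is an added example, not code from the article or from Citrix. The schema it edits is a constructed fragment that mirrors the shape of the shipped files (a Requirements list of Requirement elements, each with a Credential/ID and a Label/Text); the namespace URI and element names are assumptions taken from that shape, so check them against the file you downloaded from the appliance before running the script on it. The optional relabel step shows how to name the box that still posts as passwd (the RADIUS passcode, after the swap) something clearer than "Password 2:".

```python
"""Script the two login schema edits from this article.
Added example, not code from the article or from Citrix. SAMPLE_SCHEMA is a
constructed fragment mirroring the shape of SingleAuth.xml / DualAuth.xml; the
namespace and element names are assumptions to verify against your download.
"""
import sys
import xml.etree.ElementTree as ET

NS = "http://citrix.com/authentication/response/1"  # assumed schema namespace
ET.register_namespace("", NS)  # serialise with a default xmlns, as the originals do


def q(tag):
    """Namespace-qualify a tag for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


# Constructed sample: "First factor" heading, username, two passwords, button.
SAMPLE_SCHEMA = f"""<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="{NS}">
<Status>Success</Status><Result>more-info</Result><StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>First factor</Text><Type>heading</Type></Label><Input/></Requirement>
<Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>User name</Text><Type>plain</Type></Label><Input><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd1</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password 2:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>
"""


def credential_ids(xml_text):
    """Credential IDs in form order. The ID of a password box decides which
    nFactor factor receives what the user types into it."""
    root = ET.fromstring(xml_text)
    ids = []
    for cred in root.iter(q("Credential")):
        id_el = cred.find(q("ID"))
        if id_el is not None:
            ids.append(id_el.text)
    return ids


def remove_heading(xml_text, heading="First factor"):
    """Delete every Requirement whose Label/Text is `heading`; return (xml, count)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for reqs in root.iter(q("Requirements")):
        for req in list(reqs):
            label = req.find(f"{q('Label')}/{q('Text')}")
            if label is not None and (label.text or "").strip() == heading:
                reqs.remove(req)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def swap_credential_ids(xml_text, first="passwd", second="passwd1"):
    """Exchange two Credential IDs so each box posts to the other factor."""
    root = ET.fromstring(xml_text)
    hits = [c.find(q("ID")) for c in root.iter(q("Credential"))]
    hits = [h for h in hits if h is not None and h.text in (first, second)]
    if len(hits) != 2 or {h.text for h in hits} != {first, second}:
        raise ValueError(f"expected exactly one {first!r} and one {second!r} ID")
    hits[0].text, hits[1].text = hits[1].text, hits[0].text
    return ET.tostring(root, encoding="unicode")


def set_label(xml_text, cred_id, text):
    """Relabel the box whose Credential ID is `cred_id` (optional extra)."""
    root = ET.fromstring(xml_text)
    for req in root.iter(q("Requirement")):
        id_el = req.find(f"{q('Credential')}/{q('ID')}")
        if id_el is not None and id_el.text == cred_id:
            label = req.find(f"{q('Label')}/{q('Text')}")
            if label is None:
                raise ValueError(f"{cred_id!r} has no Label/Text to change")
            label.text = text
            return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no Credential with ID {cred_id!r}")


if __name__ == "__main__":
    # Usage: python schema_edit.py DualAuth.xml DualAuth-swapped.xml
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as f:
        text = f.read()
    text, dropped = remove_heading(text)           # no-op on a file without the heading
    if "passwd1" in credential_ids(text):          # only DualAuth-style files have two boxes
        text = swap_credential_ids(text)
    with open(dst, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + text)
    print(f"removed {dropped} heading(s); field order now {credential_ids(text)}")
```

Upload the written file through the Login Schema dialog as in the steps above, and remember that uploading does not select it: you still have to pick the new file with the pencil icon.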

11 thoughts on “NetScaler Gateway 12 – StoreFrontAuth, and XenDesktop Wizard”

  1. Hi Carl, thanks for your article.
    I have an existing PoC setup where users connect directly to StoreFront with Pass-through authentication turned on.
    In the new setup, we have AG set up for internal users (to force all traffic through the SNIP). This means users need to type their credentials to authenticate at NetScaler.
    Users want to be able to use Pass-through authentication (similar to their PoC). I understand Pass-through authentication is not supported in NetScaler Gateway.
    If I configure StoreFront Auth as described, is it possible to make pass-through work?
    Bottom line: users want to be automatically logged in from their domain-joined machines using Pass-through, even when connecting from NetScaler AG.
    Note: I have enabled the prerequisites for Pass-through to work already (Receiver GPO, TrustingXML etc.)

  2. Is there a specific step needed to enable “Storefront Auth” on step 12 (Click the button to Retrieve Auth Enabled Stores)?
    When I click the button, I get an error stating: “There are no auth enabled stores on the specified StoreFront”

    1. I usually have to click it a couple times.

      Or, maybe you’ve upgraded StoreFront several times and don’t have a store with integrated auth.

  3. Hi Carl,

    I changed from LDAP Auth to the new StoreAuth method. After I changed it, I get an error on StoreFront:

    Eventlog: Citrix Authentication Service ID:1 (1008) /UserDomain

    ” An error occurred while processing an explicit JSON request.
    System.ArgumentNullException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Value cannot be null.
    Parameter name: userDomain
    at Citrix.DeliveryServices.Security.Claims.Specializations.Directory.Client.DelegatedDirectoryClaimFactory.CreateDirectoryClaimForAllUserGroups(String userSecurityIdentifier, String userDomain, String issuer, String original, IEnumerable`1 requiredProperties, Boolean searchGC)
    at Citrix.DeliveryServices.Authentication.Explicit.ExplicitJson.Controllers.ExplicitJsonController.AuthenticateUsernamePassword(UsernamePasswordRequest upr)
    at Citrix.DeliveryServices.Authentication.Explicit.ExplicitJson.Controllers.ExplicitJsonController.Authenticate(JsonRequestHolder holder)

    I hope you can help me.

    Thx
    Thomas

  4. Hi Carl, do you think NetScaler v12 is ready for production deployment at a greenfield site, or should I be sticking to v11.1?

    Alan

  5. Hey Carl, testing StoreFront Auth and running into an issue using RfWebUI; other themes work. After logging in, no apps are displayed. My account also only shows my sAMAccountName and not my full name. SF without NetScaler works fine, as does the X1 theme. Any ideas? Used the wizard to configure everything. SF is set to any domain.

    1. Hi Chuck,
      I have the same problem here. NS 11.1 with RfWebUI against SF 3.5 is working. After updating NS to 12.0.53.6, RfWebUI against SF 3.5 produces the error “no apps or desktops available at this time”. Switching the theme to X1 and logging in again, it works as expected. Any ideas where the problem is?
