Citrix Gateway

Configuring Citrix Gateway Virtual Server for Microsoft ADAL Token Authentication

To configure a Citrix Gateway virtual server for Microsoft ADAL token authentication, you need the following information:

  • certEndpoint: The URL of the endpoint that contains the JSON Web Key (JWK) used for ADAL token verification.
  • Audience: FQDN of the Citrix ADC virtual server to which the app sends the ADAL token.
  • Issuer: Name of the AAD issuer. Populated by default.
  • TenantID: Tenant ID for Azure ADAL registration.
  • ClientID: A unique ID given to the Gateway app as part of ADAL registration.
  • ClientSecret: A secret key given to the Gateway app as part of ADAL registration.

  1. Create an OAuthAction:

    add authentication OAuthAction <oauth_action_name> -OAuthType INTUNE -clientid <client_id> -clientsecret <client_secret> -audience <audience> -tenantid <tenantID> -issuer <issuer_name> -userNameField upn -certEndpoint <certEndpoint_name>

    Example:

    add authentication OAuthAction tmp_action -OAuthType INTUNE -clientid id 1204 -clientsecret a -audience "http://hello" -tenantid xxxx -issuer "https://hello" -userNameField upn -certEndpoint https://login.microsoftonline.com/common/discovery/v2.0/keys

  2. Create an authentication policy to associate with the newly created OAuthAction:

    add authentication Policy <policy_name> -rule true -action <oauth_intune_action>

    Example:

    add authentication Policy oauth_intune_pol -rule true -action tmp_action

  3. Bind the newly created OAuth policy to the authentication virtual server:

    bind authentication vserver <auth_vserver> -policy <oauth_intune_policy> -priority 2 -gotoPriorityExpression END

    Example:

    bind authentication vserver auth_vs_for_gw1_intune -policy oauth_intune_pol -priority 2 -gotoPriorityExpression END

  4. Create a LoginSchema:

    add authentication loginSchema <loginSchemaName> -authenticationSchema <authenticationSchema_location>

    add authentication loginSchemaPolicy <loginSchemaPolicyName> -rule true -action <loginSchemaName>

    Example:

    add authentication loginSchema oauth_loginschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyOAuthToken.xml"

    add authentication loginSchemaPolicy oauth_loginschema_pol -rule true -action oauth_loginschema

  5. Bind the login schema policy to the authentication virtual server:

    bind authentication vserver <auth_vs> -policy <loginSchemaPolicyName> -priority 2 -gotoPriorityExpression END

    Example:

    bind authentication vserver auth_vs_for_gw1_intune -policy oauth_loginschema_pol -priority 2 -gotoPriorityExpression END

  6. Add an authnprofile and assign it to a VPN virtual server:

    add authnprofile <nfactor_profile_name> -authnvsName <authvserver>

    set vpn vserver <vserverName> -authnprofile <nfactor_profile_name>

    Example:

    add authnprofile nfactor_prof_intune -authnvsName auth_vs_for_gw1_intune

    set vpn vserver gw1_intune -authnprofile nfactor_prof_intune
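The OAuthAction from step 1 is where the gateway validates the app's ADAL token: it uses the JWK set fetched from certEndpoint to check the token's signature, then compares the audience, issuer and tenant before taking the upn claim as the user name. The following Ruby code is an added example of those checks, not part of the Citrix documentation and not the ADC's own implementation; it assumes the function names verify_adal_token and sign_test_token and builds its own RS256 token and JWK locally in place of a real AAD token and certEndpoint.

```ruby
require 'openssl'
require 'json'

# Base64url without padding, as used by JWT segments and JWK parameters.
def b64url_decode(s)
  (s + '=' * (-s.size % 4)).tr('-_', '+/').unpack1('m0')
end

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Builds an RSA public key from a JWK's n/e values (PKCS#1 RSAPublicKey DER).
def jwk_to_rsa(jwk)
  n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk[f]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der)
end

# The checks the OAuthAction is configured for: RS256 signature against the JWK whose kid
# matches the token header (the keys come from certEndpoint), then audience, issuer, tenant
# and expiry. Returns the upn claim, which -userNameField upn selects as the user name.
def verify_adal_token(token, jwks, audience:, issuer:, tenant_id:, now: Time.now)
  parts = token.split('.')
  raise 'malformed token' unless parts.size == 3
  hdr = JSON.parse(b64url_decode(parts[0]))
  raise 'alg is not RS256' unless hdr['alg'] == 'RS256'
  jwk = jwks.find { |k| hdr['kid'] && k['kid'] == hdr['kid'] } # unknown kid fails closed
  raise "no JWK for kid #{hdr['kid']}" unless jwk
  signed = parts[0] + '.' + parts[1]
  raise 'signature verification failed' unless jwk_to_rsa(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signed)
  c = JSON.parse(b64url_decode(parts[1]))
  raise 'audience mismatch' unless c['aud'] == audience
  raise 'issuer or tenant mismatch' unless c['iss'] == issuer && c['tid'] == tenant_id
  raise 'token expired' unless c['exp'].is_a?(Integer) && now.to_i < c['exp']
  raise 'upn claim missing' if c['upn'].to_s.empty?
  c['upn']
end

# Constructed test fixture: signs claims with a local RSA key and returns the matching JWK,
# standing in for the AAD issuer and its certEndpoint. Not a real ADAL token.
def sign_test_token(priv, kid, claims)
  body = [{ 'alg' => 'RS256', 'kid' => kid }, claims].map { |o| b64url_encode(JSON.generate(o)) }.join('.')
  sig = priv.sign(OpenSSL::Digest.new('SHA256'), body)
  jwk = { 'kid' => kid, 'n' => b64url_encode(priv.n.to_s(2)), 'e' => b64url_encode(priv.e.to_s(2)) }
  [body + '.' + b64url_encode(sig), jwk]
end
```

A token with an unknown or missing kid, a non-RS256 alg, a tampered payload, a wrong audience or tenant, or a past exp is rejected before any user name is returned, which is the behaviour to expect from the gateway when the OAuthAction parameters are set correctly.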
