AlwaysOn before logon with a user persona

AlwaysOn before logon with a user persona provides the following capabilities.

  • The administrator provides a one-time password to first-time users working remotely, which they can use to connect to the domain controller and change their password.
  • The administrator remotely manages and enforces AD policies on the device even before the user logs in.
  • The administrator gets granular control over users, based on the user group, after the user logs on. For example, with the user-level tunnel, access to a resource can be restricted to or granted for a particular user group.
  • The user tunnel can be configured for MFA as per user requirements.
  • The same machine can be used by multiple users; access to selected resources is granted based on the user profile. For example, in a kiosk, a machine can be used by multiple users without hassle.
  • Users working remotely connect to the domain controller to change their password.

Understanding AlwaysOn before logon for Windows with a user persona

The following is the flow of events for the AlwaysOn before logon for Windows with a user persona.

[Figure: AlwaysOn with user persona flow]

  • The user turns on the laptop; a machine-level tunnel is established to Citrix Gateway using the device certificate as the identity.
  • The user logs in to the laptop with AD credentials.
  • After login, the user is challenged with MFA.
  • Upon successful authentication, the machine-level tunnel is replaced with a user-level tunnel.
  • When the user logs out, the user-level tunnel is replaced with the machine-level tunnel.

Configure Citrix ADC for AlwaysOn service with a user persona by using the GUI

You can configure Citrix ADC for AlwaysOn service with a user persona only by using advanced policies.

Note: Citrix ADC Advanced Edition is required for the solution to work.

The AlwaysOn before logon for Windows with a user persona configuration involves the following high-level steps:

  • Create an authentication profile
  • Create an authentication virtual server
  • Create authentication policies
  • Bind the policies to the authentication profile

To configure AlwaysOn before logon using the GUI

  1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
  3. On the VPN Virtual Servers page, under Authentication Profile section, click Add.
  4. On the Create Authentication Profile page, provide a name for the authentication profile, and click Add.
  5. On the Authentication Virtual Server page, provide a name for the authentication virtual server, select IP Address Type as Non-Addressable, and click OK.
  6. Under Advanced Authentication Policies, click inside Authentication Policy.
  7. On the Policy Binding page click Add next to Select Policy.
  8. On the Create Authentication Policy page:
    1. Enter a name for the advanced authentication policy.
    2. Select EPA from the Action Type list.
    3. Click Add next to Action.
  9. On the Create Authentication EPA Action page:
    1. Enter a name for the EPA action to be created.
    2. Enter sys.client_expr("device-cert_0_0") in the Expression field.
    3. Click Create.


  10. On the Create Authentication Policy page:
    1. Enter a name for the authentication policy.
    2. Enter is_aoservice in the Expression field.
    3. Click Create.

    Note: The expression is_aoservice is valid from Citrix Gateway version 13.0 build 41.20 and later.


  11. On the Policy Binding page, enter 100 in Priority and click Bind.
  12. On the Authentication Virtual Server page, click inside Authentication Policy.
  13. On the Authentication Policy page, click the Add Binding tab.
  14. On the Policy Binding page, click Add next to Select Policy.
  15. On the Create Authentication Policy page:
    1. Enter a name for the "no authentication" policy to be created.
    2. Select action type as NO_AUTHN.
    3. Enter is_aoservice.not in the Expression field.
    4. Click Create.

      Note: The expression is_aoservice.not is valid from Citrix Gateway version 13.0 build 41.20 and later.


  16. On the Policy Binding page, enter 110 in Priority, and click Add next to Select Next Factor.
  17. On the Authentication Policy Label page, create an LDAP authentication policy. For details, see To configure LDAP authentication by using the configuration utility.
  18. Click Bind on the Policy Binding page.
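The same configuration expressed in the Citrix ADC command line, as an added example that is not part of the original page. The object names (AAA_AO_vserver, EPA_devicecert_act, LDAP_label, AO_gateway_vs and so on), the certificate key name, and the LDAP server, base DN and bind account are assumed placeholders; the lines starting with # are annotations, not CLI input.

```nscli
# Non-addressable authentication virtual server (IP 0.0.0.0), reached only through the authentication profile.
add authentication vserver AAA_AO_vserver SSL 0.0.0.0
# Assumed certificate key name for the server certificate bound to the authentication virtual server.
bind ssl vserver AAA_AO_vserver -certkeyName GATEWAY_CERTKEY

# Priority 100: when the request comes from the AlwaysOn service (is_aoservice),
# the only factor is the EPA device certificate check; no user credentials are involved.
add authentication epaAction EPA_devicecert_act -csecexpr "sys.client_expr(\"device-cert_0_0\")"
add authentication Policy EPA_devicecert_pol -rule is_aoservice -action EPA_devicecert_act
bind authentication vserver AAA_AO_vserver -policy EPA_devicecert_pol -priority 100

# LDAP factor for the interactive user logon (placeholders: <DC_IP>, base DN, bind account, <BIND_PASSWORD>).
# memberOf/cn group extraction is what lets later policies grant access per user group.
add authentication ldapAction LDAP_act -serverIP <DC_IP> -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc_gateway,cn=Users,dc=example,dc=com" -ldapBindDnPassword <BIND_PASSWORD> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication Policy LDAP_pol -rule true -action LDAP_act
add authentication policylabel LDAP_label -loginSchema LSCHEMA_INT
bind authentication policylabel LDAP_label -policyName LDAP_pol -priority 100 -gotoPriorityExpression NEXT

# Priority 110: requests that are NOT from the AlwaysOn service (is_aoservice.not) take a
# NO_AUTHN first factor and are handed to the LDAP factor, so every user logon still authenticates.
add authentication Policy NOAUTH_pol -rule is_aoservice.not -action NO_AUTHN
bind authentication vserver AAA_AO_vserver -policy NOAUTH_pol -priority 110 -nextFactor LDAP_label

# Authentication profile that points the Citrix Gateway virtual server at the authentication virtual server.
add authentication authnProfile AO_authprofile -authnVsName AAA_AO_vserver
set vpn vserver AO_gateway_vs -authnProfile AO_authprofile
```

The MFA challenge shown in the flow above is not configured here; it would be a further policy label bound as the next factor after LDAP_label.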