AlwaysOn before logon without a user persona

AlwaysOn before logon without a user persona provides the following capabilities.

  • Administrator provides a one-time password to first-time remote users, which they use to connect to the domain controller and change their password.
  • Administrator remotely manages and enforces AD policies on the device even before the user logs in.
  • Users working remotely connect to the domain controller to change their password.

Understanding AlwaysOn before logon for Windows without a user persona

  • User turns on the laptop; a machine-level tunnel is established to Citrix Gateway using the device certificate or client certificate as the identity.
  • User logs in to the laptop with AD credentials.
  • Upon successful authentication, the machine-level tunnel remains active.
  • On machine shutdown, the machine-level tunnel is torn down.

Configure Citrix ADC for AlwaysOn service without a user persona by using the GUI

AlwaysOn service without a user persona supports two configurations:

  • Device certificate authentication
  • Client certificate authentication

You can configure Citrix ADC for AlwaysOn service without a user persona using classic policies or advanced policies.

Configuration using classic policies

Device certificate based authentication

  1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
  3. On the VPN Virtual Servers page, under Basic Settings section, click Edit.
  4. Clear the Enable Authentication check box to disable authentication, and select the Enable Device Certificate check box to enable device certificate authentication.
  5. Click Add to add the CA certificate name of the device certificate issuer to the list.
  6. Click OK to save the configuration.

Client certificate based authentication

  1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
  3. In the navigation pane, under Authentication, click CERT.
  4. In the details pane, click Add.
  5. In Name field, type a name for the policy.
  6. Click New next to the server.
  7. In Name, type a name for the profile.
  8. Select OFF next to Two Factor.
  9. In User Name and Group Name, select the values and then click Create.
  10. In the Create Authentication Policy dialog, next to Named Expressions, select the expression, click Add Expression, click Create and then click Close.
  11. Bind the expression to the virtual server.
  12. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
    1. On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
    2. In the configure Citrix Gateway Virtual Server dialog box, click the Authentication tab.
    3. Click Primary and under Details, click Insert Policy.
    4. In Policy Name, select the policy and then click OK.
    5. On the VPN Virtual Servers page, create an SSL profile.
    6. In Deny SSL Renegotiation, select NONSECURE to deny renegotiation for non-secure requests only.
  13. Click OK.

Configuration using advanced policies

Device certificate based authentication

  1. Navigate to Configuration > Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select the virtual server to be modified and click Edit.
  3. On the VPN Virtual Server page, click the edit icon.
  4. Click Add next to the CA for Device Certificate section and click OK.

    Note: Do not select the Enable Device Certificate check box. Enabling it enables the Device Certificate validation in the classic EPA.

  5. Navigate to Configuration > Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > EPA.
    1. On the Authentication EPA Action page, click Add. You can click Edit to edit an existing EPA action.
    2. On the Create Authentication EPA Action page, provide the values for the required fields to create an authentication EPA action, and click the EPA Editor link.
    3. Select Common from the Expression Editor list.
    4. Select Device Certificate from the list that appears next and then click Done.

Client certificate based authentication

  1. Navigate to Configuration > Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
  3. On the VPN Virtual Servers page, under Authentication Profile section, click Add.
  4. On the Create Authentication Profile page, provide a name for the authentication profile and click Add.
  5. On the Authentication Virtual Server page, provide a name for the authentication virtual server, select IP Address Type as Non-Addressable, and click OK.
  6. Under Advanced Authentication Policies, click inside Authentication Policy.
  7. On the Policy Binding page click Add next to Select Policy.
  8. On the Create Authentication Policy page, provide a name for the advanced authentication policy, select CERT from the Action Type list, and click Add next to Action.
  9. On the Create Authentication CERT Action page, provide a name for the CERT action to be created, enter values for the other fields, and click OK.
  10. On the Policy Binding page, enter 100 in Priority and click Bind.
  11. On the Authentication Virtual Server page, click inside Authentication Policy.
  12. On the Authentication Policy page, click Add Binding.
  13. On the Policy Binding page, click Add next to Select Policy.
  14. On the VPN Virtual Servers page, create an SSL profile.
  15. In Deny SSL Renegotiation, select NONSECURE to deny renegotiation for non-secure requests only.
  16. Click OK.
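The advanced-policy client certificate configuration above, expressed as the equivalent Citrix ADC command-line configuration. This is an added example, not taken from the original page: the object names (vpn_vs, auth_vs, authn_prof, cert_act, cert_pol, ssl_prof, ca_certkey) are assumed, and the client-authentication lines assume the issuing CA's certificate-key pair is already installed on the appliance, since a CERT action can only succeed if the Gateway virtual server actually requests a client certificate.

```text
# Assumed names: vpn_vs is the existing Citrix Gateway virtual server,
# ca_certkey is the installed certificate-key pair of the client certificate CA.

# Steps 3-5: non-addressable authentication virtual server and the
# authentication profile that points the Gateway virtual server at it
add authentication vserver auth_vs SSL 0.0.0.0
add authentication authnProfile authn_prof -authnVsName auth_vs
set vpn vserver vpn_vs -authnProfile authn_prof

# Steps 8-9: CERT action (user name taken from the certificate subject CN,
# no second factor) and the advanced policy that invokes it
add authentication certAction cert_act -twoFactor OFF -userNameField Subject:CN
add authentication Policy cert_pol -rule true -action cert_act

# Step 10: bind the policy to the authentication virtual server at priority 100
bind authentication vserver auth_vs -policy cert_pol -priority 100

# Steps 14-15: SSL profile that denies only non-secure renegotiation.
# Client certificate request and CA trust are set in the same profile
# (assumed prerequisite for CERT authentication; the page does not list them).
set ssl parameter -defaultProfile ENABLED
add ssl profile ssl_prof -denySSLReneg NONSECURE -clientAuth ENABLED -clientCert Optional
set ssl vserver vpn_vs -sslProfile ssl_prof
bind ssl vserver vpn_vs -certkeyName ca_certkey -CA
```

Run these from the appliance command line and persist them with `save ns config`; a device presenting a certificate not chained to ca_certkey fails the CERT policy and gets no machine-level tunnel.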