Always On before Windows Logon

The Secure Private Access Always On connectivity ensures that a managed device is always connected to an enterprise network before (machine tunnel only) and after Windows Logon. The Always On feature establishes a machine-level VPN tunnel before a user logs in to a Windows system. After the user logs on, the machine-level VPN tunnel is replaced by a user-level VPN tunnel. The application access is based on policies assigned to the machine for the machine-level tunnel and to the user for the user-level tunnel.

The Secure Private Access Always On before Windows Logon (machine-tunnel) feature is supported on the following machines:

  • Active Directory domain joined Windows machines
  • Entra hybrid domain joined Windows machines

The Always On before Windows Logon is authenticated by using the computer device certificate-based authentication with Active Directory.

The device certificate is issued by an Active Directory Enterprise Certificate Authority (CA). The device certificate is unique for each domain joined Windows machine.

Note:

  • The one-tier to multi-tier Microsoft Enterprise Certification Authority is supported.
  • The Secure Private Access Always On after Windows Logon (user tunnel) is achieved by one of the following auto logon authentication methods for Active Directory:

  • The Secure Private Access Always On after Windows Logon (user tunnel) is achieved by the following autologon authentication method for Entra hybrid joined machines, SSO with Primary Refresh Token (PRT) of Microsoft Entra authentication.

    Disable ADFS by navigating to Workspace Configuration\Customize\Preferences-Federated Identity Provider Sessions and disable the toggle.

How does Always On work?

The following diagram illustrates the workflow of the Always On before Windows Logon feature.

Always on workflow

  • The Citrix Identity Broker verifies the device certificate to authenticate the device immediately after bootup. The following are the device certificate verification steps:
    • The client presents the device certificate based on CA certificates uploaded to the Secure Private Access admin console.
    • The Citrix identity provider does device certificate-based authentication.
    • The Citrix identity provider verifies the following details:
      • Device certificate signature
      • CRL-based device certificate revocation check
      • Validate device certificate against Active Directory Computer object
  • On successful verification of the device certificate, a secure machine tunnel is established between the device and the resources in the corporate premises based on the access policy.
  • On allowing access to Active Directory, Windows Logon authenticates user credentials with Active Directory and supports password expiry and password change.
  • After Windows Logon, the machine-level tunnel is automatically replaced by the user tunnel with autologon. On user tunnel failure/disconnect, the connection falls back to the machine tunnel.
  • The autologin feature is supported for the Active Directory and Hybrid Entra ID environment.

Active Directory and Entra Hybrid AD configuration

The Windows machines must be Active Directory or Entra Hybrid joined as a prerequisite for Always On. The Active Directory Enterprise Certificate Authority is required to issue the device certificate for Always On machine authentication. The certificate revocation is verified based on the CDP extension with LDAP URL configuration in the certificate authority.

Device certificate enrollment configuration

The following steps are involved in device certificate enrollment:

  1. The Active Directory Enterprise Certificate Authority issues a Device Certificate for machine authentication.
  2. The certificate authority must have the LDAP URL published for the CRL distribution point (CDP) extension.

    Always on CRL CDP

  3. A certificate template in this certificate authority must be created to enroll the device certificate with the following details.

    1. Open the certification template snap-in and duplicate either the Computer or Workstation Authentication (preferred) template.
    2. Provide a new name for the certificate.
    3. Switch to the Subject Name tab, change the Subject name format setting to Common name, and check User Principal Name (UPN) to be included in the alternate subject name.

      Always on Subject name

    4. Switch to the Security tab and add a security group (containing only computer accounts) to which you want to autoenroll the new certificate template. Select the added group and select Allow for Autoenroll.

      Always on authenticated users

      Note:

      In the preceding image, Authenticated Users (all computer objects) are permitted to enroll/autoenroll the new certificate template.

    5. (Optional) Create a group policy object (GPO) that allows for auto certificate enrollment and bind it to an organization unit (OU) or at the domain level.

    Always on autoenroll certificate

Secure Private Access configuration

Configure Always On before Windows Logon (machine tunnel)

  1. Navigate to Secure Private Access > Settings and click Machine Based Authentication.
  2. Enable the Always On before Windows Logon feature by sliding the Enforce machine level tunnel before users log on toggle switch.
  3. Upload a CA certificate: Click Upload CA Certificate, select the certificate, and click Open.

    • Certificates for both root CA and intermediate CA are supported. The certificates to be uploaded must be in the PEM format and include the whole chain. The certificate must be generated starting from the intermediate certificate all the way to the root CA.
    • If the certificate is in a CER format, run the following command on a Linux or Mac terminal to convert the certificate into PEM format. After converting the certificate into PEM format, upload the certificate in the Secure Private Access user interface.

      openssl x509 -in /Users/t_abhishes2/Downloads/cert12.crt out/Users/t_abhishes2/Downloads/cer_pem12_ao.pem

  4. Create a TCP/UDP application to access Active Directory as a TCP/UDP server. For example, Active Directory domain, IP address, and Ports. This is for Windows user logon with AD credentials. For details on creating a TCP/UDP app, see Admin Configuration – Citrix Secure Access client-based access to TCP/UDP apps.
  5. Create additional applications if needed to be accessed before Windows Logon and before user-level tunnel migration.
  6. Create an access policy and provide access for the domain joined machine or its AD group.

    1. In the Secure Private Access admin console, click Access Policies, and then click Create Policy.
    2. Enter the policy name and description of the policy.
    3. In Applications, select the app or set of apps for which this policy must be enforced.
    4. Click Create Rule to create rules for the policy.

      • Enter the rule name and a brief description of the rule, and then click Next.
      • In the Rule scope, select Machine.

        Note:

        When you select a machine, the access privileges are limited as the machine-level tunnel is based on single-factor authentication.

      • Select the matching condition, and the domain, and search for the machine/groups to which the policy must be applied. Add more conditions if needed. When finished, click Next.
        • Matches any of – Only the machines/groups that match any of the names listed in the field and belonging to the selected domain are allowed access.
        • Does not match any – All machines/groups except those listed in the field and belonging to the selected domain are allowed access.

          Always on policy

  7. Select one of the following actions to be applied based on the condition evaluation.

    • Allow access
    • Deny access
  8. Click Next, and then click Finish.

  9. (Optional) Create additional rules for the geo-location and network location, and so on. For details, see Configure an access policy.

    The policy is listed on the Access Policies page. A priority order is assigned to the policy, by default. The priority with a lower value has the highest preference. The policy with the lowest priority number is evaluated first. If the policy does not match the conditions defined, the next policy is evaluated. If the conditions match, the other policies are skipped.

Connector Appliance Configuration

Connector Appliance performs device certificate validation, certificate revocation check (CRL), and device object verification for Always On Device certificate authentication. Connector Appliance must be domain joined to the Active Directory domain for Device certificate authentication to be supported.

Client configuration

  • The Windows machine that needs Always On support must be domain joined to Active Directory or Entra ID hybrid.
  • The Windows machine must enroll a device certificate from the Enterprise Certificate Authority for Secure Private Access Always On.
  • The device certificate attributes must include the following details.

    • The issuer name in the device certificate must match the common name of the CA certificate uploaded to the Secure Private Access admin console.

      Always on CA issuer name

    • Subject must contain the common name of the computer.

      Always on the subject name

    • Subject Alternate Name (SAN) must contain the UPN of the computer.

      Always on SAN

    • CRL distribution point must contain the appropriate LDAP URL.

      Always on CRL DP

    • The certification path must be appropriate to the certificate authority chain.

      Always on CRL DP

  • Install the Citrix Secure Access client for Always On.

  • The following registries must be created on the client to enable Always On before Windows Logon.

    • CloudAlwaysOnURL in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

      Registry Type - STRING

      Registry Value - <Customer Workspace FQDN> (For example, company.cloud.com)

    • AlwaysOnService in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

      Registry Type - DWORD

      Registry Value - 0x00000002

Configure Always On after Windows Logon (machine/user tunnel)

After successful Windows Logon, the machine tunnel continues until the user login is successful with the Citrix Secure Access client.

  • If user auto login is successful, the machine tunnel is migrated to a user tunnel.
  • If user auto login fails, the machine tunnel continues.
  • If the user tunnel gets disconnected, the connection automatically falls back to the machine tunnel.

User Autologon after Windows Logon is supported for the following authentication methods in the Workspace authentication configuration.

  • Workspace authentication with Active Directory (with no second factor) - AD credential SSO
  • Workspace authentication with Citrix Gateway/Adaptive Auth configured with Kerberos SSO
  • Workspace authentication with Azure Active Directory (SSO with Primary Refresh Token (PRT) of Microsoft Entra authentication).

Note:

Disable ADFS by navigating to Workspace Configuration\Customize\Preferences-Federated Identity Provider Sessions and disable the toggle.

Limitations

  • Computer UPN host name must not exceed 15 characters.
  • Windows Auto Logon (First Time User (FTU)) case is supported only if the machine is domain joined and the device certificate is present.
  • The Always On before Windows Logon feature is supported only on Windows 10 or later versions.
  • The Always On before Windows Logon feature is not supported for Windows Server Operating Systems.
  • The Always On before Windows Logon feature is not supported with Cloud Connector. Even if you have not selected Connector Appliance as a preferred connector, the machine tunnel traffic goes via Connector Appliance.

References

Always On before Windows Logon