Configure NetScaler and StoreFront for Delegated Forms Authentication (DFA)

May 22, 2017

Extensible authentication provides a single customization point for extending the form-based authentication of NetScaler and StoreFront. To achieve an authentication solution using the Extensible Authentication SDK, you must configure Delegated Forms Authentication (DFA) between NetScaler and StoreFront. The Delegated Forms Authentication protocol allows the generation and processing of authentication forms, including credential validation, to be delegated to another component. For example, NetScaler delegates its authentication to StoreFront, which then interacts with a third-party authentication server or service.

Installation recommendations

  • To ensure that communication between NetScaler and StoreFront is protected, use HTTPS rather than HTTP.
  • For a cluster deployment, ensure that all the nodes have the same server certificate installed and configured in the IIS HTTPS binding before you begin the configuration steps.
  • When HTTPS is configured in StoreFront, ensure that NetScaler has the issuer of StoreFront's server certificate as a trusted certificate authority.

StoreFront cluster installation considerations

  • Install the third-party authentication plugin on all the nodes before joining them together.
  • Configure all the Delegated Forms Authentication related settings on one node and propagate the changes to the others. See "Enable Delegated Forms Authentication."

Enable Delegated Forms Authentication

Because there is no GUI to set up the Citrix pre-shared key setting in StoreFront, use the PowerShell console to install Delegated Forms Authentication.

  1. Install Delegated Forms Authentication. It is not installed by default and you need to install it using the PowerShell console.
    PS C:\Users\administrator.PTD.000> cd 'C:\Program Files\Citrix\Receiver StoreFront\Scripts' 
    PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> & .\ImportModules.ps1 
    Adding snapins 
    Importing modules 
    Loading 'C:\Program Files\Citrix\Receiver StoreFront\\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll' 
    Loading 'C:\Program Files\Citrix\Receiver StoreFront\\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll' 
    PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Install-DSDFAServer 
    Id                             : bf694fbc-ae0a-4d56-8749-c945559e897a 
    ClassType                      : e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc 
    FrameworkController            : Citrix.DeliveryServices.Framework.FileBased.FrameworkController 
    ParentInstance                 : 8dd182c7-f970-466c-ad4c-27a5980f716c 
    RootInstance                   : 5d0cdc75-1dee-4df7-8069-7375d79634b3 
    TenantId                       : 860e9401-39c8-4f2c-928d-34251102b840 
    Data                           : {} 
    ReadOnlyData                   : {[Name, DelegatedFormsServer], [Cmdlet, Add-DSWebFeature], [Snapin, Citrix.DeliverySer 
                                     vices.Web.Commands], [Tenant, 860e9401-39c8-4f2c-928d-34251102b840]} 
    ParameterData                  : {[FeatureClassId, e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc], [ParentInstanceId, 8dd182c7-f 
                                     970-466c-ad4c-27a5980f716c], [TenantId, 860e9401-39c8-4f2c-928d-34251102b840]} 
    AdditionalInstanceDependencies : {b1e48ef0-b9e5-4697-af9b-0910062aa2a3} 
    IsDeployed                     : True 
    FeatureClass                   : Citrix.DeliveryServices.Framework.Feature.FeatureClass 
  2. Add Citrix Trusted Client. Configure the shared secret key (passphrase) between StoreFront and NetScaler. Your passphrase and client ID must be identical to what you configured in NetScaler.
    PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Add-DSCitrixPSKTrustedClient -clientId <clientId> -passphrase secret
  3. Set the Delegated Forms Authentication conversation factory to route all the traffic to the custom form. To find the conversation factory, look for ConversationFactory in C:\inetpub\wwwroot\Citrix\Authentication\web.config. This is an example of what you might see.
    <example connectorURL="http://Example.connector.url:8080/adapters-sf-aaconnector-webapp">
        <routeTable order="1000">
            <route name="StartExampleAuthentication" url="Example-Bridge-Forms/Start">
                <add param="controller" value="ExplicitFormsAuthentication" />
                <add param="action" value="AuthenticateStart" />
                <add param="postbackAction" value="Authenticate" />
                <add param="cancelAction" value="CancelAuthenticate" />
                <add param="conversationFactory" value="ExampleBridgeAuthentication" />
                <add param="changePasswordAction" value="StartChangePassword" />
                <add param="changePasswordController" value="ChangePassword" />
                <add param="protocol" value="CustomForms" />
            </route>
        </routeTable>
    </example>
  4. In PowerShell, set the Delegated Forms Authentication conversation factory. In this example, it is set to ExampleBridgeAuthentication.
    PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Set-DSDFAProperty -ConversationFactory ExampleBridgeAuthentication

PowerShell parameter names are not case-sensitive: -ConversationFactory is identical to -conversationfactory.
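
The following check is an added example, not part of the Citrix documentation or SDK. It reads the conversationFactory values out of a web.config (step 3), confirms that the name you intend to pass to Set-DSDFAProperty (step 4) is defined there, and lists attributes that hold http:// URLs so they can be reviewed against the HTTPS recommendation. The function names and the inline sample (a shortened, closed copy of the excerpt in step 3) are constructed for illustration.

```powershell
# Added example (not Citrix code); function names are hypothetical helpers.
function Get-DfaConversationFactory {
    param([Parameter(Mandatory)] [xml] $Config)
    # XPath is case-sensitive, so select every <add param=...> and let
    # PowerShell's case-insensitive -eq match the param name.
    Select-Xml -Xml $Config -XPath '//add[@param]' |
        Where-Object { $_.Node.param -eq 'conversationFactory' } |
        ForEach-Object {
            $route = $_.Node.ParentNode
            [pscustomobject]@{
                Route               = $route.GetAttribute('name')
                Url                 = $route.GetAttribute('url')
                ConversationFactory = $_.Node.GetAttribute('value')
            }
        }
}

function Test-DfaConversationFactory {
    param([Parameter(Mandatory)] [xml] $Config,
          [Parameter(Mandatory)] [string] $Name)
    # Assumption: compare values with exact case, the conservative choice,
    # since only parameter names are known to be case-insensitive.
    $names = @(Get-DfaConversationFactory -Config $Config |
        ForEach-Object { $_.ConversationFactory })
    return ($names -ccontains $Name)
}

function Get-CleartextUrlAttribute {
    param([Parameter(Mandatory)] [xml] $Config)
    # Every attribute whose value is an http:// URL, as element/@attribute = value.
    Select-Xml -Xml $Config -XPath '//@*' |
        Where-Object { $_.Node.Value -like 'http://*' } |
        ForEach-Object { '{0}/@{1} = {2}' -f $_.Node.OwnerElement.Name, $_.Node.Name, $_.Node.Value }
}

# Constructed sample: a shortened copy of the excerpt in step 3, closed so it parses.
[xml]$sample = @'
<example connectorURL="http://Example.connector.url:8080/adapters-sf-aaconnector-webapp">
  <routeTable order="1000">
    <route name="StartExampleAuthentication" url="Example-Bridge-Forms/Start">
      <add param="conversationFactory" value="ExampleBridgeAuthentication" />
    </route>
  </routeTable>
</example>
'@
Get-DfaConversationFactory -Config $sample | Format-List
Test-DfaConversationFactory -Config $sample -Name 'ExampleBridgeAuthentication'
Get-CleartextUrlAttribute -Config $sample
```

On a StoreFront server, load the real file with `[xml](Get-Content 'C:\inetpub\wwwroot\Citrix\Authentication\web.config' -Raw)` and pass it as -Config.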

Uninstall StoreFront

Before you uninstall StoreFront, uninstall any third-party authentication plugin, as it will impact the functionality of StoreFront.