Configure Citrix Gateway and StoreFront for Delegated Forms Authentication (DFA)
Extensible authentication provides a single customization point for extension of the Citrix Gateway’s and StoreFront’s form-based authentication. To achieve an authentication solution using the Extensible Authentication SDK, you must configure Delegated Form Authentication (DFA) between the Citrix Gateway and StoreFront. The Delegated Forms Authentication protocol allows generation and processing of authentication forms, including credential validation, to be delegated to another component. For example, Citrix Gateway delegates it authentication to StoreFront, which then interacts with a third party authentication server or service.
Configuring Delegated Forms Authentication on Citrix Gateway is described in CTX200383.
Installation recommendations
- To ensure communication between the Citrix Gateway and StoreFront is protected, use HTTPS instead of HTTP protocol.
- For cluster deployment, ensure that all the nodes have the same server certificate installed and configured in IIS HTTPS binding prior to configuration steps.
- Ensure that the Citrix Gateway has the issuer of StoreFront’s server certificate as a trusted certificate authority when HTTPS is configured in StoreFront.
StoreFront cluster installation considerations
- Install a third party authentication plugin on all the nodes prior to joining them up together.
- Configure all the Delegated Forms Authentication related settings on one node and propagate the changes to the others. See the “Enable Delegated Forms Authentication.”
Enable Delegated Forms Authentication
Because there is no GUI to set up Citrix pre-shared key setting in StoreFront, use the PowerShell console to install Delegated Forms Authentication.
-
Install Delegated Forms Authentication. It is not installed by default and you need to install it using the PowerShell console.
PS C:\Users\administrator.PTD.000> cd 'C:\Program Files\Citrix\Receiver StoreFront\Scripts' PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> & .\ImportModules.ps1 Adding snapins Importing modules Loading 'C:\Program Files\Citrix\Receiver StoreFront\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll' Loading 'C:\Program Files\Citrix\Receiver StoreFront\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll' PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Install-DSDFAServer Id : bf694fbc-ae0a-4d56-8749-c945559e897a ClassType : e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc FrameworkController : Citrix.DeliveryServices.Framework.FileBased.FrameworkController ParentInstance : 8dd182c7-f970-466c-ad4c-27a5980f716c RootInstance : 5d0cdc75-1dee-4df7-8069-7375d79634b3 TenantId : 860e9401-39c8-4f2c-928d-34251102b840 Data : {} ReadOnlyData : {[Name, DelegatedFormsServer], [Cmdlet, Add-DSWebFeature], [Snapin, Citrix.DeliverySer vices.Web.Commands], [Tenant, 860e9401-39c8-4f2c-928d-34251102b840]} ParameterData : {[FeatureClassId, e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc], [ParentInstanceId, 8dd182c7-f 970-466c-ad4c-27a5980f716c], [TenantId, 860e9401-39c8-4f2c-928d-34251102b840]} AdditionalInstanceDependencies : {b1e48ef0-b9e5-4697-af9b-0910062aa2a3} IsDeployed : True FeatureClass : Citrix.DeliveryServices.Framework.Feature.FeatureClass <!--NeedCopy-->
-
Add Citrix Trusted Client. Configure the shared secret key (passphrase) between StoreFront and the Citrix Gateway. Your passphrase and client ID must be identical to what you configured on the Citrix Gateway.
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Add-DSCitrixPSKTrustedClient -clientId netscaler.fqdn.com -passphrase secret <!--NeedCopy-->
-
Set the Delegated Forms Authentication conversation factory to route all the traffic to the custom form. To find the conversation factory, look for ConversationFactory in C:\inetpub\wwwroot\Citrix\Authentication\web.config.This is an example of what you might see.
<example connectorURL="http://Example.connector.url:8080/adapters-sf-aaconnector-webapp"> <routeTable order="1000"> <routes> <route name="StartExampleAuthentication" url="Example-Bridge-Forms/Start"> <defaults> <add param="controller" value="ExplicitFormsAuthentication" /> <add param="action" value="AuthenticateStart" /> <add param="postbackAction" value="Authenticate" /> <add param="cancelAction" value="CancelAuthenticate" /> <add param="conversationFactory" value="ExampleBridgeAuthentication" /> <add param="changePasswordAction" value="StartChangePassword" /> <add param="changePasswordController" value="ChangePassword" /> <add param="protocol" value="CustomForms" /> </defaults> </route> <!--NeedCopy-->
-
In PowerShell, set the Delegated Forms Authentication conversation factory. In this example, to ExampleBridgeAuthentication.
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Set-DSDFAProperty -ConversationFactory ExampleBridgeAuthentication <!--NeedCopy-->
PowerShell arguments are not case-sensitive: -ConversationFactory is identical to -conversationfactory.
Uninstall StoreFront
Before you uninstall StoreFront, uninstall any third party authentication plugin, as it will impact the functionality of StoreFront.