Authenticate using different domains

Some organizations have policies in place that do not allow you to give third-party developers or contractors access to published resources in a production environment. This article shows you how to give access to published resources in a test environment by authenticating through NetScaler Gateway with one domain. You can then use a different domain to authenticate to StoreFront and the Receiver for Web site. Authentication through NetScaler Gateway described in this article is supported for users logging on through the Receiver for Web site. This authentication method is not supported for users of native desktop or mobile Citrix Receivers.

Set up a test environment

This example uses a production domain called production.com and a test domain called development.com.

production.com domain

The production.com domain in this example is set up as follows:

  • NetScaler Gateway with production.com LDAP authentication policy configured.
  • Authentication through the gateway occurs using a production\testuser1 account and password.

development.com domain

The development.com domain in this example is set up as follows:

  • StoreFront, XenApp and XenDesktop 7.0 or higher and VDAs are all on the development.com domain.
  • Authentication to the Citrix Receiver for Web site occurs using a development\testuser1 account and password.
  • There is no trust relationship between the two domains.

Configure a NetScaler Gateway for the store

To configure a NetScaler Gateway for the store:

  1. Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage NetScaler Gateways.
  2. On the Manage NetScaler Gateways screen, click Add.
  3. Complete the General Settings, Secure Ticket Authority, and Authentication steps.

Note:

DNS conditional forwarders may need to be added so that the DNS servers in use on both domains can resolve FQDNs on the other domain. The NetScaler must be able to resolve the STA server FQDNs on the development.com domain using its production.com DNS server. StoreFront should also be able to resolve the callback URL on the production.com domain using its development.com DNS server. Alternatively, a development.com FQDN can be used which resolves to the NetScaler Gateway vServer virtual IP (VIP).
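The following PowerShell script is an added example (it is not part of the Citrix documentation) that checks the two-way DNS prerequisite described in the note. It assumes Resolve-DnsName is available on the Windows host running it; the DNS server addresses, STA FQDNs and callback URL are constructed placeholders.

```powershell
# Added example, not from the Citrix documentation: checks the cross-domain DNS
# prerequisite described in the note above. All server addresses, FQDNs and
# the callback URL below are constructed placeholders; substitute your own.
function Test-CrossDomainResolution {
    param(
        [Parameter(Mandatory)] [string]   $DnsServer,  # resolver the querying host uses
        [Parameter(Mandatory)] [string[]] $Names,      # bare FQDNs or full URLs
        [string] $Label = ''
    )
    foreach ($n in $Names) {
        # A full URL (such as the callback URL) is reduced to its host part.
        $hostName = if ($n -match '^https?://') { ([System.Uri]$n).Host } else { $n }
        try {
            $answer = Resolve-DnsName -Name $hostName -Server $DnsServer -Type A -DnsOnly -ErrorAction Stop
            $ips = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
            [pscustomobject]@{
                Check = $Label; Name = $hostName; Server = $DnsServer
                Resolved = ($ips.Count -gt 0); Detail = ($ips -join ', ')
            }
        } catch {
            [pscustomobject]@{
                Check = $Label; Name = $hostName; Server = $DnsServer
                Resolved = $false; Detail = $_.Exception.Message
            }
        }
    }
}

# Direction 1: StoreFront (development.com) must resolve the gateway callback
# URL on production.com through the development.com DNS server.
$fromStoreFront = @{
    Label     = 'StoreFront -> production.com'
    DnsServer = '10.0.2.10'                                   # placeholder: development.com DNS
    Names     = 'https://gateway.production.com/CitrixAuthService/AuthService.asmx'  # placeholder
}
# Direction 2: the NetScaler (production.com) must resolve the STA servers on
# development.com. The NetScaler cannot run this script, so the query is sent
# to its production.com DNS server from the Windows host running the check.
$fromGateway = @{
    Label     = 'NetScaler -> development.com'
    DnsServer = '10.0.1.10'                                   # placeholder: production.com DNS
    Names     = 'ddc01.development.com', 'ddc02.development.com'  # placeholder STA FQDNs
}

$report = @(Test-CrossDomainResolution @fromStoreFront) + @(Test-CrossDomainResolution @fromGateway)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Resolved }) {
    Write-Warning 'Add DNS conditional forwarders for the unresolved names before proceeding.'
}
```

Run it from the StoreFront server so that the development.com query reflects the resolver StoreFront actually uses; any row with Resolved = False identifies a name that still needs a conditional forwarder.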

Enable pass-through from NetScaler Gateway

  1. Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Authentication Methods.
  2. On the Manage Authentication Methods screen, select Pass-through from NetScaler Gateway.
  3. Click OK.

Configure the store for remote access using the Gateway

  1. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Remote Access Settings.
  2. Select Enable Remote Access.
  3. Ensure that you have registered the NetScaler Gateway with your store. If you do not register the NetScaler Gateway, the STA ticketing will not work.

Disable token consistency

  1. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Store Settings.
  2. On the Configure Store Settings page, select Advanced Settings.
  3. Clear the Require token consistency check box. For more information, see Advanced store settings.
  4. Click OK.

Note:

The Require token consistency setting is selected (on) by default. If you disable this setting, SmartAccess features used for NetScaler End Point Analysis (EPA) stop working. For more information on SmartAccess, see CTX138110.

Disable pass-through from NetScaler Gateway for the Receiver for Web site

Important:

Disabling pass-through from NetScaler Gateway prevents Receiver for Web from trying to use the production.com credentials passed on by NetScaler, which are not valid in the development.com domain. With pass-through disabled, Receiver for Web prompts the user to enter credentials instead. These credentials are different from the credentials used to log on through the NetScaler Gateway.

  1. Select the Stores node in the left pane of the Citrix StoreFront management console.
  2. Select the store that you want to modify.
  3. In the Actions pane, click Manage Receiver for Web Sites.
  4. In Authentication Methods, clear the Pass-through from NetScaler Gateway check box.
  5. Click OK.

Log on to Gateway using a production.com user and credentials

To test, log on to Gateway using a production.com user and credentials.

After logon, the user is prompted to enter development.com credentials.

Add a trusted domain drop-down list in StoreFront (optional)

This setting is optional, but it may help prevent the user from accidentally entering the wrong domain to authenticate through the NetScaler Gateway.

If the user name is the same for both domains, entering the wrong domain is more likely. New users may also be used to leaving out the domain when they log on through the NetScaler Gateway. Users may then forget to enter domain\username for the second domain when they are prompted to log on to the Receiver for Web site.

  1. Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Authentication Methods.
  2. Select the drop-down arrow next to User name and password.
  3. Click Add to add development.com as a trusted domain, and select the Show domains list in logon page check box.
  4. Click OK.

Note:

Browser password caching is not recommended in this authentication scenario. If users have different passwords for the two different domain accounts, password caching can lead to a poor experience.

NetScaler clientless VPN (CVPN) session action policy

  • If Single Sign-on to web applications is enabled within your NetScaler session policy, the production.com credentials that NetScaler sends to Receiver for Web are ignored, because you disabled the Pass-through from NetScaler Gateway authentication method on the Receiver for Web site. Receiver for Web prompts for credentials regardless of how this option is set.
  • Populating the Single Sign-on entries in the Client Experience and Published App tabs in NetScaler does not change the behavior described in this article.
