PoC Guide: Microsoft Azure Active Directory Federated Authentication for Citrix Virtual Apps and Desktops with NetScaler
Use of the Cloud to deliver Enterprise services continues to grow. Cloud services inherit the benefits built into cloud infrastructure including resiliency, scalability, and global reach. Azure Active Directory (AAD) is the Microsoft Azure hosted directory service and provides those same cloud benefits to Enterprises. AAD allows Enterprises to host their employee identities in the cloud and securely access services also hosted in the Cloud, or on-premises.
Citrix Virtual Apps and Desktops delivers virtual apps and desktops using resources hosted on-premises or in the Cloud. NetScaler provides secure remote access to those virtual apps and desktops, and it too can be hosted on-premises or in the Cloud. Together with the Citrix Federated Authentication Service (FAS), they can use AAD to authenticate user access to Citrix Virtual Apps and Desktops from anywhere.
The guide demonstrates how to implement a Proof of Concept environment for Microsoft AAD Federated Authentication for Citrix Virtual Apps and Desktops with NetScaler using SAML. AAD acts as the Identity Provider (IdP) while NetScaler acts as the Service Provider (SP).
It makes assumptions about the installation, or configuration of certain components:
- An Active Directory Server is installed on-premises and you can log in as Domain Admin.
- An Azure tenant is available with a P2 license and you can log in as Global Admin.
- A NetScaler appliance has been installed and licensed. It also has a NetScaler Gateway virtual server configured to provide access to an on-premises Citrix Virtual Apps and Desktops environment. Use version 13 build 60, or higher.
- A Delivery Controller, StoreFront, and VDA are installed and configured to deliver virtual apps or desktops for domain users. Use version 2006, or higher.
- A virtual machine is available, or another server has enough capacity to install FAS. The DDC, FAS, and StoreFront are all installed on the same server in this POC.
- The remote client is able to launch a virtual app or desktop using the Workspace app, or a browser. Use Windows version 188.8.131.52 (2006), or higher.
AD and AAD Config
To configure Active Directory (AD) and Azure Active Directory (AAD) perform the following steps:
- Log in to your AD domain controller.
- Open Server Manager > Tools > Active Directory Domains and Trusts
- Right-click Active Directory Domains and Trusts, select Properties, and enter a UPN suffix for users that corresponds to one of your AAD domains.
- On your AD domain controller open Server Manager > Tools > Active Directory Users and Computers.
- Right-click and select New > User, or edit an existing one
- Under Properties > Account set the UPN to the new Suffix.
Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. It allows us to copy AD users to AAD with a UserPrincipalName (UPN) mapped to our AAD domain.
- Log in to your AD domain controller, or other virtual server where you host the Microsoft Azure Active Directory Connect process.
- Download the executable from the Microsoft download site Microsoft Azure Active Directory Connect and launch it.
- You are prompted to accept making changes to the virtual machine and accept a license agreement on the welcome page.
- You are prompted to log in as a Global AAD admin and as a Domain Services admin.
- For installation on a single AD virtual machine you can follow the express settings. After it verifies the UPN suffixes, it performs a full sync of all users, groups, and contacts.
See using Azure AD Connect express settings for more information.
For this POC we assume you have a Certificate Authority, including Web Enrollment, installed on an AD DC. If not navigate to Server Manager > Add roles and features and follow prompts to install Active Directory Certificate Services. See Microsoft Certificate Authority Installation for more information.
- Next launch MMC
- Select Add/Remove Snap-in > Certificates > Computer Account > Ok
- Right-click Personal > All Tasks > Request New Certificate
- Click Next and select Active Directory Enrollment Policy
- Select Domain Controller Authentication and click Enroll
- Log in to the Azure Portal as a global admin
- Navigate to Azure Active Directory > Enterprise Applications
- Select New application
- Select Non-gallery application
- Enter a unique name and select Add
- Select single sign-on > SAML and select the pencil icon to edit the Basic SAML Configuration
- Enter the FQDN of the NetScaler gateway virtual server in the Identifier field.
- Enter the same FQDN followed by the path /cgi/samlauth in the Reply URL field
- Click save
- Capture the following to be entered in the NetScaler SAML configuration:
  - Under SAML Signing Certificate - download Certificate (base64)
  - Under Setup Citrix FAS - Login & Logout URL
- Select Users and groups > Add user and select existing users, or groups that have access to Citrix Virtual Apps and Desktops using their AAD UPN
To configure the NetScaler perform the following steps:
- Log in to the NetScaler UI
- Navigate to Traffic Management > SSL > Certificates > All Certificates to verify you have your domain certificate installed. In this POC example we used a wildcard certificate corresponding to our Active Directory domain. See NetScaler SSL certificates for more information.
- Navigate to Security > AAA - Application Traffic > Virtual Servers and select Add
- Enter the following fields and click OK:
  - Name - a unique value
  - IP Address Type - Non-Addressable
- Select No Server Certificate, select the domain certificate, click Select, Bind, and Continue
- Select No Authentication Policy, and select Add
- Enter a name, set Action Type to SAML, and select Add Action
- Enter the following fields and click OK:
  - Name - a unique value
  - Unselect Import Metadata
  - Redirect URL - paste the Login URL copied from the AAD config
  - Single Logout URL - paste the Logout URL copied from the AAD config
  - Logout binding - Redirect
  - IdP Certificate Name - select Add, enter a name, select Certificate File Name > local, and select the SAML Signing Certificate (base64) downloaded from AAD. NetScaler uses this certificate to verify the signature on assertions returned by AAD.
  - Signing Certificate Name - select the domain certificate the ADC uses to sign requests to AAD.
  - Issuer Name - enter the FQDN of the NetScaler Gateway
- Select create to create the action
- Enter true for the expression
- Select create again to create the policy
- Select bind to bind the policy to the Virtual Server
- Click continue to complete the configuration of the authentication virtual server
- Next navigate to NetScaler Gateway > Virtual Servers, and edit the pertinent virtual server
- If an existing basic policy is bound under Basic Authentication, select it, check the policy, select Unbind, confirm, and close.
- From the menu on the right select Authentication Profile, and select Add. Enter a name, and click the right arrow under Authentication Virtual Server. Select the authentication virtual server you created above, and click Create.
- Click OK to complete binding the NetScaler AAA virtual server to the Gateway virtual server.
- Navigate to NetScaler Gateway > Policies > Session, select the Workspace app policy with the “Citrix Receiver” expression, and make the following changes:
  - Under Published Applications clear the Single Sign-on Domain field, and clear Global Override
  - Under Client Experience, from the Credential Index drop-down list select Secondary
- Repeat those steps for the Workspace for web policy, whose expression negates the “Citrix Receiver” match (it ends in .NOT)
See NetScaler for more information.
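The NetScaler steps above, expressed as the equivalent CLI commands. This is an added illustration and not part of the original guide or Citrix documentation; every object name (aad_idp_cert, wildcard_cert, aad_saml_act, aad_aaa_vs, aad_saml_pol, aad_authn_profile, gw_vs, gw_receiver_session_act), the gateway FQDN, the certificate file path and the <tenant-id> placeholders are assumptions, and the lines beginning with # are annotations for the reader rather than commands.

```text
# Assumed names throughout; replace <tenant-id> with the Login/Logout URLs captured from AAD.
# 1. Import the AAD SAML signing certificate (public certificate only, no key).
#    This is what the ADC uses to verify the signature on every assertion AAD returns.
add ssl certKey aad_idp_cert -cert "/nsconfig/ssl/aad_signing_cert.cer"

# 2. SAML action: AAD is the IdP, the Gateway FQDN is the SP issuer.
#    Requests are signed with the domain certificate, unsigned assertions are
#    rejected, and SHA-256 is used for both the signature and the digest.
add authentication samlAction aad_saml_act -samlIdPCertName aad_idp_cert -samlSigningCertName wildcard_cert -samlRedirectUrl "https://login.microsoftonline.com/<tenant-id>/saml2" -logoutURL "https://login.microsoftonline.com/<tenant-id>/saml2" -logoutBinding REDIRECT -samlIssuerName "https://gateway.example.com" -signatureAlg RSA-SHA256 -digestMethod SHA256 -samlRejectUnsignedAssertion ON

# 3. Non-addressable AAA virtual server (0.0.0.0) with the domain certificate bound.
add authentication vserver aad_aaa_vs SSL 0.0.0.0
bind ssl vserver aad_aaa_vs -certkeyName wildcard_cert

# 4. Advanced authentication policy with the "true" expression, bound to the AAA vserver.
add authentication Policy aad_saml_pol -rule true -action aad_saml_act
bind authentication vserver aad_aaa_vs -policy aad_saml_pol -priority 100

# 5. Hand authentication for the Gateway virtual server to the AAA vserver.
add authentication authnProfile aad_authn_profile -authnVsName aad_aaa_vs
set vpn vserver gw_vs -authnProfile aad_authn_profile

# 6. Session action for the Workspace app policy: FAS logon uses the secondary
#    credential index and no single sign-on domain is set. Repeat for the web policy.
set vpn sessionAction gw_receiver_session_act -ssoCredential SECONDARY
unset vpn sessionAction gw_receiver_session_act -ntDomain

# Read the objects back to confirm what was actually applied before testing a logon.
show authentication samlAction aad_saml_act
show vpn vserver gw_vs
```

Comparing the output of the two show commands against the values captured from AAD is the quickest way to catch a mismatched issuer or reply URL before the first logon attempt.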
Citrix Virtual Apps and Desktops Config
To integrate Citrix Virtual Apps and Desktops components with FAS perform the following steps:
- Open PowerShell as an administrator, and run:

  # Load the StoreFront PowerShell modules
  Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
  # Virtual path of the store to enable FAS on
  $StoreVirtualPath = "/Citrix/Store"
  $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
  $auth = Get-STFAuthenticationService -StoreService $store
  # Use the FAS claims factory and FAS logon data provider for this store
  Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
  Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

See Enable the FAS plug-in on StoreFront stores for more information.
- Log in to the StoreFront virtual machine (which also hosts FAS, and the DDC in our POC), and launch the StoreFront GUI
- Select Manage Authentication Methods from the menu on the right
- Select Pass-through from NetScaler Gateway
- Select the down arrow next to the gear, and select Configure Delegated Authentication
- Check Fully delegate credential validation to NetScaler Gateway, and click OK twice
- Select Manage Citrix Gateways from the menu on the right
- Edit the pertinent NetScaler Gateway entry
- Under Authentication Settings, configure the Callback URL if it is not already set. Typically you update the internal DNS or, for a single StoreFront instance, the local hosts file so that the Gateway virtual server FQDN resolves to its private IP
Next configure the Desktop Delivery Controller (DDC) to trust the StoreFront servers that connect to it.
- Open PowerShell as an administrator, and run:

  # Load the Citrix snap-ins (only needed if they are not already loaded)
  Add-PSSnapin Citrix*
  # Trust XML service requests from StoreFront
  Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

See Install and set up FAS and Configure the Delivery Controller for more information.
Citrix Federated Authentication Service Config
To configure FAS perform the following steps:
- Load the Citrix Virtual Apps and Desktops ISO image on the FAS Virtual Machine
- Select FAS to begin the installation
- Read the Citrix License Agreement & click Next
- Select the installation directory & click Next
- Update the host firewall to allow port 80 & click Next
- Click Finish
- Review the settings you made & click Install
- After installation succeeds, click Finish again.
- Under “C:\Program Files\Citrix\Federated Authentication Service” copy the contents of the PolicyDefinitions directory, and its “en-us” subdirectory
- Paste them to the Domain Controller at C:\Windows\PolicyDefinitions, and ..\en-US respectively.
- Open Server Manager > Tools > Group Policy Management
- a. Right-click to create new, or edit an existing Group Policy Object that applies to all pertinent VDAs, and Delivery Controllers. (We use the Default Domain Controllers policy for the POC. For production you would typically create a new policy, or edit another pertinent policy.)
- b. Navigate to Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication
- c. Right-click on Federated Authentication Service
- d. Select edit
- e. Select Show DNS
- f. Enter the FQDN of the FAS server, click OK twice, and close the Group Policy Management editor
- g. Navigate to each Delivery Controller and VDA, open a command prompt as Administrator, and run
- h. To verify that the policy has been applied, open regedit.exe, navigate to Computer\HKLM\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses, and confirm the Address1 entry is set to the FQDN applied through the GPO. If it does not appear you may need to reboot the respective virtual machine.
- i. Next return to the FAS virtual machine to begin the service installation. (We host FAS, StoreFront, and the DDC on the same VM for the POC. For production you would typically host them on different VMs for improved scalability, and supportability.)
- j. Run the Citrix Federated Authentication Service program. Select each of the five steps in sequence, and follow the instructions:
  - i. Deploy certificate templates
  - ii. Set up a certificate authority
  - iii. Authorize this service - for this step return to the CA to issue the pending request. The CA is hosted on the Domain Controller in this POC example.
  - iv. Create Rule - here specify the CA, and the certificate template already configured. Also filter the VDAs, and users that are allowed to use the FAS service.
  - v. (Connect to Citrix Cloud - not used in this guide, which uses on-premises Citrix Virtual Apps and Desktops)
See FAS documentation for more information.
Citrix Workspace client validation
To validate the POC perform the following steps:
- Open a browser, and navigate to the domain FQDN managed by the NetScaler. Notice that the NetScaler Gateway redirects to AAD.
- Log in with the UPN of a user configured to be part of the FAS environment
- Verify that the user's virtual apps and desktops are enumerated and launch once the user has logged in with the UPN of the AAD user object
Citrix Virtual Apps and Desktops has been a resilient technology for decades. Cloud hosted identity offers enterprises an even more reliable service. Implementing the POC described in this guide demonstrates how to achieve that by integrating AAD as the IdP and NetScaler as the Service Provider. To learn more about Citrix pricing and packaging visit the Citrix website Citrix.com, and to learn more about Citrix technical capabilities visit Citrix TechZone.