Citrix XenApp(StoreFrontAuth) and XenDesktop with Netscaler

Citrix XenApp(StoreFrontAuth) and XenDesktop 集成 NetScaler 配置步驟

來源 https://www.carlstalhood.com/netscaler-gateway-12-storefrontauth-and-xendesktop-wizard/

參考 https://docs.citrix.com/en-us/citrix-gateway/13/integrate-with-xenapp-and-xendesktop.html

 

參考 https://discussions.citrix.com/topic/405200-urgent-netscaler-operation-not-permitted-storefront-trust-ssl-certificate-missing/

注意： ssl certkey name 必須為 ns-sftrust-certificate (此名字的certkey為內部專用證書, 不允許綁定到用戶創建的服務上, 只允許系統內部服務使用. ) , 選擇的證書文件必須為 ns-sftrust-root.cert (此證書文件是系統初始化時, 通過腳本自動生成, 用戶也可以手動調用腳本重新生成, 該證書僅供內部服務使用. )

> show vpn sfconfig
ERROR: Operation not permitted [StoreFront Trust SSL certificate is missing.]

In Netscaler GUI do:

Step 1
Traffic Management >> SSL >> Certificates >> CA certificates
- Click install
- Name: ns-sftrust-certificate
- Select from Appliance, choose ns-sftrust-root.cert

Step 2
From CLI to verify do:
> show vpn sfconfig
Created /var/download/GatewayConfig.zip, it is available for download via the web management interface.
Done
> 

#filename: rc.local.start
#filepath: /flash/nsconfig/

# NOTE: add ns-sftrust-certificate internal ssl certkey command 
# Because this command will not write to the configuration file 
# This command needs to be executed every time the system starts 
# You can use this command(show vpn sfconfig) to check whether the certificate is valid
# After the built-in certificate is added, it cannot be deleted
/netscaler/nscli -s -U %%:nsroot:. add ssl certKey ns-sftrust-certificate -cert ns-sftrust-root.cert

 

1. 從文件導入 NetScaler Gateway 設備配置

 

2. 在策略中允許WebSocket連接，因為 Receiver html5 方式訪問需要WebSocket支持。

 

3. 應用商店URL設置為SSL加密連接, 身份驗證方法僅啟用[用戶名和密碼][HTTP基本認證][從 NetScaler Gateway 直通]三種方式，並啟用統一體驗。

遠程訪問方式為: 已啟用(完整的VPN通道)

 

4. 設置Receiver部署方式為[如果本地Receiver不可用, 則使用Receiver for HTML5]

 

5. 應用商店設置中，啟用套接字池，默認不啟用。

 

在PC上使用NetScaler上Gateway vServer 的VIP對應的域名 https://sfwan.mtestadp.com/ 進行登錄。

 

在移動設備上使用NetScaler上Gateway vServer 的VIP對應的域名 https://sfwan.mtestadp.com/ 進行登錄。

在NetScaler上的Gateway vServer 上配置以下命令, 指明內網應用網段和給客戶端使用的內網IP池, 以及在會話中開啟VPN模式支持

add vpn intranetApplication Intranet ANY 192.168.185.0 -netmask 255.255.255.0 -destPort 1-65535 -interception TRANSPARENT
bind vpn vserver _XD_10.0.100.101_443 -intranetApplication Intranet
bind vpn vserver _XD_10.0.100.101_443 -intranetIP 192.168.185.80 255.255.255.248

set vpn  sessionaction AC_OS_10.0.100.101 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -clientlessVpnMode ON
set vpn  sessionaction AC_WB_10.0.100.101 -transparentInterception ON -defaultAuthorizationActioion ALLOW -SSO ON -ClientChoices ON -clientlessVpnMode ON

 

 

XenApp(StoreFrontAuth) and XenDesktop Wizard – NetScaler Gateway 12 / Citrix Gateway 12.1

總覽

NetScaler Gateway 12和Citrix Gateway 12.1及更高版本支持一種稱為StoreFrontAuth的新身份驗證形式，該形式將Active Directory身份驗證委派給StoreFront服務器。StoreFrontAuth替換Citrix Gateway上的LDAP。您通常不需要兩者。

• StoreFrontAuth使用nFactor，這意味着Citrix ADC必須獲得高級版（以前稱為企業版）或鉑金版（以前稱為白金版）的許可。

啟用S​​toreFrontAuth的最簡單方法是使用XenApp和XenDesktop向導。該向導使您可以從幾種不同的身份驗證方法中進行選擇，包括多重身份驗證。

• 或者，您可以在nFactor中手動配置StoreFrontAuth並將AAA vServer綁定到網關vServer。有關手動配置nFactor的內容，請參閱 NetScaler 網關授權直連到 StoreFront 。

先決條件

許可證 –確保設備已獲得Advanced Edition（以前稱為Enterprise Edition）或Premium Edition（以前稱為Platinum Edition）的許可。

DNS服務器 – 確保在Citrix ADC上配置了DNS服務器。

該向導將創建一個全新的網關虛擬服務器。您將需要以下內容：

• 網關的DNS名稱(FQDN)
• 網關的VIP
• 網關的證書

到StoreFront服務器的URL – 必須通過Citrix ADC SNIP和NSIP可以訪問StoreFront

• 要檢索商店列表，NSIP必須能夠訪問StoreFront URL
• StoreFront必須為3.11版或更高版本

RADIUS – 如果要進行多因素身份驗證，則需要RADIUS信息，包括將Citrix ADC NSIP和/或SNIP添加為RADIUS客戶端。

另請參閱Citrix CTX223882 常見問題解答–使用NetScaler Gateway在StoreFront上配置身份驗證

XenApp and XenDesktop Wizard ( XenApp和XenDesktop向導 )

1. 在Citrix ADC中，單擊  左下方的 XenApp and XenDesktop Wizard ( XenApp和XenDesktop向導 ) 。
   
   
   
2. 在右側，點擊 Get Started ( 入門 ) .
   
3. 選擇  StoreFront，然后配置  Continue ( 繼續 )
   
4. 在 Citrix Gateway 部分, 輸入新網關的FQDN .
5. 輸入新網關的VIP.
6. 選中 Redirect requests from port 80 to secure port ( 將請求從端口80重定向到安全端口 ), 然后點擊 Continue ( 繼續 ).
   
7. 在 Server Certificate (服務器證書) 部分, 如果您在此設備上已經擁有與新網關FQDN匹配的證書，請選擇它。或者，將選擇更改為 Install Certificate ( 安裝證書 )，然后導入.pfx文件。完成后，單擊  Continue ( 繼續 ).
   
8. 在 StoreFront 部分, 輸入指向StoreFront的URL，然后單擊 Retrieve Stores ( 檢索商店 ) .
   
9. 在 Receiver for Web Path 下列選項中, 選擇一個要使用的 Receiver for Web Path.
   
10. 在 Default Active Directory Domain 字段中, 輸入StoreFront服務器將接受的域名。
11. 輸入一個 Secure Ticket Authority URL , 包含 http:// 或 https://. 使用加號圖標添加多個STA服務器。STA通常是您的XenDesktop控制器。然后單擊 Test STA Connectivity ( 測試STA連接 )。
    
12. 選中 Use this StoreFront for Authentication ( 使用此StoreFront進行身份驗證 ) 並單擊 Continue ( 繼續 ).
    
13. 在 Authentication 部分, 點擊 Choose Authentication Type 的下拉選擇項, 其中有些選項是多個認證的. Multi-factor ( 多因素認證 ) 將在后面詳細介紹. 現在我們選擇 StoreFront Auth.
    
14. 單擊按鈕 Retrieve Auth Enabled Stores ( 檢索 StoreFront 授權是否啟用 )， 若 StoreFront 版本過低，不滿足功能，將無法繼續配置，並提示 StoreFront  版本不滿足需求.
    
15. 在 Authentication Service URI 下拉選項中選擇一個需要使用的URI.
    
16. 在 Domain 字段中輸入可用的默認域. 注意：此處輸入的域名必須與StoreFront允許的域名之一匹配。這將在下面的 Multiple Domains  ( 多域名 ) 部分中進行介紹.
17. 單擊  Continue ( 繼續 ).
    
18. 查看摘要顯示信息界面, 並單擊 Done ( 完成 ).
    
19. 如果未啟用默認SSL配置文件, 請轉到 Citrix Gateway > Virtual Servers, 編輯網關虛擬服務器，然后配置為默認的 SSL vServer Settings ( ssl 虛擬服務配置 ).
    
    
    
    

Portal Theme and Login Schema （ 門戶網站主題和登錄樣式 ）

1. 如果將瀏覽器指向網關URL，請注意這是一個舊主題。
   
2. 在左側，轉到 Citrix Gateway > Virtual Servers.
3. 在右側，編輯由向導創建的網關虛擬服務器。
   
4. 在右側的高級設置中, 選擇 Portal Themes ( 門戶主題 ).
   
5. 在左側，向下滾動，更改 Portal Theme ( 門戶主題 ) ，選擇 RfWebUI 或其他風格. 單擊 OK ( 確定 ).
   
6. 現在，當您訪問網關URL時，它會使用較新的主題顯示。但是，頁面中間有一個“ First Factor ”文本。我們可以解決這個問題。
   
7. 返回Citrix Gateway，在頁面中間附近，找到  Authentication Profile（身份驗證配置文件）部分。點擊鉛筆圖標。該對象啟用nFactor。
   
8. 單擊 Edit 按鈕，進入編輯 Authentication Profile (身份驗證配置文件) 設置.
   
9. 記下 AAA vServer 的名稱. 因為這里的 Edit 按鈕，無法將我們帶到對應的編輯頁面。
   
10. 返回到Citrix ADC主導航菜單，然后轉到 Security > AAA – Application Traffic > Virtual Servers 菜單節點.
11. 您會在列表中看到一個新的AAA vServer。之所以失敗，是因為沒有證書綁定到它，但是它仍然有效。如果紅色圖標困擾您，歡迎您將證書綁定到它。
12. 編輯這個 AAA vServer.
    
13. 向下滾動，然后單擊顯示 1 Login Schema 的位置
    
14. 右鍵單擊 Login Schema (登錄樣式), 然后單擊 Edit 進行編輯.
    
15. 單擊 Profile (配置文件) 旁邊的 Edit 按鈕.
    
16. 單擊 Authentication Schema 字段旁的的鉛筆圖標.
    
17. 在左側, 單擊 LoginSchema 文件夾將其打開.
    
18. 將鼠標移到  SingleAuth.xml 文件上，然后單擊下載圖標。將其保存在某處。
    
19. 下載的.xml文件。
20. 找到包含 First factor 文本的行. 然后刪除該行。用新名稱保存文件。例如保存為 SingleAuthWithoutNone.xml 
    
21. 返回到 Login Schema 對話框界面，在 Authentication Schema 字段中, 單擊上傳圖標。選擇剛才編輯的文件(SingleAuthWithoutNone.xml )，進行上傳。
    
22. 不幸的是，雖然上傳了新的 Login Schema .xml 文件，但是並沒有選擇使用。所以我們再次點擊鉛筆圖標。
    
23. 在左側，單擊新文件(SingleAuthWithoutNone.xml )以將其突出顯示。
24. 在右側，單擊藍色的 Select 按鈕.
    
25. 請注意，文件名現在已更改為新文件。單擊 OK( 確定 )。 
    
26. 再次單擊  OK ( 確定 )
    
27. 單擊 Close ( 關閉 ).
    
28. 如果將瀏覽器再次指向網關FQDN，多余的文本將消失。歡迎您對.xml文件進行其他更改。 ( First factor 復選框按鈕已經不存在了)
    

StoreFront Configuration for Gateway ( 網關的StoreFront配置 )

1. 在Citrix ADC的左下方，單擊 XenApp and XenDesktop.
   
2. 點擊右上角的 Download file ( 下載文件 ).
   
3. 在 Download StoreFront Settings 頁面上, 您可以導出所有虛擬服務器，也可以僅導出其中之一。單擊 OK ( 確定 ).
   
4. 將GatewayConfig.zip文件保存在 某處。
   
5. 在StoreFront控制台中，在左側，右鍵單擊  Stores節點，然后單擊  Manage NetScaler Gateways。
   
6. 在窗口頂部，單擊 imported from file (從文件導入)的藍色鏈接  
   
7. 單擊 Browse  (瀏覽)按鈕，然后選擇您之前保存的 GatewayConfig.zip 文件。
8. 單擊要導入的網關vServer 旁邊的 Import (導入) 按鈕。
   
9. 在 Select Logon Type 頁面上, 您可以選擇輸入SmartAccess Callback URL，該URL可以解析為在同一設備上的任何Citrix Gateway 對用戶進行身份驗證的FQDN。點擊 Verify (驗證)。
   
10. 單擊 Next ( 下一步 ).
    
11. 在 Secure Ticket Authorities 頁面上, 查看 STA 服務的列表, 並單擊 Next (下一步).
    
12. 在 Review Changes (查看更改) 頁面上, 單擊 Import (導入).
    
13.  在 Summary (摘要) 頁面上, click Finish (完成).
    
14. 單擊 Close (關閉).
    
15. 新的網關顯示在列表中。請注意，新的網關 Used by Store (由 Store 使用),因此無需親自在Store上啟用遠程訪問。單擊 Close(關閉).
    
16. 編輯新導入的Gateway對象。
    
17. 在 Secure Ticket Authority 頁面上, 選中 Enable session reliability (啟用會話可靠性). 若不啟用此選項, EDT協議將不起作用，單擊OK(確定)。
    

StoreFrontAuth and Multiple Domains ( StoreFrontAuth 和 多域名 )

The wizard configures Session Profiles with a default domain name. Multiple domains won’t work until you remove this SSON Domain.

1. At Citrix Gateway > Virtual Servers, edit the Gateway Virtual Server created by the wizard.
   
2. Scroll down, and click where it says 2 Session Policies.
   
3. Right-click each Session Policy, and click Edit Profile.
   
4. On the tab named Published Applications, uncheck the box next to Single Sign-on Domain. Click OK.
   
5. Repeat for the other Session Profile.
   

StoreFrontAuth authenticates users to StoreFront using normal StoreFront username syntax:

• username only
• Domain\username
• username@domain.suffix (aka userPrincipalName)

If no domain name is specified, StoreFrontAuth can be configured with a default domain name.

1. Go to Security > AAA > Virtual Servers, right-click the AAA vServer that has StoreFrontAuth enabled, and click Edit.

   

2. Scroll down, and click where it says 1 Authentication Policy.
   
3. Right-click the StoreFrontAuth policy, and click Edit Policy. Unfortunately, Edit Action doesn’t seem to work.
   
4. Click the Edit button next to the Action.
   
5. In the Domain field, enter a default domain name that will be used if the user does not specify a domain. Click OK.
   

Notes on domain names:

• The domain names entered by users (domain\username, or username@domain.suffix), must be accepted by StoreFront.
• The default domain name entered in the StoreFront Authentication Action must be accepted by StoreFront.
• After StoreFront Authentication authenticates the user, it sends back the user’s UPN. Citrix Gateway then uses the UPN to Single Sign-on to StoreFront. Thus, the UPN suffixes must be accepted by StoreFront.

To configure the domain names accepted by StoreFront:

1. In StoreFront Console, right-click your store, and click Manage Authentication Methods.
   
2. Click the top gear icon, and click Configure Trusted Domains.
   
3. If the selection is Any domain, then you’re good, and you don’t need to change anything.
4. If it’s set to Trusted domains only, then make sure that UPN domain suffixes are in the list.
5. To make it easier for users, add the NetBIOS domain names too. However, if you checked the box for Show domains list in logon page, then internal users will see both the NetBIOS domain names, and the UPN domain suffixes.
6. Notice that there’s a drop-down to select the Default domain. This default domain is only used if the user does not specify a domain name, and if no domain name is configured in the StoreFrontAuth action.
   

Depending on how you configured the StoreFront trusted domains, users have several options for logging into Citrix Gateway:

• Username only – the default domain name configured in the StoreFrontAuth action is used. If StoreFrontAuth default domain is not configured, then it uses the default domain name configured in StoreFront.
  
• Domain\username – requires the short domain name (NetBIOS) to be included in StoreFront’s list of trusted domains.
  
• UPN.suffix\username – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
  
• username@UPN.suffix – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
  

Multi-factor authentication

The XenApp and XenDesktop Wizard supports several authentication configurations:

1. On the bottom left, click XenApp and XenDesktop.
   
2. On the top right, move your cursor over the existing Gateway, and click click the pencil icon to edit it.
   
3. If you earlier removed the Single Sign-On Domain to support multiple AD domains, then the wizard will prompt you to re-enter a Default Active Directory Domain. Unfortunately, this field is not optional. After entering a domain name, and completing the steps shown in this section, you can follow the above instructions to remove it again.
   
4. In the Authentication section, click the pencil icon.
   
5. At the top of the Authentication section, there’s a drop-down for Choose Authentication Type. There are several options. Since this article is focused on StoreFront Auth, only RSA + StoreFront Auth will be detailed below.
   
   • The RSA + Domain option is equivalent to Citrix Gateway RADIUS + LDAP. The RADIUS + LDAP authentication is performed directly by Citrix Gateway, which means it doesn’t use nFactor or a AAA vServer. Unfortunately, the wizard does not configure Citrix Gateway correctly. See my NetScaler Gateway RADIUS Authentication article to fix the authentication policies and Gateway binding configuration.

The RSA + StoreFront Auth option will ask you for RADIUS authentication information.

1. Change the Choose Authentication Type drop-down to RSA + StoreFront Auth.
2. Enter the RADIUS information, and click Test Connection. Citrix ADC will use its SNIP to verify the connection.
   
3. Increase the RADIUS Time-out if your multi-factor is phone-based.
   
4. StoreFront Auth should already be configured, so just click Continue.
   
5. Note, if you see any error messages, you might have to completely delete the Gateway, and run the wizard from scratch. Unfortunately, the XenApp and XenDesktop wizard seems to be quite buggy.
6. Click Done to close the Citrix Gateway Settings page.
   
7. After changing the Gateway authentication, on the top right, download the configuration file again, and import to StoreFront.
   
8. When you import to StoreFront, you can select an existing Gateway to overwrite.
   
9. The Gateway that it imports to StoreFront is automatically configured with Domain and security token so you don’t have to configure this yourself.
   

If you point your browser to the Gateway URL, you will see two password fields. You would think that the first password field is where you enter the AD Password, but that’s incorrect. Actually, it wants Passcode in the first field, and AD Password in the second field.

To swap the fields, do the following:

1. Go to Security > AAA – Application Traffic > Virtual Servers.
2. Edit the AAA vServer that is linked to the Gateway vServer.
   
3. Scroll down, and click where it says 1 Login Schema.
   
4. Right-click the Login Schema, and click Edit.
   
5. Click the Edit button next to the Profile field.
   
6. Notice the DualAuth.xml file selection. Click the pencil in the Authentication Schema field.
   
7. On the left, click the LoginSchema folder to open it.
   
8. Move your mouse over the DualAuth.xml file, and click the download icon. Save it somewhere.
   
9. Edit the downloaded .xml file.
10. Look for the two lines containing passwd. Swap the passwd1 and passwd IDs. In other words, remove the 1 from passwd in line 27, and add it to the passwd in line 22. There are two ID tags in each line. Save the file with a new name.
    
11. Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the new file to upload it.
    
12. Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
    
13. On the left, click the new file to highlight it.
14. On the top right, click the blue Select icon.
    
15. Notice that the file name has now changed to the new file. Click OK.
    
16. Click OK again.
    
17. Click Close.
    
18. Now when you go to the Gateway URL, the fields should work as expected.

============================================================

1. Slavasays:
   May 15, 2019 at 3:24 pm

   Hi Carl, thank you for very detailed article.

   We currently have two factor configured with Web Interface 5.4 where NetScaler prompts for 1st factor (RSA) and after successful authentication redirects to Web Interface where it prompts for second factor (AD). I am trying to have the same with StoreFront but to no avail.
   Any recommendation ?

   REPLY
   1. Carl Stalhoodsays:
      May 16, 2019 at 6:23 pm

      See https://support.citrix.com/article/CTX200066

      REPLY
      1. Slavasays:
         May 24, 2019 at 1:54 pm

         thank you Carl, works like a charm ! The only issue is how to pass user ID from NetScaler to StoreFront and not to enter it again. I’m sure can be done with NetScaler but haven’t found it.

         REPLY
2. Prasantsays:
   December 24, 2018 at 10:22 am

   Hi Carl,

   Thanks for the detailed post. I have been trying to find a way to integrate third party link for self-sign password reset on netscaler but I have not had any success with .js file / custom.css file or theme.css. I see article about EULA but I could not find any articles adding hyperlink for sspr. hopefully, there are some options on 12.1

   REPLY
   1. Carl Stalhoodsays:
      December 24, 2018 at 10:38 am

      What kind of theme? The instructions for RfWebUI are different than the instructions for X1. See https://www.carlstalhood.com/netscaler-gateway-12-tweaks/#logonlinks

      REPLY
3. Kartiksays:
   November 20, 2018 at 12:42 pm

   Hi Carl,

   In multi factor Auth, 1st Auth is validated by Netscaler Gateway and 2nd Auth is validated by storefront ?

   REPLY
4. Tomsays:
   October 18, 2018 at 11:17 am

   Hi Carl,
   Quick question: There is a feature on NetScaler called WebInterface on Netscaler. This shows up on the XA/XD integration wizard.
   What is this? Does this allow you to run a Storefront like site without storefront servers? If so why use SF?
   What are the use cases for this and why would you not advise a large organisation to use this?

   If you have any information that I could use to answer these questions I would be very grateful.

   REPLY
   1. Carl Stalhoodsays:
      October 18, 2018 at 12:20 pm

      Only for the older Web Interface. The NetScaler version is Java based. I don’t recommend it.

      REPLY
5. dipak borolesays:
   July 28, 2018 at 6:57 am

   Hello Carl,

   Thanks for nice article.

   I have setup Citrix ifnra test lab in AWS environment. I have deplyed NS in AWS with single interface. NSiP, SNIp and Citrix infra servers are same subnet (10.0.64.x)
   From putty i am able to ping DNS/AD server. When I am DNS server in NS it is showing down whereas LDAP is working perfectly. As this my test lab all ports are open through and fro.
   Once login to Netscaler page after credential authenication happens and getting error message “Http/1.1 Internal Server Error 43531”. I have enabled MBF in NS. (tried with route as but same issue)

   Any suggesion?

   Regards,
   Dip

   REPLY
   1. Carl Stalhoodsays:
      July 28, 2018 at 11:44 am

      When you SSH to NetScaler and run ping, that is sourced from the NSIP, not the SNIP. To ping from SNIP, in GUI, go to Traffic Mgmt > Load Balancing > Services, add a service, enter the destination IP. Change the monitor to a ping monitor.

      Is AWS aware of all IP addresses assigned to the appliance? I think you typically add multiple NICs. Or in AWS assign multiple IPs to the NIC.

      Is the DNS server in the same subnet as NetScaler? If not, what is your route 0.0.0.0 0.0.0.0?

      REPLY
      1. dipak borolesays:
         July 30, 2018 at 1:01 am

         Hell Carl,

         Thanks for reply. It really helped.

         You rightly pointed. I have not assinged SNIP to Nic. Once i have assigned it DNS is up now.
         But problem is this is my test environment, i have used self signed cert on netscaler and same cert i have deoyed on my machin so in Trustted root CA option. I able to login to NS via Internet and able to see VDI icon in storeront.
         But when I am launchig it gives me error
         //
         —————————
         Windows 10 Desktop ERROR
         —————————
         Unable to launch your application. Contact your help desk with the following information:
         Cannot connect to the Citrix XenApp server.Network issues are preventing your connection. Please try again. If the problem persists, please call your help desk.

         —————————
         Desktop Viewer
         —————————
         The connection to “Windows 10 Desktop” failed with status (Unknown client error 0).
         \\

         However internally (Intern Jump Server) when i am login getting :”Your logon has expired. Please log on again to continue” via Netscaler. (there is not cert deployed on Storefront)

         But direct storeront link is working properly and able to launch vdi.

         As this test environment i have not using intermediate certicate. is that the probem? or any suggestion how can I user self signed cert.

         Regards,
         Dip

         REPLY
6. Mannysays:
   April 2, 2018 at 4:30 pm

   Carl, when setting up Citrix Receiver to go through StoreFrontAuth, I get “double” prompted. The first is the NS, then again from the AAA VServer (I recognize the test from the LoginSchema). What am I missing here?

   REPLY
7. chrzanowskisays:
   December 3, 2017 at 12:35 pm

   Hello CAril
   How are you
   I hace created a lab with NS 12
   My prod network is 192.168.1.0/24
   I did the xenapp and xendesktop wizard my vip is 172.16.0.10
   I can ping it from the cli
   But if I connect from y windows 10 client and type to https the vip no answer
   for you info my vm NS has only one network card

   tks for your help

   REPLY
   1. Carl Stalhoodsays:
      December 3, 2017 at 2:26 pm

      Are you saying that your NetScaler is connected to multiple subnets? Did you configure VLANs? https://www.carlstalhood.com/netscaler-12-system-configuration/#twoarm

      REPLY
8. Matheensays:
   November 6, 2017 at 3:54 am

   Hi Carl, Thanks for your article.
   I have an existing PoC setup where users are connecting directly to Storefront with Pass-through authentication turned on.
   In new setup, we have AG setup for internal users (to force all traffic through SNIP). This means users need to type their credentials to authenticate at NetScaler.
   Users want to be able to use Pass-through authentication (similar to their Poc). I understand Pass-through authentication is not supported in NetScaler Gateway
   If I configure Storefront-auth as described, Is it possible to make pass-through working?
   Bottom line: Users want to automatically logged in from their domain-joined machines using Pass-through, even when connecting from NetScaler AG.
   Note: I have enabled the Pre-reqs for Passthrough to work already (Receiver GPO, TrustingXML etc)

   REPLY
9. Tyron Scholemsays:
   October 2, 2017 at 12:28 pm

   Is there a specific step needed to enable “Storefront Auth” on step 12 (Click the button to Retrieve Auth Enabled Stores)?
   When I click the button, I get an error stating: “There are no auth enabled stores on the specified StoreFront”

   REPLY
   1. Carl Stalhoodsays:
      October 2, 2017 at 12:33 pm

      I usually have to click it a couple times.

      Or, maybe you’ve upgraded StoreFront several times and don’t have a store with integrated auth.

      REPLY
      1. Alisson Gustavo Lorscheitersays:
         July 25, 2019 at 1:21 pm

         I’m with this error using Netscaler 12. How can i fix it ?

         REPLY
10. Thomas Braukmannsays:
    September 15, 2017 at 2:41 am

    Hi Carl,

    i change from LDAP Auth to the new StoreAuth methode, after i change it i become an Error on Storefront

    Eventlog: Citrix Authentication Service ID:1 (1008) /UserDomain

    ” Beim Verarbeiten einer expliziten JSON-Anforderung ist ein Fehler aufgetreten.
    System.ArgumentNullException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Der Wert darf nicht NULL sein.
    Parametername: userDomain
    bei Citrix.DeliveryServices.Security.Claims.Specializations.Directory.Client.DelegatedDirectoryClaimFactory.CreateDirectoryClaimForAllUserGroups(String userSecurityIdentifier, String userDomain, String issuer, String original, IEnumerable`1 requiredProperties, Boolean searchGC)
    bei Citrix.DeliveryServices.Authentication.Explicit.ExplicitJson.Controllers.ExplicitJsonController.AuthenticateUsernamePassword(UsernamePasswordRequest upr)
    bei Citrix.DeliveryServices.Authentication.Explicit.ExplicitJson.Controllers.ExplicitJsonController.Authenticate(JsonRequestHolder holder)
    ”

    I hope you can help me.

    Thx
    Thomas

    REPLY
11. Alan Robertsonsays:
    August 22, 2017 at 10:53 am

    HI Carl do you thing Netscaller v12 is ready for production deployment at a Green Field Site or should I be sticking to V11.1.

    Alan

    REPLY
    1. Carl Stalhoodsays:
       August 22, 2017 at 10:57 am

       I would stay with 11.1, unless you need the new features, and are tolerant to risk.

       REPLY
12. Paulsays:
    August 16, 2017 at 9:31 pm

    Thank you Carl. Is it still possible to restrict gateway access to only members of a specific AD group using StorefrontAuth method?

    REPLY
    1. Carl Stalhoodsays:
       August 17, 2017 at 9:51 am

       The Session Profile has a “Groups allowed to login” field.

       REPLY
       1. Paulsays:
          August 17, 2017 at 9:21 pm

          It worked! Thank you Carl.

          REPLY
13. Chucksays:
    August 4, 2017 at 12:22 am

    Hey Carl, testing Storefront Auth and running into an issue using RfWebUi, other themes work. After loging no apps are disabled. My account also is only showing my samaccount and not full name. Sf without NetScaler works fine as does the X1 theme. Any ideas? Used the wizard to configure everything. SF is set to any domain.

    REPLY
    1. Mikesays:
       September 12, 2017 at 4:53 am

       Hi Chuck,
       I have the same problem here. NS 11.1. with RfWebUI against SF 3.5 is working. Update NS to 12.0.53.6 and RfWebUI aganist SF3.5 produce a error “no apps aor desktops available at this time”. Switching Theme to X1 and login again, it’s working as expceted. Any Ideas where the problem is?

       REPLY

 

================= End