SSO doesn't work with Citrix deployed on BIG-IP

Hi guys,

We would like to use our F5 (LTM & APM, fully licensed) instead of NetScaler Gateway for access to our Citrix farm, so we have recently deployed the newest iApp (f5.citrix_vdi.v2.3.0) to get this configured, and I can already see some issues with single sign-on.

I can get to the F5 website (Virtual Server - DNS record created) and log in successfully with my AD credentials, but then it takes me to one of our websites hosted on our Citrix WI (Web Interface) server, which asks me to log in again. Providing the same set of credentials, I can log in and access all the resources just fine.

It looks like SSO does not work - my credentials are not passed on from the F5 website to Citrix Web Interface.

What am I missing here?

Has anyone seen this before?

Thanks,

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi mate,

Verify that you are passing the credentials to the Citrix farm. If not, you can do it by session variables.

Also please make sure that you have enabled auto log-in in the citrix desktop. Navigate to Access Policy ›› Application Access : Remote Desktops : Remote Desktops ›› Citrix__apm_remote_desktop_1

Select Autologin and give the session variables there.

Auto Logon -> Enable
Broker Authentication > Password Based
Username Source > session.logon.last.username
Password Source  > session.logon.last.password

and update it.

Please let me know if you need any more information.

-Jinshu

0
Comments on this Answer
Comment made 15-Aug-2016 by Domel 262

Hi Jinshu,

Thanks a lot for your reply.

I have double-checked the access profile within APM created by the Citrix iApp, and it looks like "SSO Credential Mapping" as well as "Variable Assign" are all there.

Regarding enabling auto log-in in the Citrix Desktop - where do I find this?

Is this somewhere within the Citrix WI server configuration, or is it something which has to be enabled for Citrix Receiver?

Thanks,

0
Comment made 15-Aug-2016 by Jinshu 1336

Navigate to Access Policy ›› Application Access : Remote Desktops : Remote Desktops

You can find the Citrix remote desktop name created there. Click on the name.

Select Autologin and give the session variables there.

Auto Logon -> Enable
Broker Authentication > Password Based
Username Source > session.logon.last.username
Password Source  > session.logon.last.password

Please note you might need to update the same variables which you have given in the access policy.

-Jinshu

0
Comment made 15-Aug-2016 by Domel 262

Hi Jinshu,

Thanks for coming back to me on this one.

I cannot see the Citrix remote desktop name for some reason (please have a look at the attached screenshot).

The only thing I can see there is the new VDI profile.

0
Comment made 15-Aug-2016 by Domel 262

New VDI Profile:


0
Comment made 15-Aug-2016 by Domel 262

Also there is a new Citrix Client Bundle created by iApp I believe:


0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Okay. This is because you are not using the F5 APM Webtop to replace the Citrix StoreFront servers, isn't it?

  1. Can you give the variables you have given in the access policy?
  2. Can you check in the Citrix StoreFront logs what the error message is while you are authenticating with AD on F5 APM?

-Jinshu

0
Comments on this Answer
Comment made 15-Aug-2016 by Domel 262

Hi Jinshu,

Yes, that is correct - I don't want to replace Citrix Web Interface or StoreFront (we actually don't have StoreFront in place - just Citrix Web Interface) - please see the screenshot below.

Re. 1 - This could be a problem then, as I'm not too sure how to achieve this...

Re. 2 - Citrix WI logs don't show anything, as the F5 doesn't even try to log in - please see the screenshot below.

0
Comment made 15-Aug-2016 by Jinshu 1336

Can you give the screenshot of 'Variable Assign' in the policy (After the SSO Credentials Mapping)?

0
Comment made 15-Aug-2016 by Domel 262

Hi Jinshu,

Please have a look at the screenshot below.

0
Comment made 15-Aug-2016 by Jinshu 1336

Okay. Just try the one below.

1. Remove the SSO Credentials Mapping.
2. Edit the Variable Assign to the one below.

session.logon.last.username = expr { "xyz.com\\[mcget {session.logon.last.username}]" }
session.logon.last.password = expr { "[mcget {session.logon.last.password}]"}

Replace xyz.com with your domain name.

If this is not working, we can create an SSO and add it to the policy.

0
Comment made 15-Aug-2016 by Domel 262

Let me try that, Jinshu.

0
Comment made 15-Aug-2016 by Domel 262

Tried that just now and still no luck.

I have replaced xyz.com with our FQDN as well as with the NetBIOS name and still no luck - please see the screenshot below.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I would double-check the iApp configuration and make sure you selected the WebUI server rather than the SF server. Also, are you using Down-Level Logon Name (domain\user) or UPN (user@domain.com) format to log in? The iApp-produced configuration only supports the former.

0
Comments on this Answer
Comment made 15-Aug-2016 by Domel 262

Hi Greg,

Thanks a lot for your input on this one.

The iApp is configured as per your screenshot (we don't have an SF server, just WI).

I'm pretty sure we use Down-Level Logon Name (domain\user - there is no need to specify the domain while logging in anyway), but is there a way to check this somewhere?

0
Comment made 15-Aug-2016 by Greg Crosby

I meant how users are entering their username during logon; it sounds like all they are doing is entering the username and not a UPN on the F5 logon page. The Variable Assign created by the iApp is already placing your domain in the SSO to use while replaying credentials to the WebUI servers (session.logon.last.domain = expr {"your-domain"}), so if users are trying to enter the username in UPN format it would fail. You could tail your APM log during a user logon to see where it fails in the process (tail -f /var/log/apm). I would also open a case with support, as having your environment details would be very useful when determining why SSO is failing.

0
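The failure mode Greg describes above (a user typing a UPN while the iApp replays a static domain plus the raw username) can be handled in the same place the thread already edits, the Variable Assign agent. The two custom expressions below are an added example, not the iApp's own configuration; they assume APM accepts the multi-statement `set ... return` form in a Variable Assign custom expression and that the iApp's static domain is the `YOUR-NETBIOS-DOMAIN` placeholder.

```tcl
# Variable Assign entry 1: session.logon.last.username
# Normalise whatever the user typed on the F5 logon page to a bare account
# name so the down-level replay to Web Interface gets "user", not
# "user@corp.example.com" or "CORP\user". Index > 0 guards against a
# leading separator producing an empty name.
set u [mcget {session.logon.last.username}];
if { [string first "@" $u] > 0 } {
    # UPN form: keep the part before the @
    set u [lindex [split $u "@"] 0];
} elseif { [string first "\\" $u] > 0 } {
    # Down-level form with an explicit domain prefix: keep the part after the \
    set u [lindex [split $u "\\"] end];
}
return $u;

# Variable Assign entry 2: session.logon.last.domain
# Keep the static NetBIOS domain the iApp already set (placeholder here).
# A UPN suffix is not necessarily the NetBIOS domain name, so it is
# deliberately not derived from user input; a typed prefix that differs
# from this domain is dropped by entry 1 and will fail at WI, which is
# visible in /var/log/apm as described above.
return "YOUR-NETBIOS-DOMAIN";
```

The password assignment stays as the thread shows it (`expr { "[mcget {session.logon.last.password}]" }`), and the two entries above replace only the username and domain assignments.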
Comment made 15-Aug-2016 by Domel 262

Hi Greg,

The username is, for example, "gcrosby", and there is no requirement to put the domain name in front of it. It logs me in just fine on both the F5 and the Citrix WI server.

So my understanding is that by deploying the F5 iApp it should just work, without the need to reconfigure the WI servers/XenApp websites?

Will check the logs tomorrow if I can find anything obvious.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If the username doesn't include the domain name, then the variable we have used might need to be modified. However, you would get an authentication error on the Citrix web server if F5 APM passed the credentials. Are you able to see any logon attempt on the Citrix Web server?

-Jinshu

0
Comments on this Answer
Comment made 16-Aug-2016 by Domel 262

I have just spoken to our Citrix admin and have been told we actually need a XenApp & XenDesktop deployment, which seems to be another iApp.

I have deleted my VDI iApp and used a different template instead (f5.citrix_xenapp_xendesktop.2012_06_27).

I have a new iApp deployed with exactly the same issue - SSO doesn't work.

0
Comment made 16-Aug-2016 by Jinshu 1336
1
Comment made 18-Aug-2016 by Domel 262

That was it Jinshu,

Thank you very much for your help on this one.

I had to go back to the previous template, which seems to be the most recent one for XenApp/XenDesktop deployment (f5.citrix_vdi.v2.3.0).

My website wasn't configured correctly.

"Authentication point set to At Access Gateway. Authentication method set to Explicit. Authentication service URL points to a virtual server on the BIG-IP® system; the URL must be one of these:

http://address of the virtual server/CitrixAuth
https://address of the virtual server/CitrixAuth (if traffic is encrypted between APM and the Citrix Web Interface site).

The address can be the IP address or the FQDN. If you use HTTPS, make sure to use the FQDN that you use in the SSL certificate on the BIG-IP system."

In my case I had to use FQDN - it didn't work with IP address.

SSO works now and it logs me in to Web Interface where I can see all my resources.

The problem which I have now is that when I click on any of the resources (including Calculator) nothing happens... it doesn't launch it and doesn't return any error.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

So your authentication issue is solved, right?

If the icons are not responding, it seems the ICA tunnel is not getting established. Are you seeing any errors in APM or Citrix?

-Jinshu

0
Comments on this Answer
Comment made 18-Aug-2016 by Domel 262

Just checked, and we can see an authentication error on the WI server every time I try to launch the app.

0
Comment made 18-Aug-2016 by Domel 262

I think it's still something to do with SSO, as before, when I had to log in twice (to F5 and then to the WI server), it was working just fine - I could launch every single app...

0
Comment made 18-Aug-2016 by Jinshu 1336

I think F5 APM is passing your credentials to WI, and that's why you are able to log in to Citrix through APM. As per the screenshot, the configuration in the WI for the Access Gateway authentication is not correct, and that's why you are not able to launch Citrix resources.

I would suggest reviewing the WI configuration once again and seeing if anything was missed there. If you don't configure SSO, it will work because the authentication gateway is WI itself. You might need to change it to APM.

-Jinshu

1
Comment made 19-Aug-2016 by Domel 262

Thanks Jinshu,

I have configured a brand new WI website and it works perfectly now.

Thanks a lot for your help - all good now.

0
Comment made 19-Aug-2016 by Jinshu 1336

Cheers.!!

0