NetScaler Gateway 12 and Citrix Gateway 12.1 and newer support a new form of authentication called StoreFrontAuth, which delegates Active Directory authentication to a StoreFront server. StoreFrontAuth replaces LDAP on Citrix Gateway. You usually don’t need both.
StoreFrontAuth uses nFactor, which means Citrix ADC must be licensed for Advanced Edition (formerly known as Enterprise Edition) or Premium Edition (formerly known as Platinum Edition).
The easiest method of enabling StoreFrontAuth is to use the XenApp and XenDesktop Wizard. The Wizard lets you select from several different authentication methods, including multi-factor.
Or, you can manually configure StoreFrontAuth in nFactor and bind the AAA vServer to a Gateway vServer. See George Spiers' NetScaler Gateway authentication direct to StoreFront for manual nFactor configuration.
License – make sure the appliance is licensed for Advanced Edition (formerly known as Enterprise Edition) or Premium Edition (formerly known as Platinum Edition).
DNS Servers – make sure DNS Servers are configured on the Citrix ADC.
The Wizard creates a whole new Gateway Virtual Server. You’ll need the following:
DNS name for the Gateway
VIP for the Gateway
Certificate for the Gateway
URL to the StoreFront servers – StoreFront must be reachable from Citrix ADC SNIP and NSIP
To retrieve the list of stores, NSIP must be able to reach the StoreFront URL
StoreFront must be version 3.11 or newer
RADIUS – If you are doing multi-factor authentication, then you’ll need RADIUS information, including adding Citrix ADC NSIP and/or SNIP as RADIUS Clients.
Also see Citrix CTX223882 FAQ – Configuring Authentication at StoreFront using NetScaler Gateway
In Citrix ADC, click XenApp and XenDesktop on the bottom left.
On the right, click Get Started.
Select StoreFront, and then click Continue.
In the Citrix Gateway section, enter the FQDN for the new Gateway.
Enter the VIP for the new Gateway.
Check the box next to Redirect requests from port 80 to secure port, and click Continue.
In the Server Certificate section, if you already have a certificate on this appliance that matches the new Gateway FQDN, then select it. Or, change the selection to Install Certificate, and import a .pfx file. Click Continue when done.
In the StoreFront section, enter the URL to StoreFront, and click Retrieve Stores.
In the Receiver for Web Path drop-down, select a Receiver for Web Path.
In the Default Active Directory Domain field, enter a domain name that your StoreFront server will accept.
Enter a Secure Ticket Authority URL, including http:// or https://. Use the plus icon to add more than one STA server. STAs are usually your XenDesktop Controllers. Then click Test STA Connectivity.
Check the box next to Use this StoreFront for Authentication and click Continue.
In the Authentication section, in the Choose Authentication Type drop-down, notice that there are several options. Multi-factor will be detailed later. Leave it set to StoreFront Auth.
Click the button to Retrieve Auth Enabled Stores.
Use the Authentication Service URI drop-down to select a store.
The Domain field can be used to enter a default domain. Note: the domain name entered here must match one of the domain names permitted by StoreFront. This will be explained below in the Multiple Domains section.
Click Continue
Review the summary screen, and click Done.
If Default SSL Profiles are not enabled, then go to Citrix Gateway > Virtual Servers, edit the Gateway Virtual Server, and configure standard SSL vServer Settings.

If you point your browser to the Gateway URL, notice that it uses an old portal theme.
On the left, go to Citrix Gateway > Virtual Servers.
On the right, edit the Gateway Virtual Server that was created by the wizard.
On the right, in the Advanced Settings column, click Portal Themes.
On the left, scroll down, and change the Portal Theme selection to RfWebUI, or one of its derivatives. Click OK.
Now when you visit the Gateway URL, it’s shown using a newer theme. However, there’s a “First Factor” text in the middle of the page. We can fix that.
Back in your Citrix Gateway, near the middle of the page, find the Authentication Profile section. Click the pencil icon. This object enables nFactor.
Click the Edit button to edit the Authentication Profile.
Note the name of the AAA vServer. Unfortunately, this Edit button doesn’t take us to a place where we can make the edit we need.
Go back to the main Citrix ADC navigation menu, and go to Security > AAA – Application Traffic > Virtual Servers.
You’ll see a new AAA vServer in the list. It’s down because there’s no certificate bound to it, but it still works. If the red icon bothers you, you’re welcome to bind a certificate to it.
Edit the AAA vServer.
Scroll down, and click where it says 1 Login Schema.
Right-click the Login Schema, and click Edit.
Click the Edit button next to the Profile field.
Click the pencil in the Authentication Schema field.
On the left, click the LoginSchema folder to open it.
Move your mouse over the SingleAuth.xml file and click the download icon. Save it somewhere.
Edit the downloaded .xml file.
Find the line containing the First factor text and delete the line. Save the file with a new name.
Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the edited file to upload it.
Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
On the left, click the new file to highlight it.
On the right, click the blue Select icon.
Notice that the file name has now changed to the new file. Click OK.
Click OK again.
Click Close.
If you point your browser to the Gateway FQDN again, the extra text is gone. You’re welcome to make additional changes to the .xml file.
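For reference, here is the CLI equivalent (typed over SSH to the NSIP) of what the wizard builds in the steps above, plus the login schema change just described. This is an added example, not configuration from the page or from Citrix: the object names, the StoreFront and STA URLs, the domain, and the edited schema file name SingleAuth_NoFirstFactor.xml are placeholders, and the wizard's own object names will differ, so run the show commands first to see what it actually created.

```nscli
# Added example: CLI equivalent of the wizard's StoreFrontAuth configuration
# plus the edited login schema. All names, URLs and domains are assumed.

# 1. Inspect what the wizard created before changing anything.
show vpn vserver                          # Gateway vServer created by the wizard
show authentication vserver               # AAA vServer linked via the authentication profile
show authentication storefrontAuthAction  # StoreFront URL and default domain the wizard set
show authentication loginSchema           # which .xml file is currently selected

# 2. StoreFrontAuth action: delegates AD authentication to StoreFront.
#    -serverURL is the store's authentication service (assumed store name "Store").
#    -domain is only used when the user types a bare username.
add authentication storefrontAuthAction SFAuth_Act -serverURL "https://storefront.corp.example.com/Citrix/StoreAuth" -domain corp.example.com
add authentication Policy SFAuth_Pol -rule true -action SFAuth_Act

# 3. Non-addressable AAA vServer (0.0.0.0): no VIP and no certificate needed,
#    which is why the wizard's AAA vServer shows DOWN but still works.
add authentication vserver AAA_SFAuth SSL 0.0.0.0
bind authentication vserver AAA_SFAuth -policy SFAuth_Pol -priority 100 -gotoPriorityExpression NEXT

# 4. Login schema. The stock file is /nsconfig/loginschema/LoginSchema/SingleAuth.xml;
#    a file uploaded through the GUI lands in /nsconfig/loginschema/, so the
#    edited copy (with the "First factor" line removed) is referenced from there.
add authentication loginSchema LS_SingleAuth -authenticationSchema "/nsconfig/loginschema/SingleAuth_NoFirstFactor.xml"
add authentication loginSchemaPolicy LSPol_SingleAuth -rule true -action LS_SingleAuth
bind authentication vserver AAA_SFAuth -policy LSPol_SingleAuth -priority 100 -gotoPriorityExpression END

# 5. Link the Gateway vServer to the AAA vServer (the authentication profile is
#    what "enables nFactor"), select the newer portal theme, and add the STA.
add authentication authnProfile AuthProf_SF -authnVsName AAA_SFAuth
set vpn vserver GW_SFAuth -authnProfile AuthProf_SF
bind vpn vserver GW_SFAuth -portaltheme RfWebUI
bind vpn vserver GW_SFAuth -staServer "https://ddc1.corp.example.com"

# 6. Verify the bindings and persist the configuration.
show authentication vserver AAA_SFAuth    # expect SFAuth_Pol and LSPol_SingleAuth bound
save ns config
```

If the wizard already created these objects, use set instead of add (for example set authentication loginSchema on the wizard's schema object, pointing -authenticationSchema at the edited file) rather than creating duplicates.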
In Citrix ADC, on the bottom left, click XenApp and XenDesktop.
On the top right, click Download file.
In the Download StoreFront Settings page, you can either export all virtual servers, or just one of them. Click OK.
Save the GatewayConfig.zip file somewhere.
In StoreFront console, on the left, right-click the Stores node, and click Manage NetScaler Gateways.
At the top of the window, click the blue link imported from file.
Click the Browse button, and select the GatewayConfig.zip file you saved earlier.
Click the Import button next to the Gateway vServer you want to import.
In the Select Logon Type page, you can optionally enter a SmartAccess Callback URL that resolves to any Citrix Gateway on the same appliance that authenticated the user. Click Verify.
Click Next.
In the Secure Ticket Authorities page, review the list of STAs, and click Next.
In the Review Changes page, click Import.
In the Summary page, click Finish.
Click Close.
The new Gateway is shown in the list. Notice that the new Gateway is already Used by Store, so there’s no need to enable Remote Access on the Store yourself. Click Close.
Edit the newly imported Gateway object.
On the Secure Ticket Authority page, check the box next to Enable session reliability. EDT protocol will not work unless you check this box. Click OK.
The wizard configures Session Profiles with a default domain name. Multiple domains won’t work until you remove this SSON Domain.
At Citrix Gateway > Virtual Servers, edit the Gateway Virtual Server created by the wizard.
Scroll down, and click where it says 2 Session Policies.
Right-click each Session Policy, and click Edit Profile.
On the tab named Published Applications, uncheck the box next to Single Sign-on Domain. Click OK.
Repeat for the other Session Profile.
StoreFrontAuth authenticates users to StoreFront using normal StoreFront username syntax:
username only
Domain\username
username@domain.suffix (aka userPrincipalName)
If no domain name is specified, StoreFrontAuth can be configured with a default domain name.
Go to Security > AAA > Virtual Servers, right-click the AAA vServer that has StoreFrontAuth enabled, and click Edit.

Scroll down, and click where it says 1 Authentication Policy.
Right-click the StoreFrontAuth policy, and click Edit Policy. Unfortunately, Edit Action doesn’t seem to work.
Click the Edit button next to the Action.
In the Domain field, enter a default domain name that will be used if the user does not specify a domain. Click OK.
Notes on domain names:
The domain names entered by users (domain\username, or username@domain.suffix), must be accepted by StoreFront.
The default domain name entered in the StoreFront Authentication Action must be accepted by StoreFront.
After StoreFront Authentication authenticates the user, it sends back the user’s UPN. Citrix Gateway then uses the UPN to Single Sign-on to StoreFront. Thus, the UPN suffixes must be accepted by StoreFront.
To configure the domain names accepted by StoreFront:
In StoreFront Console, right-click your store, and click Manage Authentication Methods.
Click the top gear icon, and click Configure Trusted Domains.
If the selection is Any domain, then you’re good, and you don’t need to change anything.
If it’s set to Trusted domains only, then make sure that UPN domain suffixes are in the list.
To make it easier for users, add the NetBIOS domain names too. However, if you checked the box for Show domains list in logon page, then internal users will see both the NetBIOS domain names, and the UPN domain suffixes.
Notice that there’s a drop-down to select the Default domain. This default domain is only used if the user does not specify a domain name, and if no domain name is configured in the StoreFrontAuth action.
Depending on how you configured the StoreFront trusted domains, users have several options for logging into Citrix Gateway:
Username only – the default domain name configured in the StoreFrontAuth action is used. If StoreFrontAuth default domain is not configured, then it uses the default domain name configured in StoreFront.
Domain\username – requires the short domain name (NetBIOS) to be included in StoreFront’s list of trusted domains.
UPN.suffix\username – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
username@UPN.suffix – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
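The following commands, added here as an example and not taken from the page, cover the two Citrix ADC-side domain settings discussed in this section and the previous one: removing the Single Sign-on Domain from the wizard's two session profiles, and setting or clearing the default domain on the StoreFrontAuth action. The Gateway vServer, session profile and action names are assumed placeholders; use the show commands to find the real names the wizard generated.

```nscli
# Added example: where a "default domain" can come from, and how to configure
# each for a multi-domain forest. Object names are placeholders (assumed).

# Precedence for a user who types only a username:
#   1. -domain on the StoreFrontAuth action (Citrix ADC side)
#   2. the Default domain selected in StoreFront's Trusted domains dialog
# The session profile's Single Sign-on Domain (-ntDomain) is separate: it forces
# that one domain onto the single sign-on to StoreFront, which is why logons
# from any other domain fail until it is removed.

# Find the two session profiles the wizard bound to the Gateway vServer.
show vpn vserver GW_SFAuth        # lists the bound session policies
show vpn sessionPolicy            # maps each policy to its session action (profile)

# Remove the SSON domain from both wizard-created profiles (names assumed).
unset vpn sessionAction AC_OS_GW_SFAuth -ntDomain
unset vpn sessionAction AC_WB_GW_SFAuth -ntDomain

# Either set a default domain on the StoreFrontAuth action for bare usernames ...
set authentication storefrontAuthAction SFAuth_Act -domain corp.example.com
# ... or clear it so that StoreFront's own Default domain applies instead.
unset authentication storefrontAuthAction SFAuth_Act -domain

# Check. Whatever is set here must be accepted by StoreFront, and the UPN that
# StoreFront returns after authentication is what Gateway uses for SSO, so every
# UPN suffix in use must be in StoreFront's trusted domains (or "Any domain").
show authentication storefrontAuthAction SFAuth_Act
show vpn sessionAction AC_OS_GW_SFAuth     # confirm NT Domain is no longer shown
save ns config
```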
The XenApp and XenDesktop Wizard supports several authentication configurations:
On the bottom left, click XenApp and XenDesktop.
On the top right, move your cursor over the existing Gateway, and click the pencil icon to edit it.
If you earlier removed the Single Sign-On Domain to support multiple AD domains, then the wizard will prompt you to re-enter a Default Active Directory Domain. Unfortunately, this field is not optional. After entering a domain name, and completing the steps shown in this section, you can follow the above instructions to remove it again.
In the Authentication section, click the pencil icon.
At the top of the Authentication section, there’s a drop-down for Choose Authentication Type. There are several options. Since this article is focused on StoreFront Auth, only RSA + StoreFront Auth will be detailed below.
The RSA + Domain option is equivalent to Citrix Gateway RADIUS + LDAP. The RADIUS + LDAP authentication is performed directly by Citrix Gateway, which means it doesn't use nFactor or a AAA vServer. Unfortunately, the wizard does not configure Citrix Gateway correctly. See my NetScaler Gateway RADIUS Authentication article to fix the authentication policies and Gateway binding configuration.
The RSA + StoreFront Auth option will ask you for RADIUS authentication information.
Change the Choose Authentication Type drop-down to RSA + StoreFront Auth.
Enter the RADIUS information, and click Test Connection. Citrix ADC will use its SNIP to verify the connection.
Increase the RADIUS Time-out if your multi-factor is phone-based.
StoreFront Auth should already be configured, so just click Continue.
Note, if you see any error messages, you might have to completely delete the Gateway, and run the wizard from scratch. Unfortunately, the XenApp and XenDesktop wizard seems to be quite buggy.
Click Done to close the Citrix Gateway Settings page.
After changing the Gateway authentication, on the top right, download the configuration file again, and import to StoreFront.
When you import to StoreFront, you can select an existing Gateway to overwrite.
The Gateway object that it imports into StoreFront is automatically configured with the Domain and security token logon type, so you don't have to configure this yourself.
If you point your browser to the Gateway URL, you will see two password fields. You would think that the first password field is where you enter the AD Password, but that’s incorrect. Actually, it wants Passcode in the first field, and AD Password in the second field.
To swap the fields, do the following:
Go to Security > AAA – Application Traffic > Virtual Servers.
Edit the AAA vServer that is linked to the Gateway vServer.
Scroll down, and click where it says 1 Login Schema.
Right-click the Login Schema, and click Edit.
Click the Edit button next to the Profile field.
Notice the DualAuth.xml file selection. Click the pencil in the Authentication Schema field.
On the left, click the LoginSchema folder to open it.
Move your mouse over the DualAuth.xml file, and click the download icon. Save it somewhere.
Edit the downloaded .xml file.
Look for the two lines containing passwd. Swap the passwd1 and passwd IDs. In other words, remove the 1 from passwd1 on line 27, and add it to passwd on line 22. Each of those lines has an opening and a closing ID tag, so change the value in both. Save the file with a new name.
Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the new file to upload it.
Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
On the left, click the new file to highlight it.
On the top right, click the blue Select icon.
Notice that the file name has now changed to the new file. Click OK.
Click OK again.
Click Close.
Now when you go to the Gateway URL, the fields should work as expected.
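The CLI form of the RSA + StoreFront Auth configuration from the previous section, together with the swapped DualAuth schema from this one, is shown below as an added example; it is not configuration from the page or from Citrix. It assumes the single-factor objects (the StoreFrontAuth policy SFAuth_Pol, the AAA vServer AAA_SFAuth and the login schema policy LSPol_SingleAuth) already exist under those placeholder names, whether created by the wizard or by hand, and the RADIUS server IP, shared secret and the uploaded file name DualAuth_swapped.xml are also placeholders.

```nscli
# Added example: RADIUS first factor, StoreFrontAuth second factor, two-field
# schema. Names, the RADIUS IP and key, and the file name are assumed.

# Why the swap is needed: with DualAuth.xml, the factor bound directly on the
# AAA vServer consumes the credential with ID "passwd" (first field) and the
# next factor consumes "passwd1" (second field). The wizard puts RADIUS first,
# so the first field is the passcode unless the IDs are swapped in the XML.

# 1. RADIUS first factor. -authTimeout is in seconds and must cover the time a
#    push or phone-call prompt takes; the shared secret here is a placeholder.
add authentication radiusAction RADIUS_Act -serverIP 10.0.0.50 -serverPort 1812 -radKey "CHANGE-ME-shared-secret" -authTimeout 60
add authentication Policy RADIUS_Pol -rule true -action RADIUS_Act

# 2. StoreFrontAuth as the next factor, inside a policy label with no schema of
#    its own (LSCHEMA_INT), so it reads the second password field (passwd1).
add authentication policylabel PL_SFAuth -loginSchema LSCHEMA_INT
bind authentication policylabel PL_SFAuth -policyName SFAuth_Pol -priority 100 -gotoPriorityExpression NEXT

# 3. Replace the single-factor binding with RADIUS chained to the label.
unbind authentication vserver AAA_SFAuth -policy SFAuth_Pol
bind authentication vserver AAA_SFAuth -policy RADIUS_Pol -priority 100 -nextFactor PL_SFAuth -gotoPriorityExpression NEXT

# 4. Two-field login schema pointing at the edited copy of DualAuth.xml
#    (uploaded to /nsconfig/loginschema/). The stock file, for reference, is
#    /nsconfig/loginschema/LoginSchema/DualAuth.xml.
add authentication loginSchema LS_DualAuth_Swapped -authenticationSchema "/nsconfig/loginschema/DualAuth_swapped.xml"
set authentication loginSchemaPolicy LSPol_SingleAuth -action LS_DualAuth_Swapped

# 5. Verify: RADIUS_Pol should show PL_SFAuth as its next factor, and the
#    schema policy should point at the swapped file.
show authentication vserver AAA_SFAuth
show authentication policylabel PL_SFAuth
show authentication loginSchemaPolicy LSPol_SingleAuth
save ns config
```

Because RADIUS is evaluated first, a wrong passcode stops the flow before the AD password is ever sent to StoreFront, so keep RADIUS as the first factor rather than reordering the factors to avoid the schema edit.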