Adding a XenDesktop Azure Resource Manager Hosting Connection Manually with ADFS and NetScaler


Wow! What a mouthful of a post title!

So, the purpose of this is to walk you through the process of adding a connection to your Azure Resource Manager Datacenter from Citrix Studio manually.

Following my previous posts about ADFS and MFA, I have an on-premises ADFS instance linked to Microsoft Azure Multi-Factor Authentication.  I want to use this method to authenticate to an Azure AD hosted in the cloud and add a hosting connection to Citrix Studio.  Essentially I want the Microsoft login to hand authentication off to my ADFS instance, which authenticates the user and deals with MFA.

For context my internal domain name is bretty.local – my external owned domain is bretty.me.uk – my ADFS URL is sts.bretty.me.uk both internally and externally.

So, let's get started.

Active Directory Domain Suffix

The first thing I need to do is add bretty.me.uk as an additional UPN suffix for my domain.  This is so that I can authenticate externally and internally using my bretty.me.uk owned domain.

Open up Active Directory Domains and Trusts, right click the top level and click Properties

07-domains-and-trusts

Add your external domain as an available domain suffix

08-add-upn
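The same change can be made and checked from PowerShell on a domain controller. This is an added example, not part of the original post; it assumes the ActiveDirectory module is available and uses the post's bretty.me.uk suffix as a placeholder for your own domain.

```powershell
# Added example: add the externally owned domain as an alternative UPN suffix
# for the forest (the same thing the Domains and Trusts dialog does), then verify it.
Import-Module ActiveDirectory

$Suffix = "bretty.me.uk"   # the post's external domain; substitute your own

$Forest = Get-ADForest
if ($Forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $Suffix }
}

# Confirm the suffix is now offered for new and existing accounts
(Get-ADForest).UPNSuffixes

# Adding the suffix does not change existing users; list accounts that still
# carry a non-routable UPN (these cannot sign in to Azure AD as user@bretty.me.uk yet)
Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$Suffix" } |
    Select-Object SamAccountName, UserPrincipalName
```

Run it once before installing Azure AD Connect; the last query is the quickest way to spot accounts that will sync with a .local UPN and fail the external login test later in the post.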

Azure Active Directory

Next we need to set up an Azure Active Directory and link it to our on-premises domain.  There are a number of options and ways that you can configure this however in this post I am going to use directory sync to sync my AD to Azure and link back to my ADFS service for user authentication.

Open up the OLD Azure Admin Console by going here:

https://manage.windowsazure.com

Navigate to Active Directory

01-ad

Select Directory at the top

02-directory

Click Add to create a new directory

03-new-directory

Fill out the details for your new Active Directory, give it a .onmicrosoft.com domain name and select the location

04-ad-details

Click ok to create the new directory

05-domain-ready

Next you will need to add and verify the external domain name that you own (in my case bretty.me.uk)

Click to add a domain.  Add your external domain name and don't put a tick in “I plan to configure this domain for SSO”

06-add-domain

Click Add then next

This screen will ask you to verify that you own the domain.  You will need to add a TXT DNS record to your domain as specified by the screen and verify the domain.  This may take some time to achieve because of DNS replication but make sure you verify your domain before you try to install Directory Sync.

07-verify-domain

Unverified Domain

08-domain-unverified

All Verified!

09-verified-domain

AD Connect

Next you need to set-up Azure AD Connect on one of your domain controllers.  Head over to the following site:

https://www.microsoft.com/en-us/download/details.aspx?id=47594

Download and install the AD Connect software.

NOTE:

I am not going to run you through the options around AD Connect as there are many different ways in which you can deploy this.  In this instance I opted to use ADFS and pointed Azure AD Connect to the existing ADFS service I built in previous posts.  The wizard to set this up is very straightforward – you will just need service accounts and the details of your on-premises ADFS service.

Once installed open up Azure AD Connect

10-ad-connect

Click on Current Settings and you will see your current AD Connect settings

11-sync-1

What’s being synchronised

12-sync-2

Finally your ADFS Sync details

13-sync-adfs

Switch back to your Azure Portal and you will see the integration with Active Directory is all up and running

14-integrated

If you switch to your users tab you will see the Admin user you originally set up

15-admin-account

as well as your synchronized local Active Directory user accounts

16-local-ad-accounts

Whilst in the Azure portal you will need to add your local admin account to the Azure subscription as a co-admin

Head over to settings

17-settings

Click on Users/Access and add your local domain account to the subscription as an administrator

18-co-admin

Test Azure AD and Local ADFS Setup

Next you will need to enable ADFS to use forms authentication locally on the intranet to allow Citrix Studio to add the hosting location

Open up the ADFS Management Console

01-adfs

If you check under Relying Parties you will see that the AD Connect wizard has added a relying party for Microsoft Online

02-added-ms-relying-party

Let's test logging into Office 365 as a local domain user.  Open up the Office 365 login page and log in as a local domain user (david.brett@bretty.me.uk in my case)

03-test-login

Note that I have been redirected to my local ADFS Service for authentication

04-logged-in

Once logged in, Azure MFA is prompting for credentials as I am logging in from an external machine

05-2fa

All done – authentication is working as expected

06-logged-in

Back in the ADFS Management Console, open up Authentication Methods and enable Forms Authentication for the intranet location

09-enable-forms-internally
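The same setting can be applied from PowerShell on an ADFS server, which is handy on a farm with several nodes. This is an added example, not code from the post; it assumes the ADFS module that ships with the role and keeps whatever intranet providers are already enabled (typically Windows Authentication) rather than replacing them.

```powershell
# Added example: enable forms-based authentication for intranet sign-ins on the
# ADFS farm, preserving the providers already in the list, then confirm the change.
Import-Module ADFS

$Policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers before: $($Policy.PrimaryIntranetAuthenticationProvider -join ', ')"

$Providers = @($Policy.PrimaryIntranetAuthenticationProvider)
if ($Providers -notcontains 'FormsAuthentication') {
    $Providers += 'FormsAuthentication'
    # Only the intranet list is changed; extranet users keep their existing settings
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $Providers
}

$After = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers after:  $($After.PrimaryIntranetAuthenticationProvider -join ', ')"
```

Without forms authentication on the intranet, a machine inside the network is offered only integrated Windows authentication, which is why the Studio add-connection dialog needs this change before it can complete the Azure sign-in.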

That’s it for ADFS – you now need to set up the Azure Service Principal ready to connect to from Citrix Studio.

Microsoft Azure Service Principal

NOTE: All commands will be listed in this format

Open up a PowerShell prompt as an administrator from a machine on your local network

To install the Azure RM PowerShell commands

Install-Module AzureRM

01-install-azurerm

Log into your Azure Account

Login-AzureRmAccount

02-login

When prompted log in with your Subscription Admin details

03-prompt-for-signin

All logged in!

04-logged-in

List all your available subscriptions in Azure

Get-AzureRmSubscription

05-get-subs

Select the subscription you want to connect to from Citrix Studio

Select-AzureRmSubscription -SubscriptionId YOURSUBIDGUID

06-select-subscription

Set up the 4 variables you will need for the Service Principal

$SubscriptionId = "YOUR-SUB-ID"
$AADUser = "YOUR CO-ADMIN USER ACCOUNT ADDED EARLIER"
$ApplicationName = "XenDesktopConnect"   # can be any name without spaces
$ApplicationPassword = "MAKE-UP-A-SECURE-PASSWORD"

07-setup-variables

Create your Azure AD Application

$AzureADApplication = New-AzureRmADApplication -DisplayName $ApplicationName -HomePage "https://localhost/$ApplicationName" -IdentifierUris "https://$ApplicationName" -Password $ApplicationPassword

08-create-application

Create your Service Principal

New-AzureRmADServicePrincipal -ApplicationId $AzureADApplication.ApplicationId

09-create-service-principle

Assign the role to the SP

New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureADApplication.ApplicationId -Scope /subscriptions/$SubscriptionId

10-role-assignment
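Putting the steps above together, here is a single script that creates the application, service principal and role assignment and then proves the credentials work before they go into Citrix Studio. It is an added example, not the post's own script: the subscription ID and names are placeholders, the password is read at the prompt rather than left in the console history, and it assumes an AzureRM version whose New-AzureRmADApplication -Password parameter accepts a plain string, as the post's command does.

```powershell
# Added example: create the Azure AD application, service principal and role
# assignment the post describes, then verify the assignment and test a sign-in
# with exactly the values Citrix Studio will ask for.
$SubscriptionId      = "00000000-0000-0000-0000-000000000000"   # placeholder; take it from Get-AzureRmSubscription
$ApplicationName     = "XenDesktopConnect"                       # any name without spaces
$ApplicationPassword = Read-Host -Prompt "Application password"  # keeps the secret out of the transcript/history

Login-AzureRmAccount                                             # interactive sign-in as the co-admin
Select-AzureRmSubscription -SubscriptionId $SubscriptionId
$TenantId = (Get-AzureRmSubscription -SubscriptionId $SubscriptionId).TenantId

$App = New-AzureRmADApplication -DisplayName $ApplicationName `
        -HomePage "https://localhost/$ApplicationName" `
        -IdentifierUris "https://$ApplicationName" `
        -Password $ApplicationPassword
$Sp  = New-AzureRmADServicePrincipal -ApplicationId $App.ApplicationId

# Subscription scope, as in the post. If every resource Studio will touch lives in one
# resource group, "/subscriptions/$SubscriptionId/resourceGroups/<name>" is a tighter scope.
$Scope = "/subscriptions/$SubscriptionId"

# A freshly created service principal can take a moment to replicate; retry the
# assignment a few times instead of failing on the first PrincipalNotFound error.
$Assignment = $null
for ($i = 0; $i -lt 6 -and -not $Assignment; $i++) {
    try {
        $Assignment = New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
                        -ServicePrincipalName $App.ApplicationId -Scope $Scope
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $Assignment) { throw "Role assignment for $($App.ApplicationId) did not succeed" }

# Check what the principal can actually do
Get-AzureRmRoleAssignment -ServicePrincipalName $App.ApplicationId |
    Format-Table RoleDefinitionName, Scope -AutoSize

# Test the credentials the same way Studio will use them: application ID + password in the tenant
$SecurePassword = ConvertTo-SecureString $ApplicationPassword -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ($App.ApplicationId.ToString(), $SecurePassword)
Login-AzureRmAccount -ServicePrincipal -TenantId $TenantId -Credential $Cred
Get-AzureRmResourceGroup | Select-Object ResourceGroupName        # should list the groups Studio will browse

# The four values Studio's "Add Connection" dialog asks for
"Subscription ID    : $SubscriptionId"
"Active Directory ID: $TenantId"
"Application ID     : $($App.ApplicationId)"
"Application secret : (the password you entered)"
```

The service-principal login at the end is the useful part: if it lists your resource groups, the failure you might later see in Studio is a Studio or ADFS problem rather than a credential one, and the tenant ID it prints is the same Directory ID the post later retrieves from the Azure AD Connect configuration screen.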

So, let's jump over to Citrix Studio and see what's required to add a new hosting connection to Azure RM

11-whats-required

Type the following to list your subscriptions and make a note of the subscription ID

Get-AzureRmSubscription

12-subscription-details

Type the following to get your application ID

$AzureADApplication.ApplicationID

13-application-id

Switch back to your domain controller and open up Azure AD Connect

14-azure-ad-connect

Click on View Current Configuration

15-view-current

You will see your Azure Directory ID listed there

16-ad-details

Add Connection in Citrix Studio

So, it's finally time to add the hosting connection in Citrix Studio and start to create some resources

Open up Citrix Studio and select hosting – click to create a new hosting connection.

Put in the subscription ID you got earlier, give your subscription a description and then click on Use Existing

01-new-connection

Your Subscription ID will be filled out automatically

02-use-existing

Enter all the other details you got in the prior steps

03-details-filled-out

Select the region you want the machines to be hosted in (you will have to have set up networking and storage in this region)

04-region

Select the network you want the provisioned machines to use

05-network

Click Finish

06-finish

Build a Machine Catalog

To build a machine catalog you will need a VM built in Azure with the VDA installed, and it has to be powered off

07-template

Select to create a new machine catalog and select the Server or Desktop OS as appropriate.  When prompted select your new hosting connection

08-create-catalog

Browse to the resource group, storage location and VHD, and select the image you created to use as a template

09-vhd-file

Finish the wizard and let Azure create the catalog for you

10-created

You can see in the details at the bottom that it is an Azure hosted MCS Catalog

11-mc-details

That's it, all you need to know to set up and configure an Azure RM hosting connection in Studio manually.

Laters,

b@m
