I have long been an advocate of fronting everything with a NetScaler. It is an excellent way to secure the perimeter of your network, and with Unified Gateway it greatly simplifies your inbound firewall rules. Also, for those of us who have a lab and only one external IP, it is a great way to present multiple public services on a single IP address.
My network uses LDAPS and Azure MFA to secure access to my Apps and Desktops, but I have always wanted to look into ADFS and the authentication options it opens up with Citrix NetScaler Unified Gateway.
In this post series I will walk you through setting up ADFS for use with your NetScaler Unified Gateway, integrating it with Azure MFA and providing context-aware authentication to your Gateway and in turn to your Apps and Desktops.
I was going to write this as a single post, but while putting together the screenshots for the ADFS part alone I realised it would be far too long for one post. I have therefore decided to write this as a series, in the following order:
- Setting Up ADFS and Internal Access
- Setting Up Citrix FAS and StoreFront
- Configuring NetScaler SAML Authentication and ADFS Proxy
- Setting up Azure MFA
- Configuring Context Aware Authentication
- Making it look good!
I have used a number of resources to assist with bringing all of this together and I will reference and link to them during the posts.
The assumptions are:
- You will need an external URL for the ADFS service that points at your publicly reachable Unified Gateway (the NetScaler will proxy ADFS in a later part of the series). In my case I am going to use sts.bretty.me.uk
- You will also need a public certificate on the NetScaler that is valid for this FQDN.
- You have a Windows Server 2012 R2 server built and ready to host the ADFS role.
- You have an existing Unified Gateway running. In my case I have https://ug.bretty.me.uk up and running.
So, let’s get going with Part 1. ADFS
Start up Server Manager on your ADFS server and select to install the ADFS role
Continue with the wizard until it shows what it is going to install, and confirm that
Check the box to allow the server to restart if required
Once ADFS is installed you will have to do some post-configuration; you can see this from the icon below showing in Server Manager
Click that and click to Configure the federation service
Click Next on the Welcome Screen
Select a Domain Admin account to use for the ADFS configuration. This credential is only used by the wizard to create the farm objects in AD; it is not what the service runs as.
Specify the service properties. This is the first stage of the deployment where you need to think about external access to ADFS. Make sure the certificate you import here is valid for the EXTERNAL FQDN of your ADFS service, because that single name is what both internal and external clients will connect to. In my case I am using sts.bretty.me.uk
Set the Federation Service Name to the same value as your external FQDN. Get this right first time: the service name is baked into the federation metadata and into the issuer value of every token, and changing it later means re-running the farm configuration.
Give it a display name. This is not so important, as it is just the text shown to the user on the login page, and we will be changing it later on
Specify the service account that ADFS uses to communicate with Active Directory. The account does not need to be a Domain Admin: a group managed service account (gMSA), which the wizard offers on 2012 R2, or an ordinary user account is sufficient, and a compromised ADFS host then does not hand the attacker Domain Admin. You can be more specific with the service account rights, but in this lab I am taking the shortcut of using a member of Domain Admins
Select a database type for ADFS. As this is just running in my lab I am going to use the built-in Windows Internal Database (WID). WID is supported in production for small farms, but SQL Server is needed for larger farms and for features such as token replay detection
Review the options
Allow the Pre Reqs to check and pass
Click on configure and let the wizard configure your ADFS Service for you. Once it is finished open up the AD FS Management Tool
Expand AD FS – Service – Certificates
Here you will see the SSL certificate and two self-signed certificates that the wizard generated for Token-decrypting and Token-signing. I am going to replace these with my own certificates. Whatever you use here is what the NetScaler will later be given to verify the assertions ADFS signs, and the token-signing private key is all an attacker needs to mint an assertion for any user, so protect it at least as well as the SSL private key
On the right you can click to add a new token-signing or token-decrypting certificate. You may get an error saying that certificates cannot be modified while the automatic certificate rollover feature is enabled
If you do, open PowerShell as an administrator and run the command it lists (Set-AdfsProperties -AutoCertificateRollover $false). With rollover off, ADFS will no longer renew these certificates itself, so make a note of their expiry dates
Then click again to import/select the token signing certificate and select your public certificate
Then click again to import/select the token decrypting certificate and select your public certificate
Click on each of the newly imported certificates and select Set as Primary on the right, then restart the AD FS service so that it starts signing with the new certificate
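The same build as the wizard steps above, scripted, as an added example that is not part of the original post. It uses a gMSA rather than a Domain Admin for the service account, which the post mentions but does not do, and it includes the rollover command the GUI error refers to. The gMSA name, the NetBIOS domain BRETTY, the ADFS host name and the certificate thumbprint are assumptions; the FQDN is the post's. As in the post, the public SSL certificate is reused for token signing and decrypting, so the two private keys are one and the same.

```powershell
# Added example, not code from the original post. Steps 1, 3 and 4 run on the
# ADFS server; step 2 runs on a domain controller. All names below are assumed.
$FederationServiceName = 'sts.bretty.me.uk'     # external ADFS FQDN, per the post
$DisplayName           = 'bretty.me.uk Login'   # placeholder, changed later in the series
$SslThumbprint         = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed: cert already in LocalMachine\My
$AdfsHost              = 'ADFS01$'              # assumed: computer account of the ADFS server
$GmsaName              = 'gmsa-adfs'            # assumed

# 1. Install the role.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Least-privilege service account (run on a DC with the AD module). The KDS
#    root key is created once per forest; the EffectiveTime backdate lets a lab
#    use it immediately instead of waiting the usual 10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}
New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.bretty.me.uk" `
    -PrincipalsAllowedToRetrieveManagedPassword $AdfsHost

# 3. Create the farm. The Domain Admin credential is used only for this one-off
#    configuration; the service itself runs as the gMSA.
Install-AdfsFarm -CertificateThumbprint $SslThumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName $DisplayName `
    -GroupServiceAccountIdentifier "BRETTY\$GmsaName`$" `
    -Credential (Get-Credential -Message 'Domain Admin for ADFS configuration')

# 4. Replace the auto-generated token certificates. Adding your own is refused
#    while automatic rollover is on; once it is off, renewal is your job.
Set-AdfsProperties -AutoCertificateRollover $false
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Add-AdfsCertificate -CertificateType $type -Thumbprint $SslThumbprint
    Set-AdfsCertificate -CertificateType $type -Thumbprint $SslThumbprint -IsPrimary
}
Restart-Service adfssrv

# Check: the primary token-signing certificate is the one you expect, because
# its thumbprint is what the NetScaler SAML action will be told to trust.
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary | Select-Object Thumbprint, Subject, NotAfter
```

The old self-signed certificates remain in the store as secondaries; remove them with Remove-AdfsCertificate once the NetScaler side is confirmed working, so that only one signing key is ever advertised in the federation metadata.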
Next Expand AD FS – Trust Relationships – Relying Party Trusts
You need to add a trust so that ADFS knows about the NetScaler Unified Gateway that will be sending it authentication requests. Right-click and select Add Relying Party Trust
Click Next and select to enter data about the relying party manually
Give your relying party a name and description
Select AD FS profile and click next
Click on next without importing a certificate
Tick Enable support for the SAML 2.0 WebSSO protocol and enter the Gateway's assertion consumer URL in the textbox. This is where ADFS will POST the signed SAML response after the user has authenticated:
https://YOUR_UNIFIED_GATEWAY_FQDN/cgi/samlauth – eg: https://ug.bretty.me.uk/cgi/samlauth
Click Next and add the relying party trust identifiers.
NOTE: These matter. The value the NetScaler sends as the SAML Issuer must match one of these identifiers exactly, so remember what you add here; you will need it again for the NetScaler SAML policy configuration later in this series
Click Next and select not to configure MFA at this time; we will configure it later in the series
Select Permit all users. Again, you would lock this down more in production (for example to an AD group), but for the lab this setting is fine
Click Next without reviewing the settings; we will check them in a moment
Untick the option to open the Edit Claim Rules dialog and click Close
You will now see your Relying Party Trust listed. We need to check that the options are all correct, so right-click your new trust and open its properties
On Identifiers, check that your Unified Gateway is listed. I added both https://ug.bretty.me.uk and the bare FQDN ug.bretty.me.uk so that whichever form the NetScaler sends as the Issuer is matched
Select Encryption and make sure there is no certificate listed here; if there is, remove it, otherwise ADFS will encrypt the assertion and the Gateway, which expects a signed but unencrypted assertion, will not be able to read it
Select Signature and you will notice there is no certificate there yet. This is the certificate ADFS uses to verify the signature on the NetScaler's SAML authentication requests, so it must be the one the NetScaler will sign with
Click Add and select that certificate. In my case it is the public certificate for the external ADFS URL, and the same certificate will be set as the signing certificate on the NetScaler SAML action later in the series
Select Advanced and ensure the secure hash algorithm is SHA-256. SHA-1 is deprecated, and the NetScaler side must be set to match
Select Endpoints and make sure the SAML assertion consumer endpoint you added earlier is listed
Click Add SAML to add an endpoint for the logout action
Select SAML Logout, binding POST, and enter the following URL:
https://YOUR_EXTERNAL_ADFS_FQDN/logout.jsp – eg: https://sts.bretty.me.uk/logout.jsp
Click OK and OK again to close the relying party properties. Now you need to add the claim rules, which define what ADFS puts into the assertion it sends back to the NetScaler. Right-click the relying party and click Edit Claim Rules
Click to Add the first rule
Select Send LDAP Attributes as Claims and click Next
Give it a name, select Active Directory as the Attribute Store, and map User-Principal-Name on the left to Name ID on the right (shown below). The Name ID is the value the NetScaler will take as the logged-in user
Click Finish then click to add another rule
Select Send Claims using a custom rule and click next
Give it a name and paste the following as the custom rule
=> issue(Type = "logoutURL", Value = "https://YOUR_EXTERNAL_ADFS_FQDN/adfs/ls/", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
Replace YOUR_EXTERNAL_ADFS_FQDN with your own external FQDN – eg: sts.bretty.me.uk
Click Finish and you will see your two claim rules listed
Click OK and you will see your configured Relying Party listed
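The relying party trust and both claim rules above, scripted as an added example that is not part of the original post. Rule 1 is the rule that the Send LDAP Attributes as Claims template generates for the User-Principal-Name to Name ID mapping; rule 2 is the custom logoutURL rule from the post; the authorization rule is the wizard's Permit all users. The FQDNs are the post's; the trust name and the thumbprint of the certificate the NetScaler signs its requests with are assumptions.

```powershell
# Added example, not code from the original post. Run on the ADFS server.
$GatewayFqdn = 'ug.bretty.me.uk'    # per the post
$AdfsFqdn    = 'sts.bretty.me.uk'   # per the post
$TrustName   = 'NetScaler Unified Gateway'   # assumed
# Certificate the NetScaler will use to sign its SAML AuthnRequests (assumed thumbprint).
$RpSigningCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq '0123456789ABCDEF0123456789ABCDEF01234567'

# Endpoints: the Gateway's assertion consumer (where ADFS POSTs the SAML
# response) and the logout endpoint the post configures.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "https://$GatewayFqdn/cgi/samlauth" -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
        -Uri "https://$AdfsFqdn/logout.jsp"
)

# Claim rules in ADFS claim rule language.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "logoutURL"
 => issue(Type = "logoutURL", Value = "https://$AdfsFqdn/adfs/ls/", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
"@

# "Permit all users", as in the wizard. Tighten to a group in production.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier @("https://$GatewayFqdn", $GatewayFqdn) `
    -SamlEndpoint $endpoints `
    -RequestSigningCertificate $RpSigningCert `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check against the checklist in the post: both identifiers present, no
# encryption certificate, SHA-256, and both SAML endpoints listed.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp | Select-Object Identifier, SignatureAlgorithm, EncryptionCertificate
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```

No -EncryptionCertificate is passed on purpose: that is the equivalent of the empty Encryption tab, and adding one later would make ADFS encrypt assertions the Gateway cannot read.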
Internal access to the ADFS service is required so that internal users get the context-aware login experience (domain-joined clients on the LAN talk to ADFS directly rather than through the NetScaler). If I ping my ADFS server it resolves to 192.168.0.94
I need sts.bretty.me.uk to resolve to this address internally, while externally it will continue to resolve to the NetScaler
Open up DNS Management and add a new forward lookup zone named exactly sts.bretty.me.uk, then add a blank (same-as-parent) host record in it with the IP address of your ADFS server. Naming the zone after the single host means only that name is overridden and nothing else under bretty.me.uk is affected
Open up a browser and navigate to the URL (https://sts.bretty.me.uk/adfs/ls/IdpInitiatedSignOn.aspx) and you should see your ADFS login screen shown below. This page is enabled by default on 2012 R2; on ADFS 2016 and later it is off until you run Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
That's it, ADFS is up and running and we can start to think about the other moving parts in this blog series. In the next part I will talk about the Citrix FAS service and setting that up ready for ADFS and XenDesktop.
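The split-brain DNS zone above and the checks worth running before moving on to Part 2, as an added example that is not part of the original post. The zone is created on a domain controller (or any host with the DnsServer module); the checks run from a domain-joined client. The FQDN and IP are the post's; the expected signing thumbprint is an assumption, standing in for whatever you set as the primary token-signing certificate earlier.

```powershell
# Added example, not code from the original post.
$AdfsFqdn = 'sts.bretty.me.uk'   # per the post
$AdfsIp   = '192.168.0.94'       # internal address of the ADFS server, per the post
$ExpectedSigningThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed

# Zone named after the single host, with a blank (same-as-parent) A record,
# so only this name is overridden internally.
Add-DnsServerPrimaryZone -Name $AdfsFqdn -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $AdfsFqdn -Name '@' -IPv4Address $AdfsIp

# Check 1: internal resolution lands on the ADFS server, not the public IP.
$answer = Resolve-DnsName -Name $AdfsFqdn -Type A
if ($answer.IPAddress -notcontains $AdfsIp) {
    throw "$AdfsFqdn still resolves to $($answer.IPAddress -join ', ')"
}

# Check 2: the service answers on that name (the TLS handshake fails here if the
# certificate does not match the FQDN) and its federation metadata advertises
# the token-signing certificate you set as primary. Clients only trust
# assertions signed by a key listed here, so a stale key means broken logins.
$metadataUrl = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$signingThumbprints = $metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object use -eq 'signing' |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$raw)
        $cert.Thumbprint
    }
if ($signingThumbprints -notcontains $ExpectedSigningThumbprint) {
    throw "Metadata advertises $($signingThumbprints -join ', '), not the expected signing certificate"
}
"Signing certificate(s) in metadata: $($signingThumbprints -join ', ')"

# Check 3: the IdP-initiated sign-on page the post uses as its smoke test.
Start-Process "https://$AdfsFqdn/adfs/ls/IdpInitiatedSignOn.aspx"
```

If check 2 lists two signing thumbprints, the old self-signed certificate is still in the store as a secondary; that is harmless for the NetScaler but worth cleaning up so only the key you intend to protect is ever published.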
Once you have this all set up you can move onto Part 2 – Setting up Citrix FAS and StoreFront