Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 1


I have long been an advocate of fronting everything with a NetScaler. I think it is an excellent way to secure the perimeter of your network, and with Unified Gateway it is a great way to simplify inbound firewall rules. Also, for those of us who have a lab and only one external IP, it is a great way to present multiple public services on a single IP address.

My network uses LDAPS and Azure MFA to secure access to my Apps and Desktops but I have always wanted to look into ADFS and the options around authentication using that and Citrix NetScaler Unified Gateway.

In this post series I will walk you through setting up ADFS for use with your NetScaler Unified Gateway, integrating this with Azure MFA and providing context aware authentication to your Gateway and in turn your Apps and Desktops.

I was going to write this as a single post, but while putting together the screenshots for the ADFS part alone I realised that it would be far too long for a single post.  I have therefore decided to write this as a series.  This will be the intended order:

  • Setting Up ADFS and Internal Access
  • Setting Up Citrix FAS and StoreFront
  • Configuring NetScaler SAML Authentication and ADFS Proxy
  • Setting up Azure MFA
  • Configuring Context Aware Authentication
  • Making it look good!

I have used a number of resources to assist with bringing all of this together and I will reference and link to them during the posts.

The assumptions are:

  • You will need an external URL pointing to your publicly available Unified Gateway. In my case I am going to use sts.bretty.me.uk
  • You will also need a public certificate on the NetScaler capable of handling this FQDN.
  • You have a Windows Server 2012 R2 Server built and ready to host the ADFS Role.
  • You have an existing Unified Gateway running.  In my case I have https://ug.bretty.me.uk up and running.

So, let’s get going with Part 1: ADFS

Start up Server Manager from your ADFS Server and select to install the ADFS Role


Continue with the wizard until it shows you what it’s going to install, and confirm that


Check to allow the server to restart if required


Once ADFS is installed you will have to do some post-installation configuration – you can see this by the icon shown below in Server Manager


Click that and click to Configure the federation service


Click Next on the Welcome Screen


Select a Domain Admin account to use for the ADFS configuration


Specify the service properties. This is the first stage of the deployment where you need to be aware of the external access to ADFS.  Make sure the certificate you import here is capable of securing SSL traffic on the EXTERNAL FQDN for your ADFS service.  In my case I am using sts.bretty.me.uk

Set the federation service name to the same value as your external FQDN

Give it a display name – this is not so important as this is just the text that will be displayed to the user on the login page and we will be changing this later on


Specify a service account in Domain Admins that ADFS uses to communicate with Active Directory.   You can be more specific with the service account rights, but in this case I am just using the Domain Admins group


Select a database type for ADFS.  Again, as this is just running in my lab I am going to use the built-in database; however, in production you would want to use SQL


Review the options


Allow the prerequisite checks to run and pass


Click on configure and let the wizard configure your ADFS Service for you.  Once it is finished open up the AD FS Management Tool


Expand AD FS – Service – Certificates


Here you will see the public certificate and two internal certificates auto-generated by the ADFS wizard for Token-decrypting and Token-signing.  I am going to replace these with my own certificates


On the right you can click to add a new token signing or decrypting certificate.  You may get this error message


If you do, open up PowerShell as an administrator and run the command listed in the error message


Then click again to import/select the token signing certificate and select your public certificate


Then click again to import/select the token decrypting certificate and select your public certificate


Click on each of the new imported certificates and select to Set as Primary on the right


Next Expand AD FS – Trust Relationships – Relying Party Trusts


You need to add a trust to let ADFS know about the NetScaler Unified Gateway that will be passing over authentication requests.  Right click and select to add a new Relying Party Trust


Click on next and select “Manually” for setting up the Relying Party


Give your party a name and description


Select AD FS profile and click next


Click on next without importing a certificate


Check the box for Enable support for the SAML 2.0 WebSSO protocol and enter the following in the URL textbox

https://YOUR_UNIFIED_GATEWAY_FQDN/cgi/samlauth – eg: https://ug.bretty.me.uk/cgi/samlauth


Click Next and add the trust identifiers.

NOTE: This is important and you will have to remember the identifiers you add here as these will be needed for the NetScaler SAML Policy configuration later in this blog post series


Click next and select NO for MFA – we will be configuring this eventually but at a later time


Select to Permit all users – again you would lock this down more in production but in this case this setting should be fine


Click next without reviewing the settings – we will do this later in this post


Take the tick out of the Add Claims option and click Close


You will now see your Relying Party Trust listed.  We need to check that the options in it are all correct, so right click your new trust and click Edit

On Identifiers, check that your Unified Gateway is listed there.  I put in both the https:// form and the bare FQDN just to be sure that the NetScaler passes over the right ID


Select Encryption and make sure there is no certificate listed here – if there is then remove it


Select Signature and you will notice there is no certificate there


Click on Add and select an X.509 certificate appropriate for the external URL for ADFS


Select Advanced and ensure that the Hash is SHA-256


Select Endpoints and make sure that the SSO endpoint you added earlier is listed there


Click on Add SAML to add an endpoint for the logout action.

Select SAML Logout and POST and enter the following URL:

https://YOUR_EXTERNAL_ADFS_FQDN/logout.jsp – eg: https://sts.bretty.me.uk/logout.jsp


Click on OK and OK again to close the Relying Party Identifier.  Now you need to add the claims for this relying party that the NetScaler will be passing over to ADFS.  Right click the relying party and click on Edit Claim Rules

Click to Add the first rule


Select Send LDAP Attributes as Claims and click Next


Give it a name, select Active Directory as the Attribute Store, and select User-Principal-Name on the left (LDAP attribute) and Name ID on the right (outgoing claim type), as shown below


Click Finish then click to add another rule


Select Send Claims using a custom rule and click next


Give it a name and paste the following as the custom rule

 => issue(Type = "logoutURL", Value = "https://YOUR_EXTERNAL_ADFS_FQDN/adfs/ls/", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

Replace YOUR_EXTERNAL_ADFS_FQDN with your own external FQDN – eg: sts.bretty.me.uk


Click Finish and you will see your 2 claims listed


Click ok and you will see your configured Relying Party listed


Internal access to the ADFS service will be required to ensure that there is a context aware login experience for the user.  If I ping my ADFS server it resolves to

I need sts.bretty.me.uk to resolve to this internally


Open up DNS Management, add a new forward lookup zone for sts.bretty.me.uk, and add a blank (same as parent folder) host (A) record with the IP address of your ADFS server


Open up a browser and navigate to the URL (https://sts.bretty.me.uk/adfs/ls/IdpInitiatedSignOn.aspx) and you should see your ADFS Login Screen shown below
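The same relying party trust, claim rules and internal DNS entries as the wizard steps above, scripted with the ADFS and DnsServer PowerShell modules. This is an added example, not from the original post; it assumes the public certificate for the external FQDN is already in the local machine store, that the DnsServer module (RSAT) is available where it runs, and that the ADFS server IP is a placeholder you replace.

```powershell
# Added example (not the post's own script). Run elevated on the ADFS server.
Import-Module ADFS
Import-Module DnsServer

$adfsFqdn = "sts.bretty.me.uk"   # external ADFS FQDN used in the post
$ugFqdn   = "ug.bretty.me.uk"    # Unified Gateway FQDN used in the post
$adfsIp   = "192.0.2.10"         # PLACEHOLDER: internal IP of your ADFS server

# Assumed to be the command the GUI error refers to: certificates cannot be
# changed while automatic rollover is enabled.
Set-AdfsProperties -AutoCertificateRollover $false

# Public certificate for the external FQDN (assumed present in LocalMachine\My).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$adfsFqdn*" } | Select-Object -First 1

# SAML endpoints: assertion consumer (SSO) on the NetScaler, logout on ADFS.
$sso    = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
              -Uri "https://$ugFqdn/cgi/samlauth" -Index 0
$logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
              -Uri "https://$adfsFqdn/logout.jsp"

# Issuance transform rules: UPN sent as Name ID, plus the custom logoutURL claim.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "logoutURL"
 => issue(Type = "logoutURL", Value = "https://$adfsFqdn/adfs/ls/", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
"@

# Permit all users, as in the post's lab setup; restrict this in production.
$authzRules = '@RuleTemplate = "AllowAllAuthzRule"' + "`n" +
    ' => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# No -EncryptionCertificate: the post leaves the Encryption tab empty.
Add-AdfsRelyingPartyTrust -Name "NetScaler Unified Gateway" `
    -Identifier @("https://$ugFqdn", $ugFqdn) `
    -SamlEndpoint @($sso, $logout) `
    -RequestSigningCertificate $cert `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Internal DNS: a zone for the external name with a blank A record for ADFS.
Add-DnsServerPrimaryZone -Name $adfsFqdn -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $adfsFqdn -Name "@" -IPv4Address $adfsIp
```

Afterwards, Get-AdfsRelyingPartyTrust -Name "NetScaler Unified Gateway" should show the two identifiers, both SAML endpoints, the signing certificate and SHA-256, matching what you verified in the GUI.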


That’s it, ADFS is up and running and we can start to think about the other moving parts in this blog series.  In the next part I will talk about the Citrix FAS service and setting that up ready for ADFS and XenDesktop.

Once you have this all set up you can move onto Part 2 – Setting up Citrix FAS and StoreFront