Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 5

Previous Articles in this series

Part 1 – ADFS

Part 2 – Citrix FAS and StoreFront

Part 3 – NetScaler Unified Gateway and NetScaler ADFS Proxy

Part 4 – Integrating Microsoft Azure MFA

In Part 5 – Providing Context Aware Logins, I will set up single sign-on and single-factor authentication for internal use, while still requiring multi-factor authentication for access to the systems from outside my network. Combined with DNS records for ug.bretty.me.uk and sts.bretty.me.uk resolving both internally and externally, this should give you a nice experience: SSO when logging into my Unified Gateway internally, while still asking for 2FA externally.

First open up the ADFS Management Console – and re-open the Multi Factor Authentication Policy

01-2fa-auth

Disable MFA for Intranet Users

02-disable-internal
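The same policy change can be scripted instead of clicking through the ADFS console. The following is an added example (not from the original post): it sets the ADFS additional authentication rule so that only requests that did not arrive from inside the corporate network are required to perform MFA, which is what unticking "Intranet" and leaving "Extranet" ticked produces. It assumes it is run on the primary ADFS server with the ADFS cmdlets available.

```powershell
# Added example, not part of the original post. Assumes the ADFS PowerShell
# module is available and that this runs on the primary ADFS server.
Import-Module ADFS

# Claim rule: sessions whose "insidecorporatenetwork" claim is false (they came
# in through the ADFS proxy / NetScaler ADFS proxy) must perform additional
# authentication. Internal sessions match no rule and get single factor.
$extranetOnlyMfa = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetOnlyMfa

# Verify what ADFS now holds as its global additional authentication rule.
Get-AdfsAdditionalAuthenticationRule
```

One caveat worth checking before relying on this: ADFS derives the insidecorporatenetwork claim from whether the request reached it via the proxy, so the internal ADFS server must only be reachable directly from the internal network. If an external path can hit the ADFS server without going through the proxy, those logins would be treated as internal and skip the second factor.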

The issue: when logging on to the service internally it no longer asks you for a second factor, but it still prompts for credentials even though you are logged into the machine as a valid domain user. This is by no means ideal and not a good user experience.

03-the-problem

To see how to resolve this, open up Internet Options

04-the-solution

Add the Unified Gateway and the ADFS External domain names to the intranet zone

05-solution-pt-2

and set automatic login to this zone.

06-solution-pt-3

Doing this by hand on each and every machine in the domain is not viable, so to roll it out I will use Group Policy. You could use another tool here such as AppSense EM or RES, but in this case a GPO will do me fine.

Create a new Group Policy and open up the following location

Computer Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page

Then open up the Site to Zone Assignment List

07-site-to-zone-assignment

Add the EXTERNAL domain names for both your Unified Gateway and ADFS service and force them into Zone 1 – the Intranet Zone

08-add-sites

Next open up the following

Computer Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Intranet Zone

Then open up Logon Options

09-intranet-zone

Enable this and set it to Automatic logon with current user name and password

10-auto-login

Once created you should have the following settings in GPO

11-gpo-configured

Link this GPO to the domain machines that will use your Unified Gateway internally, then open an Admin Command Prompt and update Group Policy

12-update-successfull

If you check the same options on the domain-joined machine you can now see they are set correctly

13-sso-enabled

14-sites-added-to-intranet
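The whole GPO procedure above (Site to Zone Assignment List, Intranet Zone logon option, linking, then checking the client) can also be done with the GroupPolicy module. This is an added example and not code from the original post; the GPO name and the OU distinguished name are assumptions, and the registry locations are the ones the two IE policies write to under the Policies hive.

```powershell
# Added example, not part of the original post. Assumes the RSAT GroupPolicy
# module on a management host; GPO name and OU DN below are assumed values.
Import-Module GroupPolicy

$gpoName  = 'IE Intranet Zone - Unified Gateway SSO'    # assumed GPO name
$targetOU = 'OU=Workstations,DC=bretty,DC=me,DC=uk'      # assumed OU DN
# Only the exact external hostnames from the post go into the Intranet zone:
# automatic logon sends the user's Windows credentials to every host in it.
$sites    = @('https://ug.bretty.me.uk', 'https://sts.bretty.me.uk')

$ieBase = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# "Site to Zone Assignment List" = Enabled. The enable flag lives under ZoneMap;
# each host-to-zone entry is a REG_SZ under ZoneMapKey (name = URL, data = zone).
Set-GPRegistryValue -Name $gpoName -Key "$ieBase\ZoneMap" `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
foreach ($site in $sites) {
    # Zone 1 = Local intranet
    Set-GPRegistryValue -Name $gpoName -Key "$ieBase\ZoneMapKey" `
        -ValueName $site -Type String -Value '1' | Out-Null
}

# Intranet Zone -> "Logon options" = Enabled. Value 1A00 = 0 selects
# "Automatic logon with current user name and password".
Set-GPRegistryValue -Name $gpoName -Key "$ieBase\Zones\1" `
    -ValueName '1A00' -Type DWord -Value 0 | Out-Null

New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# ---- Check on a domain-joined client after "gpupdate /force" ----
function Test-IntranetSsoPolicy {
    param([string[]]$ExpectedSites)
    $polBase = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ok = $true
    foreach ($site in $ExpectedSites) {
        try   { $zone = Get-ItemPropertyValue -Path "$polBase\ZoneMapKey" -Name $site }
        catch { $zone = $null }
        if ($zone -ne '1') { Write-Warning "$site is not mapped to the Intranet zone"; $ok = $false }
    }
    try   { $logon = Get-ItemPropertyValue -Path "$polBase\Zones\1" -Name '1A00' }
    catch { $logon = $null }
    if ($logon -ne 0) { Write-Warning "Intranet zone logon option is not automatic logon"; $ok = $false }
    return $ok
}

# Returns $true when both policies have applied to this machine.
Test-IntranetSsoPolicy -ExpectedSites $sites
```

Run the `Test-IntranetSsoPolicy` part on a client to get the same answer as the screenshots above without opening Internet Options. Keep the site list to the two hostnames: a wildcard or a whole domain in Zone 1 widens the set of servers that receive automatic Windows logons, which is the opposite of what this step is for.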

If you now go to your Unified Gateway URL internally it will hand you off to ADFS, Single Sign you onto the service without the need for a second factor and hand you back to the NetScaler.  At this point FAS and StoreFront take over and SSO you to your apps and desktops.

15-sso-enabled

Externally of course you will still be prompted for a second factor

46-external

47-external-2fa

48-external-working

That's it!

Next we will take a look at making it all look good!

Part 6 – Making It Look Good

Laters,

b@m
