NetScaler, Citrix XenDesktop 7.9, Google Accounts and FAS for XenDesktop


Whilst attending Citrix Synergy this year and chatting to some of my colleagues I got involved in a conversation around using your Google or Gmail account to log into your Citrix Unified Gateway and then being able to launch your Apps and Desktops without having to sign into AD and just using your Google account.  This really sparked an interest with me so I decided to build it out in my lab.

I was shown this article by Eric from

and I have to say – it's great! It does, however, use XenApp 6.5 for Kerberos Constrained Delegation (KCD).  This was an issue for me as I don’t run XenApp 6.5 in my lab and didn’t really want to spin up a new environment just to test.

Welcome Federated Authentication Service for XenApp and XenDesktop!

With the release of XenDesktop 7.9 Citrix have introduced the ability to use federation with XenApp and XenDesktop.  If you want more information on it read this post

So, the purpose of this post is to walk you through the process of setting up XenDesktop 7.9 and Federated Authentication Services to allow access to your Apps and Desktops using your Google Account.

My Setup

I have added an additional URL for the specific purpose of giving to customers who wish to use Google to sign into my gateway.  The existing URL for regular access will remain the same.

  • – normal access to Unified Gateway
  • – Google account access to Unified Gateway

I am going to use content switching policies to define where the user goes based on URL, but more on that later.

Google Setup

The first thing you will need to do is set up a Google API to allow access to the Google OAuth system from your NetScaler.

Head over to and sign in with your Google account

Select Credentials and then create a new OAuth client ID

01 - create key

Select Web application, give it a name and enter the JavaScript Origin and redirect URLs as shown below.  NOTE: This will be the URL that you are going to give your users to access the Unified Gateway using their Google credentials

02 - web app create

Click create and Google will go ahead and create your new OAuth Client.  It will display the Client ID and Client Secret – copy these into a text file as you will need them later on!

03 - client id

The Google OAuth Policy on Citrix NetScaler

You will now need to instruct the NetScaler to authenticate you with the Google OAuth Services.  Log into your NetScaler and navigate to Security – AAA Application Traffic – Policies – Authentication – Basic Policies – OAuth

Click Add to insert a new policy

Give the policy a name, fill out your Client ID and Client Secret you saved earlier and enter the following information in the Authorization Endpoint, Token Endpoint and ID Token Decrypt Endpoint fields

Authorization Endpoint:

Token Endpoint:

ID Token Decrypt Endpoint:

Click ok to create the policy

04 - google server created

Next navigate to Security – AAA Application Traffic – Policies – Authentication – Advanced Policies – Policy and click add to insert your new policy

Give your policy a name, set the action type to OAUTH and select your new action from the drop down list.  For the expression, type in true

05 - google policy

The AAA vServer

Next you will need to bind your new policy to an AAA vServer for authentication.  This is where we will pass the incoming requests for for authentication, then hand them back to the NetScaler Unified Gateway from there.

Navigate to Security – AAA Application Traffic – Virtual Servers and Add a new Virtual Server

Give your Virtual Server a name, a free IP Address and assign the relevant certificate for the domain you are going to give your users (  Then add an Advanced Authentication Policy and select your new Google OAuth Policy.

07 - aaa vserver

06 - google oauth

We now need to create a Load Balancing vServer to act as a pass through for the Content Switch and AAA vServer.

The Load Balancing vServer

Navigate to Traffic Management – Load Balancing – Virtual Servers and click Add to configure your new Virtual Server.

Give your vServer a name and a free IP Address, assign the same certificate that you gave to your AAA vServer and bind it to an “Always Up” Service.  Essentially this is a service configured on the NetScaler that will not go down.  Just define a new service on the NetScaler to ping itself (

08 - vserver

You now need to add your Authentication vServer to the Load Balancing vServer.  Add Authentication from the options on the right-hand side of the screen and select form based authentication.

Fill out auth.h.1 as the Authentication FQDN, select Authentication Virtual Server from the drop down and select your AAA vServer from the list provided

09 - authentication policy

The final thing you will need to do is add a responder policy to the vServer to forward you to the vpn login page.  This is because after authentication from Google you will be passed back to the root of the vServer and you want to forward the user to the NetScaler Gateway with the AAA credentials for SSO.

Click Policies and click on Add.  Select Responder from the list, give the policy a name and click the + to add an action.

Give the action a name, the type will be Redirect and the expression will be the following:


Set the Response Status Code to 302 and click on OK.  This will take you back to the policy screen

For the policy Expression enter the following:


Click ok and that's it for the vServer.

Bind the vServer to the AAA vServer

Navigate to Security – AAA Application Traffic – Virtual Servers and open up your AAA vServer

Scroll down until you see Form Based Virtual Servers and ensure that your vServer is listed there.  If it is not, then bind it to the AAA vServer

10 - vserver bind

Content Switching Policies

At this stage you have your Google Authentication Provider set up, your AAA vServer and Load Balancing vServer set up and linked and your responder policy to forward your users to the NetScaler Gateway once authenticated.  You now need to set up your Content Switching Policies to direct the traffic the way you want.

This is what I am trying to achieve.

  • If a user types in then go straight to my NetScaler Gateway
  • If the url hitting the Content Switch contains any of the AAA Traffic, “/cvpn” in the URL or “/citrix” in the URL then direct them to the NetScaler Gateway
  • If a user types in then go to my Load Balanced vServer (AAA Auth vServer is attached to this – and will redirect to Google for authentication)

I am going to achieve this by using 2 Content Switching policies and a Default vServer on the Content Switch.
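The routing goals listed above can be checked before anything is bound. The following is an added example, not code from the original post: a small Python model of the content-switching decision, using constructed placeholder hostnames (`gateway.example.com`, `google.example.com`) and assuming the URL match is a case-insensitive substring test over path and query string.

```python
from urllib.parse import urlsplit

# Constructed placeholder hostnames; the post's real URLs are not shown on this page.
GATEWAY_HOST = "gateway.example.com"   # normal Unified Gateway access
GOOGLE_HOST = "google.example.com"     # Google account access

# Substrings the post sends to the NetScaler Gateway (its AAA-traffic match is
# not reproduced on this page, so it is left out of this model).
GATEWAY_MARKERS = ("/cvpn", "/citrix")

GATEWAY = "NetScaler Gateway"
DEFAULT_LB = "Load Balancing vServer (AAA / Google OAuth)"


def route(url: str) -> str:
    """Return the target the content switch would pick for `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Assumption: the URL match sees path plus query string, case-insensitively.
    target = parts.path + ("?" + parts.query if parts.query else "")
    target = target.lower()
    # Priority-100 policy: normal hostname, or a gateway marker in the URL.
    if host == GATEWAY_HOST or any(m in target for m in GATEWAY_MARKERS):
        return GATEWAY
    # No policy matched: fall through to the default vServer.
    return DEFAULT_LB


def check(cases):
    """Return the (url, expected, actual) triples that disagree."""
    return [(u, want, route(u)) for u, want in cases if route(u) != want]


# Constructed requests covering the three goals listed in the post.
CASES = [
    ("https://gateway.example.com/", GATEWAY),
    ("https://google.example.com/", DEFAULT_LB),
    ("https://google.example.com/cvpn/portal", GATEWAY),
    ("https://google.example.com/Citrix/StoreWeb/", GATEWAY),
    # A marker inside the query string also matches a "contains" rule.
    ("https://google.example.com/?next=/citrix", GATEWAY),
]

if __name__ == "__main__":
    for url, want in CASES:
        print(f"{url:50} -> {route(url)}")
    print("mismatches:", check(CASES))
```

The last case is the one to look at when writing the real policy expression: a "contains" match on the whole URL also fires on query strings, so only the bare Google hostname with no marker anywhere reaches the AAA-protected default vServer.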

Navigate to Traffic Management – Content Switching – Actions and create an action to redirect traffic to your NetScaler Gateway

11 - action - ng

Navigate to Traffic Management – Content Switching – Policies

Create a policy with the following expression:


Substitute your URLs in place of mine

Bind this policy to your action you created in the previous step.

12 - cs policy

Next open up your Content Switch and locate the Content Switching Policy Binding section.

Bind your policy with a priority of 100

13 cs policy

Set your Load Balancing vServer as the Default Load Balancing Virtual Server

14 - vserver

15 - bound

Unbind the SSO Domain in the NetScaler Gateway Session Policy

Locate the Web session policy assigned to your NetScaler Gateway and under the published applications tab, remove the SSO Domain name

16 - sso domain

At this point your NetScaler should be configured to direct the traffic for and to different login providers.  Let's test that.

17 - ug

18 - login

Looking good.  So, let's move on to configuring StoreFront (needs to be version 3.6)

StoreFront Configuration

The first thing you will need to do is set the StoreFront to accept incoming connections from your new NetScaler (URL)

Click on Manage NetScaler Gateways and add a new gateway for your Google URL (

19 - netscaler

Make sure you add a callback URL for the gateway

20 - callback

Then enable remote access to your store from your new NetScaler

21 - call back url

Next you will have to enable Smart Card authentication to your store.  Click on Manage Authentication Methods and enable Smart Card

22 - smartcard

Next under the options for Pass Through from NetScaler Gateway select Configure Delegated Authentication

23 - delegation

Select to Fully Delegate Credential Validation to NetScaler Gateway

24 - delegated

Finally you need to enable Smart Card authentication on your Receiver for Web site.  Configure the site you are using for Unified Gateway and select to allow Smart Card Authentication

25 - receiver for web config

That’s StoreFront configured.  The final piece is to configure the Citrix Federated Authentication Service to allow for federated authentication to the XenDesktop Delivery Groups for SSO.

Citrix Federated Authentication Service

I am not going to re-invent the wheel here as I think Citrix have done a great job in documenting this install procedure!  The install is relatively simple and quick to complete.

You can find the install guide here:

Once complete you should see the following screen(s)

26 - fed 1

27 - fed 2

Once this is done it's time to test!!

Direct to

First let's check we are NOT signed into Google

28 - no google

No – ok, let's log into the Unified Gateway using the URL

29 - ug sign in

Once Logged in we can navigate to our apps and desktops

30 - ug logged in

Quickly check that we have not been signed into Google

28 - no google

No, ok, let's launch a desktop

31 - desktop launched

That’s great – our original NetScaler Unified Gateway is working as expected.  Now let's test with Google as an authentication method.


First let's make sure we are not signed into Google

28 - no google

Then I type into my browser and I am redirected here

32 - login

Once I sign in the token is handed back to the NetScaler and I am presented with this

33 - logged in

If I refresh my Google page you will see that I am now signed into my Google Account

34 - google signed in

If I click on clientless access StoreFront will enumerate my apps and desktops for me

35 - apps and desktops

Let's launch a desktop

36 - desktop launched

Excellent – all working.  I have logged into the Unified Gateway using my Google account and been signed into StoreFront and my desktop using Federated Services.

To ensure it is doing what I think it is, I have logged out of my desktop but left myself logged into Unified Gateway.

I am going to Stop the Citrix Federated Authentication Service and try to re-launch the desktop.

37 - stopped

Desktop unable to launch

38 - cannot launch

And that’s it.  How to log into your NetScaler Unified Gateway with your Google Credentials and SSO to your Apps and Desktops.

Hope this helps some of you out.




11 thoughts on “NetScaler, Citrix XenDesktop 7.9, Google Accounts and FAS for XenDesktop”

  1. Darren Bennett

    Hi Dave

    Just got this working in my lab – thanks for taking the time to write and share this.


  2. Pingback: EUC Weekly Digest – June 11, 2016 – Carl Stalhood

  3. Lee

    Thanks for this write up. I am having one issue with it. After I set this up and I login (via Google) I get “Error trying to validate Access Token.” Any thoughts on where to troubleshoot this issue?

  4. Pingback: Citrix NetScaler, Citrix XenDesktop 7.9, Google Accounts and FAS for XenDesktop |IT News

  5. Shrikant C

    Hi Dave,

    This is what I am looking for and thanks for sharing!!

    I would like to try it with a different identity provider (like ADFS or SecureAuth) other than Google. Any thoughts on this?


      1. Shrikant C

        Thanks for the reply.

        The blog series you mentioned mainly targets SAML authentication and I’m looking for OAuth authentication with NetScaler (where ADFS should be the identity provider).
