Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 1

This post has already been read 28849 times!

I have long been an advocate of fronting everything with a NetScaler, I think it is an excellent way to Secure the perimeter of your network and with Unified Gateway a great way to simplify incoming firewall rules. Also, for those of us that have a lab and only 1 external IP this is a great way to present multiple public services on a single IP Address.

My network uses LDAPS and Azure MFA to secure access to my Apps and Desktops but I have always wanted to look into ADFS and the options around authentication using that and Citrix NetScaler Unified Gateway.

In this post series I will walk you through setting up ADFS for use with your NetScaler Unified Gateway, integrating this with Azure MFA and providing context aware authentication to your Gateway and in turn your Apps and Desktops.

I was going to write this as a single post but while putting together the screenshots for the ADFS part only I realised that it would be waaaay to long in a single post.  I have therefore decided to write this as a series.  This will be the intended order:

• Setting Up ADFS and Internal Access
• Setting Up Citrix FAS and StoreFront
• Configuring NetScaler SAML Authentication and ADFS Proxy
• Setting up Azure MFA
• Configuring Context Aware Authentication
• Making it look good!

I have used a number of resources to assist with bringing all of this together and I will reference and link to them during the posts.

The assumptions are:

• You will need an external URL pointing to your publically available Unified Gateway. In my case I am going to use sts.bretty.me.uk
• You will also need a public certificate on the NetScaler capable of handling this FQDN.
• You have a Windows Server 2012 R2 Server built and ready to host the ADFS Role.
• You have an existing Unified Gateway running.  In my case I have https://ug.bretty.me.uk up and running.

So, let’s get going with Part 1.  ADFS

Start up Server Manager from your ADFS Server and select to install the ADFS Role

Continue with the wizard until it shows you what its going to install and confirm that

Check to allow the server to restart if required

nce ADFS is installed you will have to do some post configuration – you can see this by the below icon showing in Server Manager

Click that and click to Configure the federation service

Click Next on the Welcome Screen

Select a Domain Admin account to use for the ADFS configuration

Specify the service properties. So, this is the first stage of the deployment that you need to be aware of the external access to ADFS.  Make sure the certificate you have imported here is capable of authenticating SSL traffic on the EXTERNAL fqdn for your ADFS service.  In my case I am using sts.bretty.me.uk

Name the federation service name the same as your external fqdn

Give it a display name – this is not so important as this is just the text that will be displayed to the user on the login page and we will be changing this later on

Specify a service account in Domain Admins that ADFS uses to communicate with Active Directory.   You can be more specific with the svc account rights but in this case I am just using the Domain Admins Group

Select a database type for ADFS.  Again, as this is just running in my lab I am going to use the inbuilt database, however in production you would want to use SQL

Review the options

Allow the Pre Reqs to check and pass

Click on configure and let the wizard configure your ADFS Service for you.  Once it is finished open up the AD FS Management Tool

Expand AD FS – Service – Certificates

Here you will see the Public Certificate and 2 internal certificates auto generated by the ADFS wizard for Token Decrypting and Token Signing.  I am going to replace these with my own certificates

On the right you can click to add a new token signing or decrypting certificate.  You may get this error message

If you do, open up powershell as an administrator and run the command listed

Then click again to import/select the token signing certificate and select your public certificate

Then click again to import/select the token decrypting certificate and select your public certificate

Click on each of the new imported certificates and select to Set as Primary on the right

Next Expand AD FS – Trust Relationships – Relying Party Trusts

You need to add a trust to let ADFS know about the NetScaler Unified Gateway that will be passing over authentication requests.  Right click and select to add a new relying trust

Click on next and select “Manually” for setting up the Relying Party

Give your party a name and description

Select AD FS profile and click next

Click on next without importing a certificate

Check the box for Enable support for the SAML 2.0 WebSSO protocol and enter the following in the URL textbox

https://YOUR_UNIFIED_GATEWAY_FQDN/cgi/samlauth – eg: https://ug.bretty.me.uk/cgi/samlauth

Click Next and add the trust identifiers.

NOTE: This is important and you will have to remember the identifiers you add here as these will be needed for the NetScaler SAML Policy configuration later in this blog post series

Click next and select NO for MFA – we will be configuring this eventually but at a later time

Select to Permit all users – again you would lock this down more in production but in this case this setting should be fine

Click next without reviewing the settings – we will do this later in this post

Take the tick out of the Add Claims option and click Close

You will now see your Relying Party Trust listed.  We need to check that the options and all correct in this so right click your new trust and click Edit

On Identifiers check that your Unified Gateway is listed there.  I put in HTTPS:// and the straight FQDN just to be sure that the NetScaler passes over the right ID

Select Encryption and make sure there is no certificate listed here – if there is then remove it

Select Signature and you will notice there is no certificate there

Click on Add and select an x509 formatted certificate appropriate for the external URL for ADFS

Select Advanced and ensure that the Hash is SHA-256

Select Endpoints and make sure that the SSO endpoint you added earlier is listed there

Click on Add SAML to add an endpoint for the logout action.

Select SAML Logout and POST and enter the following URL:

https://YOUR_EXTERNAL_ADFS_FQDN/logout.jsp – eg: https://sts.bretty.me.uk/logout.jsp

Click on OK and OK again to close the Relying Party Identifier.  Now you need to add the claims for this relying party that the NetScaler will be passing over to ADFS.  Right click the relying party and click on Edit Claim Rules

Click to Add the first rule

Select Send LDAP Attributes as Claims and click Next

Give it a name, select Active Directory as the Attribute Store and select User Principle Name on the left and Name ID on the right (shown below)

Click Finish then click to add another rule

Select Send Claims using a custom rule and click next

Give it a name and paste the following as the custom rule

 => issue(Type = "logoutURL", Value = "https://YOUR_EXTERNAL_ADFS_FQDN/adfs/ls/", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

Replace YOUR_EXTERNAL_ADFS_FQDN with your own external FQDN – eg: sts.bretty.me.uk

Click Finish and you will see your 2 claims listed

Click ok and you will see your configured Relying Party listed

Internal Access to the ADFS service will be required to ensure that there is a context aware login experience for the user.  If I ping my adfs server it resolves to 192.168.0.94

I need sts.bretty.me.uk to resolve to this internally

Open up DNS Management and add a new lookup zone for sts.bretty.me.uk and add a blank host record with the IP Address of your ADFS Server

Open up a browser and navigate to the URL (https://sts.bretty.me.uk/adfs/ls/IdpInitiatedSignOn.aspx) and you should see your ADFS Login Screen shown below

Thats it, ADFS is up and running and we can start to think about the other moving parts in this blog series.  In the next part I will talk about the Citrix FAS Service and setting that up ready for ADFS and XenDesktop.

Once you have this all set up you can move onto Part 2 – Setting up Citrix FAS and StoreFront

Laters,

b@m