WTOS 9 and SAML/Azure MFA

Viewing 15 posts - 1 through 15 (of 20 total)
  • #52906
    arbleb
    Participant
    • Total Post: 31
    • Frequent Flyer
    • ★★★

    Good morning Monkeys!

    Piloting WTOS 9 remotely from home and attempting to get it to authenticate with a Netscaler Gateway setup with SAML/Azure MFA.

    I plug the URL into the Broker section of policy and that seems to come down correctly – however – when booting up the thin device, I’m being challenged with username/password/domain and I can’t seem to bypass (at this stage, our domain isn’t available to authenticate).

    I think I’m missing something fundamental.  My goal is to have the thin device hit our Gateway which does a redirect to SAML for the user to authenticate, and then return to our Storefront via that Gateway (where the user could now provide domain credentials).

    I’ve pored through the policies, admin guide and these forums and see no mention of this setup, thus I think I’m heading the wrong direction.

    Any advice/input/wisdom to share?

    #52927
    ConfGen
    Keymaster
    • Total Post: 10696
    • Jedi Master
    • ★★★★★★★

    You are using the Netscaler URL as your broker, correct?
    Have you configured the policy to use LDAP or anything else for authentication?

    CG

    #53034
    arbleb
    Participant
    • Total Post: 31
    • Frequent Flyer
    • ★★★

    Good morning!

    Correct – using the Netscaler URL as my broker.

    I’ve tried every option for authentication (Default, LDAP and LDAP+RSA) and it continues to prompt me for a domain username/password when I power up the thin device. It appears to be getting the correct policy from WMS.

    If I enter in my e-mail address/password, it prompts me for a “token code” – but our SAML based Netscaler URL doesn’t use token codes.

    I feel like I need to bypass that initial authentication because our Netscaler Gateway doesn’t use LDAP or RSA – which leads me down the path that I’m missing something fundamental.

    #53071
    brian1020
    Participant
    • Total Post: 259
    • Jacked into The Matrix
    • ★★★★★★

    For your Citrix broker server are you doing the URL to the store? For example I have https://company.name.com/Citrix/NSWEBFAS as my broker.

    Citrix Workspace mode turned on

    NetScaler/ADC authentication method is Default

    I have no issues with Microsoft 2FA SAML auth that way.

    #53148
    arbleb
    Participant
    • Total Post: 31
    • Frequent Flyer
    • ★★★

    Spent some time with our Wyse guy and he confirmed it “should” work –

    However, the web landing page for our SAML authentication is customized, and he’s guessing that is the cause of the issue. He reports that he has another client with the same issue and we both don’t have the “standard” Microsoft SAML page (whatever that looks like).

    He suggested trying MR2 but wasn’t confident that would work.

    #57161
    james359
    Participant
    • Total Post: 1
    • Newbie

    Hi guys,

    just wondering if you made any progress with this issue?

    I have a similar issue where, when using a Wyse3040, 9.1 and SAML for Citrix Netscaler through Azure, I receive a prompt for a token when I try and login.
    The test account does not have 2FA enabled so not sure why we get the token prompt.

    Logging in through a browser on a PC is fine.

    Appreciate any help.

    #57210
    Tenkrat
    Participant
    • Total Post: 3
    • Newbie

    Thanks a lot.

    Had a similar problem.

    #57622
    arbleb
    Participant
    • Total Post: 31
    • Frequent Flyer
    • ★★★

    No good progress.

    Took another stab at it a couple weeks ago with no luck.

    Same scenario where it works fine from anything BUT a thin device and I get prompted for a bizarre token.

    Since our Wyse guy was guessing that our “custom” page (really, just changed a couple logos from Microsoft to our company) was the cause, our next step is to set up a test ADFS/SAML authentication page to try.

    #62571
    james_359
    Participant
    • Total Post: 1
    • Newbie

    I did get this working in the end, nFactor was required. There was also a bug in the Netscaler firmware. Once updated the issue was resolved (upgrade your ADC to 13.0 64.x or greater build). I also needed to use the latest Wyse firmware 9.1 and use workspace mode.

    ‘In the trace I can see after the packet POST /nf/auth/webview/done HTTP/1.1, ADC Gateway responds with internal server error. But this is not observed when user logs in with Browser.

    Upgrade your ADC to 13.0 64.x or greater build, these builds have a fix to this issue.’

    #107192
    MarvinS
    Participant
    • Total Post: 16
    • Regular Joe
    • ★★

    WMS 3.5.2

    Netscaler 13.0

    ThinOS 9.1.3129

    We’re unable to get SAML Azure MFA working. Within a browser session it works flawlessly, but when trying it via the Wyse we are getting the error: “No active policy is found in primary authentication cascade”

    This error comes from the gateway, but the primary authentication policy (Saml) is configured and online.

    We tried some suggestions like brian1020 said a few posts above: “workspace mode” on and the broker URL set to the store, etc.

    So what are we doing wrong? 😉

    #107413
    MarvinS
    Participant
    • Total Post: 16
    • Regular Joe
    • ★★

    Brian1020 maybe? 😉

    #107418
    brian1020
    Participant
    • Total Post: 259
    • Jacked into The Matrix
    • ★★★★★★

    This is how my broker settings have been since the beginning. The only thing missing from the screenshot is my broker URL but it’s the same as you would use externally.

    #107422
    brian1020
    Participant
    • Total Post: 259
    • Jacked into The Matrix
    • ★★★★★★

    Netscaler version 13.0.83.27

    #107436
    MarvinS
    Participant
    • Total Post: 16
    • Regular Joe
    • ★★

    Thanks for the heads up. Still the same error.

    What do you have in the “Login Experience” section of WMS?

    #107438
    brian1020
    Participant
    • Total Post: 259
    • Jacked into The Matrix
    • ★★★★★★

    Not much

    Authenticate to broker and I have a default domain though I don’t think that’s necessary with MFA.

    Under session settings

    Idle 120

    Inactive 120

    Lock 0

    Enable Auto log off

    No configuration for 3rd Party and SmartCard sections.
