- This topic has 19 replies, 7 voices, and was last updated 2 years, 5 months ago by brian1020.
August 27, 2020 at 1:37 pm #52906
Good morning Monkeys!
Piloting WTOS 9 remotely from home and attempting to get it to authenticate with a Netscaler Gateway setup with SAML/Azure MFA.
I plug the URL into the Broker section of policy and that seems to come down correctly – however – when booting up the thin device, I’m being challenged with username/password/domain and I can’t seem to bypass (at this stage, our domain isn’t available to authenticate).
I think I’m missing something fundamental. My goal is to have the thin device hit our Gateway which does a redirect to SAML for the user to authenticate, and then return to our Storefront via that Gateway (where the user could now provide domain credentials).
I’ve poured through the policies, admin guide and these forums and see no mention of this setup, thus I think I’m heading the wrong direction.
Any advice/input/wisdom to share?
September 3, 2020 at 1:03 pm #52927
You are using the Netscaler URL as your broker, correct?
Have you configured the policy to use LDAP or anything else for authentication?
CG
September 9, 2020 at 11:20 am #53034
Good morning!
Correct – using the Netscaler URL as my broker.
I’ve tried every option for authentication (Default, LDAP and LDAP+RSA) and it continues to prompt me for a domain username/password when I power up the thin device. It appears to be getting the correct policy from WMS.
If I enter in my e-mail address/password, it prompts me for a “token code” – but our SAML based Netscaler URL doesn’t use token codes.
I feel like I need to bypass that initial authentication because our Netscaler Gateway doesn’t use LDAP or RSA – which leads me down the path that I’m missing something fundamental.
September 16, 2020 at 3:39 pm #53071
For your Citrix broker server, are you doing the URL to the store? For example, I have https://company.name.com/Citrix/NSWEBFAS as my broker.
Citrix Workspace mode turned on
NetScaler/ADC authentication method is Default
I have no issues with Microsoft 2FA SAML auth that way.
September 24, 2020 at 6:19 pm #53148
Spent some time with our Wyse guy and he confirmed it “should” work.
However, the web landing page for our SAML authentication is customized, and he’s guessing that is the cause of the issue. He reports that he has another client with the same issue, and we both don’t have the “standard” Microsoft SAML page (whatever that looks like).
He suggested trying MR2 but wasn’t confident that would work.
January 18, 2021 at 9:23 pm #57161
Hi guys,
just wondering if you made any progress with this issue?
I have a similar issue where, when using a Wyse 3040, 9.1 and SAML for Citrix Netscaler through Azure, I receive a prompt for a token when I try to log in.
The test account does not have 2FA enabled, so not sure why we get the token prompt. Logging in through a browser on a PC is fine.
Appreciate any help.
January 18, 2021 at 10:44 pm #57210
Thanks a lot.
Had a similar problem.
January 19, 2021 at 1:25 pm #57622
No good progress.
Took another stab at it a couple of weeks ago with no luck.
Same scenario where it works fine from anything BUT a thin device, and I get prompted for a bizarre token.
Since our Wyse guy was guessing that our “custom” page (really, just changed a couple of logos from Microsoft to our company) was the cause, our next step is to set up a test ADFS/SAML authentication page to try.
January 26, 2021 at 5:43 pm #62571
I did get this working in the end; nFactor was required. There was also a bug in the Netscaler firmware. Once updated, the issue was resolved (upgrade your ADC to 13.0 64.x or a greater build). I also needed to use the latest Wyse firmware 9.1 and use workspace mode.
‘In the trace I can see that after the packet POST /nf/auth/webview/done HTTP/1.1, ADC Gateway responds with an internal server error. But this is not observed when the user logs in with a browser.
Upgrade your ADC to 13.0 64.x or a greater build; these builds have a fix for this issue.’
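A small triage helper for the symptom described in the post above, added here as an example; it is not from any post in this thread nor from Dell or Citrix tooling. It pairs request and response lines of a constructed HTTP trace to flag a 5xx answer to the nFactor webview/done POST, and checks an ADC build string against the 13.0 64.x minimum; the trace line format and the build-string parsing are assumptions.

```python
"""Triage helper for the nFactor SAML symptom in this thread. Added example (not
from any post or from Dell/Citrix); trace line format and build parsing are assumptions."""
import re

MIN_FIXED_BUILD = (13, 0, 64)            # thread: "13.0 64.x or greater"
WEBVIEW_DONE = "/nf/auth/webview/done"   # nFactor endpoint named in the thread

# Constructed trace (not a real capture): request and response lines in order.
SAMPLE_TRACE = [
    "POST /nf/auth/webview/done HTTP/1.1",
    "HTTP/1.1 500 Internal Server Error",
    "GET /Citrix/NSWEBFAS HTTP/1.1",
    "HTTP/1.1 200 OK",
]
REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE) (\S+) HTTP/\d\.\d$")
RESPONSE_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

def parse_build(version: str) -> tuple[int, ...]:
    """'13.0 64.x', '13.0-83.27' or '13.0.83.27' -> comparable int tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def build_has_fix(version: str, minimum: tuple[int, ...] = MIN_FIXED_BUILD) -> bool:
    """At or above the minimum, comparing only as many components as the minimum has."""
    return parse_build(version)[: len(minimum)] >= minimum

def pair_requests(lines: list[str]) -> list[tuple[str, str, int]]:
    """Pair each request line with the next response line -> (method, path, status)."""
    pairs, pending = [], None
    for line in lines:
        if (m := REQUEST_RE.match(line)):
            pending = (m.group(1), m.group(2))
        elif (r := RESPONSE_RE.match(line)) and pending:
            pairs.append((pending[0], pending[1], int(r.group(1))))
            pending = None
    return pairs

def find_webview_failures(lines: list[str]) -> list[int]:
    """5xx statuses on POSTs to the webview-done endpoint: the symptom in the trace."""
    return [status for method, path, status in pair_requests(lines)
            if method == "POST" and path == WEBVIEW_DONE and 500 <= status < 600]

def triage(lines: list[str], adc_version: str) -> list[str]:
    """Findings to act on: the 5xx symptom and/or a pre-fix ADC build."""
    findings = []
    if find_webview_failures(lines):
        findings.append("webview/done POST got a 5xx: matches the nFactor bug symptom")
    if not build_has_fix(adc_version):
        findings.append(f"ADC build {adc_version} is below 13.0 64.x: upgrade")
    return findings
```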
February 24, 2022 at 9:01 am #107192
WMS 3.5.2
Netscaler 13.0
ThinOS 9.1.3129
We’re unable to get SAML Azure MFA working. Within a browser session it works flawlessly, but when trying it via the Wyse we are getting the error: “No active policy is found in primary authentication cascade”
This error comes from the gateway, but the primary authentication policy (SAML) is configured and online.
We tried some suggestions like brian1020 said a few posts above: “workspace mode” on and the broker URL set to the store, etc.
So what are we doing wrong 😉
March 23, 2022 at 6:31 am #107413
Brian1020 maybe? 😉
March 23, 2022 at 12:33 pm #107418
This is how my broker settings have been since the beginning. The only thing missing from the screenshot is my broker URL, but it’s the same as you would use externally.
March 23, 2022 at 12:54 pm #107422
Netscaler version 13.0.83.27
March 24, 2022 at 9:38 am #107436
Thanks for the heads up. Still the same error.
What do you have in the “Login Experience” section of WMS?
March 24, 2022 at 10:18 am #107438
Not much.
Authenticate to broker, and I have a default domain, though I don’t think that’s necessary with MFA.
Under session settings:
Idle 120
Inactive 120
Lock 0
Enable Auto log off
No configuration for the 3rd Party and SmartCard sections.