Recently we had upgraded firmware on a Citrix ADC from 13.0-83.27 to 13.0-85.15. This was to try and correct an issue with the HTML interface not updating the custom settings on the Login Schemas for nFactor configuration. It would create the custom XML file for use, but it wouldn’t reflect any changes to it. I checked the permissions on the XML file and they would show root had read / write. You could still copy the XML file down via tools like WinSCP, make the edit, and copy back to the ADC.
Below you can see what happened. You would navigate to AppExpert > Responder and you would see the proper number of policies showing.
After you click on the the # Responder Policies, you see below.
It shows that there are no policies there. You can click on “Statistics” and you see this below.
It appears that it reset the counters as well. You can putty into the ADC and do a “show run” and you see that they are still there.
You can see that the policies are there. They do appear to work, but they just don’t show on the HTML GUI.
So a downgrade of version will be in order to see if that resolves the issue and Citrix is still looking at the issue to find a resolution.
UPDATE: Looks like a firmware revision reversion took care of the display issue with the showing of Responder policies.
This configuration covers setting up EULA as a first factor in an nFactor flow to do one side of an MFA configuration. This will setup a group extraction that looks for an assigned Universal group that is designated to trigger directing traffic to an MFA provider. The reason for using a Universal group would be in an instance where you have a forest with multiple subdomains that have a two-way transitive trust. This allows you to manage group membership from one domain as the Universal group will be replicated to all the domain controllers. This example is to check membership of the Universal group and perform cascading LDAP for the users that are NOT members of that Universal group.
So I was trying to move to advanced authentication in a test environment. While I was doing that, I thought to myself that since my end goal with that test, would be to prep to move to MFA. That led to me thinking how I would want to implement that. Then…… I ran into a very interesting thing when you move from using basic authentication to an authentication profile with AAA-TM, that the EULA option goes bye bye. There isn’t even an option to select. So I went looking how to resolve that. One option was to follow a guide that I found to edit some xml files, but that meant that I would have to manually copy these to keep them in sync between the Citrix ADCs. I didn’t like that idea but did see the option to use EULA as a first factor in nFactor. Hmm… I was already thinking in that mode to setup nFactor since it would be needed to go down the MFA road. So that is the decision I decided to work on and get testing. I also found some interesting tidbits that I’ll point out in the configuration.
Update: Changed LDAPS policy settings to fix “Anonymous” issue.
Update: Added link to article to create custom XML file to change ${http.req.user.name} to ${AAA.USER.NAME}
So here we go!
You will need to have either Advanced or Premium license to have access to this feature. You will also need to have configured an Authentication Virtual Server which I will link soon.
In the “Authentication Schema” box, select the “Edit” pencil.
Click on the “LoginSchema.” This will bring up a list to choose from.
Scroll down and select “Eula.xml.”
Click the “Edit” button if you want to edit the EULA message.
After you change the EULA message below and click “Save,” click the “Select” button. This is VERY important or it won’t select it.
After you have configured the message, click “Save.”
Click “Create” button.
Click “OK.”
Click on “Add Policy.”
Click the “Add” button.
Name the policy and select “Action” as “NO_AUTHN.”
For the “Expression,” enter “HHTP.REQ.URL.CONTAINS(“/nf/auth/doAuthentication.do”)
Click “OK.”
Click “+” sign beside “NO_Authn_Pol” (whatever you name the Authentication Policy).
Select “Create Factor.” This factor will do the group extraction to test group access.
Name “Factor Name.” (Grp_Ext_Test in this example)
Select “Add Schema.”
Select “Only_User_Name.” This will have the user enter their user name to be evaluated.
Click “OK.”
Click “Add Policy.”
Click “Add.”
Enter “Name” for policy (test-ldap-grpexpt-pol in this example).
Select “Action Type” as “LDAP.”
For the “Expression” enter “true.”
Click “Add” on “Action.”
Select the root of the forest (domain if you only have 1 domain) for the “Server Name.” (The DC that you are trying to access will need to have the Global Catalog available for this to work correctly)
For the “Port,” choose either 3268 for unsecure LDAP or 3269 for secure LDAP (This will require that you upload the root certificate for the organization to utilize).
Make sure the UNCHECK the box for Authentication. This is just going to do a lookup if the user is part of the MFA group.
Enter your “Base DN” as where the users will be or the root of the forest / domain.
Enter “Administrator Bind DN” which is the account that will authenticate to the domain.
Enter and confirm “Administrator Password.”
Click “Test Network connectivity” to make sure that it is working correctly.
Complete “Server Logon Name Attribute” as “sAMAccountName.” The samaccountnames need to be unique in the forest or you will have issues with this global catalog lookup.
For “Group Attribute” select “memberOf.”
For “Sub Attribute Name” select “cn.”
Click the “+” sign beside “test-ldap-grpext-pol.”
Select “Create decision block” and enter “Decision block Name.” (Grp_Eval_Test in this example)
Click “Create.”
Click “Add Policy.”
Click “Add.” (NonMFA_Test in this example)
Select “Action Type” as “N0_AUTHN.”
Select “Action” as “NO_AUTHN.”
In the “Expression” enter “AAA.USER.IS_MEMBEROF(“UniversalGroup”).NOT.” (UniversalGroup is the group name of the MFA testing group)
Click on the “+” sign beside “NonMFA_Test.”
Select “Create Factor.”
Enter “Factor Name.” (LDAPS_Auth_Test in this example)
Click “Create.”
For the “Authentication Schema” click the pencil icon.
This allows you to take what was entered just after click on “Continue” for the EULA and populating that in the User Name / Password dialogue to prevent users from having to enter it twice.
Under the “Login Schema Files” select “PrefilUserFromExpr.xml. (Note that User Name contains $(http.req.user.name).
You can click the “+” sign on the bottom of the box to add additional LDAP/LDAPS policies. This is what you would normally see under the Basic Authentication on the Citrix Gateway.
Wouldn’t you know it!? A vCenter certificate got changed out and now your hypervisor connector is showing it no worky. Come to find out you missed the email memo that the certificate was getting changed. Or you might’ve been busy and didn’t think too much of it. Well, now you have to get it fixed! What if there was a way to get that information quickly and easily so that you just had to do some copy / paste magic to resolve it? Well…. There is! This handy dandy little script will get those pesky thumbprints and kick them out as a csv so you can use them to update your connector in the XenDesktop database.
# A script to check SSL thumbprints on your Citrix hypervisor connections. This will get all of the thumbprints of your connectors and will get the SSL thumbprints of your vCenters if you happen to have more than one.
# This is for running on in-premise Citrix farm (7.x) on a Delivery Controller with 10.1.0 VMware.PowerCLI module and the Citrix SDK installed with VMware ESXi 7.0U1 or later. This also is ran in ISE. Get-SSLThumbprint function is from https://gist.github.com/lamw/988e4599c0f88d9fc25c9f2af8b72c92
# with the return $SSL_THUMBPRINT -replace '(..(?!$))','$1' changed from ending in '$1:' The instructions for changing the SSL thumbprint can be found at https://support.citrix.com/article/CTX224551.
asnp Citrix*
Function Get-SSLThumbprint {
param(
[Parameter(
Position=0,
Mandatory=$true,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true)
]
[Alias('FullName')]
[String]$URL
)
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class IDontCarePolicy : ICertificatePolicy {
public IDontCarePolicy() {}
public bool CheckValidationResult(
ServicePoint sPoint, X509Certificate cert,
WebRequest wRequest, int certProb) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = new-object IDontCarePolicy
# Need to connect using simple GET operation for this to work
Invoke-RestMethod -Uri $URL -Method Get | Out-Null
$ENDPOINT_REQUEST = [System.Net.Webrequest]::Create("$URL")
$SSL_THUMBPRINT = $ENDPOINT_REQUEST.ServicePoint.Certificate.GetCertHashString()
return $SSL_THUMBPRINT -replace '(..(?!$))','$1'
}
$xdConnections = Get-ChildItem XDHyp:\Connections | Select HypervisorConnectionName, HypervisorAddress, SslThumbprints
$xdThumbprints = @()
foreach($xdc in $xdConnections)
{
$line = ""| Select HypervisorConnectionName, HypervisorAddress, SslThumbprints, vCenterThumbprints, SameThumbprint
$line.HypervisorConnectionName = ($xdc).HypervisorConnectionName
$line.HypervisorAddress = ($xdc).HypervisorAddress | Out-String
$line.SslThumbprints = ($xdc).SslThumbprints | Out-String
$line.vCenterThumbprints = Get-SSLThumbprint (($xdc).HypervisorAddress | Out-String)
$line.SameThumbprint = ($line.SslThumbprints -match $line.vCenterThumbprints)
$xdThumbprints += $line
}
$xdThumbprints | Export-Csv c:\scripts\logs\sslthumbprints.csv
Absolutely thrilled and amazed that I have the opportunity to join some of the best professionals out there in the Citrix world by being accepted into the ranks of Citrix Technology Advocates! Excited for what is to come with this! Make sure to welcome and congratulate all the new members and the returning members! Here is the link to check them all out!
You ever get an email from a user that just has their name in it and my VDI isn’t working? You ever go to Citrix Studio and look for the user and sort to find them? Well…. How about a better, faster, more streamlined way!? (Might be some powershell involved)
Look no further! Below is a fast and easy way to find that machine that the user just may have happened to forget to include in said email!
Got to make sure you have have the Citrix Studio Powershell modules in there and load them.
If you happen to do the above, you get this:
Gets you the result with names and machine names.
And so you can do that sweet, sweet copy / paste, code snippet below.
I’m sure many of you out there like ArcGIS and all that it can do for you! Well, maybe you have it in Citrix. Maybe you have custom SearchOptions.cfg’s. Maybe you have style sheets. Maybe you even like to have viewer and professional license versions available to all your users. Well….. In the long long ago, batch was the thing to power all things like this. What if. Just what if I told you, that powershell works too!? How awesome would that be?! You can upgrade your script from batch and stroll down PoSH street! How about see below and you too, for the low low price of free, can enjoy this method too!
**Fixed an issue with the ESRI_SOFTWARE_CLASS not respecting the Viewer / Professional option. This was tested and the issue is corrected.Change has been made below.** **Made an edit to reduce the number of changes you have to make and make it easier to switch between ArcGIS Desktop versions.**
# This is to launch ESRI ArcGIS in Citrix. This is using PowerShell version 5.1.17763.1971, on Server 2019 hosts, with Citrix UPM, and with ArcGIS 10.8.1 and with Seach Options. You can comment out
# the Search Options if you are not using them.
# Date: 08182021
# This sets the $username variable which will be used to map drives.
$UserName = [Environment]::UserName
# Sets profile server name for Citrix UPM. Enter profile server FQDN.
$profsrv = "profileservername.fqdn"
# Sets ArcGIS Version to be used in the script. There are several references to the version in the script. Enter version in format below.
$arcver = "Desktop10.8"
# Sets license server location. Enter license server FQDN.
$licsrv = "licenserver.fqdn"
# This section is to set the locations for _master if hosting on profile server (You can use whereever the _master location is as long as permissions are set and it is accessible
# from the network the Citrix hosting VDA's are located.You can use other drive letters, just make the change to the variables below and the section on removing drives and remapping.# This is location of "SearchOptions.cfg" files.
# This is location of "SearchOptions.cfg" files.
$Master= "\\$profsrv\GIS\_master"
# Location of ArcCatalog.gx, GxDBFactCache.dat, and GxObjFactCache.dat files.
$Desk= "\\$profsrv\GIS\_desk"
# Location of ArcMap Toolbox and styles.
$Desk1= "\\$profsrv\GIS\_desk1"
# Location of drives for GISDATA.
$QDest = "\\$licsrv\GISDATADRIVE"
$SDest = "\\$licsrv\GISDATADRIVE"
$NDest = "\\nas.fqdn\dfs\sharename"
# This tests to see if the location for the Search Options have previously been created for the user, and creating them if it is not present.
If (!(Test-Path "\\$profsrv\CITRIXUPM\$UserName\UPM_Profile\AppData\Local\ESRI\$arcver\ArcCatalog\SearchIndex\Configs\searchoptions.cfg")) {
Write-Host "Please wait while your Search Options are created..."
robocopy $Master "C:\Users\$UserName\AppData\Local\ESRI\$arcver\ArcCatalog\SearchIndex\Configs" /e /S
}
# This tests to see if the ArcCatalog options have previously been created, and create them if not.
If (!(Test-Path "\\$profsrv\CITRIXUPM\$UserName\UPM_Profile\AppData\Local\ESRI\$arcver\")){
Write-Host "Please wait while your ArcCatalog Options are created..."
robocopy $Desk "C:\Users\$UserName\AppData\Roaming\ESRI\$arcver\ArcCatalog\" /e /S /Y
}
# This tests to see if the ArcCatalog options have previously been created, and create them if not.
If (!(Test-Path "\\$profsrv\CITRIXUPM\$UserName\UPM_Profile\AppData\Local\ESRI\$arcver\")){
Write-Host "Please wait while your ArcCatalog Options are created..."
robocopy $Desk1 "C:\Users\$UserName\AppData\Roaming\ESRI\$arcver\" /e /S /Y
}
# This removes any mapped drives that might previously have been mapped.
Remove-PSDrive Q,S,N –Force -Verbose
# This maps the drives to the locations for ArcGIS data and files.
New-PSDrive -Name Q -PSProvider FileSystem –Root "$QDest"
New-PSDrive -Name S -PSProvider FileSystem –Root "$SDest"
New-PSDrive -Name N -PSProvider FileSystem –Root "$NDest"
# Sets the Class version to "Professional" license use. Comment out the Professional and uncomment the Viewer to change version.
set ESRI_SOFTWARE_CLASS="Professional"
#set ESRI_SOFTWARE_CLASS="Viewer"
# This sets the location of the executable for the ArcGIS files and starts the process.
$dir = "C:\Program Files (x86)\ArcGis\$arcver\bin"
Start-Process $dir\ArcMap.exe
Now this above will get the script for you. But… You have to publish it as well! So, how about them settings!? This is the screenshot of the settings to use to publish it. You will need to go back and change the icon if you want to have it show the ArcGIS icon instead of the powershell icon. For the copy / pasters out there:
Publishing Citrix app settings:
Path to the executable file: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Command line arguments: -ExecutionPolicy Bypass c:\appscripts\ArcMapAdv-PS.ps1
Working directory: C:\WINDOWS\system32\WindowsPowerShell\v1.0\
So there you have it! A way to launch ArcGIS in Citrix with powershell instead of batch!
