Virtualization, technology, and random rantings with a focus on Citrix and VMware.

Tag: ADC

Order Of Operations, YMMV : Authentication Class Type Options For SAML Authentication Server

So you got your SAML Authentication server all configured. You got your MFA rolling. You start your day. You open up another app that has an assigned enterprise application to it with conditional access set. Then you open up your Citrix tab. You go to the site. It redirects you. And BOOM. Just like that. ERROR!!!

You think think think and think about why you are getting the error. You know when you opened Citrix FIRST yesterday the world was all sunny and bright. But today, that is not the case. But you really read the error closely. And you notice something… Authentication method ‘Password.’ You know that when you opened Citrix yesterday with your password and MFA, then continued on, it all worked. But change the order, and it does not. So. You go and check your SAML authentication settings.

You’ll see that by default, the “Password” class type is selected when you create the SAML authentication server. If you click on it so it is no longer blue, then save it, you notice that everything seems to work. So anything that is set there is EXPECTED in the assertion, not what is ACCEPTED. This would happen more if you have conditional access to not prompt on prem for one app, and prompt always on the other enterprise app. If you clear that, it will allow you to use the SAML assertion you got from the other app, assuming it is with the same IDP. There is also another option that you see outlined. “Force Authentication.” This option, if set, will force the session you start to redo the authentication and not use anything that you have cached. This is also good for testing purposes to force it to go through the authentication process.

Responder In The GUI… You Left Me Again.. Was It Me? : Upgrade From 13.0-84.11 to 13.0-87.9 Responder Policies Disappear From GUI

**Update: So.. It appears it does show up but… it shows under “Show built-in Responder Policies. **

This is where you select to show built-in.
They should up like normal now.

Did an upgrade of 13.0-84.11 to 13.0-87.9. Same thing occurred as in the upgrade to 13.0-85.15. The responder policies seem to vanish from the GUI. It will show the correct number of policies at the overview screen, if you look on the bound vServer, but not in the pane that shows all available policies. If you check the ns.conf, you will see the policies are there and are bound where they should be. Seems to be a bug again where it goes the way of the dodo.

You can see there are policies
You see there are no policies showing
But you can see there are policies bound to the vServer

Dazed And ConFAS’d : Cipher Suites For FAS And EndGame Exceptions For VDI

Ran into some fun with setting up FAS for MFA. I was testing a shorter list of ciphers on a test SSL profile on ADC on the test vServer. Come to find out, when accessing a machine that was using MFA from outside the network, I was getting an SSL error 4 on Windows machines and SSL error 47 on Stratodesk machines. I hadn’t seen that error since Receiver 4.x. It appears there are some additional ciphers needed in regards to the Citrix Workspace App. It appeared to work fine with the other cipher set using the HTML5 Workspace App. This article has the updated cipher set you need to have or it may cause you some issues (Changes To FAS Ciphers). These would be applied to your SSL profile assigned to the vServer on the ADC.

Ciphers needed in the SSL profile that are in link above

I also ran into an issue with EndGame.

When trying to connect from to VDI Windows 10 machines, you would encounter an incorrect user name or password error if EndGame was enabled, instead of it SSO logging you in.

Checking the event log on the machine, you encounter a Smart Card Logon Event 5.

There are 2 DLLs you have to add to a global exclusion, scardhook.dll and scardhook64.dll. These are located under C:\Program Files\Citrix\ICAService. Just excluding those DLLs got rid of the Event 5 Smart Card Logon error and allowed the Provider DLL to initialize.

After getting these exclusions applied, SSO works normally for accessing the VDI machines.

Looking For The Missing Plink: Using Plink To Get Information From ADC

Simple little script that you can modify the commands you want to run against a Citrix ADC. I’ve included using the “show ha node,” “show version,” and “show ip.” You can blank the commands and leave ” to have it skip the command. I ran into an issue with trying to send the password to the ADC so I had to use GetNetworkCredential().password on the $credential variable ($credential.GetNetworkCredential().password). This allowed the password to be passed without issue.

If you run the commands to query against the secondary node in an HA pair, you will get this error and it can be ignored: plink : Warning: You are connected to a secondary node; configuration changes made in this session will not be propagated to, or saved on, other nodes.(If you want to make changes via the commands, you will need to target the primary node)

# Script to use PuTTY Plink to access Citrix ADC to run commands remotely and get output to text file. This is using PowerShell ISE 5.1 and having PuTTY / Plink in the system path to being able to access.
$credential     = Get-Credential
$sessionHost    = "nodeip"
$pw             = $credential.GetNetworkCredential().password
$user           = $credential.UserName

$date           = Get-Date -Format MMddyyyy
$reportName     = "netscaler.txt"
$reportLocation = "c:\scripts\logs"
$report         = @()

# Commands
$cmd1           = 'show ha node'
$cmd2           = 'show version'
$cmd3           = 'show ip'

if($cmd1 -ne ''){

  $log1 = Echo Y | plink -ssh -l $user -pw $pw $sessionHost $cmd1
  $report += $log1

if($cmd2 -ne ''){

  $log2 = Echo Y | plink -ssh -l $user -pw $pw $sessionHost $cmd2

  $report += $log2

if($cmd3 -ne ''){

  $log3 = Echo Y | plink -ssh -l $user -pw $pw $sessionHost $cmd3

  $report += $log3

$report  | Out-File -FilePath "$reportLocation\$date-$reportName" -noclobber

Output example from Out-File.

Good Ole Proxy Top, Forward Style

So you want to get that sweet, sweet forward proxy all up there for some kiosks? Well… Have I got a deal for you! If you happen to have the licensing (Premium license requirement), you too can be the proud owner of this actually wonderful product. I have been using this for years now and it works extremely well if you don’t have to constantly add sites to the allowed list. Now… First things first. This is for defining your OWN allow list that YOU have to maintain. Getting Gmail to work will take some effort as there are a LOT of sites you have to add for images. This is not using the URL Threat Intelligence which is a line item purchase. This was completed with the help of Kevin Lofy from Citrix. This also is the GUI way of configuring this. Hope that this is of help. It REALLY solved a couple issues and allowed a good bit of control with using AppLocker on the VDA hosting server that was publishing the Firefox browser that linked to the proxy address.

Logon to Citrix ADC.

You will need to select “System” > “Settings” > “Configure Basic Features.”

If “Integrated Caching” is not enabled, you will need to enable the feature. This WILL require a reboot.

Select “Settings” > “Configure Advanced Features.”

You will need to select “SSL Interception” and “Forward Proxy.”

Navigate to “Traffic Management” > “DNS” > “Name Servers” and select “Add.”

Select “IP Address.”

Enter “IP Address.”

Select “UDP” from “Protocol.”

Click “Create.”

Navigate to “Security” > “SSL Forward Proxy.”

Select “Certificate Bundles.”

Select “SSL Forward Proxy Wizard.”

Click “Get Started.”

Click “Continue.”

Enter “Name” for Proxy.

Select “Explicit” from “Capture Mode.”

Click “Continue.”

Click “Continue.”

Select “SSL Sessions Interception.”

Select “Add.”

Select “Bind.”

Select “Add.”

I used an Ubuntu machine and hosted the text file there and reference it as http://ip/something.txt

This will set it to go to next line.

Click “OK.”


Click “Close.”

Click “OK.”

You will need to set a policy to set the IP and Port defined for the proxy (typically 8080) and apply to the machine that will be using the proxy. Using AppLocker with it will make it harder to pivot out of for machine security.

I’ll gather up a blog post of AppLocker and a way to use it with SSL Forward Proxy.

EDT / DTLS Insight!?

So ran into something fun with the 13.0-84.11 firmware for the ADC. After moving to this version, we noticed the packet engine crashed and failed over. Then it did it again a few days later. After a call with Citrix, looks like there is a known bug in there that is to be remediated in the next month with a new firmware release. The recommendation to do the fix is to run this command on each node of an HA pair: nsapimgr -ys enable_ica_edtinsight=0. There was a CTX article that was referenced (, but I was unable to view it. There is a caveat if you happen to be using EDT that it won’t show in ADM after you make this change, so you would need to disable HDX Adaptive Transport if you want to see session information in ADM.

How To Create The Wow nFactor Part 2!

nFactor Flow

This is part 2 of the nFactor setup that outlines how to setup the AAA-TM server and the Authentication Profile that you need in order to implement the nFactor flow you created in part 1. Link to Part 1 below.

Part 1:

This section outlines setting up the AAA-TM server to replace basic authentication on Citrix Gateway. If you want to make this accessible to things other than just Citrix Gateway, you will need an IP address, a certificate, and a DNS entry to point to said IP address. If you want to ONLY use it for Citrix Gateway, there is an option under the configuration for IP Address Type to select “Non Addressable.” In this example, an IP address will be used.

Login to you Citrix ADC and navigate to Security > AAA – Application Traffic > Authentication Virtual Servers. Select “Add.”

You can do two different assignments with this setting. Under “IP Address Type,” you can select “Non Addressable” if you only wish to use for Citrix Gateway.

Enter “Name.”

Select “IP Address Type” as “IP Address.”

Enter IP address.

Click “OK.”

Click on “No Server Certificate.”

Select the certificate you wish to bind to the AAA-TM server.

Click “Select.”

Select “Bind.”

Select “Bind.”

Select “Continue.”

Click “nFactor Flow.”

Click “Add Binding.”

Select the nFactor flow you created previously and click “Select.”

Enter “true” for the “Expression.”

Click “Bind.”

In the upper-right, select “Portal Themes.”

Select “Add.”

Here you can change the look of the theme. Accepting the defaults, click “OK.”

Click “Done.”

Click “OK.”

Click “Done.”

This completes the setup of the AAA-TM vserver. The next step is to create the Authentication Profile that will be used on Citrix Gateway to utilize the AAA-TM vserver.

Navigate to Security > AAA – Application Traffic > Authentication Profile.

Select “Add.”

Enter “Name” for the profile.

In the drop down for “Authentication Virtual Server,” select the AAA-TM server you created.

Click “Select.”

Click “Create.”

All the pieces have been created, now to apply to Citrix Gateway vserver.

Navigate to Citrix Gateway > Citrix Gateway Virtual Servers.

Select the one you you wish to edit and select “Edit.”

In the upper-right, select “Authentication Profile.”

Select the authentication profile you created earlier and select “OK.”

If you have any policies under “Basic Authentication,” you will need to click the pencil icon and unbind all the policies you have bound there.

Click “OK.”

Click “Done” at the bottom.

Citrix Gateway vserver is now using the Advanced Authentication with nFactor!

Firmware Upgrade Complete! Responder, Where’d You Go?!

Recently we had upgraded firmware on a Citrix ADC from 13.0-83.27 to 13.0-85.15. This was to try and correct an issue with the HTML interface not updating the custom settings on the Login Schemas for nFactor configuration. It would create the custom XML file for use, but it wouldn’t reflect any changes to it. I checked the permissions on the XML file and they would show root had read / write. You could still copy the XML file down via tools like WinSCP, make the edit, and copy back to the ADC.

Below you can see what happened. You would navigate to AppExpert > Responder and you would see the proper number of policies showing.

After you click on the the # Responder Policies, you see below.

It shows that there are no policies there. You can click on “Statistics” and you see this below.

It appears that it reset the counters as well. You can putty into the ADC and do a “show run” and you see that they are still there.

You can see that the policies are there. They do appear to work, but they just don’t show on the HTML GUI.

So a downgrade of version will be in order to see if that resolves the issue and Citrix is still looking at the issue to find a resolution.

UPDATE: Looks like a firmware revision reversion took care of the display issue with the showing of Responder policies.

EULA Evolves, Form Of nFactor!

Preview of what is coming this weekend…..

nFactor Overview

How about a way to convert basic authentication on Citrix Gateway on-prem to advanced authentication with nFactor.

ADC Your Way To Restore

So ran into an interesting thing restoring a Citrix Netscaler Gateway ADC. I went through and was doing a re-deploy of an ADC VPX. So a couple things that I noticed that were rather odd…..

First thing that I noticed was this:

Backup / Import option

So what I noticed was when you select “Import” radio button, the button to accept it once you select the file, is the “Backup” button still. I would think this would be a fantastic change to make a button with the name “Import.” This is something minor, but it was something that stood out to me.

Next thing of interest when restoring your backup file…..

Restore option

Once you have “Backup / Imported” your file to the ADC, you can go back to the list of backup files available to you. Something of importance here. If you have the “Basic” backup, that is a very minimal backup including configuration files only. If you use the “Full” option, this includes the /nsconfig/, /var/, certificates, and License files. Rather important to make sure you are using the correct backup option here. And example here is re-deploying the VPX and wanting to replace the one you had.

Now when you select the “Restore” option, you get this screen:

Restore option

You then get an option to “Reboot.”

Reboot option

Once I did the “Warm reboot,” I was presented with a wait 60 seconds screen. When I logged back in, I noticed that there was basically nothing there. I worked on it for a few minutes and decided to shut it down and power it back up after looking for another backup file. Once it had powered down and powered back on, low and behold it happened to have everything! Success was had! Something to note that will be rather important, should you decide to re-deploy a VPX on ESXi, make sure to note the MAC address of the VM BEFORE you re-deploy. The license file is married to the MAC and that is EXTREMELY important. You can open the license file with Notepad or Notepad++ and read the MAC there and then manually set it on the VM options. Just something that I ran into and thought would be useful information to have!

Note: I had already applied the license file and found that I had to change the MAC address, so all of that was done before attempting to restore the configuration from backup.

Powered by WordPress & Theme by Anders Norén