XenApp VDA 7.15 CU1 breaks Single Sign-on with Citrix FAS

This weekend I was busy upgrading my demo lab to the latest Citrix 7.15 LTSR CU1 release. My demo lab was running VDA version 7.14; after upgrading the VDA to 7.15 CU1 (LTSR) I noticed that Single Sign-on to the desktop no longer worked and I was prompted with a login screen on the Windows Server 2016 VM:

windows2016_logonscreen

Looking at the StoreFront and FAS server I didn’t see any errors.
When checking the Windows event log on the VDA I noticed the following error:

eventid101

While searching on the Internet I found the following thread on the Citrix discussions forum: https://discussions.citrix.com/topic/389163-715-vda-upgrade-password-not-passing-through/

When rolling back the VDA to version 7.14, Single Sign-on works correctly again.

Looking closer at the error, the VDA cannot find the FAS server:
[S101] Identity Assertion Logon failed. Unrecognised Federated Authentication Service [id: 0]
With VDA 7.14 installed I found the FAS server configured in the registry at the following two locations (the 64-bit policy key and its WOW6432Node counterpart):

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Citrix\Authentication\UserCredentialService\Addresses]
"Address1"="myfasserver01.domain.local" (REG_SZ)
&
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses]
"Address1"="myfasserver01.domain.local" (REG_SZ)

I exported both registry keys to a .reg file. After that I upgraded the VDA again to version 7.15 and noticed that these keys were no longer present after the upgrade.

After importing the .reg files I had backed up earlier, Single Sign-on works again with VDA 7.15. The registry entries survive a reboot of the server.
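The same check and restore as a script, added here as an example and not part of the original post. It reads the Address values under both policy paths named above, reports what is present, and writes them back only when a path is empty. The FAS host name is the one used as an example in this post and is an assumption; run it elevated on the VDA. If your FAS addresses are delivered through the Citrix FAS group policy, that policy writes the same keys and a gpupdate /force is the cleaner route; the script is for the case where they were set directly in the registry.

```powershell
# Added example (not from the original post or from Citrix): check and restore the FAS
# address entries under both the 64-bit and the WOW6432Node policy paths.
$FasPaths = @(
    'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Citrix\Authentication\UserCredentialService\Addresses'
)

function Get-FasAddressState {
    # One object per path with the Address1..AddressN values currently present
    foreach ($path in $FasPaths) {
        $values = @()
        if (Test-Path $path) {
            $key    = Get-Item $path
            $values = @($key.GetValueNames() |
                Where-Object { $_ -match '^Address\d+$' } |
                Sort-Object |
                ForEach-Object { $key.GetValue($_) })
        }
        [pscustomobject]@{ Path = $path; Present = (Test-Path $path); Addresses = $values }
    }
}

function Restore-FasAddresses {
    param([Parameter(Mandatory)][string[]]$FasServers)
    foreach ($path in $FasPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        for ($i = 0; $i -lt $FasServers.Count; $i++) {
            # Address1, Address2, ... as REG_SZ, the same layout the 7.14 VDA had
            New-ItemProperty -Path $path -Name "Address$($i + 1)" -Value $FasServers[$i] `
                -PropertyType String -Force | Out-Null
        }
    }
}

# Usage: inspect first, restore only when a path has no Address values
$state = Get-FasAddressState
$state | Format-Table -AutoSize
if ($state | Where-Object { $_.Addresses.Count -eq 0 }) {
    Restore-FasAddresses -FasServers @('myfasserver01.domain.local')   # assumed FAS host
    Get-FasAddressState | Format-Table -AutoSize
}
```

After restoring the values, test a fresh FAS logon through StoreFront and confirm that the S101 event no longer appears on the VDA.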

I've also tested this with VDA version 7.17 and can confirm that it works correctly without the workaround described above. But 7.15 is an LTSR release, so most companies use this version to ensure they have long-term support.

(Beware that this is a workaround for the Single Sign-on problem with VDA 7.15 CU1. Use it at your own risk and test it in a non-production environment first.)

 

 


Netscaler AAA virtual server with SafeNet Grid Token

I'm currently involved in a project migrating several websites from Microsoft TMG to Citrix Netscaler. Depending on the security level required for a website we configure either LDAP (username and password) or MFA (multi-factor authentication) with LDAP and RADIUS. The customer currently uses SafeNet Grid Token for MFA on Microsoft TMG, so we need form-based authentication on the Netscaler; this can be done with Netscaler Gateway or with a Netscaler AAA virtual server.

In my opinion the best way to do this is with a Netscaler AAA virtual server, but remember that this requires a Netscaler Enterprise or Platinum license. When you use Netscaler Gateway for authentication you also have to lock down the Gateway itself, otherwise an authenticated user may reach other internal services or set up an SSL VPN session. With a Netscaler AAA virtual server the user only gets access to the site that was requested.

SafeNet published an integration guide for Citrix Netscaler with Netscaler Gateway, which you can find here. Unfortunately there is no integration guide for the Netscaler AAA virtual server. I only describe the changes necessary on the Netscaler; the SafeNet cloud side is assumed to be configured already.

So to configure the AAA virtual server I followed the integration guide for Netscaler Gateway, starting on page 17:

Instead of modifying index.html and gateway_login_form_view.js as the guide describes, you make the same changes to tmindex.html and tmindex_view.js, which are the files the AAA virtual server uses.

When you open your AAA virtual server, or the website you configured with form-based authentication, the following screen is displayed:

getgrid

When you fill in your user name and click the Get Grid button, nothing happens!

I started debugging the page with the Google Chrome developer tools (F12). The following error is displayed when you click the Get Grid button:

chrome_error

Uncaught TypeError: Cannot read property 'value' of null
    at getChallenge (tmindex.html:92)
    at HTMLInputElement.onclick (tmindex.html:1)

The debug message shows that the Get Grid button's action (getChallenge) tries to read the user name typed into the form, and that lookup returns null.
I then compared with gateway_login_form_view.js, because the same flow works on Netscaler Gateway, and found that a piece of code is missing from tmindex_view.js:

gateway_login_form_view.js: (line 33)
var enter_user = $("<input type='text'></input>").attr({'id':'Enter user name','class':'prePopulatedCredentials','autocomplete':'off', 'spellcheck' : 'false','name' :'login', 'size':'30', 'maxlength' : '127',"width":"180px","autofocus":true}).focus(function(){loginFieldCheck();});

tmindex_view.js: (line 27)
var enter_user = $("<input type='text'></input>").attr({'class':'prePopulatedCredentials','autocomplete':'off', 'spellcheck' : 'false','name' :'login', 'size':'30', 'maxlength' : '127',"width":"180px","autofocus":true}).focus(function(){loginFieldCheck();});

What is missing is the attribute 'id':'Enter user name'.
Copy line 33 from gateway_login_form_view.js, replace line 27 of tmindex_view.js with it, and upload the file to your Netscaler. Without the id "Enter user name" the getChallenge function in tmindex.html cannot find the user-name field (its lookup by id returns null, hence the TypeError above), so the user name is never sent to SafeNet to request a grid token. I don't know why this attribute is missing from the default tmindex_view.js on the Netscaler.

Now when we go back to the Netscaler AAA virtual server page, type in our user name and hit the Get Grid button, the grid token is displayed:

grid_succes.png

Now users can successfully retrieve their grid token on a Netscaler AAA virtual server.

Important: just as with index.html and gateway_login_form_view.js, you need to copy the files you changed to the customizations folder and restore them at boot. The /netscaler/ns_gui tree is rebuilt from the firmware image when the Netscaler reboots, so without this the modified files are lost.

Create the customizations directory:

mkdir /var/customizations

Copy the files to the customizations directory:

cp /netscaler/ns_gui/vpn/js/tmindex_view.js /var/customizations/tmindex_view.js.mod
cp /netscaler/ns_gui/vpn/tmindex.html /var/customizations/tmindex.html.mod

If the /nsconfig/rc.netscaler file does not exist already, create it and make it executable:

touch /nsconfig/rc.netscaler
chmod a+x /nsconfig/rc.netscaler

Run the following commands to add the entries that copy the files back on startup of the Netscaler:

echo 'cp /var/customizations/tmindex.html.mod /netscaler/ns_gui/vpn/tmindex.html' >> /nsconfig/rc.netscaler
echo 'cp /var/customizations/tmindex_view.js.mod /netscaler/ns_gui/vpn/js/tmindex_view.js' >> /nsconfig/rc.netscaler

Of course you can also use vi to edit the rc.netscaler file; check that each cp line appears only once, since running the echo commands twice appends duplicate entries.
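A check to run from an admin workstation after a reboot or firmware upgrade, added here as an example that is not part of the original post or of Citrix's code: it fetches tmindex_view.js exactly as the AAA virtual server serves it and confirms that the enter_user input still carries the 'Enter user name' id that the Get Grid button looks up. The URL path /vpn/js/ for the script, the host name aaa.example.com and a certificate trusted by the workstation are assumptions.

```powershell
# Added example (not from the original post or from Citrix): verify that the served
# tmindex_view.js still contains the id attribute fix after a reboot or upgrade.
function Test-AaaGridTokenFix {
    param([Parameter(Mandatory)][string]$AaaVserver)   # e.g. 'aaa.example.com' (assumed)

    $uri = "https://$AaaVserver/vpn/js/tmindex_view.js"   # assumed path of the served file
    $js  = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content

    # Isolate the line that builds the user-name input, then inspect its attributes
    $line = ($js -split "`n") | Where-Object { $_ -match 'var\s+enter_user\s*=' } | Select-Object -First 1
    if (-not $line) { throw "enter_user definition not found in $uri" }

    [pscustomobject]@{
        Uri       = $uri
        HasId     = [bool]($line -match "'id'\s*:\s*'Enter user name'")   # the fix from this post
        NameLogin = [bool]($line -match "'name'\s*:\s*'login'")           # sanity check on the field
    }
}

# Usage
$result = Test-AaaGridTokenFix -AaaVserver 'aaa.example.com'
$result | Format-List
if (-not $result.HasId) {
    Write-Warning 'tmindex_view.js is missing the id attribute: re-apply the customization and check /nsconfig/rc.netscaler.'
}
```

Running this right after each firmware upgrade catches the case where the upgrade replaced ns_gui and rc.netscaler did not put the customized files back.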

I've been in contact with Gemalto Technical Support about the integration guide for Netscaler Gateway and the AAA virtual server with Grid Token. They are currently working on a new integration guide, but couldn't give a date for when it will be available. When it is available I'll add a link to this article.

I configured and tested this on Netscaler 11.1.

 

RES ONE Workspace Management Portal – Install prerequisites with PowerShell

With the introduction of RES ONE Workspace V10 the new management portals are available for RES ONE Workspace and RES ONE Automation. Rob Jager wrote an excellent blog on how to install the RES ONE Workspace Management Portal step by step. I've installed the management portal a few times now, and the prerequisites for IIS (Web-Server) are very specific. The funny thing is that the RES ONE Automation Management Portal installs its prerequisites automatically. If you don't have tools like RES Automation Manager, this is how you can quickly install the prerequisites with PowerShell on Windows Server 2012 R2:

Add-WindowsFeature Web-Server,AS-NET-Framework,Web-HTTP-Redirect,Web-Asp-Net45,Web-Net-Ext45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Basic-Auth,Web-Windows-Auth,Web-Client-Auth,Web-Cert-Auth,Web-Request-Monitor,Web-Dyn-Compression

powershell

Note that .NET Framework 4.5.2 is also a prerequisite; you can download it here.

If you don't install the prerequisites, trying to install the management portal gives the following error message: "RES ONE Workspace Management Portal cannot be installed on systems with Internet Information Services lower than 7.5"

error_iis
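The one-liner above installs everything unconditionally. The script below is an added example, not from the original post or from RES: it compares the required feature list with what is already installed, installs only what is missing, and checks the .NET Framework 4.5.2 prerequisite through the Release value that the framework setup writes to the registry (379893 for 4.5.2; later 4.x releases write a higher number). Windows Server 2012 R2 with the ServerManager module is assumed.

```powershell
# Added example (not from the original post or from RES): install only the missing
# IIS/ASP.NET features for the RES ONE Workspace Management Portal and check .NET 4.5.2.
$RequiredFeatures = @(
    'Web-Server', 'AS-NET-Framework', 'Web-HTTP-Redirect', 'Web-Asp-Net45', 'Web-Net-Ext45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Client-Auth',
    'Web-Cert-Auth', 'Web-Request-Monitor', 'Web-Dyn-Compression'
)

function Get-MissingPortalFeatures {
    # Names from the required list that are not yet installed on this server
    $installed = Get-WindowsFeature -Name $RequiredFeatures |
        Where-Object { $_.Installed } |
        Select-Object -ExpandProperty Name
    @($RequiredFeatures | Where-Object { $_ -notin $installed })
}

function Test-DotNet452 {
    # .NET 4.5.2 setup writes Release = 379893 under the v4\Full key; higher means newer 4.x
    $key     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Release
    [int]$release -ge 379893
}

# Usage
$missing = Get-MissingPortalFeatures
if ($missing.Count -gt 0) {
    Write-Host "Installing missing features: $($missing -join ', ')"
    Install-WindowsFeature -Name $missing -IncludeManagementTools
} else {
    Write-Host 'All IIS/ASP.NET features for the portal are already installed.'
}

if (-not (Test-DotNet452)) {
    Write-Warning '.NET Framework 4.5.2 or later is not installed; install it before running the portal setup.'
}
```

Running it a second time is safe: it reports that nothing is missing instead of re-running the installer.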


The prerequisites are also described in the RES ONE Workspace Administration Guide:

iis-prereq

Hopefully RES changes the installer to install the Windows features automatically, just as the RES ONE Automation Management Portal installer does.

RES ONE Workspace – Windows 10 – We can’t sign into your account

When you configure Windows 10 with RES ONE Workspace 2016 to roam your Internet Explorer 11 cookies according to the following procedure: HOWTO: Configure User Settings for Microsoft Internet Explorer 11 to support Cookie roaming

the following error occurred when I logged on to a brand new desktop:

account_error

The Windows 10 installation was based on version 1607 (OS Build 14393)

To solve this problem, update Windows 10 to at least OS build 14393.576.

How To: Configure Designated account for Windows Authentication RES ONE Workspace Manager

As of RES ONE Workspace Manager 2015 SR2 it is possible to configure a designated account for Windows authentication to access the RES ONE Workspace Manager Console.

What this means:
You can run the RES ONE WM Console without your own account having access to the RES ONE WM database.

Use case:
When you configure your RES WM environment with Windows authentication, you specify an Active Directory group in the database creation wizard. This group is granted db_owner permission on the database, and the service account that runs the RES ONE Workspace service must be a member of it to connect to the database.
But when your help desk or other staff need access to the RES ONE WM Console, they also have to be members of that same Active Directory group, which means all of these users get db_owner permission on the database on your MS SQL server. The alternative is to grant each individual account permissions on the RES ONE WM database in SQL Server Management Studio.

By configuring a designated account for Windows authentication we can use a separate account to access the RES ONE WM database, and the help desk or other staff never need to know that account's credentials.

If you don't configure the designated account for Windows authentication, and the user is not a member of the Active Directory group, the user is prompted with the following messages:

error1

error2

Configure designated account for Windows Authentication

  1. Create a new user account in your Active Directory domain, for example: svc_reswmdb
  2. Grant the account access to your RESWM DB on the MS SQL Server.
    Open SQL Server Management Studio, Security, Logins and select New Login

sql01
sql02

Select the user account you created in step 1

sql03

Go to the tab User Mapping:

Map the user to your RES ONE Workspace Manager database, grant the user db_owner permission, click OK and close SQL Server Management Studio.

 

  3. Now open your RES ONE WM Console and go to Setup, Datastore:

res01

Under Windows Authentication select Designated account:

res02

  4. Enter the credentials of the account you created in step 1.
(use the format domain\username; a userPrincipalName doesn't work)

  5. Now log in with a help desk or other account that has an administrative role and verify that you can open the RES ONE WM Console.
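The SQL side of steps 1 and 2 as a script, added here as an example that is not part of the original post or of RES's documentation. It creates the Windows login for the designated account, maps it into the datastore and grants db_owner as the post does, then queries the role membership back so you can confirm the mapping before switching the console over. The instance, database and account names are assumptions, and the SqlServer (or SQLPS) module providing Invoke-Sqlcmd is assumed to be installed; step 3 in the console remains a manual action.

```powershell
# Added example (not from the original post or from RES): create the designated
# Windows login and db_owner mapping for the RES ONE Workspace datastore in T-SQL.
$SqlInstance = 'SQL01\RESWM'          # assumed instance
$Database    = 'RESWM'                # assumed datastore name
$Account     = 'DOMAIN\svc_reswmdb'   # assumed; the AD account created in step 1

$tsql = @"
-- Windows login for the designated account; no SQL password is involved
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
GO
USE [$Database];
GO
-- map the login into the datastore and grant db_owner, matching the User Mapping step
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_owner ADD MEMBER [$Account];
GO
-- verification: expect one row, member = the account, role = db_owner
SELECT dp.name AS member, r.name AS role
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals dp ON rm.member_principal_id = dp.principal_id
WHERE dp.name = N'$Account';
"@

# Invoke-Sqlcmd runs each GO-separated batch in turn and returns the final SELECT
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tsql | Format-Table -AutoSize
```

Once the console connects through this account, remove the help desk users from the AD group that holds db_owner on the datastore; that removal is what actually reduces their database privileges.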

From the RES ONE Workspace Manager 2015 SR Release notes:

As of RES ONE Workspace 2015 SR2, when using a Microsoft SQL Datastore, you can specify a designated Windows account for RES ONE Workspace Datastore access. This makes it possible for the RES ONE Workspace Console to connect to the Datastore using a designated account if the Console-user does not have Datastore access with their own Windows account. Previously, when using Windows authentication for access to the Datastore, it was necessary for the Windows user accounts of Console-users to have access permissions on the database.

As a result, after configuring a designated account for your environment, you can remove Windows user accounts of Console-users from the Active Directory groups that grant them write access to the Datastore.

This increases security because users of the Console no longer need permissions on the Datastore.

The designated account can be specified for existing Datastores, and when creating a new Datastore or migrating one.

RES Workspace Manager Mail Control Panel Office 2016

During one of my latest projects I'm building a new platform based on XenApp 7.7, RES ONE Workspace Manager 2015 SR1 and Microsoft Office 2016. The customer wants the Mail control panel item available in the start menu for end users.

The customer has Office 365 E3 licenses, which entitle them to the Office 365 Click-to-Run version that can be downloaded from portal.office.com. We're using the most recent version, Microsoft Office 2016.

In previous versions of Microsoft Office you could configure the control panel item as follows with RES Workspace Manager:

Mail and Fax Options
module:  MLCFG32.CPL
command:  rundll32.exe shell32.dll,Control_RunDLL mlcfg32.cpl
result:  displays the Microsoft Exchange Profiles general property page

res1
https://success.ressoftware.com/kA140000000TZ7w?srPos=0&srKp=ka1&lang=en_US

So I exported the item as a building block and imported it into the new RES Workspace Manager environment. When I logged on as a user the application didn't appear: no error, nothing happened.

Then I tried to start the application from the command line in an administrator session, without RES Workspace Manager. Again nothing happened: no error and no control panel item.

After some research I found out that Microsoft Office 2016 Click-to-Run runs inside a virtual file system, so the .CPL has to be started from within that virtual file system.
This can be done by launching it through the following executable:

C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe

AppVLP.exe is the Microsoft Application Virtualization Virtual Process Launcher. It starts an arbitrary process inside the App-V virtual environment that the Click-to-Run Office package runs in, so a rundll32.exe launched through it sees the virtualized Office files, including MLCFG32.CPL, that are invisible to a process started normally.

command:  C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe
parameters: rundll32.exe shell32.dll,Control_RunDLL “C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL”

res2

Microsoft Office 2013 (Click-to-Run)
A colleague notified me that the path for Microsoft Office 2013 is different, so I installed Microsoft Office 2013 and confirmed that the path to AppVLP.exe does indeed differ:
C:\Program Files\Microsoft Office 15\root\client\AppVLP.exe

command: C:\Program Files\Microsoft Office 15\root\client\AppVLP.exe
parameters: rundll32.exe shell32.dll,Control_RunDLL “C:\Program Files\Microsoft Office 15\root\office15\MLCFG32.CPL”
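A small launcher that covers both layouts above, added here as an example and not code from the original post or from RES or Microsoft. It looks for the AppVLP.exe and MLCFG32.CPL pairs in the Office 2016 and Office 2013 Click-to-Run locations the post gives, returns the command and parameters in the form you enter in the RES application settings, and falls back to the classic rundll32 call for an MSI-based Office. The 64-bit Office 2016 path (C:\Program Files\Microsoft Office\root) is an assumption I added; the other two paths are the ones from this post.

```powershell
# Added example (not from the original post): find the Click-to-Run launcher and the Mail
# control panel applet, and build the command/parameters for RES Workspace Manager.
function Get-OfficeMailCplCommand {
    $candidates = @(
        # Office 2016 Click-to-Run, 32-bit Office on 64-bit Windows (path from the post)
        @{ Launcher = 'C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe';
           Cpl      = 'C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL' },
        # Office 2016 Click-to-Run, 64-bit Office (assumed path, not from the post)
        @{ Launcher = 'C:\Program Files\Microsoft Office\root\client\AppVLP.exe';
           Cpl      = 'C:\Program Files\Microsoft Office\root\Office16\MLCFG32.CPL' },
        # Office 2013 Click-to-Run (path from the post)
        @{ Launcher = 'C:\Program Files\Microsoft Office 15\root\client\AppVLP.exe';
           Cpl      = 'C:\Program Files\Microsoft Office 15\root\office15\MLCFG32.CPL' }
    )

    foreach ($c in $candidates) {
        if ((Test-Path $c.Launcher) -and (Test-Path $c.Cpl)) {
            return [pscustomobject]@{
                Command    = $c.Launcher
                Parameters = "rundll32.exe shell32.dll,Control_RunDLL `"$($c.Cpl)`""
            }
        }
    }

    # No Click-to-Run Office found: an MSI-based Office registers mlcfg32.cpl normally
    [pscustomobject]@{
        Command    = 'rundll32.exe'
        Parameters = 'shell32.dll,Control_RunDLL mlcfg32.cpl'
    }
}

# Usage: show what to enter in RES, then launch it once to confirm the applet opens
$cmd = Get-OfficeMailCplCommand
$cmd | Format-List
Start-Process -FilePath $cmd.Command -ArgumentList $cmd.Parameters
```

Test the returned command interactively once as a normal user before putting it in a building block, since that is exactly the step where the original silent failure showed up.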

Note:
Microsoft Office 2016 is not yet fully supported by RES ONE Workspace Manager 2015; support is announced for the next release, RES ONE Workspace Manager 2015 SR2.

Update:
RES ONE Workspace Manager 2015 SR2 is now available from the RES Success Center and can be downloaded if you have valid SA (Software Assurance).