Citrix Web Interface with ISA Single Sign On

It’s been a long time since my last post!  I’ve been so busy working on the house (but nothing really blog-worthy).  Anyway today a colleague and I went through and set up the Citrix Web Interface (5.x) with single-sign-on using Microsoft ISA 2006.

The Web Interface and Secure Gateway run on the same server but are configured completely independently of each other; they could just as well be on separate servers if the load warranted it.  They both listen on port 443 on separate IP addresses with separate certificates.

On the face of it, it seems quite straightforward – configure the Web Interface for pass-through authentication, create an ISA web publishing rule using our common SSO web listener with forms based authentication and configure an authentication delegation method.  This works just fine as far as getting the user logged in with their list of applications.

Next step – configure the CSG to listen on a separate IP address with a separate certificate and configure a NAT rule so the ICA client can connect directly to the CSG.  Again fairly straightforward.

Here’s the catch. Using pass-through on the web interface doesn’t work with the CSG.  Pass-through mode expects the client to be domain-joined, inside the corporate network and able to authenticate directly with the XenApp Server (as opposed to being pre-authenticated by the XML/STA services).  The result with the above configuration is that when the user launches an application they are presented with a Windows login dialog which defeats the purpose of single-sign-on.

The solution – ASP.Net “jump” page on the web interface.

Configure the Web Interface in “Explicit” mode rather than pass-through.  This is the standard method where the user is presented with the Citrix Web Interface login form.

Configure the ISA web publishing rule to delegate “basic” credentials, i.e. the clear-text user name and password (secured with SSL of course!).

Create an ASP.NET jump page which extracts the user name and password from the HTTP request, creates a form with hidden fields and then uses JavaScript to POST the form to the Web Interface login page.

This all happens instantly without the user noticing.  Don’t configure the Web Interface as the default IIS page; instead place the jump page in the root of the IIS web site and set the document priority to serve it up first.  Here’s the code:  (Download link at the end of the post)

AuthPass.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="AuthPass.aspx.cs" Inherits="AuthPass" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<title>
		</title>
		<!-- Submits the hidden form that the code-behind writes into FormContainer as soon as the page has loaded -->
		<script type="text/javascript" language="javascript">
			function submitlogin()
			{
				document.CitrixForm.submit();
			}
		</script>
	</head>
	<body onload="submitlogin()">
		<!-- The code-behind fills this div with the CitrixForm markup -->
		<div id="FormContainer" runat="server">

		</div>
	</body>
</html>

AuthPass.aspx.cs - Note: The domain field needs to be set to your own domain or removed completely depending on how your users login.  The form action needs to point to your Web Interface login.aspx page.

using System;
using System.Text;
using System.Web;

public partial class AuthPass : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // ISA delegates Basic credentials, so IIS exposes the user name and clear-text
        // password of the authenticated request as server variables.
        FormContainer.InnerHtml = doLogin(Request.ServerVariables["AUTH_USER"], Request.ServerVariables["AUTH_PASSWORD"]);
    }

    // Builds the hidden form that the page's JavaScript auto-submits to the Web Interface login page.
    // Set the domain field to your own domain (or remove it) and point the action at your login.aspx.
    private String doLogin(String strUser, String strPassword)
    {
        StringBuilder strForm = new StringBuilder();
        strForm.Append("<form name=\"CitrixForm\" action=\"https://citrix.corp.com/Citrix/XenApp/auth/login.aspx\" method=\"post\">");
        strForm.Append("<input type=\"hidden\" name=\"domain\" value=\"MyDomain\">");
        strForm.Append("<input type=\"hidden\" name=\"user\" value=\"{0}\">");
        strForm.Append("<input type=\"hidden\" name=\"password\" value=\"{1}\">");
        strForm.Append("<input type=\"hidden\" name=\"LoginType\" value=\"Explicit\">");
        strForm.Append("</form>");
        // Attribute-encode both values so a quote or angle bracket in a user name or
        // password cannot break out of the hidden field's value attribute.
        return String.Format(strForm.ToString(),
            HttpUtility.HtmlAttributeEncode(strUser),
            HttpUtility.HtmlAttributeEncode(strPassword));
    }
}
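As an added example (not the post's own code or its download), here is a variant of the code-behind that refuses to emit the auto-submitting form unless the request actually arrived with Basic credentials over SSL, and marks the response uncacheable so the HTML carrying the clear-text password is not stored by the browser or a proxy. The hidden-field names match the post's form; the login URL and domain are placeholders to replace with your own.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.UI;

// Hardened variant of the jump page code-behind (added example, not the original
// AuthPass.aspx.cs). Page and control names follow the post; LoginUrl and Domain
// are placeholders.
public partial class AuthPass : Page
{
    private const string LoginUrl = "https://citrix.corp.com/Citrix/XenApp/auth/login.aspx";
    private const string Domain = "MyDomain";

    protected void Page_Load(object sender, EventArgs e)
    {
        // The emitted form contains the user's clear-text password, so it must
        // never be cached by the browser or by any intermediate proxy.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // Only act on requests that ISA delegated as Basic credentials over SSL.
        // Anything else (anonymous, plain HTTP, missing password) gets a 401 rather
        // than an empty or half-filled auto-submitting form.
        string user = Request.ServerVariables["AUTH_USER"];
        string password = Request.ServerVariables["AUTH_PASSWORD"];
        bool basicOverSsl = Request.IsSecureConnection
            && string.Equals(Request.ServerVariables["AUTH_TYPE"], "Basic", StringComparison.OrdinalIgnoreCase);
        if (!basicOverSsl || string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }
        FormContainer.InnerHtml = BuildLoginForm(user, password);
    }

    private static string BuildLoginForm(string user, string password)
    {
        // Attribute-encode every value so a quote or angle bracket in a password
        // cannot break out of the hidden field and alter the emitted markup.
        var form = new StringBuilder();
        form.AppendFormat("<form name=\"CitrixForm\" action=\"{0}\" method=\"post\">", LoginUrl);
        form.AppendFormat("<input type=\"hidden\" name=\"domain\" value=\"{0}\">", HttpUtility.HtmlAttributeEncode(Domain));
        form.AppendFormat("<input type=\"hidden\" name=\"user\" value=\"{0}\">", HttpUtility.HtmlAttributeEncode(user));
        form.AppendFormat("<input type=\"hidden\" name=\"password\" value=\"{0}\">", HttpUtility.HtmlAttributeEncode(password));
        form.Append("<input type=\"hidden\" name=\"LoginType\" value=\"Explicit\">");
        form.Append("</form>");
        return form.ToString();
    }
}
```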

Here are the key points.

ISA 2006

  • Web publishing rule with SSO WebListener using forms based Authentication
  • “Basic” authentication delegation (SSL end to end!)
  • Published logoff URL is set to /Citrix/XenApp/site/logout.aspx
  • Simple NAT rule for CSG

Web Interface

  • A new XenApp site is created in the Web Interface Management tool with “At Web Interface” configured for the “Where user authentication takes place” setting
  • Authentication Method set to Explicit
  • AuthPass.aspx[.cs] files are placed in the root of the IIS website to handle auto-login
  • XenApp web site is not configured as the default IIS site.  AuthPass.aspx is set as the default page on the IIS web site
  • Secure access mode is set to “Gateway Direct” but this will depend on your environment

CSG

  • The CSG is configured entirely using the CSG Management Console
  • A specific certificate for the CSG is selected
  • The CSG is set to listen on a specific IP address rather than the default of all IPv4 addresses (an additional address must be added to the server’s TCP config).
  • “Direct” mode is configured for the Web Interface location

There you have it.  Citrix WI/CSG SSO for ISA.  I know it’s a bit of a hack but I spent some time trying to find a way to do this natively with Citrix Web Interface configuration and posted in the Citrix support forums without any success.  If there is a more official way to do it I’d love to hear about it.

On a side note…

I found a long delay during login which was fixed by disabling NetBIOS over TCP/IP on the web interface server.

Citrix Web Interface SSO for MS ISA
Version: 1.0.0
Updated: 2011-02-17
Download: AuthPass.zip - 1.09 kB


15 Responses to Citrix Web Interface with ISA Single Sign On

  1. Frank Stevens March 4, 2014 at 6:58 am #

    Please disregard. It just started working for me. It must have been the domain restrictions on the web interface. Thanks again!


    Frank Stevens:

    Great article! Thank you for posting this! I stumbled upon this article and it sounds perfect for what I am trying to do.
    I have TMG publishing Citrix web interface 5.4 and everything works except for SSO. I am hoping your script can help me although I have not had success as of yet. I keep getting “your credentials are invalid” displayed on the WI page.
    One thing that perhaps wasn’t mentioned in the article is I think we need to set the root IIS where authpass is located to basic credentials.
    As far as my secure gateway, I put it on its own server and published through TMG as a non web server NAT and IP since the secure gateway doesn’t like its SSL cracked (you would get SSL 4 error if it were proxied). Anyway everything works great this way except signing on twice.
    Any advice or tips on how I might diagnose? Thank you!

    • RhysGoodwin March 17, 2014 at 9:09 am #

      Hi Frank,

      I’m glad to see this was useful for someone else.

      Cheers,
      Rhys

  2. Raj Singh August 11, 2011 at 1:31 am #

    Rhys,

    I have the same setup except I am using the AccessGateway/NetScaler in ICA proxy mode – and I have the Citrix 5.4 WI page presented in an iFrame on a web page from another IIS server – I tried your code and I am getting the Citrix Log On prompt – any ideas?

    • RhysGoodwin August 11, 2011 at 6:09 pm #

      Hey Raj,

      I haven’t had any experience with AccessGateway or NetScaler. It’s a bit hard to say what’s happening without knowing what your setup looks like. I would suggest trying to analyse the HTTP transactions using something like HTTPAnalyser.

      Cheers,
      Rhys

  3. James Spadaro March 3, 2011 at 7:26 pm #

    I’ve been trying to solve this issue for a while now and just found your post on this subject. I’m trying this solution with WI 5.4 and ISA 2006, but it doesn’t seem to be passing the credentials to the login.aspx page properly. I’m getting this message at the WI screen…. “you must enter a user name”.

    Any thoughts on how to resolve this, or would you be able to look at my config over a GoToMeeting session? I’ve been trying to solve this issue long enough that I’m willing to pay for the help…:-)

    • RhysGoodwin March 3, 2011 at 7:56 pm #

      Hi James,
      Yeah I’m also running 5.4. How have you got ISA set up? You could check that the field names on the login.aspx html source are correct. Failing that I could take a quick look remotely.

      Cheers,
      Rhys

      • James Spadaro March 4, 2011 at 3:37 pm #

        I took a second look over everything today and was still unable to get it working. If you’re willing to help remotely, shoot me an email at jspadaro@flightapps.com and I’ll set up a time to work with you on this.

        This would be greatly appreciated and we will of course pay you for your time.

        Thanks!!

  4. Dharmesh February 19, 2011 at 2:24 pm #

    Rhys,

    This is a great blog. I was looking for something like this. Just one question. Do all the servers; ISA , CSG and WI have to be domain members? Also can CSG be bypassed and have a web publishing rule straight to the WI on the internal segment?

    • RhysGoodwin February 19, 2011 at 11:36 pm #

      Hi Dharmesh,
      The ISA server doesn’t need to be domain joined but does of course need a way to authenticate users, so that could be Windows (domain joined), LDAP, RADIUS etc. Domain joining an ISA server generally IS a good idea though. WI doesn’t have to be domain joined because ISA is passing it username and password rather than Windows credentials. CSG doesn’t have to be domain joined. You could put the WI on the internal segment. You don’t need the CSG; I think you can use SSL at each XenApp server, but the CSG is a more elegant solution. If you tell me a bit more about your environment and what you’re wanting to achieve I might be able to be of more help.

      Thanks for reading,
      Rhys

      • Dharmesh February 20, 2011 at 5:43 am #

        Thanks Rhys,

        I currently have a CSG w/ WI in the DMZ and remote users use Forms authentication to login. Now my organization is going with Sharepoint for our Intranet and we set up an ISA server [that is on the domain] w/ forms-based authentication, which works fine. Now we want to allow SSO to our WI. The web-based rule works fine authenticating and displaying Published apps. Now the problem is when I launch an app; I’m prompted with a Windows Logon again. I was thinking your “Jump Page” code might do the trick for me if I create a simple page on our sharepoint site set to basic auth. Then create an ISA rule with Basic Auth to that page, which would redirect my users back out to the CSG.

        What do you think?
        Thanks in advance for all your help.

        • RhysGoodwin February 20, 2011 at 5:28 pm #

          Yeah we have SharePoint too. You can check out my MOSS Split Back-to-Back in the Real World post for more info on that. I would suggest that you can leave your WI and CSG in the DMZ and use the Jump page on the WI as I’ve described in the post. You would then utilise 1 ISA web listener (2 certificates) in 2 separate web publishing rules. One for SharePoint, one for Citrix WI. This means that once your users authenticate at ISA FBA they can hop from SharePoint to Citrix WI without re-authenticating. Use basic auth delegation for the Citrix WI and whatever you like for SharePoint, although I find using “basic” keeps things simple, allowing IIS to do the Kerberos stuff. Just make sure you’re doing SSL end-to-end. But as mentioned take a look at my SharePoint post linked above, it goes into much more detail on the ISA config. I’ll be keen to hear how you get on.

          Cheers,
          Rhys

  5. RhysGoodwin February 17, 2011 at 7:16 am #

    New Post: Citrix Web Interface with ISA Single Sign On – http://blog.rhysgoodwin.com/windows-admi

    • Frank Stevens March 4, 2014 at 6:06 am #

      Great article! Thank you for posting this! I stumbled upon this article and it sounds perfect for what I am trying to do.
      I have TMG publishing Citrix web interface 5.4 and everything works except for SSO. I am hoping your script can help me although I have not had success as of yet. I keep getting “your credentials are invalid” displayed on the WI page.
      One thing that perhaps wasn’t mentioned in the article is I think we need to set the root IIS where authpass is located to basic credentials.
      As far as my secure gateway, I put it on its own server and published through TMG as a non web server NAT and IP since the secure gateway doesn’t like its SSL cracked (you would get SSL 4 error if it were proxied). Anyway everything works great this way except signing on twice.
      Any advice or tips on how I might diagnose? Thank you!
