Multi factor Authentication for Citrix Xen. Desktop Net. Scaler against Azure AD dreadys Blog. In my last post about secure access to Xen. Desktop virtual workspaces I tried to give an overview of the different ways to implement multi factor authentication with Citrix Net. Scaler and Xen. Desktop. I came to the conclusion that integrating the remote access with Azure AD and using the Microsoft MFA feature is a very end user friendly way to accomplish this goal, especially when you already have Azure AD in your setup. In this post I will outline a walkthrough to the setup and configuration steps needed. Settings and Configuration in Microsoft Azure ADIn a first step we need to create a new enterprise application in Azure Active Directory. Log in to your Azure management portal portal. Azure Active Directory. Select the Azure Active Directory management. Select Enterprise applications and create a new application. AZOcyqTh6gY/maxresdefault.jpg' alt='How To Install Application On Citrix Xen App Server Configuration' title='How To Install Application On Citrix Xen App Server Configuration' />Choose to create a non gallery application and give it a name. Add a new Non gallery application. Name your application This is the name of the application your users will see on their access panel. After your enterprise application has successfully been created, you will see the Quick start panel. Quick start pane of the new enterprise application. In the properties of the enterprise app you may change the name of the application and assign a custom logo. Here you also can globally enable or disable the application and choose if a user assignment is required for the application. If this option is set to yes, users must first be assigned to this application before being able to access it. If this option is set to no, then any users who navigate to the application will be granted access. Enterprise application properties. Add users and groups you want to grant access to the application. How To Install Application On Citrix Xen App Server Configuration' title='How To Install Application On Citrix Xen App Server Configuration' />Support site offering resources for Citrix Presentation Server, VDI, VMWare, Xen, Microsoft Terminal Services, SoftGrid and others. Hotfix Rollup Pack 7 for Citrix XenApp 5. Citrix Presentation Server 4. Microsoft Windows Server 2003 32bit Edition. Learn how to deliver applications using Citrix Studio in XenDesktop 7. Get more info at httpwww. Assign users and groups to your application. Assign users and groups. Assigned user to the enterprise application. Move on to the Single sign on settings and enable SAML based sign on. Enable SAML based Sign on. Set the Identifier to the URL of your Net. Scaler gateway. Set the Reply URL to the URL of your Net. Scaler gateway and append cgisamlauth. Set the Sign on URL to your Net. Scaler gateway address. Select user. userprincipalname for the User Identifier. Make the new certificate active and set a notification email. When the active signing certificate approaches its expiration date, notifications are sent to this email address with instructions on how to update the certificate. Make new certificate active and set a notification email. Download the SAML signing certificate Base. We need this later on our Net. Scaler to set up the SAML authentication. Citrix Net. Scaler Configuration. The configuration on the Net. Scaler side is quite straight forward. We just need to edit an existing virtual gateway to reflect our new SAML authentication against Azure AD. Upload and install the SAML signing certificate to your Net. Scalers CA certificates. This can be done under Traffic Management SSL Certificates CA Certificates. Upload SAML signing certificate. Install SAML signing certificate. Add the SAML authentication server via Authentication Dashboard. Add SAML authentication server. Choose SAML for the server type and select the uploaded IDP certificate. For the signing certificate you may select your Net. Scaler server certificate. The Issuer Name has to match the Identifier you have set in your Azure enterprise app. Configure authentication server. Now you need to provide the Redirect URL and the Single Logout URL, which you can lookup in your enterprise app on Azure AD Configure Citrix Gateway at the bottom of the page. Lookup redirect and single logout URLs. SAML Single Sign On Service URL and Sign Out URLTake note of the SAML Single Sign On Service URL Redirect URL and the Sign Out URL Single Logout URL and put the values in your authentication server configuration of the Net. Scaler. Set Redirect and Single Logout URLs As a last step before hitting create, set the Signature Algorithm and Digest Method to SHA2. Set SHA2. 56. Head over to your existing Net. Scaler Gateway Virtual Server configuration. Remove existing Active Directory authentication policies under Basic Authentication and replace them by creating a new SAML Policy for the Primary Authentication. Edit Basic Authentication to SAMLBind SAML policy. Make sure to remove the Single Sign on Domain from the Session Profile bound to the virtual server. Remove Single Sign on Domain from Session Profile. Installation and setup of Citrix Federated Authentication Service. The next step is to implement Citrix Federated Authentication Service in your Citrix Xen. Desktop Xen. App environment. Without Citrix FAS your Net. Scaler SAML authentication will work, but your users would have to re authenticate when starting desktops and apps from Store. Front, which is definitively not what you want since we aim to build a true Singe Sign On solution for our users. There is a great blog posts from awesome Citrix CTP Carl Stalhood on how to set up Citrix Federated Authentication Service. You find his detailed setup guide under http www. Its a very straight forward process and I encourage you to follow his guide for the setup. Citrix Store. Front Configuration. In a last step we need to enable Federated Authentication on your Store. Front servers and fully delegate credential validation to Net. Scaler Gateway.  Enable Federated Authentication Service integration on Store. Front by running the following Power. Shell commands Get Module Citrix. Store. Front. List. Available Import ModuleStore. Virtual. Path CitrixStorereplace with your corresponding Store namestore Get STFStore. Service Virtual. Path Store. Virtual. Pathauth Get STFAuthentication. Service Store. Service store. Set STFClaims. Factory. Names Authentication. Service auth Claims. Factory. Name FASClaims. FactorySet STFStore. Launch. Options Store. Service store Vda. Logon. Data. Provider FASLogon. Data. ProviderTo delegate the credential validation to Net. Scaler Gateway, in the Store. Front management console go to Manage Authentication Methods of your Store, and select the settings of Pass through from Net. Scaler Gateway, where you can enable Delegated Authentication. Fully delegate credential validation to Net. Scaler Gateway. Enabling and configuring Azure MFA for your Citrix Gateway enterprise app. Thats it, you are almost done The very last step is to enable and configure multi factor authentication for your newly created Azure enterprise app. Create a new Conditional Access Policy. Create a new conditional access policy. Specify the users and groups to be included and or excluded from the policy. Users and groups in the directory that the policy applies to. Set the conditions which define when the policy will apply. You can specify conditions based on. Device platforms Android, i. OS, Windows Phone, Windows, mac. OS. Platform the user is signing in from. Location determined using IP address range the user is signing in from. Location the user is signing in from. Set Access Controls to block access or enforce additional requirements which need to be satisfied to allow access. You can enforce the following additional requirements. Select the controls to be enforced. Require multi factor authentication User must complete additional security requirements like phone call, text, authentication app challenge. Hotfix Rollup Pack 2 for Citrix Xen. App 6. 5 for Microsoft Windows Server 2. R2. Hotfix readme name XAE6. W2. K8. R2. X6. 4R0. HTMLHotfix package. XA6. 50. W2. K8. R2. X6. 4R0. 2. MSPFor Computers running Xen. App 6. 5. for Windows Server 2. R2. Replaced hotfixes See table. Invalidated hotfixes See table. Date June, 2. 01. Languages supported English US. German DE, Spanish ES, French FR, Japanese JA, Simplified. Chinese SCReadme version 1. This hotfix rollup pack replaces most individual hotfixes released. Xen. App so far and introduces a number of new fixes. This document describes the issues solved by this hotfix rollup. The full Xen. App and other. Citrix Product Documentation. XA6. 50. W2. K8. R2. X6. 4R0. 1, XA6. 50. W2. K8. R2. X6. 40. XA6. 50. W2. K8. R2. X6. 40. 33. XA6. 50. W2. K8. R2. X6. 40. XA6. 50. W2. K8. R2. X6. 40. 36, XA6. 50. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 02, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 04. XA6. 50. R0. 1W2. K8. R2. X6. 40. 05, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 07. XA6. 50. R0. 1W2. K8. R2. X6. 40. 09, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 11. XA6. 50. R0. 1W2. K8. R2. X6. 40. 12, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 14. XA6. 50. R0. 1W2. K8. R2. X6. 40. 15, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 17. XA6. 50. R0. 1W2. K8. R2. X6. 40. 18, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 20. XA6. 50. R0. 1W2. K8. R2. X6. 40. 21, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 23. XA6. 50. R0. 1W2. K8. R2. X6. 40. 24, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 26. XA6. 50. R0. 1W2. K8. R2. X6. 40. 27, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 29. XA6. 50. R0. 1W2. K8. R2. X6. 40. 30, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 33. XA6. 50. R0. 1W2. K8. R2. X6. 40. 34, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 37. XA6. 50. R0. 1W2. K8. R2. X6. 40. 38, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 40. XA6. 50. R0. 1W2. K8. R2. X6. 40. 42, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 44. XA6. 50. R0. 1W2. K8. R2. X6. 40. 45, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 47. XA6. 50. R0. 1W2. K8. R2. X6. 40. 48, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 50. XA6. 50. R0. 1W2. K8. R2. X6. 40. 51, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 53. XA6. 50. R0. 1W2. K8. R2. X6. 40. 55, XA6. Ebcs 10 Pdf Free Download. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 57. XA6. 50. R0. 1W2. K8. R2. X6. 40. 58, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 60. XA6. 50. R0. 1W2. K8. R2. X6. 40. 61, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 63. XA6. 50. R0. 1W2. K8. R2. X6. 40. 64, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 66. XA6. 50. R0. 1W2. K8. R2. X6. 40. 67, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 69. XA6. 50. R0. 1W2. K8. R2. X6. 40. 70, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 73. XA6. 50. R0. 1W2. K8. R2. X6. 40. 74, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 76. XA6. 50. R0. 1W2. K8. R2. X6. 40. 78, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 81. XA6. 50. R0. 1W2. K8. R2. X6. 40. 82, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 84. XA6. 50. R0. 1W2. K8. R2. X6. 40. 85, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 87. XA6. 50. R0. 1W2. K8. R2. X6. 40. 88, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 40. 91. XA6. 50. R0. 1W2. K8. R2. X6. 40. 92, XA6. R0. 1W2. K8. R2. X6. XA6. 50. R0. 1W2. K8. R2. X6. 41. 00. Installing this hotfix rollup pack partially invalidates the. This happens because not all fixes in these. Obtain or request the. Note There are currently no plans to reissue Fix LA3. Hotfix Rollup Packs 2 or 3. For a workaround. LA3. 21. 3, Citrix recommends that you upgrade from Web. Interface to Store. Front. For more information, see Knowledge Center. CTX1. 39. 76. 1. From the description of LA3. Session sharing might not work for up to five minutes after the. The issue occurs with sessions. Version 5. 4 of the Web Interface with Workspace. Control disabled and the Override user device names. This hotfix rollup pack introduces the following fixes that have not. This hotfix rollup pack also contains all fixes included in Hotfix Rollup Pack 1 plus the following fixes. Hotfix Rollup Pack 1 Webcam sharing fails with Cisco Web. Ex. A black screen appears. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 92. 6The time stamp for new files and folders can be incorrect on. Time Zone. Redirection enabled. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. When using the udadmin. For example When first. FQDN, the string that follows the period is. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 80. 0A non seamless session launched as described in Knowledge Center. CTX1. 16. 35. 7 on a Xen. App 6. 5 server turns into a. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 80. 2Client drive mapping clientlt drive letter by way of. Active Directory group policies does not get implemented. From XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 81. 7Rpm. dll can render servers unresponsive. The issue results from a. Further symptoms. Task Manager. From. XA6. 50. R0. 1W2. K8. R2. X6. 40. 02LA1. Users logged on with a user name that contains a string. UD might not be able to launch applications. Instead. and the following message appears Citrix Xen. App. license acquisition error 1. The issue occurs only. Application. enumeration is not affected. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. Attempts to relaunch or reconnect to a published application can. The issue occurs when a one session per user limit is. Reconnection. attempts stall at the Connection Established. Negotiating. Capabilities. From XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 32. 9In sessions using Receivers for non Windows operating systems and. French language keyboard layouts, characters with diacritical. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 59. 8The Citrix XML Service might become unresponsive after running. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 13. 9The IMA Service might become unresponsive, preventing existing. From XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 28. 5Worker groups can contain invalid records. This enhancement to. DSCHECK utility allows you to purge invalid worker group. To remove the invalid server. To remove the invalid worker group server objects, run the. To remove the invalid server entries in the worker. Group. Mappingsdscheck full workergroup Group. Mappings. cleanFrom XA6. R0. 1W2. K8. R2. X6. LA1. 85. 1With Windows Driver Verifier enabled for ctxdvcs. C9. From. XA6. 50. R0. 1W2. K8. R2. X6. LA1. 84. 7A deadlock in picadm. Sessions already connected might disconnect and. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 26. 0Servers might experience a fatal exception, displaying a blue. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA1. 81. 3Opening files from a client side USB device or network drives. Xen. App session might result in corrupt files zero. From XA6. 50. R0. W2. K8. R2. X6. 40. LA2. 11. 3After installing Fix LA0. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA2. 19. 1Xen. App servers behind read only domain controllers RODCs might. CPU usage. From XA6. R0. 1W2. K8. R2. X6. LA1. 61. 7Servers might experience a fatal exception, displaying a blue. From. XA6. 50. R0. W2. K8. R2. X6. 40. LA2. 00. 1Sessions can disconnect unexpectedly, and the disconnect is.