Forum Discussion

Domel_163525's avatar
Domel_163525
Icon for Nimbostratus rankNimbostratus
Aug 15, 2016

SSO doesn't work with Citrix deployed on BIG-IP

Hi guys,

 

We would like to use our F5 (LTM&APM fully licensed) instead of Netscaler Gateway for access to our Citrix Farm therefore we have recently deployed the newest iApp (f5.citrix_vdi.v2.3.0) to get this configured and I can see some issues with single sign-on already.

 

I can get to the F5 website (Virtual Server - DNS record created) and log-in successfully with my AD credentials but then it will take me to one of our website hosted on our Citrix WI server (Web Interface) which will ask me to log-in again. Providing the same set of credentials I can log in and access all the resources just fine.

 

It looks like the SSO does not work - not passing on my credentials from F5 website to Citrix Web Interface.

 

What am I missing here?

 

Has anyone seen this before?

 

Thanks,

 

application delivery
BIG-IP Access Policy Manager (APM)
citrix
citrix netscaler
citrix xenapp
iapp
LTM
xendesktop

4 Replies

Sort By
  • Jinshu's avatar
    Jinshu
    Icon for Cirrus rankCirrus
    Aug 15, 2016

    Hi mate,

    Verify that you are passing the credentials to the citrix farm. If not, you can do it by session variables.

    Also please make sure that you have enabled auto log-in in the citrix desktop. Navigate to 

    Access Policy  ››  Application Access : Remote Desktops : Remote Desktops  ››  Citrix__apm_remote_desktop_1

    Select Autologin and give the session variables there.

    Auto Logon -> Enable
Broker Authentication > Password Based
Username Source > session.logon.last.username
Password Source  > session.logon.last.password

    and update it.

    Please let me know if you need any more information.

    -Jinshu

  • Jinshu's avatar
    Jinshu
    Icon for Cirrus rankCirrus
    Aug 15, 2016

    Okay. This is because you are not using F5 APM Webtop to replace the Citrix storefront servers,isnt it?

     

    1. Can you give the veriables you have given in the access policy?
    2. Can you check in the Citrix storefront logs, what's the error message while you are authenticating with AD on F5 APM?

    -Jinshu

     

  • Jinshu's avatar
    Jinshu
    Icon for Cirrus rankCirrus
    Aug 16, 2016

    If username doesn't append the domain name, then the variable we have used might need to modify. But however you will get an authentication error on the Citrix web if F5 APM pass the credentials. Are you able to see any logon attempt on Citrix Web server?

     

    -Jinshu

     

  • Jinshu's avatar
    Jinshu
    Icon for Cirrus rankCirrus
    Aug 18, 2016

    So your authentication issue solved, right?

     

    If the icons are not responding, It seems the ICA tunnel is not getting established. Are you seeing any errors in APM or Citrix?

     

    -Jinshu