Citrix Receiver for Windows and adding new account
In my lab I'm trying to set up a Citrix LTM+APM configuration where the BIG-IP replaces the Citrix Web Interface or StoreFront servers. When adding a new account to the Citrix Receiver for Windows, I always need to authenticate two times before the new account is added.
So the procedure is as follows:
1. Add new Account (Enter work email or server address).
2. I'm adding 'citrix.example.org' (this resolves to the IP of the VS).
3. The receiver prompts for 'User name' and 'Password'.
4. I add my credentials and click on 'Log On'.
5. The receiver prompts again, but now for 'Domain\User' and 'Password'.
6. I add my credentials and click on 'Log On'.
7. I'm authenticated and the connection is successful.
By doing Fiddler traces, I notice that the first login attempt (step 3 and 4) is successful. I see a POST to '/cgi/login' with my login and passwd set and this POST returns a REDIRECT to '/cgi/setclient?wica' and sets the NSC_AAAC cookie.
However, the following GET to '/AGServices/discover' fails with a 404 - Not Found. And the Citrix Receiver then does a GET to '/Citrix/Store/discovery'. This GET results in a REDIRECT to '/vpn/index.html' and resets the NSC_AAAC cookie to 'xyz'. At this point the Citrix Receiver prompts again to enter credentials (step 5 and 6).
This time the Citrix Receiver sends multiple GETs to '/Citrix/PNAgent/Config.xml' and POSTs the new credentials to '/Citrix/PNAgent/enum.aspx'. This login also succeeds (step 7).
Another thing I noticed is that the Citrix Receiver uses different User-Agent strings. The first logon uses:
User-Agent: CitrixReceiver Windows/10.0 AuthManager/9.0.0.4178 (Release) X1Class
The second logon uses:
User-Agent: SelfService/4.6.0.14932 (Release)
In an attempt to reduce the number of login prompts from two to one, I have added the following iRule.
    when HTTP_REQUEST {
        # Redirect the Receiver's /AGServices/discover request to /vpn/index.html
        if { [HTTP::uri] eq "/AGServices/discover" } {
            HTTP::redirect "/vpn/index.html"
        }
    }
This iRule changes the behaviour of the Citrix Receiver. After enabling this iRule the Citrix Receiver will only prompt for credentials once. It will prompt to enter 'Domain\User' and 'Password'. However, in the Fiddler traces I see that the Citrix Receiver loops for about 10 to 12 times before displaying the login prompt. This is what the loop looks like:
GET /AGServices/discover
GET /Citrix/Roaming/accounts
GET /AGServices/discover
GET /Citrix/Roaming/accounts
So my workaround introduces a small delay. What would be the proper way to fix this? Has anyone experienced the same problems? I also used the Citrix VDI iApp, but it shows exactly the same behaviour.
In my lab I use 12.1.1 HF2 and tried with both Citrix Receiver version 4.3 and 4.6.
The Citrix XenDesktop/App version doesn't seem relevant for this issue, because the BIG-IP only starts to communicate with the Citrix brokers when authentication is successful.
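An added example, not part of the original post: a small Python check over a request trace (for instance one exported from Fiddler) that flags where an already-issued NSC_AAAC cookie is replaced, which is the point where the Receiver re-prompts, and that detects the discover/accounts loop. The traces are constructed from the requests described above; the status codes, the first cookie value and the repeat count of 11 are assumptions.

```python
# Constructed traces mirroring the requests described in the post (not a real
# capture). Tuple: (method, path, status, NSC_AAAC set by the response or None).
# Status codes and the first cookie value are assumptions.
FIRST_ADD = [
    ("POST", "/cgi/login", 302, "constructed-session"),
    ("GET", "/cgi/setclient?wica", 200, None),
    ("GET", "/AGServices/discover", 404, None),
    ("GET", "/Citrix/Store/discovery", 302, "xyz"),
    ("GET", "/Citrix/PNAgent/Config.xml", 200, None),
    ("POST", "/Citrix/PNAgent/enum.aspx", 200, None),
]
WITH_IRULE = [("GET", "/AGServices/discover", 302, None),
              ("GET", "/Citrix/Roaming/accounts", 302, None)] * 11

def cookie_resets(trace):
    """(index, path, old, new) wherever a response replaces an already-issued
    NSC_AAAC value, i.e. the session from the first login is discarded."""
    current, resets = None, []
    for i, (_, path, _, cookie) in enumerate(trace):
        if cookie is not None:
            if current is not None and cookie != current:
                resets.append((i, path, current, cookie))
            current = cookie
    return resets

def failed_before(trace, index):
    """Paths answered with 4xx/5xx before position `index`."""
    return [path for _, path, status, _ in trace[:index] if status >= 400]

def longest_cycle(trace, max_period=4):
    """Most-repeated back-to-back cycle of paths as (cycle, repeats);
    repeats == 1 means nothing loops."""
    paths = [p for _, p, _, _ in trace]
    best = ([], 1)
    for period in range(1, max_period + 1):
        for start in range(len(paths) - period + 1):
            cycle, reps = paths[start:start + period], 1
            while paths[start + reps * period:start + (reps + 1) * period] == cycle:
                reps += 1
            if reps > best[1]:
                best = (cycle, reps)
    return best

if __name__ == "__main__":
    for i, path, old, new in cookie_resets(FIRST_ADD):
        print(f"#{i} {path}: NSC_AAAC {old!r} -> {new!r}, "
              f"earlier failures: {failed_before(FIRST_ADD, i)}")
    print(longest_cycle(WITH_IRULE))
```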