Forum Discussion

Niels_van_Slui1
Dec 09, 2016

Citrix Receiver for Windows and adding new account

In my lab I'm trying to setup a Citrix LTM+APM configuration where the BIG-IP replaces the Citrix Web interface or StoreFront servers. When adding a new account to the Citrix Receiver for Windows, I always need to authenticate two times before the new account is added.

So the procedure is as follows:

1. Add new Account (Enter work email or server address). 
2. I'm adding 'citrix.example.org' (this resolves to the ip of the VS).
3. The receiver prompts for 'User name' and 'Password'.
4. I add my credentials and click on 'Log On'.
5. The receiver prompts again, but now for 'Domain\User' and 'Password'.
6. I add my credentials and click on 'Log On'.
7. I'm authenticated and the connection is successful.

By doing fiddler traces, I notice that the first login attempt (step 3 and 4) is successful. I see a POST to '/cgi/login' with my login and passwd set and this POST returns a REDIRECT to '/cgi/setclient?wica' and sets the NSC_AAAC cookie.

However, the next following GET to '/AGServices/discover' fails with a 404 - Not Found. The Citrix Receiver then does a GET to '/Citrix/Store/discovery'. This GET results in a REDIRECT to '/vpn/index.html' and resets the NSC_AAAC cookie to 'xyz'. At this point the Citrix Receiver prompts again to enter credentials (step 5 and 6).

This time the Citrix Receiver sends multiple GETs to '/Citrix/PNAgent/Config.xml' and POSTs the new credentials to '/Citrix/PNAgent/enum.aspx'. This login also succeeds (step 7).

Another thing I noticed is that the Citrix Receiver uses different User-Agent strings. The first logon uses:

User-Agent: CitrixReceiver Windows/10.0 AuthManager/9.0.0.4178 (Release) X1Class

The second logon uses:

User-Agent: SelfService/4.6.0.14932 (Release)

In an attempt to reduce the amount of login prompts from two to one, I have added the following iRule.

when HTTP_REQUEST {
    if { [HTTP::uri] eq "/AGServices/discover" } {
        HTTP::redirect "/vpn/index.html"
    }
}

This iRule changes the behaviour of the Citrix Receiver. After enabling this iRule the Citrix Receiver will only prompt for credentials once. It will prompt to enter 'Domain\User' and 'Password'. However, in the fiddler traces I see that the Citrix Receiver loops for about 10 to 12 times before displaying the login prompt. This is what the loop looks like:

GET /AGServices/discover
GET /Citrix/Roaming/accounts
GET /AGServices/discover
GET /Citrix/Roaming/accounts

So my workaround introduces a small delay. What would be the proper way to fix this? Has anyone experienced the same problems? I also used the Citrix VDI iApp, but it shows exactly the same behaviour.

In my lab I use 12.1.1 HF2 and tried with both Citrix Receiver version 4.3 and 4.6.

The Citrix XenDesktop/App version doesn't seem relevant for this issue, because the BIG-IP only starts to communicate with the Citrix brokers when authentication is successful.
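A small trace checker for the loop described above, added here as an example and not part of the original post: it parses a constructed Fiddler-style request list and counts how many times the discover/accounts pair repeats back-to-back, so a trace taken with the redirect iRule in place can be checked for the spinning behaviour before the logon prompt appears.

```python
# Constructed Fiddler-style request list, not from the original post.
SAMPLE_TRACE = """
POST /cgi/login
GET /cgi/setclient?wica
GET /AGServices/discover
GET /Citrix/Roaming/accounts
GET /AGServices/discover
GET /Citrix/Roaming/accounts
GET /AGServices/discover
GET /Citrix/Roaming/accounts
GET /Citrix/PNAgent/Config.xml
POST /Citrix/PNAgent/enum.aspx
"""
# The request pair that repeats while /AGServices/discover is redirected.
LOOP_PATTERN = ("/AGServices/discover", "/Citrix/Roaming/accounts")


def parse_trace(text):
    """Turn 'METHOD /path?query' lines into (method, path) tuples, dropping the query."""
    reqs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        method, _, target = line.partition(" ")
        reqs.append((method, target.split("?", 1)[0]))
    return reqs


def find_discovery_loops(reqs, pattern=LOOP_PATTERN):
    """Return (start_index, repetitions) for every run where the pattern repeats at least twice."""
    paths = [path for _, path in reqs]
    n, runs, i = len(pattern), [], 0
    while i + n <= len(paths):
        reps = 0
        while tuple(paths[i + reps * n:i + (reps + 1) * n]) == pattern:
            reps += 1
        if reps >= 2:
            runs.append((i, reps))
            i += reps * n
        else:
            i += 1
    return runs


def summarize(text, threshold=5):
    """Flag the trace as looping when a run repeats at least `threshold` times (the post saw 10 to 12)."""
    reqs = parse_trace(text)
    runs = find_discovery_loops(reqs)
    worst = max((reps for _, reps in runs), default=0)
    return {"requests": len(reqs), "loop_runs": runs,
            "max_repetitions": worst, "looping": worst >= threshold}
```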

2 Replies

  • I can just verify that I've seen the same thing. Also the Storefront replacement mode does not support 2FA authentication using Receiver at the moment, but this has been submitted as an RFE and I know that F5 is working on it atm.


  • We have/had the same problem. To get rid of the domain, I've modified your iRule. Now you just have to enter username and password in the Citrix Receiver.

    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/AGServices/discover" } {
            HTTP::redirect "/vpn/index.html"
        }
        if { [HTTP::uri] starts_with "/Citrix/" } {
            if { [HTTP::header content-type] starts_with "text/xml" } {
                log local0. "*** Authentication Citrix Receiver ***"
                # collect the XML body so it can be rewritten in HTTP_REQUEST_DATA
                set ContentLength [HTTP::header Content-Length]
                HTTP::collect $ContentLength
            }
        }
    }
    when HTTP_REQUEST_DATA {
        # Please set your domain here (the domain that should be sent on to Citrix)
        set Domain "domain.local"
        # Domain string the Receiver puts in the payload; placeholder, take the
        # real value from your own trace
        set OldDomain "OLD_DOMAIN_PLACEHOLDER"

        set Payload [HTTP::payload]
        set NewDomain "$Domain"
        log local0. "*** Replacing received domain \"$OldDomain\" with \"$NewDomain\" ***"
        regsub -all $OldDomain $Payload $NewDomain Payload
        HTTP::payload replace 0 [HTTP::payload length] $Payload
        HTTP::release
    }


    (Edit: Some minor changes in the iRule for setting the domain and logging.)