Forum Discussion

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jul 24, 2015

APM webtop to Citrix - prefilling userid, domain for Citrix logon dialog

Env: Big-IP 4200v running 11.5.2 plain, APM fully licensed

 

Context: APM webtop with Citrix Remote Desktop icon, accessing F5 pool of Citrix XML brokers, replacing Storefront; users login to APM via RSA credentials against RADIUS server, no user login to AD (but userid is the same); Citrix client type is new-ish Receiver (12.3), Citrix XenApp version is 7.1

 

In the described environment, the user logs in to APM by providing userid and RSA PIN/value, which are validated via RADIUS servers. We do not AD-authenticate as part of the APM login, because our F5s involved are in our DMZ, and we don't want them interacting with AD directly - and so we can't turn on "Auto Logon" in the Citrix desktop object, and can't insert an SSO Credential Mapping object (can i?). The user gets to a webtop, and and then clicks on the Citrix remote desktop icon, they are prompted for their AD userid, password and domain, with an F5 generated dialog that will in turn provide the credentials to the XML brokers. In this flow, we would like to pre-fill the userid from what they entered as part of their RADIUS login, and their domain from a hard-coded value.

 

I inserted into the policy an Assignment object, I manually set session.logon.last.domain to our desired domain string, but the Citrix logon dialog did not pick it up. And I can't figure out how to insert the username from the session variable that holds it.

 

Is what I'm attempting possible? Do I in fact need to insert an SSO Credential Mapping, even though we are just pre-filling variables, not actually doing SSO?

 

APM
citrix
citrix xenapp
deployment
security

7 Replies

Sort By
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jul 24, 2015

    You can use auto-login. You just have to get the user to enter their AD password into the login form, and then use THAT password din the auto-login configuration.

     

    I've done this when using secureID auth and AD. The APM authenticates using the secureID, and the AD password is saved in a DIFFERENT variable on the login form. The AD password isn't checked by APM, it's simply used to auto-login the user to Citrix. if the user gets their AD password wrong, they get all the web top icons, EXCEPT the ones that would appear from the Citrix XMLBroker.

     

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Jul 24, 2015
    You can do this, yes, but you'd have to manually edit the webtop code. Don't attempt it unless you have (or are a) a web developer on hand. Edits like these are not supported, and will not be preserved on upgrade or sync, such as between blades in a multi-blade environment. After you do these edits, you'll have to issue a "bigstart restart" to clear out the cache and regenerate it. The file is here: /var/sam/www/php_include/webtop/renderer/webtop_full/full/common/webtop_common.inc Near the top of this file, you'll find some variable defs that look like: var x = %{session.y} Add these: var mydomain = %{session.logon.last.domain}; var myusername = %{session.logon.last.username}; Note that you actually have access to all of the session variables, so this same sort of technique can be used to make any edits to this webtop that you want, and input custom information set during access policy execution. Next look for the areas where "userInput" and "domainInput" are defined. This is the pop-up that appears when the citrix auto logon is unsuccessful. Add these lines so that the js sets the values you want: domainInput.setAttribute('value',mydomain); userInput.setAttribute('value', myusername); You should back up the original page in case you encounter any trouble.
  • daboochmeister's avatar
    daboochmeister
    Icon for Cirrus rankCirrus
    Jul 24, 2015
    Interesting (and good to know in general) - if Hamish's auto-login approach doesn't work for us for whatever reason, and we fall back to pre-populating the dialog fields, we'll try this. Thanks!
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jul 24, 2015

    Nope. No SSO credential mapping required. I did have to set the appropriate variable for the auto-login (Because secured requires the token code to be in the password variable).

     

    H

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jul 24, 2015

    Although in a later iteration, I added a code block BEFORE the Citrix auto-login (Which is part of the resource you attach) to copy the supplied AD password to the password field. That way could re-use the Citrix auto-login for both secured and AD password authenticated APM endpoints. (You probably won't need that :) )

     

    H

     

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Jul 24, 2015
    For sure it'd be better to use the built in method Hamish mentioned if it's OK for your use case.
  • daboochmeister's avatar
    daboochmeister
    Icon for Cirrus rankCirrus
    Jul 24, 2015

    Hamish's approach worked fine for us! I did have to explicitly set the domain string into variable session.logon.last.domain in the variable assignment object in the policy (the same one that stored the value from password1 into session.logon.last.password after the RSA processing was done with it). Thanks, Hamish!