
SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront

Single Sign-On from Access Gateway to StoreFront not working in CVPN mode

There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!

It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!

After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!

So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…

The following picture tries to give a VERY rough picture of how it could look like, clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the little newer CVPN mode. And YES; I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…

[Image: High-level design overview, SSO not working]

The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy have been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).

But SSO still doesn’t work!! If you login through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly but then when it tries to passthrough the authentication to StoreFront it fails.

This picture just shows the login to the NetScaler ADC Access Gateway vServer:

[Image: NetScaler Access Gateway login page]

You enter your credentials and then you’ll see that the NetScaler is trying to open a CVPN connection to StoreFront; you can tell by looking at the URL (it contains /cvpn/, and in this case we also have URL encoding set to Obscure in the clientless access settings):

[Image: StoreFront URL path rewritten with /cvpn/]

[Image: Clientless access settings of the CVPN session profile]

But this is as far as you get… after a while you’ll see this message:

Cannot complete your request. Could not log off from Access Gateway. Please close your browser to log off.

[Image: “Cannot complete your request” error page]

And of course you’ll start checking whether you have the right SNIP configured in the StoreFront gateway settings, and whether you can reach the callback URL from your StoreFront server…

[Image: Silent Authentication callback URL in the StoreFront gateway settings]

You then also try the old ICA proxy session profiles and find out that they work like a charm! Your credentials get passed through to StoreFront and you wonder what you’re doing wrong! And this is where we got stuck after a while…

Then Citrix support came up with an idea: the IP address that we had on the StoreFront server was one that, according to RFC 1918, is considered a PUBLIC IP (it lies outside the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). For more info read about it here:

http://en.wikipedia.org/wiki/Private_network

At first I didn’t believe them, but then they asked me to set Split Tunnel to On in our CVPN Session Profile:

[Image: Split Tunnel set to On in the CVPN session profile]

We did and tried to log in again… and YES!!! IT WAS WORKING!!! This is unbelievable!!! Thanks a lot Citrix!! (but I must admit that it took them a pretty long time to find this as well…)

So the reason behind this design is that it’s a security measure: Citrix doesn’t want to unintentionally post user credentials to a PUBLIC site. The problem in our case was that we used “real IPv4” addresses internally, and the Access Gateway considers those to be public!!

So how do you solve it without adding the Split Tunnel setting to On?

The best workaround is to put the StoreFront server(s) in a service group behind a Load Balancing vServer whose VIP is a PRIVATE IP, and then point AGEE to that VIP!!

[Image: High-level design overview, SSO working via a Load Balancing vServer with a private VIP]

Or you could of course change your internal IP-plan… But I guess that won’t happen! 😉
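To make the rule above easy to check before a rollout, here is a small pre-flight script. It is an added example, not code from the blog post or from Citrix: it encodes the behaviour described here (with Split Tunnel OFF the Access Gateway withholds SSO credentials from any destination outside the RFC 1918 ranges) and evaluates the address the gateway will actually contact, which is the Load Balancing VIP when one is placed in front of StoreFront. All hostnames and addresses in it are constructed; 203.0.113.0/24 is a documentation range standing in for the “real IPv4” internal addressing the post describes.

```python
"""Pre-flight check: will Access Gateway pass credentials to StoreFront in CVPN mode?

Added example, not from the blog post or Citrix. It applies the rule the post
describes: with Split Tunnel OFF, any target outside the RFC 1918 private
ranges is treated as a public site and SSO credentials are withheld.
All addresses below are constructed for illustration.
"""
import ipaddress

# RFC 1918 ranges listed explicitly. ipaddress.ip_address(...).is_private is
# broader than RFC 1918 (it also flags documentation ranges such as
# 203.0.113.0/24, loopback and link-local), so it is not used directly here.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(ip: str) -> bool:
    """True if the IPv4 address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        # IPv6 (including ::1) is not covered by RFC 1918 at all.
        return False
    return any(addr in net for net in RFC1918_NETWORKS)


def sso_expected(target_ip: str, split_tunnel_on: bool) -> bool:
    """Rule from the post: SSO is passed through if the target is RFC 1918
    private, or if Split Tunnel is ON in the CVPN session profile."""
    return split_tunnel_on or is_rfc1918(target_ip)


def assess(storefront_ips, split_tunnel_on=False, lb_vip=None):
    """Return {target_ip: sso_expected} for the addresses the AG will contact.

    storefront_ips: StoreFront server addresses the AG would reach directly.
    lb_vip: optional Load Balancing vServer VIP in front of StoreFront (the
            workaround from the post). When set, the AG talks only to the VIP,
            so the VIP is what gets evaluated, not the backend addresses.
    """
    targets = [lb_vip] if lb_vip else list(storefront_ips)
    return {ip: sso_expected(ip, split_tunnel_on) for ip in targets}


if __name__ == "__main__":
    # Constructed backend addresses from a documentation range, i.e. not RFC 1918.
    storefront = ["203.0.113.11", "203.0.113.12"]
    print("direct, split tunnel OFF:", assess(storefront))
    print("direct, split tunnel ON: ", assess(storefront, split_tunnel_on=True))
    print("via private LB VIP:      ", assess(storefront, lb_vip="10.10.20.5"))
```

Run it with the addresses of your own StoreFront servers and, if you have one, the VIP of the Load Balancing vServer. A False for every target with Split Tunnel OFF is exactly the situation described above; supplying a private VIP flips it to True without touching the Split Tunnel setting.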

More info can also be found in a good Citrix article that highlights exactly this issue and the solution. Of course it’s rare for people to know about it, I guess, and we had this issue for quite some time in this specific environment!

How to Configure the Access Gateway Enterprise Edition Single Sign on to the Web Servers that have Public IP Addresses

I hope that this at least helps someone out there with Single Sign On issues to StoreFront from Access Gateway.

Cheers!

//Richard

  1. February 12, 2013 at 14:04

    Good post, saved my issue! I’ve been searching for some time about this matter. Did you get any promises about a solution without changing IP schemes via a load-balancing service group as suggested in this blog?

    • February 12, 2013 at 14:21

      Hi,

      Great that the blog post helped someone! 😉

      Well, the info that we received is that this is “by design” functionality, so I don’t think that this will change. But perhaps if more customers send enhancement requests to Citrix to change this, then it may be something that they could look at, I guess. My wish would be that you as a customer would have the option to configure this through a global setting or so. But for now we have to do the workaround.

      Cheers!

      //Richard

  2. matthieu
    April 16, 2013 at 15:00

    Thanks a Lot. I have been stuck for a while on this issue…

    Guess I will have to change my IP address plan someday
