Since Citrix XenApp / XenDesktop 7.9 the Federated Authentication Service (FAS) is available. Via Citrix FAS it is possible to authenticate a user via SAML and thus connect Citrix as a service provider to existing identity providers, such as Azure-AD.
Sequence of SAML authentication
Continue reading “SAML Authentication with Azure AD as IdP and Citrix as SP”
- The user browse the FQDN (e.g. citrix.deyda.net) of the Citrix Gateway vServer (Service Provider) to start his VA / VD resources
- The Citrix Gateway vServer directs the unauthenticated user directly to the Identity Provider (Azure-AD) to authenticate itself (saml: authnRequest)
- The Identity Provider points to its SingleSignOnService URL (e.g. login.microsoftonline.com) and the user must authenticate
- The user enters his AD credentials and these are checked by the Identity Provider against the user database
- Upon successful verification in the user database, the IdP is informed
- The IdP issues a token (SAML assertion) and sends it to the Citrix Gateway (saml: response)
- Citrix Gateway checks the token (assertion signature) and extracts the UPN from the assertion token. This allows access via SSO to the VA / VD farm via FAS (The SP does not have access to the user’s credentials)
In one of my recent projects, I had to build several Citrix ADCs in a new data center. After consultation with the customer, the same services and functions should be configured as in the old data center. The only difference was that the new data center should use different IP ranges and therefore all network settings of the Citrix ADCs and the connected services had to be adapted.
Continue reading “Copy a Citrix ADC configuration to a new machine”
- Same version and build on all Citrix ADC
- Same Citrix ADC license version on all Citrix ADC
- IP addresses of the new Citrix ADC should be defined and free (NSIP, SNIP & VIP).
- IP addresses of the connected machines should be known (server or server groups)
- Basic configuration of the new Citrix ADC should be done (NSIP, SNIP, DNS, Timezone & License)
Through various recent projects, I had to work through the clutter of information regarding NVIDIA vGPU licensing.
Here is a small summary of this information.
NVIDIA vGPU Architecture
Under the control of the NVIDIA GPU Virtual Manager, running in the hypervisor, the NVIDIA Physical GPU can operate multiple virtual GPU devices (vGPUs), that can be assigned directly to the Guest VM.
The Guest VMs use the NVIDIA virtual vGPUs in the same way as a physical GPU would come from the hypervisor by direct passed through. The NVIDIA Driver loaded into the guest VM provides Direct GPU Access for high-performance operations. The NVIDIA Virtual GPU Manager paravirtualized interface performs the non-performance management operations for the NVIDIA Driver.
Continue reading “NVIDIA vGPU Licensing”
To complete my previous article, I also directly implemented and tested Microsoft Azure MFA Cloud Service in my test lab. In this post I go straight to the ToDo’s for implementation. For more information on MFA and the differences between Local and Cloud, please read my previous post.
It is important that all my information has the status of March 2019 and since it is the cloud, it will soon be obsolete again.
Continue reading “Microsoft Azure MFA Cloud Service in Citrix ADC Version 12”
During one of my current projects, I launched a PoC for two-factor authentication based on Microsoft Azure MFA. Azure multi-factor authentication requires users to verify and confirm their signups using a mobile app, phone call, or text message. You can use it with Azure AD or the local AD.
It is important that all my information has the status of March 2019 and because it is the cloud, quite quickly become obsolete again.
The safety of the two-stage check is at level approach. The multiple authentication factors poses a major challenge for attackers. Even if an attacker can find out the user’s password, this is useless unless he or she is also proficient in the additional authentication method. This works by requesting at least two of the following authentication methods:
Continue reading “Microsoft Azure MFA Server in Citrix ADC Version 12”
- Something you know (usually a password)
- Something you have (a familiar device that can not be easily duplicated, like a phone)
- Something that you are (biometrically)