Tutorial: The NetScaler, Storefront, Receiver, SSO headache

29 Jul

So this is one of the topics that made me start this blog. I’m preparing our environment for a big upgrade of all Citrix Receivers, implementing StoreFront and decommissioning our last two Web Interface servers. A nice job which has already given me quite a headache. So in this tutorial I will try to give you the complete walkthrough of how to implement NSGW with StoreFront so the Receiver can actually SSO, and all traffic is routed through the NetScaler Gateway.

First of all our deliverables:

  • The Storefront servers must be loadbalanced by the NetScalers
  • Storefront traffic between client and Storefront Servers must be encrypted
  • Traffic between Storefront servers and NetScaler must be encrypted (your NetScaler can of course offload this traffic if this is not a requirement)
  • All traffic to the XenApp/XenDesktop servers must be routed through the NSGW. A direct ICA/Session Reliability connection to the backend is not acceptable
  • The Citrix Receiver should perform domain passthrough (SSO) authentication
  • Because this is an internal infrastructure 1-factor authentication suffices

A little drawing of what we’re trying to achieve:

sf-architecture

So now the fun part. How to start all this? Let’s start with Storefront.

Storefront Initial Configuration

I’m going to assume you know how to properly install Storefront. I’m only going to cover the essential parts required for this config.

Shopping list:

  • The hostname you would like to use for your StoreFront Base URL (eg. storefront.mydomain.com).
  • An IP for the load balancing vServer VIP to be used for the Storefront vServer
  • A DNS A-Record storefront.mydomain.com that points to the VIP
  • A trusted (commercial or domain signed) certificate. (Please save yourself a big headache: do NOT use self-signed certs for this.)

First start with importing your certificate on both StoreFront servers. Fire up an MMC and choose to import the certificate into the personal store of the local computer. You of course need both the private and public key in PFX format. If you do not know how to create a PFX or process a cert, search this blog; I wrote a lot about it.

sf-importcert1

sf-importcert2

Next just install StoreFront. After the next-next-finish install, fire up the StoreFront MMC. Start with creating a new deployment. The first dialog asks for your Base URL. This is an important one: you need the https Base URL you will use for your StoreFront load balancing vServer. In my case: https://storefront.mydomain.com

sf-config1

Second you need to configure your Store Name. Remember it, because you need it later in your NetScaler monitor config.

sf-config2

Next configure your delivery controllers. I use an XML load balancer called ctxxml.mydomain.com which load balances XML traffic. You can also just enter some XML servers or Delivery Controllers. It is important to remember the display name.

sf-config3

For now we’ll skip the Remote Access section. Fire up IIS and configure the Default Web Site, in which your Store is created, to use SSL. Verify StoreFront uses SSL.

sf-config4

sf-config5

We’ll leave the StoreFront configuration for now. Let’s proceed to the NetScaler.

NetScaler StoreFront Load Balancing vServer

To load balance StoreFront, first create the StoreFront servers in the Traffic Management section. Just type a name and the IP.

ns-config1

Next create a custom monitor with the STOREFRONT type selected. Enter the name of the store you created. Do not forget to check the Secure box all the way to the bottom of the standard parameters tab.

ns-config2b

ns-config2

Next create an SSL Service Group. Add the members, the monitor and the certificate. Your Service Group will be partially up because the secondary node does not have a StoreFront config yet. That’s OK, ignore it.

ns-config3

And finally the vServer. Use the VIP that corresponds to the A-record of the Base URL. Bind the Service Group you created before and bind the SSL cert. Do not forget to configure persistence. I configured SSL Session persistence with a 120 minute timeout (which is the same as the StoreFront timeout I would like to configure).

ns-config4

ns-config5

After creating the vServer your secondary StoreFront server is able to reach the primary one via the Base URL.

Storefront Server Group

Now it’s time to create our Storefront Server Group. On your primary server click Add Server in the Server Group section.

sf-config6

On the Secondary Server click to join a server group. Fill in the required data. Your server group is created.

sf-config7

If you properly configured your StoreFront vServer you are able to do so. If your secondary StoreFront server cannot reach the primary one via the Base URL you will get this error in the propagation part:

An error has occured during the all server configuration update process.
Citrix.DeliveryServices.ConfigurationReplication.Exceptions.ServerUpdateConfigurationException, Citrix.DeliveryServices.ConfigurationReplication, Version=2.6.0.0, Culture=neutral, PublicKeyToken=
An error occurred running the command: 'Install-DSFeatureClasses'
The feature data is out of date
At C:\Program Files\Citrix\Receiver StoreFront\Services\ConfigurationReplicationService\Cmdlets\ConfigurationReplicationServiceModule.psm1:86 char:9
+ Install-DSFeatureClass "$($installPath)$($featurePackage)"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RemoteEndpoint: net.tcp://server/Citrix/ConfigurationReplication

Fix your vServer so the primary node is UP. The secondary will remain down until propagation succeeds. If you are sure you configured that part correctly, uninstall StoreFront on both nodes, remove %programfiles%\Citrix and make sure no old StoreFront sites are left in IIS. Then start over.

After successful propagation both nodes should display UP on the NetScaler.

ns-config6

StoreFront Authentication

Let’s switch back to StoreFront and configure the settings you need for successful authentication. First open the Authentication section and click Add/Remove Methods.

sf-auth1

Make sure you configure Domain pass-through. If you configure Pass-through from NetScaler Gateway like I did you will get a warning you can ignore. Next configure trusted domains. I always configure both the NETBIOS name and the FQDN of the domain.

sf-auth2

After that navigate to the Receiver for Web section and configure authentication. I used the same authentication settings, but remember the StoreFront Web Interface will not do SSO when behind the NSGW.

sf-auth3

Propagate the settings to the second server in the server group. Now it’s time to test StoreFront. You should be able to log in and start an app through both the URLs of the individual servers (https://server1/citrix/storeweb | https://server2/citrix/storeweb) and the load balanced Base URL https://baseurl/citrix/storeweb. If this doesn’t work you need to troubleshoot this first.

NetScaler Gateway

I’m only covering a small part of the session profile. The complete config of the NSGW vServer for StoreFront is documented very well in this document.

Session Profile Receiver

sf-nsgw-sesprof-receiver

For the Receiver you need to configure:

  • ICA Proxy On
  • The WebInterface address – which is the Load Balanced Base URL (eg. https://storefront.yourdomain.com)
  • The WebInterface address type (in my case IPv4)
  • Single Sign On domain which is the NETBIOS name of the domain
  • Accounting service url which again is the Load Balanced Base URL (eg. https://storefront.yourdomain.com)

sf-nsgw-sesprof-webint

For the Web Interface you need to configure:

  • ICA Proxy On
  • The URL to the Storefront WebInterface – which is the Load Balanced Base URL (eg. https://storefront.yourdomain.com/citrix/StoreWeb)
  • The WebInterface address type (in my case IPv4)
  • Single Sign On domain which is the NETBIOS name of the domain

Also add your STA servers in the Published Applications settings.

sf-nsgw-sta

StoreFront Remote Access

OK, now we’re ready to configure Remote Access. Return to your StoreFront server. Click Stores. Click Enable Remote Access. Select No VPN Tunnel and click Add.

sf-ra1

sf-ra2

Configure the NetScaler Gateway

  • Display Name
  • NetScaler Gateway URL
  • Logon type domain
  • Callback URL (The Storefront server must be able to reach the NSGW via this URL)

Configure the same STA servers you configured in the NSGW Published Applications section. Enable Session Reliability.

sf-ra3

Once more propagate the settings to the second StoreFront server. You should now be able to launch a session through NetScaler Gateway via the StoreFront Web Interface. You can test whether the session really flows through the NSGW with netstat.

sf-nsgw-test

Use netstat -na | findstr to search through the netstat results. You should see:

  • Only 443 connections to the NSGW
  • NO TCP 2598 (Session Reliability) connection to any XenApp/XenDesktop server
  • NO TCP 1494 (ICA) connection to any XenApp/XenDesktop server
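The same three checks applied to saved netstat output, as an added example that is not part of the original post. The sample netstat text and all IP addresses in it are constructed; pass your own gateway VIP to check_ica_path.

```python
import re

# Constructed sample of "netstat -na" output from a client PC (not a real
# capture): HTTPS connections to the gateway plus two direct ICA
# connections that should NOT be present when the NSGW path works.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:51890       198.51.100.5:443       ESTABLISHED
  TCP    192.0.2.10:51911       198.51.100.50:2598     ESTABLISHED
  TCP    192.0.2.10:51920       198.51.100.5:443       ESTABLISHED
  TCP    192.0.2.10:51933       198.51.100.51:1494     ESTABLISHED
  TCP    192.0.2.10:51940       198.51.100.5:443       TIME_WAIT
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

ICA_PORTS = {"1494", "2598"}  # raw ICA and Session Reliability (CGP)
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_connections(netstat_text):
    """Yield (foreign_host, foreign_port, state) for every TCP line."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and UDP lines
        host, _, port = m.group(2).rpartition(":")  # also handles [::]:port
        yield host, port, m.group(3)


def check_ica_path(netstat_text, gateway_ip):
    """Apply the three checks from the post: count established 443
    connections to the NSGW and list any direct ICA/CGP connections."""
    gateway_443 = 0
    direct_ica = []
    for host, port, state in parse_connections(netstat_text):
        if state != "ESTABLISHED":
            continue
        if host == gateway_ip and port == "443":
            gateway_443 += 1
        elif port in ICA_PORTS:
            direct_ica.append("%s:%s" % (host, port))
    return {"gateway_443": gateway_443, "direct_ica": direct_ica,
            "ok": gateway_443 > 0 and not direct_ica}


if __name__ == "__main__":
    result = check_ica_path(SAMPLE_NETSTAT, "198.51.100.5")
    print("traffic flows through the NSGW" if result["ok"]
          else "direct ICA connections found: %s" % result["direct_ica"])
```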

If this is the case your NSGW setup is working. Let’s tackle the receiver.

OptimalGatewayForFarms

So when starting a session via the StoreFront Web Interface your session will connect through the NSGW. For StoreFront we would of course like to achieve Single Sign-On. The catch is that you cannot do so behind a NSGW: you cannot SSO your Citrix Receiver via the URL of the NSGW. So you must authenticate your Receiver directly to the StoreFront servers (or in our case the StoreFront load balancer). The upside is that the NetScaler will terminate the client session and initiate the session to the StoreFront servers itself.

To route StoreFront traffic through the NSGW you need to edit the web.config of the StoreFront store (it’s in inetpub\wwwroot\citrix\storename). Search for the <optimalGatewayForFarmsCollection /> tag and replace it with:

<optimalGatewayForFarmsCollection>
  <optimalGatewayForFarms enabledOnDirectAccess="true">
    <farms>
      <farm name="XA65" />
    </farms>
    <optimalGateway key="copy_from_gateway_above" name="external.domain.com" stasUseLoadBalancing="false"
                    enableSessionReliability="true" useTwoTickets="false">
      <hostnames>
        <add hostname="external.domain.com" />
      </hostnames>
      <staUrls>
        <add staUrl="http://yourSTA/scripts/ctxsta.dll" />
        <add staUrl="http://yourSTA/scripts/ctxsta.dll" />
      </staUrls>
    </optimalGateway>
  </optimalGatewayForFarms>
</optimalGatewayForFarmsCollection>

Please note the following, otherwise this config will not work:

  • enabledOnDirectAccess must be set to TRUE
  • The farm name must be identical to the farm name you configured in StoreFront (review the section where you configured your XML servers). You can find the configured farms in the web.config, and they are case sensitive. In my case I configured XA65 as farm and configured delivery controllers on it in StoreFront
  • The optimalGateway key can be copied from the NSGW you already configured in StoreFront (it is above the section of the web.config file you’re editing)
  • The optimalGateway name must match the name of the NSGW configured in StoreFront
  • enableSessionReliability must be set to TRUE (at least, that’s what I recommend)
  • hostname must be the FQDN of the NSGW
  • And of course configure the STAs you’re also using on your NSGW

Refer to this document for more information about the OptimalGatewayForFarms configuration. If you have trouble setting this up or are unsure about your config, there is a PowerShell script on that page too which you can use to configure the web.config. The script also performs error checking.
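A checker for the points listed above, added here as an example and not the script Citrix provides. The embedded web.config is a constructed, trimmed sample; the <gateways>/<gateway> and <farmset>/<farms> element names are assumptions about where StoreFront stores the gateway key and the farm names, so adjust them to match your file.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed store web.config (not a real StoreFront file).
# The <gateways>/<gateway> and <farmset>/<farms> element names are assumptions;
# adjust them if your file differs. The inner farm name deliberately has the
# wrong case so the checker has something to report.
SAMPLE_WEB_CONFIG = """<configuration>
  <farmset><farms><farm name="XA65" /></farms></farmset>
  <gateways><gateway key="PLACEHOLDER-KEY" name="external.domain.com" /></gateways>
  <optimalGatewayForFarmsCollection>
    <optimalGatewayForFarms enabledOnDirectAccess="true">
      <farms><farm name="xa65" /></farms>
      <optimalGateway key="PLACEHOLDER-KEY" name="external.domain.com"
          stasUseLoadBalancing="false" enableSessionReliability="true" useTwoTickets="false">
        <hostnames><add hostname="external.domain.com" /></hostnames>
        <staUrls><add staUrl="http://yourSTA/scripts/ctxsta.dll" /></staUrls>
      </optimalGateway>
    </optimalGatewayForFarms>
  </optimalGatewayForFarmsCollection>
</configuration>
"""


def check_optimal_gateway(xml_text):
    """Return the problems found; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    coll = root.find("optimalGatewayForFarmsCollection")
    if coll is None or coll.find("optimalGatewayForFarms") is None:
        return ["optimalGatewayForFarmsCollection is missing or still empty"]
    # key -> name of every gateway already configured in StoreFront
    gateways = {g.get("key"): g.get("name") for g in root.iter("gateway")}
    inner = {id(f) for f in coll.iter("farm")}
    farms = {f.get("name") for f in root.iter("farm") if id(f) not in inner}
    problems = []
    for ogf in coll.findall("optimalGatewayForFarms"):
        if ogf.get("enabledOnDirectAccess", "").lower() != "true":
            problems.append("enabledOnDirectAccess must be true")
        for f in ogf.iter("farm"):  # exact, case-sensitive comparison
            if f.get("name") not in farms:
                problems.append("farm %r does not match a configured farm %s"
                                % (f.get("name"), sorted(farms)))
        og = ogf.find("optimalGateway")
        if og is None:
            problems.append("optimalGateway element missing")
            continue
        key, name = og.get("key"), og.get("name")
        if gateways.get(key) != name:
            problems.append("key/name %r/%r do not match a configured gateway" % (key, name))
        if og.get("enableSessionReliability", "").lower() != "true":
            problems.append("enableSessionReliability should be true")
        if name not in [a.get("hostname") for a in og.iter("add")]:
            problems.append("hostnames must include the NSGW FQDN %r" % name)
        if not any(a.get("staUrl") for a in og.iter("add")):
            problems.append("no STA URLs configured")
    return problems
```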

After configuring propagate the settings. This will copy the web.config to the second node.

Internet Explorer Security

It’s recommended to place the StoreFront Base URL in the Local intranet zone. This zone contains the proper settings to allow SSO authentication. The setting needed is Automatic logon only in Intranet zone. Trusted sites with Automatic logon with current user name and password will probably also work.

ie-settings

Receiver Installation

I always like to install my Receiver unattended. The important part is that you use the /includeSSON and ENABLE_SSON=Yes parameters. Also configure a Store with the discovery URL. My unattended setup looks like this. Make sure you connect to the StoreFront load balancing vServer URL and NOT the NSGW URL.

CitrixReceiver /silent /includeSSON ENABLE_SSON="Yes" UseCategoryAsStartMenuPath="True" ALLOWADDSTORE="N" SelfServiceMode=True  STORE0="StoreFront Test;https://storefront.mydomain.com/Citrix/Store/discovery;On;Company Store"

More information can be found in this document. After installation you will find the required policy templates in C:\Program Files (x86)\Citrix\ICA Client\Configuration. If you use a local policy you need to copy the receiver.adml file to C:\windows\PolicyDefinitions\en-US and the receiver.admx to C:\windows\PolicyDefinitions. If you open gpedit.msc you can then set the required local policy.

sf-gpedit1 sf-gpedit2

Now reboot your PC. After the reboot the ssonsvr.exe process should be running and the ProviderOrder value in HKLM\System\CurrentControlSet\Network\ProviderOrder should contain PnSson. Your Receiver should SSO and you should be able to start apps. If you set up OptimalGatewayForFarms correctly the ICA/Session Reliability traffic is routed through the NSGW, which you can check with netstat as shown before.

Update 11-1-2016

Today I messed around a little with getting SSO to work with XenApp 7.6 and an old Receiver version. I also needed to get it running with 2 different farms. The first thing that needed to be done was allowing the broker to trust requests sent to the XML Service. Fire up your XenDesktop Studio, select the PowerShell tab and open the PowerShell console. Run the following command:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Next you need to enable XenApp Services Support so the Online Plug-in is supported.

xenapp-services-support

The next problem I faced was that config.xml only supported Explicit logon and not SSO. You have to make a choice here: it can only support ONE. If you enable SSO you cannot support explicit logon anymore. Configure SSO with the following command and review your config.xml to check that it worked.

In PowerShell on your StoreFront servers run the following command (the parameter dashes must be plain ASCII hyphens):

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\EnablePnaForStore.ps1" -SiteId 1 -ResourcesVirtualPath "/citrix/store" -LogonMethod sson

The last thing I encountered was supporting multiple farms. In your StoreFront web.config you can easily configure multiple farms:

<optimalGatewayForFarmsCollection>
  <optimalGatewayForFarms enabledOnDirectAccess="true">
    <farms>
      <farm name="XA65" />
      <farm name="FARM2" />
      <farm name="FARM3" />
      <farm name="etc.." />
    </farms>
    <optimalGateway key="copy_from_gateway_above" name="external.domain.com" stasUseLoadBalancing="false"
                    enableSessionReliability="true" useTwoTickets="false">
      <hostnames>
        <add hostname="external.domain.com" />
      </hostnames>
      <staUrls>
        <add staUrl="http://yourSTA/scripts/ctxsta.dll" />
        <add staUrl="http://yourSTA/scripts/ctxsta.dll" />
      </staUrls>
    </optimalGateway>
  </optimalGatewayForFarms>
</optimalGatewayForFarmsCollection>

Comments

  • Matthijs, is saying:

    Great blog Mark! Really shows the power of storefront and NetScaler and I really like this use case.

  • George Varghese, is saying:

    Hi Mark

    Thanks for the blog. Very helpful. The NetScaler you are using is 10. Can the same be done via NetScaler 9.3? I am stuck in a situation where I get challenged for the credentials to log on to StoreFront.

    Appreciate your help

    George

    • mark, is saying:

      Hi George,

      The first thing that comes in mind is perhaps you don’t have Pass-through from NetScaler Gateway Enabled on your StoreFront Servers. If that’s not the case can you please have a look in your StoreFront eventlogs to see if they provide some clarity?

      Kind regards,

      Mark

  • George Varghese, is saying:

    Hi Mark

    Thanks for your response. I do have the Pass through from Netscaler Gateway option checked under authentication method. I have even tried with different combination of domain pass through but no luck.

    The event log does not show any error message. If I log on, I can see the following log:
    Retrieving available authentication methods for Receiver for Web: ‘Store Receiver’
    Are there any settings within the web.config that need to be looked at?

    Appreciate your help

    Regards
    George

    • mark, is saying:

      Hi George,

      Excuse me for my late reply. I couldn’t find the time to play around. Please see my latest update. Hope it solves your problem as well.

      Kind regards,

      Mark

  • Martijn, is saying:

    Nice guide, everything works however all my ICA traffic is going directly to the XenApp servers and not passing through the NSGW.

    Any idea?

    netstat -na | findstr 2598
    TCP 10.60.11.116:51911 10.172.20.150:2598 ESTABLISHED

    Also is there additional configuration required to get HTML5 receiver working through NSGW?

    Thanks!

    • mark, is saying:

      Then something is wrong in your optimalGatewayForFarms config.
