Category Archives: Citrix ADC

Citrix ADC – “Cannot Complete Your Request” StoreFront Error


I recently deployed an ADC into my lab environment and ran into the dreaded “cannot complete your request” error when trying to log on.

After chasing my tail for a few days and going through all the articles under the sun to troubleshoot StoreFront and ADC settings, I finally came across an article https://vhorizon.co.uk/citrix-adc-13-64-35-cannot-complete-your-request-error/ by Dale Scriven on vhorizon.co.uk which gave three lines of config to resolve the issue.


Citrix ADC Vulnerability CVE-2019-19781


Last Wednesday I got an update email from the Citrix Heroes community run by DJ Eshelman about a new vulnerability which has been found in Citrix ADC appliances. Fortunately my home lab hasn’t been powered up much these past few weeks, but today I decided to apply the mitigation steps to my VPX just in case.


SMS2 4 – Configuring Citrix NetScaler Radius Load Balancing


This section of the documentation provides the steps necessary to configure Radius Load Balancing on a Citrix NetScaler HA Pair.

As with most configurations of a NetScaler HA Pair, the configuration is only performed on the Primary Node of the pair and then replicated automatically to the Secondary Node.

Configuring Radius Load Balancing on a Citrix NetScaler consists of the following steps, which are explained in further detail in this section :-

  1. Creating a Radius Load Balancing Monitor
  2. Creating the Radius Server Services
  3. Creating a Radius Load Balancing vServer
  4. Creating a Radius Authentication Server and Profile
  5. Applying the Radius Profile to the Access Gateway vServer
  6. Saving the new configuration

Creating a Radius Load Balancing Monitor

The first part of the configuration is to create a Radius Load Balancing Monitor on the NetScaler by performing the following steps :-

  • Logon to the Primary Node NetScaler Web Gui as an Administrative Account
  • Expand the Load Balancing branch in the Left Hand pane
  • Click on the Monitors branch under Load Balancing and then click on the Add button
  • When prompted enter a Name for the new Monitor
  • Click on the Special Parameters tab and set the User Name to an Account on the Active Directory Domain.

For the configuration of this test environment I used the Service Account created for the SMS2 installation.

  • Set the Password to the Password of the Active Directory Account chosen
  • Set the Radius Key to the Shared Secret Key set up on the Radius Servers

N.B. In order for this to work correctly both Radius Servers must be expecting the same Shared Secret key, since the Monitor (and later the Authentication Server) can only be configured with one key.

  • Under the Response Codes section click on Add, select 3-Access-Reject from the list, and then click on Add
  • Click on OK to create the new Radius Load Balancing Monitor

Creating the Radius Server Services

The next part of the configuration is to create the Radius Server Load Balancing Services for the two Radius Servers by performing the following steps :-

  • If necessary, Expand the Load Balancing branch in the Left Hand pane
  • Click on the Services branch under Load Balancing and then click on the Add button
  • When prompted enter a Service Name for the new Service
  • Set the Server to the IP Address of the Radius Server
  • Set the Protocol to RADIUS and the Port to 1812
  • Select the newly created Radius Monitor from the list of Available Monitors and click on Add to apply it to the Service
  • Click on OK to create the new Radius Server Service

Perform the steps above again to configure a Radius Server Service for the second Radius Server.

Creating A Radius Load Balancing vServer

The next part of the configuration is to create the Radius Load Balancing vServer by performing the following steps :-

  • If necessary, Expand the Load Balancing branch in the Left Hand pane
  • Click on the Virtual Servers branch under Load Balancing and then click on the Add button
  • When prompted enter a Name for the new Virtual Server
  • Set the Protocol to RADIUS and the Port to 1812
  • Set the IP Address to the address required for the new Virtual Server
  • In the Services Section select both the newly created Radius Services created in the previous section
  • Click on the Method and Persistence tab
  • Under the LB Method section change the Method to Token
      • In the Rule box enter CLIENT.UDP.RADIUS.USERNAME
  • Under the Persistence section change the Persistence to RULE
      • Confirm that the Rule shown is CLIENT.UDP.RADIUS.USERNAME as set for the LB Method Rule

  • Click on Create to create the new Radius Load Balancing vServer

Creating a Radius Authentication Server and Profile

The next part of the configuration is to create the Radius Authentication Server and Profile by performing the following steps :-

  • Expand the Access Gateway branch in the Left Hand pane
  • Expand the Policies branch and then the Authentication branch
  • Click on the Radius branch and then click on the Servers tab
  • Click on the Add button and when prompted enter a Name for the Authentication Server
  • Set the IP Address to the IP Address of the Radius Load Balancing vServer created in the previous section
  • If necessary, set the Port to 1812
  • Enter the Radius Shared Secret configured for the NetScaler in both the Secret Key and Confirm Secret Key settings
  • Click on Create to create the new Radius Authentication Server
  • Click on the Policies Tab and then click on the Add button
  • When prompted enter a Name for the new Radius Authentication Policy
  • Select the Radius Server created in the previous steps as the Server
  • Set the Expression to ns_true
  • Click on Create to create the new Radius Authentication Policy

Applying the Radius Authentication Profile to the Access Gateway vServer

The next part of the configuration is to apply the newly created Radius Authentication Policy to the Access Gateway vServer by performing the following steps :-

  • If necessary, Expand the Access Gateway branch in the Left Hand pane
  • Click on the Virtual Server branch and then open the Virtual Server you wish to apply Radius Authentication to
  • Click on the Authentication Tab and then under the Authentication Policies section click on Secondary
  • Click on the Insert Policy button and select the Radius Authentication Policy created in the previous section
  • Click on OK to apply the changes

Saving the configuration

The last part of the configuration is to save the new configuration on the NetScaler by performing the following steps :-

  • Click on the Save button and when prompted “Do you want to save the running configuration?” click on Yes
  • Once the configuration is saved and you are prompted “Configuration Saved Successfully” click on OK
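The six GUI steps above have a direct equivalent on the NetScaler CLI (`add lb monitor`, `add service`, `add lb vserver`, `add authentication radiusAction/radiusPolicy`, `bind vpn vserver`, `save ns config`). The following Python script is an added example, not part of the original article: it builds that command batch from a small description of the deployment and refuses to emit anything when the two rules the text insists on are broken (both Radius servers must share one secret, and the same CLIENT.UDP.RADIUS.USERNAME rule drives both the Token LB method and RULE persistence). All names, IP addresses and secrets in it are constructed placeholders.

```python
"""Generate the NetScaler CLI equivalent of the RADIUS load-balancing
procedure, checking the consistency rules the procedure relies on.

Added example, not from the original article. The CLI syntax is the
standard NetScaler 'add ... / bind ...' form; every name, IP address and
secret below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import List

RADIUS_RULE = "CLIENT.UDP.RADIUS.USERNAME"   # one rule for LB method AND persistence
RADIUS_PORT = 1812


@dataclass
class RadiusServer:
    name: str            # NetScaler service name
    ip: str
    shared_secret: str   # must be identical on every server behind the vServer


@dataclass
class RadiusLbConfig:
    monitor_name: str
    monitor_user: str          # AD account the monitor authenticates as
    monitor_password: str
    servers: List[RadiusServer]
    vserver_name: str
    vserver_ip: str
    auth_action_name: str      # the "Radius Authentication Server"
    auth_policy_name: str
    gateway_vserver: str       # Access Gateway vServer that gets the policy as secondary


def validate(cfg: RadiusLbConfig) -> List[str]:
    """Return the problems that would only surface as failed logons later."""
    problems = []
    if len(cfg.servers) < 2:
        problems.append("at least two RADIUS services are expected behind the vServer")
    if len({s.shared_secret for s in cfg.servers}) > 1:
        # The monitor and the auth action each carry a single -radKey, so
        # every back end must expect the same shared secret.
        problems.append("RADIUS servers do not share one shared secret")
    if len({s.name for s in cfg.servers}) != len(cfg.servers):
        problems.append("duplicate service names")
    return problems


def build_commands(cfg: RadiusLbConfig) -> List[str]:
    """Emit the CLI lines in the same order as the GUI steps."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    secret = cfg.servers[0].shared_secret
    lines = [
        # 1. monitor: a real RADIUS authentication; Access-Reject (code 3) counts as UP
        f"add lb monitor {cfg.monitor_name} RADIUS -userName {cfg.monitor_user} "
        f"-password {cfg.monitor_password} -radKey {secret} -respCode 3",
    ]
    # 2. one service per RADIUS server, with the monitor bound to each
    for s in cfg.servers:
        lines.append(f"add service {s.name} {s.ip} RADIUS {RADIUS_PORT}")
        lines.append(f"bind service {s.name} -monitorName {cfg.monitor_name}")
    # 3. vServer: Token LB and RULE persistence both keyed on the RADIUS username
    lines.append(
        f"add lb vserver {cfg.vserver_name} RADIUS {cfg.vserver_ip} {RADIUS_PORT} "
        f"-lbMethod TOKEN -persistenceType RULE -rule {RADIUS_RULE}"
    )
    for s in cfg.servers:
        lines.append(f"bind lb vserver {cfg.vserver_name} {s.name}")
    # 4. authentication server (action) pointing at the LB VIP, plus its policy
    lines.append(
        f"add authentication radiusAction {cfg.auth_action_name} "
        f"-serverIP {cfg.vserver_ip} -serverPort {RADIUS_PORT} -radKey {secret}"
    )
    lines.append(f"add authentication radiusPolicy {cfg.auth_policy_name} ns_true {cfg.auth_action_name}")
    # 5. bind it as the secondary authentication policy on the gateway vServer
    lines.append(f"bind vpn vserver {cfg.gateway_vserver} -policy {cfg.auth_policy_name} -priority 100 -secondary")
    # 6. persist the running configuration
    lines.append("save ns config")
    return lines


# Constructed sample values (placeholders, not a real deployment)
SAMPLE = RadiusLbConfig(
    monitor_name="mon_radius", monitor_user="svc_sms2", monitor_password="Pa55w0rd!",
    servers=[RadiusServer("svc_radius1", "10.0.0.11", "SharedSecret"),
             RadiusServer("svc_radius2", "10.0.0.12", "SharedSecret")],
    vserver_name="lb_vs_radius", vserver_ip="10.0.0.50",
    auth_action_name="auth_radius_lb", auth_policy_name="pol_radius_lb",
    gateway_vserver="vpn_vs_gateway",
)

if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE)))
```

The generated batch contains the monitor account password and the RADIUS shared secret in clear text, so treat the output file like any other credential material and remove it once it has been applied on the primary node.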

NetScaler 10 – Implementing Password Changing At Any Time


Introduction

This article provides the steps to implement Password changing at any time functionality on a NetScaler 10 VPX with a Web Interface 5.4 Server running on Windows 2008 R2.

Overview

With the Access Gateway 5 going end of life soon, many people are upgrading to a NetScaler VPX solution to provide external access to their user base.  One of the biggest pieces of functionality which seems to be missing at this time is providing users the ability to change their passwords at any time.

The old method of performing this with the Access Gateway 5 no longer works with a NetScaler VPX, so Citrix have two articles which provide the steps to enable this functionality for a site, but it does come with some disadvantages / considerations :-

  • Administrators cannot hide applications externally
  • Administrators cannot disable or enable any XenApp or XenDesktop policies based on user access from the Access Gateway
  • Client detection and download is no longer available

Initial Creation Of The XenApp Web Site

The first step is to create a new XenApp Web Site on the Web Interface Server.  To create a new XenApp Web Site on the Web Interface Server perform the following :-

  • Logon to the Web Interface Server as an administrative account
  • Open the Citrix Web Interface Web Management console
  • Right Click on XenApp Web Sites in the Left Hand pane and select Create Site
  • At the Specify IIS Location page change the Path to the Site name required

E.G. /Citrix/ChangePasswordSite/

  • The Name field will change automatically
  • Select Set as the default page for the IIS site if you wish it to be the default page and then click on Next to continue
  • At the Specify Point of Authentication page select At Web Interface and then click on Next to continue
  • At the Confirm Settings for New Site page check they are as you want them to be and then click on Next to continue

The new XenApp Web Site will now be created

  • Once created leave the option Configure this site now selected and then click on Next to continue
  • At the Specify Server Farm page change the Farm Name to the name of your XenApp Farm (This is for display purposes in the console only)
  • Click on the Add Button and when prompted enter the Server Name or IP Address of one of the XenApp Servers in the farm enabled for XML
  • Add in any additional XenApp Servers in the farm enabled for XML you require
  • If necessary change the XML Port to the Port being used on the XenApp Servers
  • If necessary change the Transport Type to HTTPS or SSL Relay depending on whether you have this configured on the XenApp Servers
  • Click on Next to continue
  • At the Configure Authentication Methods page ensure only the Explicit option is ticked and then click on Next to continue
  • At the Domain Restriction page change it to Restrict domains to the following
  • Click on Add, Enter your Active Directory name, and then click on OK
  • Click on Next to continue
  • At the Specify Logon Appearance Screen page select whether you want Minimal or Full and then click on Next to continue
  • At the Select Published Resource Type page select whether you want Online, Offline, or Dual Mode and then click on Next to continue
  • At the Confirm Settings page click on Finish to continue

Configuring Password Changing For The XenApp Web Site

The next step is to configure password changing for the new XenApp Web Site on the Web Interface Server.  To configure password changing for the new XenApp Web Site perform the following :-

  • Highlight the new XenApp Web Site in the Centre Pane
  • Click on Authentication Methods in the Right Hand pane
  • Click on Properties in the Configure Authentication Methods screen
  • Click on Password Settings in the list
  • Tick the Allow users to change password option and select At any time
  • Configure the Remind users before passwords expire section as required and then click on OK
  • Click on OK to close the Configure Authentication Methods screen

Configure Secure Access For The XenApp Web Site

The next step is to configure Secure Access for the new XenApp Web Site on the Web Interface Server.  To configure Secure Access for the new XenApp Web Site perform the following :-

  • Highlight the new XenApp Web Site in the Centre Pane
  • Click on Secure Access in the Right Hand pane
  • In the Specify Access Methods screen click on the Default in the centre pane
  • Click on Edit, change it to Gateway direct, and then click on OK
  • Click on Next in the Specify Access Methods screen
  • In the Specify Gateway Settings screen set the Address (FQDN) to the Fully Qualified Domain Name of your Access Gateway
  • Click on Next to continue
  • In the Specify Secure Ticket Authority Settings screen click on Add
  • Enter the address of your STA Server and then click on OK

N.B. The address must include /scripts/ctxsta.dll on the end E.G. http://{Your XenApp Server Name}/scripts/ctxsta.dll

  • Enter the addresses of your other STA Servers and then click on OK

N.B. The STAs you configure here MUST match those configured under the Access Gateway Virtual Server Published Applications section

  • Click on Finish to complete setting up Secure Access for the Site

Replace Login.java For The XenApp Web Site

The next step is to replace the login.java file for the new XenApp Web Site on the Web Interface Server.  To replace the login.java file for the new XenApp Web Site perform the following :-

  • Download the AGWISSO.ZIP file from the link below

http://support.citrix.com/article/CTX106202

  • Unzip the file on the Web Interface Server
  • In Windows Explorer navigate to the folder below for your new XenApp Web Site

Inetpub\wwwroot\Citrix\{Your new XenApp Web Site}\app_code\PagesJava\com\citrix\wi\pages\auth

E.G. C:\Inetpub\wwwroot\Citrix\ChangePasswordSite\app_code\PagesJava\com\citrix\wi\pages\auth

  • Rename the file login.java to login.java.old
  • Copy the login.java file from the Web Interface 5.4 folder inside the folder where you unzipped AGWISSO.ZIP on the Web Interface Server
  • Paste the login.java file in to the folder below for your new XenApp Web Site

Inetpub\wwwroot\Citrix\{Your new XenApp Web Site}\app_code\PagesJava\com\citrix\wi\pages\auth

E.G. C:\Inetpub\wwwroot\Citrix\ChangePasswordSite\app_code\PagesJava\com\citrix\wi\pages\auth

Configure A New Session Policy On The Access Gateway

The next step is to configure a new Session Policy on the Access Gateway.  To configure a new Session Policy on the Access Gateway perform the following :-

  • Logon to the NetScaler Management IP Web Gui
  • Expand the Access Gateway branch in the Left Hand pane
  • Expand the Policies branch under the Access Gateway branch in the Left Hand pane
  • Click on Session
  • Click on the Profiles Tab
  • Click on Add
  • When prompted enter a name for the new Session Policy
  • Click on the Client Experience Tab
  • Ensure that Clientless Access is Enabled and set to Off
  • Ensure that Single Sign-on to Web Applications is Enabled
  • Click on the Published Applications Tab
  • Ensure that ICA Proxy is Enabled and set to ON
  • Ensure that Web Interface Address is Enabled and set it to the URL of your new site

E.G. http://{Your Server IP}/Citrix/ChangePasswordSite

  • Ensure that Single Sign-on Domain is Enabled and enter your Active Directory Name

N.B. This must be the same as the Domain Restriction set for the Web Interface XenApp Web Site

  • Configure any other settings you require, such as DNS, and then click on OK

Bind The New Session Policy To A Session Profile On The Access Gateway

The next step is to bind the new Session Policy to a Session Profile on the Access Gateway.  To bind the new Session Policy to a Session Profile perform the following :-

  • Click on the Profile Tab under the Session branch
  • Double Click the Session Profile you wish to bind it to and change the Request Profile to the new Session Policy you created
  • Click on OK to apply the changes to your Session Policy

Providing the Session Policy you have modified is bound to the Access Gateway Virtual Server you should now be able to logon and be passed through to the new Web Interface XenApp Web Site.
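Two of the N.B. notes above describe settings that silently break logon when they disagree: the STA list on the Web Interface site must match the one on the Access Gateway Virtual Server, and the Single Sign-on Domain must match the site's Domain Restriction. The Python script below is an added example, not part of the original article or of any Citrix tooling: it checks those agreements before the change is applied, and builds the NetScaler CLI form of the Session Profile configured in the Client Experience and Published Applications tabs (`add vpn sessionAction`, which I assume to be the equivalent of those GUI tabs). The STA addresses, domain names, URL and object names are constructed placeholders.

```python
"""Consistency checks for the Web Interface / Access Gateway settings that
must agree, plus the CLI form of the Session Profile.

Added example, not from the original article. STA addresses, domain names,
the site URL and all object names are constructed placeholders; the
'add vpn sessionAction' syntax is the standard NetScaler CLI form and is
assumed to match the GUI tabs described in the text.
"""
from typing import List
from urllib.parse import urlparse

STA_PATH = "/scripts/ctxsta.dll"   # every STA address must end with this


def sta_url_ok(url: str) -> bool:
    """A usable STA address is absolute http(s) and ends in /scripts/ctxsta.dll."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc) and p.path.lower() == STA_PATH


def check_deployment(wi_stas: List[str], ag_stas: List[str],
                     wi_domain: str, sso_domain: str, wihome: str) -> List[str]:
    """Return the mismatches that would break logon through the new site."""
    issues = []
    for u in wi_stas + ag_stas:
        if not sta_url_ok(u):
            issues.append(f"malformed STA address: {u}")
    # STA lists are compared as case-insensitive sets: order does not matter, membership does
    if {u.lower() for u in wi_stas} != {u.lower() for u in ag_stas}:
        issues.append("STA list on the Web Interface site differs from the Access Gateway vServer")
    if wi_domain.lower() != sso_domain.lower():
        issues.append("Single Sign-on Domain does not match the Web Interface Domain Restriction")
    p = urlparse(wihome)
    if p.scheme not in ("http", "https") or not p.netloc:
        issues.append(f"Web Interface Address is not an absolute URL: {wihome}")
    return issues


def session_profile_commands(profile: str, policy: str, gateway_vserver: str,
                             wihome: str, sso_domain: str) -> List[str]:
    """CLI lines for the Session Profile: clientless access off, SSO on,
    ICA proxy on, Web Interface address and SSO domain set."""
    return [
        f"add vpn sessionAction {profile} -clientlessVpnMode OFF -SSO ON -icaProxy ON "
        f'-wihome "{wihome}" -ntDomain {sso_domain}',
        f"add vpn sessionPolicy {policy} ns_true {profile}",
        f"bind vpn vserver {gateway_vserver} -policy {policy} -priority 100",
        "save ns config",
    ]


# Constructed sample values (placeholders, not a real deployment)
WI_STAS = ["http://xa1.lab.local/scripts/ctxsta.dll", "http://xa2.lab.local/scripts/ctxsta.dll"]
AG_STAS = ["http://xa2.lab.local/scripts/ctxsta.dll", "http://xa1.lab.local/scripts/ctxsta.dll"]
WIHOME = "http://10.0.0.20/Citrix/ChangePasswordSite"

if __name__ == "__main__":
    problems = check_deployment(WI_STAS, AG_STAS, "LAB", "lab", WIHOME)
    if problems:
        print("fix before applying:", *problems, sep="\n  ")
    else:
        print("\n".join(session_profile_commands("prof_changepw", "pol_changepw",
                                                 "vpn_vs_gateway", WIHOME, "LAB")))
```

Run the check with the STA list copied from the Access Gateway Virtual Server's Published Applications section and the one entered in the Web Interface Secure Access wizard; the script only prints the commands when both lists and both domain names agree.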