Using NetScaler as OpenID Connect SP with ADFS as IDP

How do you configure Citrix NetScaler as an OpenID Connect Service Provider with Microsoft ADFS as the OpenID Connect Identity Provider? I’ve tried to make it easy to understand and to show how you do it using the CLI (NetScaler CLI and PowerShell).

Read this post for doing this with SAML.

Before we begin, let us look at what we need to establish the federation:

  • NetScaler (with at least Enterprise license)
  • Active Directory domain and ADFS (read this post if you want to load balance and use NetScaler as ADFS Proxy)
  • Website (lb vserver) we want to protect with AAA (will be referred to as the service provider)
  • AAA vserver to bind OpenID Connect (OAuth) Service Provider policy

In my case, the following FQDNs are used:

  • LB vserver: webapp-test.domain.com / LB-WEBAPP-TEST
  • AAA vserver: sp.domain.com / AAA-SP-DOMAIN.COM (note: it will actually not be accessed by the web browser)
  • ADFS: adfs.domain.com

Compared to SAML, we need to create the IDP policy on ADFS before configuring NetScaler:

Note: Generate the random UUID for the client secret any way you want. It doesn’t have to be a UUID, but that is common. This site can be used.

Now we need to create the OIDC Service Provider action and profile, as well as bind it to the AAA vserver:

(Note: As I stated before, this policy is bound to the AAA vserver but the expression matches the hostname of the LB vserver, since the web browser is never actually redirected to the AAA vserver in this scenario)

As a last step, create (if it isn’t already) an authentication profile and bind it to the LB vserver:

Remember that the NetScaler periodically queries the IDP for the keys, and also sends the code to the token endpoint to receive the access_token, refresh_token and id_token (which it uses to extract the UPN). Just as with SAML, the browser never hits the AAA vserver. See below for a screenshot of a capture where the NetScaler (SNIP) sends a request to ADFS (behind the scenes):

For troubleshooting, remember to enable Enhanced Authentication Feedback and to look at both ns.log and the ADFS server’s Event Viewer for information:



Using NetScaler as SAML SP with ADFS as IDP

How do you configure Citrix NetScaler as a SAML Service Provider with Microsoft ADFS as the SAML Identity Provider? I’ve tried to make it easy to understand and to show how you do it using the CLI (NetScaler CLI and PowerShell).

Before we begin, let us look at what we need to establish the federation:

  • NetScaler (with at least Enterprise license)
  • Active Directory domain and ADFS (read this post if you want to load balance and use NetScaler as ADFS Proxy)
  • Website (lb vserver) we want to protect with AAA (will be referred to as the service provider)
  • AAA vserver to bind SAML Service Provider policy

In my case, the following FQDNs are used:

  • LB vserver: webapp-test.domain.com / LB-WEBAPP-TEST
  • AAA vserver: sp.domain.com / AAA-SP-DOMAIN.COM (note: it will actually not be accessed by the web browser)
  • ADFS: adfs.domain.com

When installing ADFS, two self-signed certificates are issued for Token-signing and Token-decryption. On the NetScaler we could use any certificate for signing and decryption, but I recommend using a certificate that isn’t used for web site communication. That’s why I create a self-signed certificate for this purpose: (note: I do this on my computer, modify the variables to match your environment – and even though this certificate and key are self-signed, keep them secure)

The certificate (not the key) needs to be copied to the ADFS server for when we create the Relying Party Trust, and we also need to copy the ADFS Token-signing certificate to the NetScaler (below called adfs.domain.com-signing).

Copy the newly created certificate and key to the NetScaler, as well as the ADFS Token-signing certificate:

Now we need to create the SAML Service Provider action and profile, as well as bind it to the AAA vserver:

(Note: As I stated before, this policy is bound to the AAA vserver but the expression matches the hostname of the LB vserver, since the web browser is never actually redirected to the AAA vserver in this scenario)

As a last step, create (if it isn’t already) an authentication profile and bind it to the LB vserver:

Now configure ADFS (modify the variables to match your needs):



How to join a Windows 10 computer to your Azure Active Directory

Introduction

Some of the benefits of having your Windows 10 devices in your Azure AD are that your users can join the computer to your Azure AD without any extra administrator privileges, assuming you have configured this in your Azure AD. They can also log in to the computer without being connected to a specific company network the first time, as long as they have an internet connection. You can also manage your Windows 10 devices wherever they may be in the world.



HOW-TO IMPORT DHCP-LEASES TO WINDOWS SERVER FROM PALO ALTO

In some cases you will come across DHCP scopes that are configured on the edge device or similar and want to move them to your dedicated Windows Server instead.
Below is an example where you export DHCP leases from your Palo Alto Networks device and add them to your dedicated Windows Server.

In this example I will be using PuTTY.

Step 1.
Start PuTTY and connect to your Palo Alto Networks firewall. Then go to the PuTTY Reconfiguration page, Session > Logging, and select “All session output”.
Choose your filename and where to save it. Select Apply.

Step 2.
Log in to your Palo Alto Networks firewall and issue one of the commands below. Choose the second one if you need to specify an interface, for example if you have several DHCP scopes configured on your firewall.

Close your session when the output has been printed.

Step 3.
Deactivate the DHCP scope on your Palo Alto Networks firewall so that no new leases are added.

Step 4.

Open the file where the output has been pasted and remove any unnecessary information.

Import the values to Excel and it should look something like this: (We are only importing IP, MAC and Hostname in this example)

Step 5.
Now we need to add the information to the command that we will be using in PowerShell on the new DHCP server.

Go to a new column on the same sheet and add the below:

This takes the IP from column A, row 2, the MAC address from column B, row 2, and the hostname from column C, row 2.

Go to the new cell and hover over the right corner. Drag down to fill in the rest of the rows.

Step 6.
If you have not already created the new DHCP-scope this is the time to do it.

Step 7.
Start PowerShell on your DHCP server and paste the commands below.

Step 8.
Activate the new scope and remember to configure DHCP-relay on your Palo Alto Networks firewall if needed.
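
As an alternative to the Excel step, the parsing and command building from steps 4 to 7 can be done directly in PowerShell, which also lets each row be validated before it reaches the DHCP server. This is an added example, not the original post's commands: it uses Add-DhcpServerv4Lease, and the lease table layout, the sample rows, the scope ID and the function name ConvertFrom-PaloAltoLease are assumptions.

```powershell
# Constructed sample of a PuTTY session log with Palo Alto lease output.
# The column layout (ip, mac, hostname, state, ...) and the state names are
# assumptions; adjust the pattern if your firewall prints the table differently.
$sessionLog = @'
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.01.08 10:30:00 =~=~=~=~=~=~=~=~=~=~=~=
ip              mac                hostname      state      duration  lease_time
192.168.10.21   00:50:56:aa:bb:01  PC-RECEPTION  committed  86400     Mon Jan  8 09:12:44 2018
192.168.10.22   00:50:56:aa:bb:02  PRN-FLOOR2    committed  86400     Mon Jan  8 09:15:03 2018
192.168.10.23   00:50:56:aa:bb:03                committed  86400     Mon Jan  8 10:01:17 2018
192.168.10.21   00:50:56:aa:bb:01  PC-RECEPTION  committed  86400     Mon Jan  8 09:12:44 2018
192.168.10.999  00:50:56:aa:bb:04  BAD-ROW       committed  86400     Mon Jan  8 10:02:00 2018
'@

function ConvertFrom-PaloAltoLease {
    param([Parameter(Mandatory)][string]$Text)

    # IPv4 address, MAC address, optional hostname, then the lease state.
    $pattern = '^\s*(?<ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+' +
               '(?:(?<name>[\w.-]+)\s+)?(?<state>committed|expired|offered)\b'
    $seen = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -notmatch $pattern) { continue }      # banners, prompts, header row
        $ip, $mac, $name = $Matches['ip'], $Matches['mac'], $Matches['name']
        $parsed = $null
        if (-not [ipaddress]::TryParse($ip, [ref]$parsed)) { continue }  # octet above 255
        if ($seen.ContainsKey($ip)) { continue }        # same lease captured twice
        $seen[$ip] = $true
        [pscustomobject]@{
            IPAddress = $ip
            ClientId  = ($mac -replace ':', '-').ToUpper()   # 00-50-56-AA-BB-01
            HostName  = $name                                # $null when the column is empty
        }
    }
}

$scopeId = '192.168.10.0'    # placeholder: the scope created in step 6
$leases  = @(ConvertFrom-PaloAltoLease -Text $sessionLog)
$leases | Format-Table -AutoSize

# Only attempt the import where the DhcpServer module is present.
if (Get-Command Add-DhcpServerv4Lease -ErrorAction SilentlyContinue) {
    foreach ($lease in $leases) {
        $params = @{ ScopeId = $scopeId; IPAddress = $lease.IPAddress; ClientId = $lease.ClientId }
        if ($lease.HostName) { $params.HostName = $lease.HostName }
        # -WhatIf previews each lease; remove it to write to the DHCP server.
        Add-DhcpServerv4Lease @params -WhatIf
    }
}
```

With the sample above, three leases are returned: the duplicate row and the row with an invalid address are dropped, and the lease without a hostname is imported without one.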



News on the way to RDS 2016

Earlier this autumn Microsoft presented news that is on the way to Remote Desktop Services (RDS) 2016. Some major changes are coming that are important to know about, and this post summarizes some of the new features that are due shortly.

Infrastructure

In a traditional RDS infrastructure, all servers in the deployment must be members of the domain. This means that the RD Gateway and Web Access servers are both domain-joined and directly exposed to the internet, which makes them vulnerable to attack.

With the new infrastructure design that Microsoft presents, the Gateway, Web Access and the other roles are no longer members of the domain. Contact from the domain to the infrastructure is made only through outbound traffic on port 443. Besides increasing security, this allows organizations to operate several different environments with the same RDS infrastructure. An RDS environment is no longer needed for each domain; instead the infrastructure can be set up once to serve several environments and let users connect to their respective domain and session hosts.

Microsoft also presents a new role within Remote Desktop Services, Diagnostics, whose task is to collect information about the deployment and which can be used to troubleshoot connection problems.

Azure

Integration with Azure Active Directory (AAD) is coming soon. With AAD, Multi-Factor Authentication, Intelligent Security Graph and other Azure services can be used in the RDS environment. Azure AD is something many organizations already use if they use Office 365 services.

If the RDS environment is set up in Azure, organizations can install the RDS roles as Platform as a Service (PaaS) services. This means that a VM is no longer required for each role in the infrastructure, so administrators no longer have to manage each VM individually, and they get access to the flexible scalability that Azure offers. This setup also supports hybrid solutions, so session hosts can reside on-premises and the rest of the infrastructure in Azure.

There is still no ETA for when these features will be made available. For more information and a demo of some of these features, see the post from Microsoft.



Windows 10 Subscription Activation for Hybrid Azure AD Joined devices

In a migration phase to Windows 10 we wanted to be able to benefit from the fairly new Windows 10 Subscription Activation method for the existing environment. One of the requirements for us was that we could do this with Hybrid Azure AD Joined devices. With this post I will try to guide you through the settings and steps for the setup to work properly.

In this scenario the environment looked like this from the beginning:

  • Domain functional level: Windows Server 2012 R2
  • Windows 7 machines ready to be upgraded to Windows 10
  • All Windows clients domain-joined to an on-premise domain
  • An active Office 365 tenant existed
  • Azure AD Connect was configured with password synchronization only
  • An active Azure AD Premium P1 subscription existed

Now that we have the background information about the environment, let’s list the things we needed to do before we could successfully make Windows 10 Subscription Activation work for the new Windows 10 devices.

  1. Configure a service connection point
  2. Enable device writeback in Azure AD Connect
  3. Sync computer accounts via Azure AD Connect
  4. Create a GPO so domain-joined computers automatically and silently register as devices with Azure Active Directory
  5. Upgrade an existing computer or install a new one with Windows 10 Pro 1709 and on-premise domain-join the device
  6. Verify that the Windows 10 computer registers as a Hybrid Azure AD Joined device in the Azure Active Directory admin center
  7. Assign a Windows 10 E3/E5 license to a user in the Office 365 Admin Center
  8. Log onto the computer with the user you assigned the license to
  9. Confirm that the Windows 10 Pro 1709 computer steps up to Enterprise

Now I will describe most of the steps in more detail so it’s easier for you to understand what needs to be done.

To configure a service connection point, follow the steps below:

In newer versions of Azure AD Connect and when running Express settings, this SCP is created automatically here:

You can also retrieve the setting with PowerShell:

In this case it had not been created, probably because an older version of Azure AD Connect was installed that did not do this. To create the SCP, run the commands below as admin from the Microsoft Azure Active Directory Module for Windows PowerShell on the Azure AD Connect server, which also needs to have RSAT-ADDS installed. Make sure you have version 1.1.166 of the module installed.

Verify that the SCP has been created with the retrieve PowerShell command above.

To enable device writeback in Azure AD Connect and sync computer accounts, follow the steps below:

This is done from the Azure AD Connect server.

To create the GPO for domain-joined computers to automatically and silently register as devices with Azure Active Directory, follow the steps below:

To verify that the Windows 10 computer registers as a Hybrid Azure AD Joined device in the Azure Active Directory admin center, follow the steps below:

You should also see msDS-Device records in the RegisteredDevices OU in Active Directory.

To assign a Windows 10 E3 or E5 license to a user in Office 365 Admin Center, follow the steps below:

In your Office 365 admin portal, find the user who should log onto the Windows 10 Pro computer and activate the Windows 10 Enterprise license that you bought beforehand. This license can be purchased as a separate license or via Microsoft 365 E3 or E5 license bundle.

To verify that the computer has been activated through Windows 10 Subscription Activation, follow the steps below:

After logging onto the Windows 10 Pro computer, verify that the Enterprise version has been activated.

Please note that you need to have a Windows 10 Pro license activated to get this to work. If you have a Windows 7 Pro licensed computer today and you have bought the Windows 10 E3/E5 or Microsoft 365 E3/E5 license, you can upgrade your existing Windows 7 Pro computer to Windows 10 Pro by using your existing Windows 7 Pro key. This will give you a valid Windows 10 Pro license that can be used in this scenario.

A useful command in this hybrid scenario is dsregcmd.exe /status. It shows the status of your local computer, such as whether the device is Azure joined or whether the user is in Azure.

If you have any questions, feel free to email me at tobias.sandberg@xenit.se.



Outlook search index with FSLogix

Something that is noticed quickly after setting up an “FSLogix Office 365 Containers” solution in a multi-user environment is that the Outlook search index is, in some environments, rebuilt at every new logon. This applies to environments with several session hosts that users can log on to.

The search function in Outlook uses “Windows Search”, which is a database of the indexes for the entire operating system, so it is not something stored per user. This means, for example, that in a Citrix environment with several servers, a user's Outlook will re-index all of Outlook on every new server the user logs on to. This results in slow searches (until indexing is complete) and an unnecessary CPU load, which in turn can negatively affect the whole environment. It can get even worse when Citrix Provisioning Services (PVS) is used, since the updated index is lost at every restart of the server.

FSLogix to the rescue

To get around this problem, FSLogix has a feature that includes your Outlook index in the VHD file, so you always have your up-to-date index data with you whichever server you land on. You need to change two registry values to enable this; I personally prefer to create or edit a GPO for this.

The following two registry values are to be set:

HKLM\Software\FSLogix\Apps
Type: DWORD
Value Name: RoamSearch
Value Data: 2

HKLM\Software\Policies\FSLogix\ODFC
Type: DWORD
Value Name: RoamSearch
Value Data: 2

Feel free to get in touch if you are interested in or want to know more about products from FSLogix, and see our earlier blog posts about FSLogix below:

FSLogix Profile Containers – Simple and fast profile management

Office365 with FSLogix in a multi-user environment

OneDrive with simulated Single Sign-On



Azure Archive Storage – Manage access tier on all blobs in a container

Last week Archive blob storage went into general availability. If you haven’t checked it out, you can find some info here: Announcing general availability of Azure Archive Storage

After some testing we realized that you can’t change the access tier for an entire container or storage account from the portal. The access tier had to be set blob by blob, as shown in the picture.

Here is an easy way to set the access tier with PowerShell on all blobs in a specific container. This can be helpful if you have a lot of blobs that could benefit from the new Archive access tier.

After successfully running the code above we could see that all our blobs had changed access tier to “Archive”.

Our example is very simple, and with some imagination you can take it further and, for example, change the access tiers of certain files with certain properties.



Troubleshooting XenMobile

EMM systems are complex, error-prone and sensitive to changes from a lot of manufacturers, thus I’ll dedicate this post to just that: techniques for troubleshooting XenMobile. This is not a ”I have this problem, what could be the solution”-type post, but I’m rather going to outline some of the more useful tools that you can employ to help solve your problems.

XenMobile Analyzer

Easy to miss, but by far the easiest to use and among the more powerful troubleshooting tools. XM Analyzer “simulates” enrolling a device, authenticating to both XenMobile and the NetScaler Gateway, and browsing to internal URLs with Secure Web, as well as ShareFile SSO and Secure Mail Auto Discovery. When I’m setting up a new environment or troubleshooting an existing one, I usually start here since it gives me a nice breakdown of which step fails as well as suggestions for possible fixes. One nice thing is that you can actually schedule reports to run at regular intervals, provided of course you allow enrollment without PIN.

XenMobile Analyzer results

XenMobile Analyzer is available at https://xmanalyzer.xm.citrix.com/ after logging in with your Citrix account.

XenMobile Connectivity Check

Available in the admin console, under Troubleshooting and Support > Diagnostics > XenMobile Connectivity Checks is this test. It is basically trying to reach other servers necessary for XenMobile to work, and allows you to see whether it works or not. It is a simple way to check if your internal firewalls are blocking something important:

XenMobile Connectivity Checks

Secure Mail Test Tool

If Secure Mail is what’s acting up for you, there is actually a dedicated test tool available. Much like the XenMobile Analyzer, it runs through a lot of tests and checks where it fails, but the Secure Mail Test Tool runs on your mobile device, allowing you to see the other side of the equation. The only trouble with this tool is that you need to wrap it with the MDX tool in order to use it.

Secure Mail Test Tool

You can find more info about the test tool here: https://support.citrix.com/article/CTX141685

XenMobile Logs

Logs, of course, should hardly need to be mentioned. There are several layers of logs: Debug and User (and admin audit) logs on the appliance, iOS/Android logs on the devices as well as logs from Secure Hub. Make sure to use these to your advantage, and remember that you can change the log levels both when reporting a problem in Secure Hub as well as under Log Settings in the admin UI.

Browsing these logs, however, can be quite a daunting task. I usually start with only the appliance debug log, since you tend to get most of what you need from there. A good start with the debug log is to check for exceptions; the first row usually gives you the information you need to fix the problem. Other than that you might need to search the logs for a username or something related to the problem (for example CSR if you’re having trouble enrolling client certificates). If you are able to reproduce the error, make sure you rotate the logs before you reproduce it, as that’ll leave you with a much shorter log to sift through.

NetScaler AAA log

Most implementations of XenMobile use NetScaler for load balancing and MAM Gateway, and of course a lot of problems could arise here as well. The most basic way to check the NetScaler is to see if it actually accepts your authentication.

To do this, log on to the NetScaler CLI (PuTTY or another SSH client to the same hostname as the NetScaler’s; log on with your usual credentials) and run the commands below:

Now you can see the log live. If it’s a well-used NetScaler this might be rather busy, so you will have to start the logging just before you log on and then stop it afterwards. When you’ve done a logon you’ll get something similar to the image below:

NetScaler aaad.debug log

Here, the top (blurred) rows list which AD groups the user is in, which is useful to see whether the user is actually in the group you connected your delivery policy to. What you want to see is something like the “sending accept to kernel” lines in the screenshot. This means the user has authenticated to the NetScaler properly. Likewise, a “sending reject” means the user login was not accepted. If you’re lucky, maybe the user was inputting the wrong password all those times?
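
On a busy NetScaler the accept and reject lines can be tallied per user from a saved copy of the output, which also makes repeated rejects for one account stand out. This is an added example, not from the original post: the sample lines are constructed, and the trailing `for : <user>` part of the line format, the threshold and the function name Get-AaadLogonResult are assumptions.

```powershell
# Constructed sample of saved aaad.debug output (for example from PuTTY session
# logging). Real lines carry build paths and more detail; only the
# "sending accept/reject to kernel" wording comes from the post, and the
# trailing "for : <user>" is an assumption about the format.
$aaadLog = @'
naaad.c[1021]: process_ldap: extracted group attribute: MobileUsers
naaad.c[1377]: send_accept: sending accept to kernel for : anna
naaad.c[1402]: send_reject: sending reject to kernel for : bertil
naaad.c[1402]: send_reject: sending reject to kernel for : bertil
naaad.c[1402]: send_reject: sending reject to kernel for : bertil
naaad.c[1377]: send_accept: sending accept to kernel for : cecilia
naaad.c[1402]: send_reject: sending reject to kernel
'@

function Get-AaadLogonResult {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$RejectThreshold = 3   # flag users with at least this many rejects
    )
    $pattern = 'sending (?<result>accept|reject)\b(?: to kernel)?(?:\s+for\s*:\s*(?<user>\S+))?'
    $tally = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -notmatch $pattern) { continue }    # group listings and other noise
        # Lines without a user name are still counted, under a placeholder key.
        $user = if ($Matches['user']) { $Matches['user'].ToLower() } else { '(unknown)' }
        if (-not $tally.ContainsKey($user)) {
            $tally[$user] = [pscustomobject]@{ User = $user; Accept = 0; Reject = 0; Flag = $false }
        }
        if ($Matches['result'] -eq 'accept') { $tally[$user].Accept++ } else { $tally[$user].Reject++ }
    }
    foreach ($entry in $tally.Values) {
        # Repeated rejects with no accept: wrong password, lockout or guessing.
        $entry.Flag = ($entry.Reject -ge $RejectThreshold -and $entry.Accept -eq 0)
    }
    $tally.Values | Sort-Object -Property Reject -Descending
}

Get-AaadLogonResult -Text $aaadLog | Format-Table -AutoSize
```

For the sample above, bertil is listed first with three rejects and is the only flagged user; anna and cecilia each show one accept.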

NetScaler Policy Hits

XenMobile depends heavily on session policies to work properly. If these policies don’t “hit” for the user, you will most certainly see some problems. To check which policies hit when a user logs on, you can check the NetScaler CLI:

Run the commands and then let a user log on and you will get something like the output below.

NetScaler Policy Hits

Do note that this isn’t user specific: all hits occurring during your logging time will be present in the output, so you will need to know what you are looking for. If you used the XenMobile Wizard to set up the NetScaler integration, the most important policy you’ll be looking for is the “PL_OS_YOUR_NSGW_IP” one I highlighted above, as it is the default name for the policy applied on a logon from a mobile device. You can also see which LDAP policies apply, and whether your certificate policies apply as expected.

Also, as a last, more specific tip: if your appliance is failing to boot, just looping on “starting main app”, make sure that the database is available to the appliance. In my experience this is the problem almost every time.



NetScaler HA heartbeats in Azure

When using NetScaler with multiple NICs in Azure, heartbeats will not be seen on interfaces other than the one the NSIP is configured on.

To resolve this, disable heartbeats on the other interfaces (in my case, NSIP is on 0/1 and disabling on 1/1 and 1/2):