
How to Forward Credentials from Access Gateway 4.x to Web Interface 3.x, 4.x, or 5.x

Document ID: CTX106202   /   Created On: May 18, 2005   /   Updated On: Sep 8, 2008

Summary

This document describes how to forward Citrix Access Gateway 4.x logon credentials to Web Interface in order to achieve single sign-on to Web Interface. It is assumed that Web Interface is already installed and functioning properly for internal users. The benefits of this solution include:

    • Users can access Presentation Server applications through Access Gateway without installing the Secure Access Client

    • Users authenticate once to the Access Gateway and are not prompted by Web Interface to re-authenticate

    • Inbound HTTPS traffic is terminated and authenticated by the Access Gateway appliance, allowing Web Interface to reside on the internal network instead of the demilitarized zone (DMZ)

Requirements

    • Citrix MetaFrame XP 1.0 or later

    • Web Interface 3.0 or later

    • Access Gateway Standard Edition 4.1 or later

Supported Deployment Scenario

    • Access Gateway located in the DMZ

    • Web Interface and Citrix Presentation Servers located on the trusted network

    • Web Interface configured for only explicit authentication to a Microsoft Windows Active Directory domain

    • Access Gateway configured for Lightweight Directory Access Protocol (LDAP), RADIUS, or NT LAN Manager (NTLM) authentication such that the credentials used to authenticate to the Access Gateway are valid for the Web Interface site

    • If dual-source authentication is used on the gateway, the Web Interface credentials are drawn from the primary authentication source and the secondary credentials are ignored by Web Interface.

Access Gateway 4.x Configuration Steps

IMPORTANT: Secure the connection between Access Gateway and Web Interface (for example, by publishing the Web Interface site over HTTPS and pointing the gateway at that HTTPS site) before enabling this setting. Otherwise, the forwarded user name and password travel from the Access Gateway to the Web Interface server in clear text across the internal network.

1. Log on to the Citrix Administration Terminal by connecting to https://<AccessGatewayName>:9001 and click Launch Access Gateway Administration Tool.

2. On the Authentication tab, enter the information for one or more Secure Ticket Authorities (STAs). The STAs listed here must match the STA URLs defined in your Web Interface site configuration.

3. If you are not using the Default realm for authentication, the realm name must match the Windows domain name against which users authenticate.

4. In the Administration terminal, select the Groups tab.

5. Open the Default group (or whichever group you want to configure).

6. In the Portal Configuration section, select Redirect to URL or Redirect to Web Interface. Supply the Web Interface server address or FQDN in the Proxy Base Server or Web Server field and the path to Web Interface in the Proxy Page Path or Path field. For example:

      • Path: /Citrix/MetaFrame/auth/login.aspx

      • Web server: wi.company.net

7. Select the check box named Forward Logon Credentials or Single sign-on to the Web Interface.

Web Interface script replacement

Next, configure Web Interface to accept the credentials that are passed by Access Gateway. The instructions for doing so vary according to the version of Web Interface.

1. Click the link at the top of this page to download AGWISSO.zip. Extract the zip file and locate the folder that corresponds to your version of Web Interface.

2. Follow the instructions to replace a script file given in the README.TXT file for your version of Web Interface.

Web Interface Site Configuration Steps

The Web Interface site should be configured for Explicit authentication only, with the domain name supplied and hidden from the logon page. Web Interface should also be configured to use Secure Gateway for ICA connections, and the Fully Qualified Domain Name (FQDN) of the Access Gateway appliance should be supplied when asked for the Secure Gateway address.

For Web Interface 3.0:

1. Open the Web Interface Admin UI by pointing a Web browser to http://localhost/Citrix/MetaFrame/WIAdmin. Choose Authentication from the left hand side and ensure that only Explicit Logon is enabled.

2. Specify the default domain that will be used for credentials passed to Web Interface. If multiple domains are listed, Access Gateway uses the first domain in the list. Click Save and then Apply Changes.

3. In the left pane, click DMZ Settings then Network Address Translation. Change the Default Address Translation Setting to Secure Gateway Server (with normal address). Click Save and then Apply Changes.

4. In the left pane, click DMZ Settings and then Secure Gateway Support. In the Secure Gateway Server section, supply the Access Gateway certificate FQDN in the field labeled Address (FQDN). If the Access Gateway appliance is listening on a port other than 443, change the port number as well.

5. Supply URLs for one or more STA servers. This information should match the list of STAs defined on the Secure Ticket Authority tab in the Access Gateway administration terminal. Click Save and Apply Changes.

For Web Interface 4.x:

1. Launch the Access Suite Console and select the node for the Web Interface site into which you copied the modified login.cs file.

2. Click Configure Authentication Methods.

3. Ensure that Explicit is the only option selected. Click Next.

4. Under Authentication Types, ensure Windows or UNIX (NIS) is selected. Click Next.

5. Specify the default domain that will be used for credentials passed to Web Interface. If multiple domains are listed, Access Gateway will use the first domain in the list. Click Next, then click Finish.

6. Select Manage Secure Client Access > Edit Secure Gateway settings. In the Secure Gateway Address supply the FQDN of the Access Gateway certificate.

7. Supply URLs for one or more STA servers. This information should match the list of STAs defined on the Secure Ticket Authority tab in the Access Gateway administration terminal. Click OK.

8. Select Manage Secure Client Access > Edit DMZ settings.

9. Select the entry named Default and click Edit. Choose Secure Gateway Direct and click OK.

For Web Interface 5.x:

1. Launch the Access Management Console and select the node for the Web Interface site into which you copied the modified Login.java file.

2. Click Configure Authentication Methods.

3. Ensure that Explicit is the only option selected. Click Next.

4. Under Authentication Types, ensure Windows or UNIX (NIS) is selected. Click Next.

5. Specify the default domain to be used for credentials passed to Web Interface. If multiple domains are listed, Access Gateway uses the first domain in the list. Click Next, then click Finish.

6. Go to Manage Secure Client Access > Edit Secure Gateway settings. In the Secure Gateway Address supply the FQDN of the Access Gateway certificate.

7. Supply URLs for one or more STA servers. This information should match the list of STAs defined on the Secure Ticket Authority tab in the Access Gateway administration terminal. Click OK.

8. Select Manage Secure Client Access > Edit DMZ settings.

9. Select the entry named Default and click Edit. Choose Secure Gateway Direct and click OK.

Testing Auto Logon to Web Interface

1. Log on to the Access Gateway from an external client by browsing to https://<AccessGatewayFQDN>

2. Log on to the Access Gateway with an Active Directory username and password.

3. You should be redirected to the Web Interface Server defined in the Default group or the highest-priority group to which the user belongs.

4. Web Interface should display your published applications automatically with no additional prompts for authentication. When launching a published application, the ICA Client should direct traffic through the Access Gateway appliance en route to the Presentation Server farm.

Troubleshooting

When connecting to the Access Gateway, users are not prompted for credentials and are taken directly to Web Interface without being automatically logged in.

Enable Portal Page Authentication. In the Access Gateway administration terminal, select the Global Policies tab. Scroll to the bottom and enable the check box for Enable Portal Page Authentication or Enable logon page authentication.

IMPORTANT: If logon page authentication is disabled, unauthenticated traffic is forwarded to the Web Interface server. Disabling it is only appropriate when Web Interface is located in the DMZ, not on the trusted network.

Users are forwarded to a page that asks whether to launch the Secure Access Agent.

In the Default group (or the highest-priority group of the user logging on), the Full Client check box or the Use the multiple logon option page check box is selected. Clear the check box if this is not the behavior you want.

Users are forwarded to the Web Interface server but applications are not displayed. An error message states that a Domain was not specified.

The Access Gateway only passes the user name and password to the Web Interface server. Use the Web Interface administration console to specify a domain or list of domains. If multiple domains are listed, Access Gateway uses the first domain in the list.

Users are forwarded to the Web Interface server but applications are not displayed. An error states that the credentials are invalid.

The most likely cause of this error is that the user logged on to the Access Gateway with credentials that do not match the user's Windows domain credentials.

If both Access Gateway and Web Interface are configured to authenticate users from multiple domains, the Access Gateway realm names must match the corresponding Active Directory domain names. To allow users to log on with a realm other than the default, name the realm after the Active Directory domain. Users then authenticate to the Access Gateway as REALM-NAME\username, and Web Interface interprets this string as DOMAIN-NAME\username.
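The decision logic that the configuration steps and the troubleshooting entries above describe, collected into one checkable model. This is an added example written for this article; it is not Citrix code and is not taken from the AGWISSO scripts. It encodes the stated rules (logon page authentication must be on, the gateway-to-Web Interface link must be TLS, the STA lists must match, the site must be Explicit-only, the gateway passes only user name and password, the first listed domain is the default, and a named realm is read as an Active Directory domain name). The class and function names, the field layout, and the sample STA and site URLs are this example's own assumptions and placeholders.

```python
"""Model of the Access Gateway to Web Interface credential hand-off.

Added illustration for CTX106202, not Citrix code. It encodes the rules the
article states so that a proposed configuration can be checked on paper before
it is applied. All names and sample URLs are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

DEFAULT_REALM = "Default"


@dataclass
class GatewayConfig:
    web_interface_url: str         # "Web server" + "Path" from the group's Portal Configuration
    forward_credentials: bool      # "Forward Logon Credentials" check box
    logon_page_auth: bool          # "Enable logon page authentication" (Global Policies tab)
    realms: List[str]              # realm names: "Default" plus any named after AD domains
    sta_urls: List[str]            # STAs entered on the gateway's Authentication tab


@dataclass
class WebInterfaceConfig:
    explicit_only: bool            # only Explicit logon enabled on the site
    domains: List[str]             # domain list on the site; the first one is the default
    sta_urls: List[str]            # STAs under the site's Secure Gateway settings


@dataclass
class Outcome:
    forwarded_user: Optional[str] = None   # DOMAIN\user as Web Interface will see it
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def _normalise(urls: List[str]) -> set:
    """Compare STA lists case-insensitively and ignoring a trailing slash."""
    return {u.strip().lower().rstrip("/") for u in urls}


def check_sso(gw: GatewayConfig, wi: WebInterfaceConfig, typed_user: str) -> Outcome:
    """Return what Web Interface receives when typed_user logs on at the gateway."""
    out = Outcome()

    # The forwarded password crosses the internal network; the article requires
    # this link to be secured before the check box is enabled.
    if urlparse(gw.web_interface_url).scheme.lower() != "https":
        out.warnings.append("gateway-to-Web Interface link is not HTTPS: "
                            "forwarded user name and password travel in clear text")

    # With logon page authentication off, the gateway forwards unauthenticated traffic.
    if not gw.logon_page_auth:
        out.errors.append("logon page authentication disabled: user reaches "
                          "Web Interface without authenticating at the gateway")
        return out

    if not wi.explicit_only:
        out.errors.append("Web Interface site must use Explicit authentication only")
    if _normalise(gw.sta_urls) != _normalise(wi.sta_urls):
        out.errors.append("STA list on the gateway does not match the Web Interface STA list")
    if not gw.forward_credentials:
        out.errors.append("Forward Logon Credentials not enabled: Web Interface prompts again")
    if out.errors:
        return out

    # "REALM\user" selects a named realm; a bare user name means the Default realm.
    realm, _, user = typed_user.rpartition("\\")
    realm = realm or DEFAULT_REALM
    if realm not in gw.realms:
        out.errors.append(f"unknown realm {realm!r} on the gateway")
        return out

    # The gateway passes only user name and password; Web Interface supplies the domain.
    if not wi.domains:
        out.errors.append("Domain was not specified: add a domain list to the Web Interface site")
        return out
    if realm == DEFAULT_REALM:
        domain = wi.domains[0]            # first listed domain is used
    else:
        domain = realm                    # a named realm is read as the AD domain name
        if domain.lower() not in (d.lower() for d in wi.domains):
            out.errors.append(f"credentials are invalid: realm {realm!r} is not a "
                              "domain the Web Interface site authenticates against")
            return out

    out.forwarded_user = f"{domain}\\{user}"
    return out


if __name__ == "__main__":
    # Constructed sample configuration; host names and STA URLs are placeholders.
    gw = GatewayConfig(
        web_interface_url="https://wi.company.net/Citrix/MetaFrame/auth/login.aspx",
        forward_credentials=True, logon_page_auth=True,
        realms=["Default", "LAB", "EXT"],
        sta_urls=["https://sta1.company.net/scripts/ctxsta.dll"])
    wi = WebInterfaceConfig(explicit_only=True, domains=["CORP", "LAB"],
                            sta_urls=["https://sta1.company.net/scripts/ctxsta.dll"])
    for typed in ("jsmith", "LAB\\jsmith", "EXT\\jsmith"):
        print(typed, "->", check_sso(gw, wi, typed))
```

Running the block as a script walks the three cases the troubleshooting section covers: a bare user name is mapped to the first Web Interface domain, a realm named after a listed domain is passed through, and a realm that Web Interface does not authenticate against produces the "credentials are invalid" outcome. An http:// site URL is reported as a warning rather than an error because the hand-off still works; it simply exposes the password on the wire.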

