This article contains information about configuring the Single Sign-On (SSO) feature on a Citrix Access Gateway Enterprise Edition appliance and Web Interface.
The procedure to configure the SSO feature is based on the Smart Access feature of the XenApp application virtualization, where no Virtual Private Network (VPN) connection is used to connect to the Access Gateway Enterprise Edition appliance.
To complete the procedure, you require a Citrix Access Gateway Enterprise Edition appliance on a network with the following configuration:
Access Gateway virtual server and a Secure Socket Layer (SSL) certificate bound to the virtual server
A Fully Qualified Domain Name (FQDN) for the Virtual IP of the Access Gateway Virtual Server
Additionally, you require the Citrix Access Management Console and a Web Interface site deployed on the network.
To configure the SSO feature, complete the following procedures:
Configuring the SSO Feature on an Access Gateway Enterprise Edition Appliance
Configuring the SSO Feature on the Citrix Access Management Console
To configure SSO on an Access Gateway Enterprise Edition appliance, complete the following procedure:
Ensure that you have created the correct Mapped IP (MIP) address or Subnet IP (SNIP) address so that the appliance communicates with the network subnet of the Web Interface server.
Expand the Access Gateway node of the Navigation pane.
Expand the Policies node.
Select the Session node.
Activate the Profiles tab.
Click Add to create a profile.
Specify the following details in the Create Access Gateway Session Profile dialog box:
Specify a name for the profile.
Select the Override Global option to override the global settings.
Activate the Security tab.
Select ALLOW from the Default Authorization Action list, as shown in the following screen shot:
Activate the Published Applications tab.
Select ON from the ICA Proxy list to enable ICA proxy.
Specify the Web Interface address. Ensure that you specify the complete URL.
Specify the Active Directory domain name in NetBIOS format in the SSO Domain field, as shown in the following screen shot. You cannot specify more than one domain.
Click Create.
Click Close.
Activate the Policies tab of the Access Gateway Session Policies and Profiles page.
Click Add to create a policy.
Specify the following details in the Create Access Gateway Session Policy dialog box:
Specify a policy name.
Select the required profile from the Request Profile list.
Select the following options from the Named Expressions list:
General
True value
Click Add Expression.
ns_true is displayed in the Expression section, as shown in the following screen shot:
Click Create.
Click Close.
Expand the Access Gateway node and select the Virtual Servers node.
Open the required SSL virtual server.
Activate the Policies tab of the Configure Access Gateway Virtual Server dialog box.
Click Insert Policy.
Select the required session policy from the Policy Name list, as shown in the following screen shot:
Activate the Published Applications tab.
Click the Add link in the Security Ticket Authority section.
Specify the URL of the Secure Ticket Authority (STA) server in the Configure STA Server dialog box, as shown in the following screen shot:
Note: The STA server can be any XenApp server from the farm on which the Citrix XML service is deployed. You can add more than one server. However, ensure that the list of STA servers always matches the list of STA servers in the Web Interface site Gateway settings, as specified in Step 2 of the Configuring the SSO Feature on the Citrix Access Management Console procedure.
To configure SSO on the Citrix Access Management Console, complete the following procedure:
To edit the secure access settings of the Web Interface site, select the Web Interface site in the left panel and select Secure Access from the Edit Settings menu, as shown in the following screen shot.
Click Edit in the Edit Secure Access Settings dialog box.
Select Gateway Direct from the Access method list to switch to the Gateway Direct mode, and click OK.
Click Next.
Specify the following details in the Edit Secure Access Settings dialog box:
The FQDN of the SSL Virtual IP that is configured on the Access Gateway Enterprise Edition appliance. Click Next.
Click Add to specify the URL of the STA server.
Ensure that the list of STA servers matches the list of STA servers in the Access Gateway Enterprise Edition STA settings, as specified in Configuring the SSO Feature on an Access Gateway Enterprise Edition Appliance.
Note: When you edit the Secure Ticket Authority settings in the Secure Access settings, ensure that each STA URL has the following format: http(s)://<XenApp-server-address:portnumber>/scripts/ctxsta.dll
Following is a sample STA address: http://xenapp.example.com:8080/scripts/ctxsta.dll
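Because the Access Gateway and the Web Interface site each hold their own copy of the STA list, a mismatch (a server present on one side only, a different port, or http on one side and https on the other) is a common reason that ICA launches fail after SSO is configured. The following is an added example, not code from the article or from Citrix, that normalizes STA URLs to the required http(s)://host:port/scripts/ctxsta.dll form and reports the entries that differ between the two lists. The host name xenapp.example.com comes from the article's sample address; xenapp2.example.com and the two lists below are constructed sample values.

```python
"""Validate Secure Ticket Authority (STA) URLs and compare the STA list
configured on the Access Gateway with the list in the Web Interface site.

Added example, not part of the original article. The lists below are
constructed sample values; xenapp2.example.com is an assumed host name.
"""
from urllib.parse import urlsplit

# The path the article requires for every STA URL (case-insensitive on IIS)
STA_PATH = "/scripts/ctxsta.dll"
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_sta_url(url):
    """Return a canonical (scheme, host, port) triple for an STA URL.

    Raises ValueError when the URL does not follow
    http(s)://<host>[:port]/scripts/ctxsta.dll.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"STA URL must use http or https: {url!r}")
    if not parts.hostname:
        raise ValueError(f"STA URL has no host: {url!r}")
    if parts.path.lower() != STA_PATH:
        raise ValueError(f"STA URL path must be {STA_PATH}: {url!r}")
    # An explicit port wins; otherwise use the scheme's default port
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def compare_sta_lists(gateway_urls, web_interface_urls):
    """Compare the two STA lists after normalization.

    Returns a dict with the entries present on only one side and the URLs
    that failed validation, so an administrator can see exactly what to fix.
    """
    result = {"only_on_gateway": [], "only_on_web_interface": [], "invalid": []}
    sides = {}
    for name, urls in (("gateway", gateway_urls),
                       ("web_interface", web_interface_urls)):
        normalized = set()
        for url in urls:
            try:
                normalized.add(normalize_sta_url(url))
            except ValueError as exc:
                result["invalid"].append((name, url, str(exc)))
        sides[name] = normalized
    result["only_on_gateway"] = sorted(sides["gateway"] - sides["web_interface"])
    result["only_on_web_interface"] = sorted(sides["web_interface"] - sides["gateway"])
    return result


def sta_lists_match(gateway_urls, web_interface_urls):
    """True only when both lists are valid and identical after normalization."""
    r = compare_sta_lists(gateway_urls, web_interface_urls)
    return not (r["only_on_gateway"] or r["only_on_web_interface"] or r["invalid"])


# Constructed sample lists: the same two servers, written differently on
# each side (letter case, explicit default port), which must still match.
GATEWAY_STAS = [
    "http://xenapp.example.com:8080/scripts/ctxsta.dll",
    "https://XenApp2.example.com/scripts/ctxsta.dll",
]
WEB_INTERFACE_STAS = [
    "http://xenapp.example.com:8080/Scripts/CtxSta.dll",
    "https://xenapp2.example.com:443/scripts/ctxsta.dll",
]

if __name__ == "__main__":
    print("lists match:", sta_lists_match(GATEWAY_STAS, WEB_INTERFACE_STAS))
    print(compare_sta_lists(GATEWAY_STAS, WEB_INTERFACE_STAS[:1]))
```

Run the script on the lists copied from both consoles; any entry reported under only_on_gateway, only_on_web_interface or invalid is a setting to correct before testing an application launch.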
In the Web Interface Access Management Console, select the Web Interface site and click Manage Session authentication from the Common Task section.
Switch to the Access Control mode and specify the Authentication service URL of the SSL Virtual IP in the Manage Access Method dialog box, as shown in the following screen shot:
Use the https protocol because the Virtual IP accepts secure communication on port 443. Additionally, ensure that the FQDN matches the certificate bound to the SSL Virtual IP on the Access Gateway Enterprise Edition appliance. The Web Interface server must be able to resolve the FQDN through DNS or a local hosts file.
Download the root certificate from the Certificate Authority server, which was used to create the SSL certificate of the SSL Virtual IP on the Access Gateway Enterprise Edition appliance.
Import the root certificate into the operating system certificate store of the Web Interface server, because the https connection between the Web Interface server and the Access Gateway Enterprise Edition appliance requires the root certificate to be trusted.
On the Web Interface server, start the Microsoft Management Console (MMC) and complete the following procedure to import the root certificate.
Note: Run the mmc command from the Start menu to open the MMC console.
In the MMC console, select Add/Remove snap-in from the File menu.
Select Certificates.
Click Add.
Select Computer account in the Certificates snap-in dialog box, as shown in the following screen shot:
Select Local Computer and click Finish.
Click OK.
Expand the Trusted Root Certificates node in the left panel and click Certificates.
Select All Tasks from the shortcut menu.
Click Import from the All Tasks menu, as shown in the following screen shot:
Import the certificate using the Certificate Import wizard.
Refresh the Certificates list to verify that the root certificate that you imported is displayed.
Note: If the Certificate Authority (CA) root certificate is imported correctly, the Web Interface site can establish a secure connection to the SSL Virtual IP on the Access Gateway Enterprise Edition appliance and receive the authentication credentials from the SSL Virtual IP.
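The two conditions in this section, that the FQDN matches the certificate on the SSL Virtual IP and that the Web Interface server trusts the issuing root CA, can both be checked from the Web Interface server before testing a logon. The following is an added example, not code from the article or from Citrix. hostname_matches_cert applies the usual name-matching rules (subjectAltName DNS entries first, a single-label wildcard, subject CN only when no DNS SAN exists) to a certificate in the dict form returned by ssl.SSLSocket.getpeercert(); verify_gateway_tls connects to the Virtual IP with the platform trust store, which on a Windows server includes the Trusted Root store the MMC procedure imports into, so a chain failure there points at a missing or wrong root certificate. The host gateway.example.com and the sample certificate fields are constructed values.

```python
"""Check the FQDN and the trust chain of the Access Gateway SSL Virtual IP
from the Web Interface server.

Added example, not part of the original article. gateway.example.com and
SAMPLE_CERT are constructed sample values.
"""
import socket
import ssl
import sys


def hostname_matches_cert(fqdn, cert):
    """Match an FQDN against a certificate dict as returned by getpeercert().

    Uses subjectAltName dNSName entries when present (a wildcard covers one
    leftmost label only) and falls back to the subject commonName only when
    the certificate carries no DNS SAN at all.
    """
    fqdn = fqdn.lower().rstrip(".")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            # Same number of labels: the wildcard never spans two labels
            # and never matches the bare parent domain.
            if fqdn.endswith(suffix) and fqdn.count(".") == name.count("."):
                return True
        elif name == fqdn:
            return True
    return False


def verify_gateway_tls(fqdn, port=443, timeout=5):
    """Connect to the SSL Virtual IP and report (ok, detail).

    The default context validates the chain against the platform trust
    store; the name check is done separately so the two failure modes the
    article describes (untrusted root, wrong FQDN) are reported distinctly.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # reported by hostname_matches_cert below
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain does not validate (root CA not trusted?): {exc}"
    except OSError as exc:
        return False, f"cannot reach {fqdn}:{port}: {exc}"
    if not hostname_matches_cert(fqdn, cert):
        return False, "certificate on the Virtual IP does not match the FQDN"
    return True, "chain validates and certificate matches the FQDN"


# Constructed sample certificate in getpeercert() dict form
SAMPLE_CERT = {
    "subject": ((("commonName", "gateway.example.com"),),),
    "subjectAltName": (("DNS", "gateway.example.com"),
                       ("DNS", "*.ag.example.com")),
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"
    ok, detail = verify_gateway_tls(target)
    print(("OK" if ok else "FAIL") + ": " + detail)
```

Run it with the FQDN entered in the Manage Access Method dialog box as the argument; a chain error before the root certificate is imported and a success afterwards confirms the MMC import took effect for the computer account store.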