How to configure ADFS Claim Rules and StoreFront with Multiple Domains

Article ID: CTX222407

Description

How to configure ADFS Claim Rules and StoreFront with multiple domains?


Instructions

Symptoms or Errors:

Authenticating:
Error: There was a failure with the mapped account

Or

Launching:
Event 28: Failed to launch the resource "Application Name" using the Citrix XML service at address "??". The user principal name could not be found.


Requirements:

The requirements are split into two parts: the service provider domain (Domain 1) and the identity provider domain (Domain 2).

Service Provider Domain (Domain 1)

  • StoreFront 3.9
  • ADFS (Identity Provider for local domain)
    • Claim Provider Trust configured for Domain 2
    • Relying Party Trust configured for StoreFront 3.9
  • XenApp / XenDesktop 7.9 or higher
  • FAS server
  • Resource Account for the user in Domain 2
  • UPN Suffix with the

Identity Provider Domain (Domain 2)

  • ADFS (Identity Provider)
    • Relying Party Trust configured for Domain 1

Note: This article assumes that you have all the requirements installed and configured. For installation and configuration see the resources section.

Solution:

The rules below carry the user's UPN from the Identity Provider Domain's ADFS, through the Service Provider Domain's ADFS, to StoreFront as the Name ID claim; the account mapping that fails in the errors above depends on that claim arriving.

  1. Go to the ADFS of the Service Provider Domain > Trust Relationships > Claims Provider Trusts > Select the trust configured for Domain 2 > Edit Claim Rules.
  2. Click on Add Rule > Select the "Pass Through or Filter an Incoming Claim" template > Click Next > Give it a name > Select Incoming Claim Type as UPN > Select Pass through all claim values > Click OK.
  3. Add another rule > Select the "Transform an Incoming Claim" template > Click Next > Give it a name > Select Incoming claim type as UPN > Select Outgoing claim type as Name ID > Select Outgoing name ID format as Unspecified > Select Pass through all claim values > Click OK.
  4. Once done, the rule list for this Claims Provider Trust should show the two rules above.
  5. Go to the ADFS of the Identity Provider Domain > Trust Relationships > Relying Party Trusts > Select the trust configured for Domain 1 > Edit Claim Rules.
  6. Under the Issuance Transform Rules click on Add Rule > Select the "Send LDAP Attributes as Claims" template > Click Next > Give it a name > Select Active Directory as the Attribute Store > Under the LDAP Attribute select User-Principal-Name > Under the Outgoing Claim Type select UPN > Click OK.
  7. Once done, the rule list for this Relying Party Trust should show the rule above.
  8. Go to the ADFS of the Service Provider Domain > Trust Relationships > Relying Party Trusts > Select the trust configured for StoreFront > Edit Claim Rules.
  9. Under the Issuance Transform Rules click on Add Rule > Select the "Send LDAP Attributes as Claims" template > Click Next > Give it a name > Select Active Directory as the Attribute Store > Under the LDAP Attribute select User-Principal-Name > Under the Outgoing Claim Type select Name ID > Click OK.
  10. Add another rule > Select the "Pass Through or Filter an Incoming Claim" template > Click Next > Give it a name > Select Incoming Claim Type as Name ID > Select Incoming name ID format as Unspecified > Select Pass through all claim values > Click OK.
  11. Once done, the rule list for this Relying Party Trust should show the two rules above.
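As an added example (not from the Citrix article), the Service Provider Domain rules above expressed in ADFS claim rule language and applied with the ADFS PowerShell module on the Domain 1 ADFS server; the trust names 'Domain 2' and 'StoreFront' are assumed placeholders for your own. The Identity Provider Domain rule (steps 5 and 6) is the same LDAP template with UPN as the outgoing type, run on the Domain 2 ADFS server against its Relying Party Trust for Domain 1.

```powershell
# Added example, not from the Citrix article: claim-rule-language equivalents of
# steps 1-3 and 8-10 above, applied on the Service Provider Domain (Domain 1)
# ADFS server. Trust names 'Domain 2' and 'StoreFront' are placeholders.
Import-Module ADFS
$upn     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$fmt     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$unspec  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
$winAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# "Send LDAP Attributes as Claims": issue AD's userPrincipalName as $OutType. Fires only
# for users this ADFS authenticated itself (Issuer "AD AUTHORITY"), not federated ones.
function New-LdapUpnRule([string]$Name, [string]$OutType) {
@"
@RuleTemplate = "LdapClaims"
@RuleName = "$Name"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$OutType"), query = ";userPrincipalName;{0}", param = c.Value);
"@
}

# Steps 1-3, Claims Provider Trust for Domain 2: pass the incoming UPN through and
# also transform it into a Name ID with the Unspecified format.
$cpRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "$upn"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "$upn"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$fmt"] = "$unspec");
"@
Set-AdfsClaimsProviderTrust -TargetName 'Domain 2' -AcceptanceTransformRules $cpRules

# Steps 8-10, Relying Party Trust for StoreFront: local users get their Name ID from AD,
# federated users keep the Name ID issued by the claims provider rules above.
$sfRules = (New-LdapUpnRule 'Name ID from AD' $nameId) + @"

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "$nameId", Properties["$fmt"] == "$unspec"]
 => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName 'StoreFront' -IssuanceTransformRules $sfRules

# Check: each trust should now list exactly the rules set above.
(Get-AdfsClaimsProviderTrust -Name 'Domain 2').AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name 'StoreFront').IssuanceTransformRules
```

Both -AcceptanceTransformRules and -IssuanceTransformRules replace the trust's entire rule set, so read the existing rules with the Get-Adfs* cmdlets first and merge them in if the trust already has others.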


Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Issue/Introduction

This article explains how to configure ADFS Claim Rules and StoreFront with multiple domains.

Additional Information