FAQ: Configuring Authentication at StoreFront using NetScaler Gateway

Article ID: CTX223882

Description

What is this feature?

The aim of this new feature is to reduce NetScaler configuration complexity by letting NetScaler authenticate users against StoreFront (which in turn uses LDAP) instead of NetScaler Gateway performing its own LDAP query to an Active Directory server. The NetScaler configuration is performed using the XenApp / XenDesktop wizard on the NetScaler, and only a minimal amount of information is required from the administrator to complete it: the FQDN of the StoreFront server and the name of the domain where users authenticate.


What components are required to implement this feature?

  • NetScaler 12
  • StoreFront 3.11
  • XenApp/XenDesktop 7.x
  • Receiver for Windows 4.4.0 or later

What are the supported customer environments?

  • The StoreFront server must be in the same forest as the users’ domains.
  • The StoreFront server must be trusted by all other domains used for logon.
  • Authenticating users through the XML service on the DDCs (XenApp/XenDesktop Delivery Controllers) is not supported.
  • The domain infrastructure must have DNS suitable for locating Domain Controllers and Global Catalog servers from the users’ domain names.
  • The Active Directory servers resolved this way should have low latency, so that performance is reasonable without manually configuring specific servers to query.

The above requirements are expected to cover the majority of customer environments. If any of them is not met, StoreFront cannot work automatically without additional configuration. The customer should then use a custom LDAP query from their NetScaler, which can specify service accounts with the relevant trust and target an appropriate AD server.


What is the Communication Flow?

The following is a diagram of the communication flow:

[Diagram of the communication flow; not reproduced here]

The web browsers and native clients connecting to NetScaler will use the existing logon process.

The communication between NetScaler and StoreFront uses a JSON protocol to pass the username, the password and the list of configured user account attributes.

Finally, StoreFront will handle the request by taking the credentials and using its existing Explicit Logon component to verify the user credentials and look up the specified account attributes from Active Directory.


What authentication flows are supported?

There are three supported authentication flows:

Username & Password Authentication

Verifies the user’s credentials and supports returning additional account attributes from Active Directory.

Note: Only user name and password authentication is supported.

Elective Password Change

After a successful logon the user may choose to change their password.

Expiring Password Change

When a user initially logs on, the response from StoreFront indicates whether their password is expiring and how many days remain until it expires. You may choose to force the user to change their password at this point, or just alert them to their imminent password expiry.


How can I trace this feature?

To enable tracing of the JSON service in StoreFront, perform the following:

  1. Find the Web.config file in the Auth folder for your store. For example:

    C:\inetpub\wwwroot\Citrix\storeAuth\web.config

  2. Open the Web.config in a text editor and change

     <add name="Citrix.DeliveryServices.ExplicitCore" value="Error" />

    to

     <add name="Citrix.DeliveryServices.ExplicitCore" value="Verbose" />

  3. Save the Web.config.

  4. Once the file is saved, perform an iisreset. From the command line run:
    C:\iisreset.exe

To enable tracing of the Default Domain Service:

  1. The Default Domain Service performs the low-level authentication, password change and AD query operations. With a text editor, open the service’s configuration file located at:
    C:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe.config

  2. Change the line
    <add name="Citrix.DeliveryServices.Explicit" value="Error" />
    to
    <add name="Citrix.DeliveryServices.Explicit" value="Verbose" />

  3. Save the file.

  4. Restart the service by opening the Windows Services application and finding the service called “Citrix Default Domain Service”.

  5. Right-click the service and select Restart.
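Both procedures above edit the same kind of System.Diagnostics trace switch, so here is an added PowerShell example (not from the Citrix article) that makes the change for either file with a backup and a restart; the function name, the -Level parameter and the assumption that the switch lives under a <switches> element are choices made here, while the paths and switch names are those the article lists.

```powershell
# Added example, not from the Citrix article: set a trace switch in a StoreFront .config file.
# Assumes the <add name="..." value="..."/> switch sits under <switches> (standard .NET layout).
function Set-StoreFrontTraceSwitch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$SwitchName,
        [ValidateSet('Error', 'Verbose')][string]$Level = 'Verbose'
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true            # keep the file's formatting and comments intact
    $xml.Load($ConfigPath)
    # Only trace switches are matched, not other <add> elements such as appSettings
    $node = $xml.SelectSingleNode("//switches/add[@name='$SwitchName']")
    if (-not $node) { throw "Trace switch '$SwitchName' not found in $ConfigPath" }
    if ($node.GetAttribute('value') -eq $Level) {
        Write-Verbose "$SwitchName is already set to $Level"
        return
    }
    if ($PSCmdlet.ShouldProcess($ConfigPath, "set $SwitchName to $Level")) {
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a copy to revert
        $node.SetAttribute('value', $Level)
        $xml.Save($ConfigPath)
    }
}

# Steps 1-3 of both procedures; "storeAuth" is the article's example store name
Set-StoreFrontTraceSwitch -ConfigPath 'C:\inetpub\wwwroot\Citrix\storeAuth\web.config' `
    -SwitchName 'Citrix.DeliveryServices.ExplicitCore' -Level Verbose
Set-StoreFrontTraceSwitch -ConfigPath 'C:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe.config' `
    -SwitchName 'Citrix.DeliveryServices.Explicit' -Level Verbose

# Step 4 of each procedure: restart the hosts so the new switch values are read
iisreset
Restart-Service -DisplayName 'Citrix Default Domain Service'
```

Run the same two calls with -Level Error (and restart again) once the trace has been collected, since Verbose tracing logs every logon attempt.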


How do I review the trace?

To view the traces, use the Sysinternals DebugView application to monitor the IIS authentication Store application and the Default Domain Service in real time.

  1. Download DebugView from:
    https://technet.microsoft.com/en-us/sysinternals/debugview.aspx

  2. Extract the zip on your StoreFront server and run the executable.

  3. Once DebugView is open, in its Capture menu turn on the Capture Win32 and Capture Global Win32 options.

  4. Try authenticating or perform a password change.

  5. If the password change fails, you should see a change-password error code similar to the sample below:
    Change Password Result was: ReasonWasXXX.

What is the expected trace output when a user authenticates?

For a successful authentication you should expect to obtain a trace like:

[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Authentication Attempt for user: test@test.com 
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] User can change their password
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Password Restrictions from test.test.com: Age [Min: 0 Max: -1] s, Min length: 1
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Max password duration: -1
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Authentication Result was: Success


What is the expected trace output for a combined user authentication plus password change?

For a successful password change, you should get a trace like:

[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Authentication Attempt for user: test@test.com 
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] User can change their password
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Max password duration: -1
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Authentication Result was: Success 
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Change Password Attempt for user: test@test.com
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Attempting to change password for: test@test.com
[2992] Citrix.DeliveryServices.Explicit Information: 0 :
[2992] test@test.com successfully changed their password.
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Change Password Result was: Success 
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Authentication Attempt for user: test@test.com
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] User can change their password
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Max password duration: -1
[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :
[2992] Authentication Result was: Success
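Reading a long DebugView capture by eye is tedious, so here is an added PowerShell example (not from the Citrix article) that pairs each Attempt line with the Result line that follows it and lists anything that did not succeed; the function and property names are chosen here, and the sample lines are constructed in the format shown above.

```powershell
# Added example, not from the Citrix article: summarise a DebugView capture of the
# Citrix.DeliveryServices.Explicit trace (the lines shown above, or a file saved from DebugView).
function Get-ExplicitTraceSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $user = $null
    foreach ($line in $Lines) {
        # Drop DebugView's sequence/time columns and "[pid] " prefix, plus trailing space or period
        $text = ($line -replace '^.*?\[\d+\]\s*', '').Trim().TrimEnd('.')
        switch -Regex ($text) {
            '^(Authentication|Change Password) Attempt for user:\s*(\S+)$' {
                $user = $Matches[2]; break          # remember who the next Result belongs to
            }
            '^Authentication Result was:\s*(\S+)$' {
                [pscustomobject]@{ User = $user; Operation = 'Authenticate'; Result = $Matches[1] }; break
            }
            '^Change Password Result was:\s*(\S+)$' {
                [pscustomobject]@{ User = $user; Operation = 'ChangePassword'; Result = $Matches[1] }; break
            }
        }
    }
}

# Constructed sample in the article's format: one good logon followed by a failed password change
$sample = @(
    '[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :',
    '[2992] Authentication Attempt for user: test@test.com',
    '[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :',
    '[2992] Authentication Result was: Success',
    '[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :',
    '[2992] Change Password Attempt for user: test@test.com',
    '[2992] Citrix.DeliveryServices.Explicit Verbose: 0 :',
    '[2992] Change Password Result was: ReasonWasXXX.'
)
$summary = Get-ExplicitTraceSummary -Lines $sample
$summary | Format-Table -AutoSize

# Anything other than Success is the line to chase in the full trace (or in the domain password policy)
$summary | Where-Object Result -ne 'Success'
```

For a saved capture use `Get-ExplicitTraceSummary -Lines (Get-Content .\trace.log)`.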


Can the Explicit JSON service be disabled?

The Explicit JSON service is enabled by default. You can use the following script to disable the integrated NetScaler Gateway authentication service that allows NetScaler Gateway to authenticate users directly with StoreFront. This script disables all explicit JSON services on a StoreFront server.

# Wrap the result in an array so a single store is handled the same way as several
$stores = @(Get-STFStoreService)
foreach ($store in $stores) {
  # Each store has its own authentication service; "explicitBL" is the explicit
  # (username and password) protocol whose JSON service NetScaler Gateway calls
  $auth = Get-STFAuthenticationService -StoreService $store
  $auth.AuthenticationSettings["explicitBL"].JsonServiceEnabled = $false
  Save-STFService $auth
}

If you disable the Explicit JSON service and later need to re-enable it, you can use the following script, which enables all explicit JSON services on a StoreFront server.

# Same loop as above; only the JsonServiceEnabled value differs
$stores = @(Get-STFStoreService)
foreach ($store in $stores) {
  $auth = Get-STFAuthenticationService -StoreService $store
  $auth.AuthenticationSettings["explicitBL"].JsonServiceEnabled = $true
  Save-STFService $auth
}


Issue/Introduction

This article answers some of the most frequently asked questions on configuring authentication at StoreFront using NetScaler Gateway.
