Citrix Storefront, Server Group Join

This week, during a Citrix Storefront upgrade, I ran into an error when joining a Citrix Storefront server to a Storefront server group.
In the upgrade I followed this process:


• Disable Server A in the Citrix NetScaler configuration
• Remove Server A from the Citrix Storefront Group
• Reboot Server A
• Upgrade Citrix Storefront on Server A
• Enable Server A in the Citrix NetScaler configuration
• Disable Server B in the Citrix NetScaler configuration
• Uninstall Citrix Storefront on Server B
• Install the new Citrix Storefront version on Server B
• Join Server B to the Citrix Storefront Server Group

When doing the Join Citrix Storefront Server Group step I got this error:

When examining the Windows Event log I found this error:

That didn't help me, as it does not explain what was going on.

After some trial and error, I finally found this in the Citrix Storefront log files (C:\Program Files\Citrix\Receiver StoreFront\Admin\logs):

After searching for the "Cannot load Counter…" message I got a hit on rebuilding the performance counter registry with the command "lodctr /r" in an elevated (admin) command prompt. lodctr /r rebuilds the counter settings from the system backup store, so it must be run with administrative rights.

After the rebuild of the performance counters there was no problem joining the Citrix Storefront Server Group.

Citrix NetScaler, EntraID – SAML

Yes, I am back. Sorry, but due to a lot of work I have not had the time to write new blogs.

This blog is about using EntraID with SAML for the NetScaler authentication. To configure this I normally look at this: https://www.deyda.net/index.php/en/2023/09/08/saml-authentication-between-citrix-microsoft-with-azure-mfa/. Thanks to Manuel Winkel for writing a good blog post on how to configure this.

I was called out to a customer to change their authentication to SAML with EntraID. I did the configuration as described in Manuel's blog post. When we tested, it worked for some users but failed for other users, with this Storefront error:

In Citrix Storefront this is basically a “General Error”. Something went wrong but we don’t know what.

After some investigation I found that the users that were failing did not have a matching SamAccountName and UserPrincipalName. When we configure SAML with EntraID we are sending the UserPrincipalName as the login name to Citrix Storefront, but the domain was not able to log those users on. After searching for a way to change this I found a lot of people writing about the same problem, but no solutions.

I found a way to send the SamAccountName from EntraID to the NetScaler in the SAML response by configuring the following.

In the EntraID Enterprise Application I changed this:

Change to “user.onpremisessamaccountname”

In the NetScaler SAML Profile I set this:

After changing this, all users were able to log on and get their Citrix applications/desktops.
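As an added example (not the page's or Citrix's code), the following Python script shows the two halves of the problem: what identifier a SAML response actually carries, and which AD accounts will differ when the IdP sends the UserPrincipalName while the backend expects the sAMAccountName. The SAML response and the directory export are constructed sample data; the attribute name "onpremisessamaccountname" is an assumed claim name (whatever you called the claim in the enterprise application), and signature validation is out of scope.

```python
"""Added example, not the page's code: inspect a SAML response and pre-check
UPN/sAMAccountName drift. SAMPLE_RESPONSE and SAMPLE_DIRECTORY are constructed;
the claim name 'onpremisessamaccountname' is an assumption about how the
claim was named in the Entra ID enterprise application."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned SAML response: NameID carries the UPN, a second
# attribute carries the on-premises sAMAccountName.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.doe@contoso.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="onpremisessamaccountname">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>citrix-users</saml:AttributeValue>
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed directory export: one account whose UPN prefix is not its sAMAccountName.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@contoso.com"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@contoso.com"},
    {"sAMAccountName": "MBrown", "userPrincipalName": "mbrown@contoso.com"},
]


def parse_response(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 Response."""
    root = ET.fromstring(xml_text)
    el = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    name_id = el.text.strip() if el is not None and el.text else None
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def login_name(name_id, attrs, user_field=None):
    """Username the service provider hands to the backend: the NameID by
    default, or the first value of a chosen assertion attribute."""
    if user_field and attrs.get(user_field):
        return attrs[user_field][0]
    return name_id


def upn_prefix_matches_sam(user):
    """True when the part of the UPN before '@' equals the sAMAccountName (case-insensitive)."""
    upn, sam = user["userPrincipalName"], user["sAMAccountName"]
    return upn.split("@", 1)[0].casefold() == sam.casefold()


def users_needing_samaccountname(directory):
    """UPNs of accounts that break when the IdP sends only the UPN:
    the ones whose UPN prefix and sAMAccountName differ."""
    return [u["userPrincipalName"] for u in directory if not upn_prefix_matches_sam(u)]


if __name__ == "__main__":
    nid, attrs = parse_response(SAMPLE_RESPONSE)
    print("NameID in assertion:        ", nid)
    print("login using NameID:         ", login_name(nid, attrs))
    print("login using sAMAccountName: ", login_name(nid, attrs, "onpremisessamaccountname"))
    print("accounts to check before cutover:", users_needing_samaccountname(SAMPLE_DIRECTORY))
```

Run the mismatch check against a real export (for example the output of Get-ADUser with both properties) before switching the authentication method, so you know in advance which accounts depend on the sAMAccountName claim being sent.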

Citrix ADC, LDAP Test Fails

Since Citrix started protecting ns.conf with the KEK keys, I have noticed that "Test Network connectivity" throws an error in the GUI:

Well, how do we then test the LDAP configuration and connection?

This can be done from the CLI, in shell mode 😊

From the shell mode you can run the following command to test the LDAP configuration:

ldapsearch -b "DC=contoso,DC=com" -D "user1@contoso.com" -h 192.168.1.1 -p 389 -w "Password1"

If your username and password are not valid you will get something like this:

If there is a connection to a Domain Controller and the username and password are valid, you will receive information about the users in Active Directory.

So, we can use the CLI shell mode to test the LDAP connection and validate the username and password. But there is one problem: to test, we need to type the password in clear text. In my blog "NetScaler CLI, Watch Out" I wrote about the "history" of the CLI commands and that passwords in clear text are stored until the Citrix ADC is rebooted.

We have the same problem when we test the LDAP connection from the CLI in shell mode. If I run the "history" command I get this:

My recommendation is therefore to create a temporary user account on the Citrix ADC, run the LDAP test command as that user, and finally remove the temporary user account again.

That way the LDAP user's password cannot be read back through the "history" command.
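An added example, not the page's code, of a different way to keep the password out of the record: a small Python 3 wrapper around ldapsearch that prompts for the bind password and passes it through a mode-0600 temporary file with the -y option, so the password never appears on a command line, in shell history, or in ps output, and then maps ldapsearch's exit status to a verdict. It assumes the ldapsearch in use is OpenLDAP's (which is what -x, -H, -y and the exit codes 0 / 49 / 255 refer to) and that Python 3 is available where you run it; on a NetScaler shell both are assumptions you should check first. Host, base DN and bind DN are placeholders taken from the command above.

```python
"""Added example, not from the page: test an LDAP bind without leaving the
password in shell history or the process list.
Assumes OpenLDAP's ldapsearch (for -x, -H, -y and its exit codes)."""
import getpass
import os
import subprocess
import sys
import tempfile

# OpenLDAP's ldapsearch exits with the LDAP result code; "can't contact" (-1) shows as 255.
VERDICTS = {
    0: "bind OK: connection, username and password are all valid",
    49: "invalid credentials: connection OK, username or password rejected",
    255: "cannot contact server: check IP, port and firewall",
}


def classify_exit_status(rc):
    """Human-readable verdict for an ldapsearch exit status."""
    return VERDICTS.get(rc, "ldapsearch exit status %d: see stderr" % rc)


def build_ldapsearch_cmd(host, base_dn, bind_dn, password_file, port=389):
    """Command line that carries the password *file*, never the password itself."""
    return [
        "ldapsearch", "-x",                        # -x: simple bind instead of SASL
        "-H", "ldap://%s:%d" % (host, port),
        "-D", bind_dn,
        "-y", password_file,                       # bind password read from file
        "-b", base_dn, "-s", "base",               # base-scope search is enough to prove the bind
        "(objectClass=*)", "1.1",                  # 1.1: request no attributes, keep output short
    ]


def write_password_file(password):
    """Create a 0600 temp file holding the password; the caller removes it."""
    fd, path = tempfile.mkstemp(prefix="ldaptest-")
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, password.encode())
    finally:
        os.close(fd)
    return path


def check_ldap_bind(host, base_dn, bind_dn, password, port=389):
    """Run the test; return (exit status, verdict, stderr text)."""
    path = write_password_file(password)
    try:
        cmd = build_ldapsearch_cmd(host, base_dn, bind_dn, path, port)
        proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
        return proc.returncode, classify_exit_status(proc.returncode), proc.stderr.strip()
    finally:
        os.remove(path)                            # password file lives only for the one call


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"     # placeholder
    base_dn, bind_dn = "DC=contoso,DC=com", "user1@contoso.com"     # placeholders
    pw = getpass.getpass("Bind password for %s: " % bind_dn)        # not echoed, not in argv or history
    rc, verdict, err = check_ldap_bind(host, base_dn, bind_dn, pw)
    print(verdict)
    if err:
        print(err)
    sys.exit(0 if rc == 0 else 1)
```

The prompt is the important part: the only thing that reaches the shell history is the script invocation, and the only thing in the process list while ldapsearch runs is the path of a file nobody else can read. If you stay with the plain ldapsearch command instead, the same -y (or the interactive -W) option achieves the first half of this on OpenLDAP builds.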

Citrix ADC, DTLS DDoS

Some customers currently experience high outgoing traffic from their Citrix ADC/NetScalers. Citrix has written more about this in their article here:

Threat Advisory – DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway

The fix is to upgrade to one of these versions:

  • Citrix ADC and Citrix Gateway 13.0-71.44 and later releases
  • NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases
  • Citrix ADC 12.1-FIPS 12.1-55.210 and later releases
  • NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases

Or you can disable DTLS.

In their article it is described how to disable DTLS on the Citrix Access Gateway vServer configuration, but if you have a Content Switch in front, this will not do it, as the client session is terminated on the Content Switch vServer.

A quick test to show that:

My Content Switch vServer configuration:

My Access Gateway vServer configuration:

When I make a Citrix Session, I get this:

As you can see, this Citrix session is using DTLS.

If you have a Content Switch in front of your Access Gateway, you need to disable DTLS on the Content Switch vServer configuration as well, or else you are still vulnerable to the DDoS attack. This is missing from the Citrix article.
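An added example, not the page's or Citrix's code, for the quick test above: a Python script that sends a bare DTLS ClientHello (no cookie) to a vServer's UDP port and reports what, if anything, answers. A vServer with DTLS disabled on the Content Switch stays silent; one still serving DTLS answers, per RFC 6347 normally with a HelloVerifyRequest carrying a cookie (handshake type 3), which is the mechanism that keeps cookieless ClientHellos from being amplified into a full ServerHello flight. The host name is a placeholder; UDP port 443 and the cipher suite list are assumptions, and the ClientHello is deliberately minimal (no extensions).

```python
"""Added example (not the page's code): probe whether a NetScaler vServer still
answers DTLS on its UDP port. Target host and port below are placeholders."""
import os
import socket
import struct
import sys

DTLS_1_0 = b"\xfe\xff"   # record-layer version used for the first ClientHello
DTLS_1_2 = b"\xfe\xfd"   # client_version offered inside the hello

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 3: "HelloVerifyRequest"}

# A few common suites (assumed list); enough for the server to decide whether to answer.
CIPHER_SUITES = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f\x00\x35"


def u24(n):
    """24-bit big-endian length field used in DTLS handshake headers."""
    return struct.pack("!I", n)[1:]


def build_client_hello(cookie=b""):
    """One DTLS record holding a complete, unfragmented ClientHello."""
    body = (
        DTLS_1_2
        + os.urandom(32)                          # client random
        + b"\x00"                                 # session_id: empty
        + bytes([len(cookie)]) + cookie           # cookie: empty on the first flight
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                             # compression methods: null only
    )
    handshake = (
        b"\x01" + u24(len(body))                  # msg_type ClientHello, message length
        + b"\x00\x00"                             # message_seq 0
        + b"\x00\x00\x00" + u24(len(body))        # fragment_offset 0, fragment_length = whole message
        + body
    )
    # record header: content type(1) version(2) epoch(2) sequence number(6) length(2)
    return b"\x16" + DTLS_1_0 + b"\x00\x00" + b"\x00" * 6 + struct.pack("!H", len(handshake)) + handshake


def parse_record(data):
    """Decode the first DTLS record in a datagram; None if it is not a complete record."""
    if len(data) < 13:
        return None
    length = struct.unpack("!H", data[11:13])[0]
    body = data[13:13 + length]
    if len(body) != length:
        return None
    kind = CONTENT_TYPES.get(data[0], "unknown")
    hs = HANDSHAKE_TYPES.get(body[0], "other") if kind == "handshake" and body else None
    return {"type": kind, "version": data[1:3], "handshake": hs, "length": length}


def probe_dtls(host, port=443, timeout=3.0):
    """Send a cookieless ClientHello; return the parsed reply, or None on silence."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_client_hello(), (host, port))
        data, _ = sock.recvfrom(4096)
    except OSError:                               # timeout or ICMP port unreachable: no DTLS listener
        return None
    finally:
        sock.close()
    return parse_record(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.contoso.com"   # placeholder
    reply = probe_dtls(target)
    if reply is None:
        print("no DTLS answer from %s: DTLS looks disabled on this vServer" % target)
    else:
        print("DTLS is still served by %s: %s %s" % (target, reply["type"], reply["handshake"]))
```

Run it against the Content Switch vServer's IP after disabling DTLS on the Access Gateway vServer alone: a HelloVerifyRequest or ServerHello coming back is the same evidence as the DTLS session in the screenshot above, only without needing a Citrix client.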

Citrix ADC, Storefront SSO

With the release of Citrix ADC 13.0 build 64.35, Citrix has made a change to the "Single Sign-on to Web Application" setting in the Session Profiles:

This is new and can affect the SSO to Citrix Storefront. In my test environment, after upgrading to 13.0 build 64.35, I got this error when logging in to the Access Gateway:

There were no errors in the event viewer on the Storefront server to help me.

In the release notes for ADC 13.0 build 64.35, Citrix state the following:

Title: Support to disable the weak Basic, Digest, and NTLM authentication globally

The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.

– Basic authentication

– Digest Access Authentication

– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

[ NSAUTH-7747 ]

I got my test environment working again with a simple traffic profile and traffic policy that turns SSO on for the Storefront traffic.

Traffic profile:

Traffic policy:

Just bind the policy to the Access Gateway vServer, and you will not get the Storefront error 😊

CLI commands:

add vpn trafficAction traf_prof_sf_sso http -SSO ON

add vpn trafficPolicy traf_pol_sf_sso true traf_prof_sf_sso

bind vpn vserver <NAME> -policy traf_pol_sf_sso -priority 100 -gotoPriorityExpression END -type REQUEST
