Citrix Workspace Okta

In this post I wanted to discuss the use of Citrix Enlightened Data Transport (EDT) with Citrix Gateway Service. This feature has been available with Citrix ADC for quite some time, but it is new for Gateway Service. I wanted to take you step by step through configuring EDT and Adaptive Transport with Gateway Service, and also discuss the system requirements needed to get you up and running.

Citrix Workspace can be reached both internally and externally by utilizing Citrix NetScaler Gateway. It also provides multiple authentication methods such as Okta (Okta Verify, Google Authenticator, SMS authentication, e-mail authentication, voice authentication) and smart card, and it interacts with the Citrix Workspace App. Okta integrates with Citrix Workspace to provide Single Sign-On (SSO) and Adaptive Multi-Factor Authentication (MFA), enabling a unified and secure workspace for each employee. With apps, files, and other resources accessed in one convenient location, employees stay engaged and productive throughout the workday.

What is Adaptive Transport

Adaptive Transport is a proprietary transport protocol that functions well on high-latency networks, which TCP alone finds challenging. The protocol is adaptive and can switch between UDP (EDT) and TCP based on network conditions, in order to ensure the best experience for HDX users.


Enlightened Data Transport System Requirements

  • VDA 1912 or later
  • Rendezvous protocol must be enabled and working (we cover this next)
  • Ports UDP 443 and TCP must be open outbound from the VDA to the Internet
  • Adaptive Transport must be enabled
  • EDT is supported on all supported OSs. Citrix recommends Windows 10 and Windows Server 2019 when running EDT with Citrix Gateway Service
  • Latest Workspace App version (1908 or above for parallel connections)

Configuring Rendezvous Protocol

When configuring the Rendezvous protocol for use with the Citrix CVAD Service, the following is required.

  • VDA 1912 or later
  • Enable the Rendezvous protocol in the Citrix policies in Studio
  • The Cloud Connectors must obtain the VDA’s FQDN when brokering a session. This is achieved with the following PowerShell commands:
    • asnp citrix*
    • Get-XdAuthentication


Set DNS resolution to True:

Set-BrokerSite -DnsResolutionEnabled $True

To check that the DNS setting is configured correctly, run Get-BrokerSite.

DnsResolutionEnabled should now be set to True.
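The three steps above (load the snap-ins, authenticate, flip DnsResolutionEnabled and read it back) as one script. This is an added example, not code from the original post; it assumes the Citrix Remote PowerShell SDK is installed and that the account used for Get-XdAuthentication is a Citrix Cloud administrator.

```powershell
# Added example (not from the original post): enable DNS resolution on the
# CVAD Service broker site and verify the change, which is the prerequisite
# for Cloud Connectors to hand the VDA FQDN to clients for Rendezvous.
# Assumes: Citrix Remote PowerShell SDK installed, Citrix Cloud admin account.

# asnp is the alias for Add-PSSnapin; stop if the snap-ins are missing
Add-PSSnapin Citrix* -ErrorAction Stop

# Interactive Citrix Cloud logon for this PowerShell session
Get-XdAuthentication

$site = Get-BrokerSite
if (-not $site.DnsResolutionEnabled) {
    Write-Host "DnsResolutionEnabled is False on site '$($site.Name)'; enabling it"
    Set-BrokerSite -DnsResolutionEnabled $true
}

# Re-read the setting rather than trusting the Set call succeeded silently
$site = Get-BrokerSite
if ($site.DnsResolutionEnabled) {
    Write-Host "OK: DnsResolutionEnabled is True (Rendezvous prerequisite met)"
} else {
    throw "DnsResolutionEnabled is still False; check the SDK session and your permissions"
}
```

Re-reading the value after Set-BrokerSite is deliberate: the cmdlet returns nothing on success, so the only proof that the change landed is the second Get-BrokerSite.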


Citrix Policy Requirements

Now that the DNS settings are complete, we need to ensure the Citrix policies are also set for the Rendezvous protocol. (The Rendezvous protocol allows HDX sessions to bypass the Citrix Cloud Connector and connect directly and securely to the Citrix Gateway service.)

Please see more detail here: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html

To set the Citrix policy, open Citrix Studio and create a new policy for the Rendezvous protocol.

Set it to Enabled, and also enable Adaptive Transport.

Let's also set up Session Reliability as our final policy requirement. Enabling Session Reliability allows users to automatically reconnect to Citrix sessions after a disruption.

Now that the Rendezvous protocol is set up, let's move on to complete the setup to allow the use of EDT.

Open the Microsoft Group Policy Management console and create a policy that lets you set the cipher suite order for the VDA workloads. Choose Computer Configuration, Network, SSL Configuration Settings, SSL Cipher Suite Order.

Let's now check that the settings are working as expected.

Within the HDX session, launch a desktop and open PowerShell.

The transport protocols in use are displayed as shown below when EDT is successfully being used.

It is also possible to check via Director.

In this scenario:
  • On-prem AD users were migrated to Azure ADDS
  • Individual users are specified to allow access to the application (refer to the section "Configure the Okta OIDC web application", Step 4, in this article: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/okta-identity.html)
  • Credentials from Azure ADDS are used to log on at the Citrix Cloud Workspace URL

Solution

Correct the SID in the user's attribute in the Okta console so that it matches the one used during Workspace URL logon.

Problem Cause

This can happen due to a SID mismatch in the individual user's SID attribute specified in the Okta console.
Additionally, you will see the following error in the DDC trace, where the DDC (Broker) is unable to look up the SID in Azure ADDS:
xxxxxxx,1,yyyy/mm/dd hh:mm:ss.xxxxx,xxxx,xxxx,x,BrokerDAL,1,Error,'AccountNameCache::TrySyncUniversalClaimsForAccount: ERROR SID:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX not found using Identity API Exception:Citrix.Fma.Sdk.Identity.Interface.IdentityLookupFailureException: The lookup failed as the domain 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX' could not be located ---> Citrix.Fma.Sdk.Identity.Interface.IdentityNotFoundException: [customer id] Specified domain 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX' was not found in: [Name:domainname.com NetBiosName:domainname SID:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX]
The Broker expects the user SID from Azure ADDS and not the one from on-prem Active Directory.
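A quick way to confirm this cause before touching Okta is to pull the SID out of the trace line and compare its domain portion with the domain SID the Broker can actually resolve. The script below is an added example, not part of the Citrix article; the trace line in it is constructed with placeholder values, and it assumes the ActiveDirectory module (RSAT) is available on a machine joined to the Azure ADDS domain.

```powershell
# Added example (not from the Citrix article): extract the user SID from a
# BrokerDAL trace line, derive its domain SID, and compare with the domain SID
# of the domain this machine is joined to (Azure ADDS in the scenario above).
# The trace line is constructed with placeholder numbers; paste a real one in.
$traceLine = "xxxxxxx,1,yyyy/mm/dd hh:mm:ss.xxxxx,xxxx,xxxx,x,BrokerDAL,1,Error," +
    "'AccountNameCache::TrySyncUniversalClaimsForAccount: ERROR SID:" +
    "S-1-5-21-1111111111-2222222222-3333333333-1105 not found using Identity API"

# A user SID is the domain SID followed by one trailing RID, so stripping the
# last component gives the domain the identity provider believes the user is in.
if ($traceLine -match 'ERROR SID:(?<userSid>S-1-5-21-\d+-\d+-\d+-\d+)') {
    $userSid   = $Matches.userSid
    $domainSid = $userSid -replace '-\d+$', ''
    Write-Host "User SID in trace  : $userSid"
    Write-Host "Domain SID derived : $domainSid"
} else {
    throw "No S-1-5-21 SID found in the trace line"
}

# Domain SID of the domain the DDC / Cloud Connectors resolve against.
# Requires RSAT ActiveDirectory on this machine (assumption).
Import-Module ActiveDirectory -ErrorAction Stop
$expectedDomainSid = (Get-ADDomain).DomainSID.Value

if ($domainSid -eq $expectedDomainSid) {
    Write-Host "Domain SID matches; the SID attribute in Okta points at the right domain"
} else {
    Write-Warning ("Domain SID mismatch: Okta sends a SID from '$domainSid' but the broker " +
                   "resolves '$expectedDomainSid'. Fix the user's SID attribute in the Okta console.")
}

# Finally, confirm whether the exact user SID exists in the reachable domain
$user = Get-ADUser -Identity $userSid -ErrorAction SilentlyContinue
if ($user) {
    Write-Host "User found in reachable domain: $($user.SamAccountName)"
} else {
    Write-Warning "No account with SID $userSid in the reachable domain"
}
```

Run this from a Cloud Connector or any domain-joined admin workstation; a domain-SID mismatch with no matching user confirms the Okta attribute still carries the on-prem AD SID rather than the Azure ADDS one.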
