Why does Netscaler 10.5 make users logon to 2 different times?

Hello:

We are using Citrix XenApp 6.0 and Citrix Netscaler 10.5.  We just recently updated to Netscaler 10.5 from Netscaler 10.1.  

When we were using Netscaler 10.1 our users only needed to logon 1 time from the Citrix Web portal.  Now with Citrix Netscaler 10.5, our users still must open the same web page (https://portal.company.net); but, they are re-directed to a Citrix Netscaler VPN page and then after they logon successfully, the user is redirected to a Citrix XenApp page.  Then the user must enter the exact same user id as from the 1st page.  Our users are finding these 2 web page prompts to be redundant and a waste of their time.  I must admit that I agree with the users.

When we were using Netscaler 10.1, our users opened the same web page (https://portal.company.net); but, they were then re-directed to a XenApp-Remote web logon page immediately.   Then the user just entered their company username/password from that 1st page and then they were able to access the company applications.

The Citrix expert that I worked with told me that there are 8 years of code updates between 10.1 and 10.5 and that the extra logon web page is put in by design.  It is intended to add an extra layer of authentication and there is nothing that we can do about it.  

1.  The 2 web logon pages look almost exactly the same (close enough).
         a.  If one notices the actual web address, the web logon pages are actually different.

2.  Both of the web logon pages require the company username and password to authenticate in.
         a.  So one is entering in their username/password 2 times.

3.  After you enter your username/password on the first page, one is re-directed to the 2nd page.
       a.  It looks as if the original page just refreshed itself and you just need to enter your username and password again because it did not take the first time.
       b.  After one enters their username/password on the 2nd page, one is able to access the company applications.
       c.  And one cannot just copy the web address for the 2nd page and try to cheat the system; that will not work.


My questions are:

1.  Are 2 web logon portal pages put in by design on Citrix Netscaler 10.5?

2.  Is there any way to only use 1 logon web page for authentication with Netscaler 10.5?
        a.  If yes, then what are we risking?

3.  I guess I am questioning the architecture or design of this security measure and the software work-flow.

4.  For what it is worth, we are planning on building a new Citrix Farm next week (XenApp 6.5).  Could anything be done to make a single sign on for Netscaler 10.5 if it is working with Citrix 6.5?
Pkafkas (Network Engineer) asked:
joharder commented:
You may be able to get around this by configuring Traffic / Content Switching policies.
Dirk Kotte (SE) commented:
1. Two authentication pages are not by design. You can authenticate at the NetScaler and pass these credentials to the backend.
If pass-through doesn't work, possibly you are requested a second time for username/password.

2. The other option - pass the whole request to the backend directly - should work with 10.5 also, but is less secure.

4. Use StoreFront instead of Web Interface with XenApp 6.5 ... SF and NetScaler work great with credential pass-through.

PS: Consider using XenApp 7.6 instead of 6.5. It is the most current version and it works great.

Pkafkas (Network Engineer, Author) commented:
Hello dkotte,

Do you have any proof that 2 logon pages are not by design?  I know it seems like common sense; but, do you know of anyone else that uses Netscaler 10.5 that does not have 2 logon pages?

If the pass-through does not work, how can we get it to work?  Do we need to have a Citrix Consultant look at that problem?

Also, the only reason that we are updating to Citrix XenApp 6.5 instead of 7.6 is because one of our software vendors recommended that we go to 6.5.  This software vendor has not tested their application (that we need) with any later versions.

But let's focus on the Netscaler situation.  2 logons is annoying for our users.  How can we make 1 logon work?  Do we need to speak with another Citrix expert than the one that set up the current Netscaler?

Will we be able to get 1 logon screen with Storefront instead of Web Interface Gateway?
btan (Exec Consultant) commented:
1.  Are 2 web logon portal pages put in by design on Citrix Netscaler 10.5?
> I do not think so, as in the forum there is mention of a double login issue, though in a VDI-in-a-Box setup. They solved that via a change in URL and domain setting. So I am very doubtful, and I do not see any official doc unless Support can lead you to that.
 http://discussions.citrix.com/topic/358125-single-sign-on-problems-nsg-105-viab-54/?p=1851020

2.  Is there any way to only use 1 logon web page for authentication with Netscaler 10.5?
        a.  If yes, then what are we risking?
> Suggest we explore the forum sharing and look into the Traffic policy under the Gateway and its binding with an (esp. Form) SSO Profile. http://discussions.citrix.com/topic/365044-single-sign-on-to-web-applications-web-siteserver-requirements/
> Otherwise, I do see that use of a certificate may be another alternative, but leave that in the future roadmap, as this requires users having a client cert, which can be not straightforward and is new to the deployment to venture with this upgrade - still not stabilised yet. No risk with staging done instead, and just make sure there is no short change (e.g. no HTTPS at any point of time, or sending login info in plain ..).

3.  I guess I am questioning the architecture or design of this security measure and the software work-flow.
> The security is not any better off with two pages, because it is asking for the same login credential for SSL VPN and Portal access. Unless they are of different credentials, authentication mode or form factor, and furthermore not using a certificate, I do not see any "enhancement" per se. Others may fare off with a slight edge by asking for a one time password (OTP) on the Portal to safeguard particular resource access, but there is no change to ACL policy that I see in this use case.
> The VPN session and Portal SSO should be different sessions and invalidated upon login or expiry policy consistently, so any of them being invalidated should not affect one another - VPN expires, Portal session invalidated. Portal expires, VPN stays validated. I believe this stands, so what and where is the security enhancement? (at least to me) The "enhanced" workflow or architecture is more of security fatigue as a whole to admins and users.

4.  For what it is worth, we are planning on building a new Citrix Farm next week (XenApp 6.5).  Could anything be done to make a single sign on for Netscaler 10.5 if it is working with Citrix 6.5?
> Till the above Qs are cleared up by Support and with verifiable evidence (with doc guidance), any major change is bound to bring new changes for the team to manage. The "8 years of code changes" is major, but that it is all security centric to add such a workflow - I am doubtful, and is there a security gap that is to be covered by such a double login? It is not convincing to say a further upgrade will make this work - did Support even advise an alternative? If not, it makes no difference, as by default, based on their code change, the SSO is in the VPN and Portal (not XenApp). It will be good to understand the meaning of 10.5 mentioned in Pt 5:
Single-Sign On to public IP: The SSO best practices suggest that SSO should not be triggered for any services running on public IP. NetScaler Gateway provides ability to SSO to public IPs using traffic policies. Traffic policies can be used for providing SSO to only those public IPs which are controlled by the trusted entities only.
http://blogs.citrix.com/2014/07/15/a-look-at-the-new-features-in-netscaler-gateway-10-5/

Indeed in the past this also supported mobile devices, so I am wondering if it affects the client device used too....but as a whole the SSO profile used "HTTP.REQ.HEADER" ...http://www.jasonsamuel.com/2012/04/10/how-to-setup-your-citrix-netscaler-access-gateway-and-web-interface-for-ipads-and-mobile-devices-that-use-citrix-receiver/
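One way to express the "Traffic policy plus Form SSO profile" approach suggested above in NetScaler Gateway CLI terms. This is an added example, not configuration from any participant in this thread or from Citrix; the virtual server name, the Web Interface logon URL, the form field names and the success rule are placeholders that must be taken from the actual Web Interface logon page of the site in question.

```text
# Added example (NetScaler Gateway 10.5 CLI); not from this thread.
# Goal: the user authenticates once at the Gateway logon page, and the
# Gateway replays those credentials to the Web Interface form, so no
# second prompt appears.
# Placeholders: vs_gateway, /Citrix/XenApp/auth/login.aspx, the form
# field names (user / password) and the success rule are assumptions.

# 1. Session action: enable single sign-on to web applications and
#    point the Gateway at the portal home page.
add vpn sessionAction sa_portal -sso ON -ssoCredential PRIMARY -wihome "https://portal.company.net/Citrix/XenApp/"
add vpn sessionPolicy sp_portal ns_true sa_portal
bind vpn vserver vs_gateway -policy sp_portal -priority 100

# 2. Form SSO profile: describe the Web Interface logon form so the
#    Gateway can submit it with the credentials captured at step 1.
#    The success rule must distinguish a successful logon response
#    (here assumed to be a redirect) from the form being shown again.
add vpn formSSOAction fso_wi -actionURL "/Citrix/XenApp/auth/login.aspx" -userField user -passwdField password -ssoSuccessRule "HTTP.RES.STATUS.EQ(302)" -responsesize 65536 -nvtype STATIC

# 3. Traffic policy: apply the form SSO profile only to requests for
#    the portal host, then bind it to the Gateway virtual server.
add vpn trafficAction ta_wi_sso HTTP -SSO ON -formSSOAction fso_wi
add vpn trafficPolicy tp_wi_sso "HTTP.REQ.HOSTNAME.EQ(\"portal.company.net\")" ta_wi_sso
bind vpn vserver vs_gateway -policy tp_wi_sso -priority 100

# Check: after "save ns config", a fresh browser session should show
# only the Gateway logon page. A second credential prompt means the
# form field names or the success rule do not match the real WI form.
```

Steps 2 and 3 are only needed when the Web Interface site still performs its own form logon; if the WI site is configured to accept pass-through authentication from the Gateway, step 1 on its own carries the credentials.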
Dirk Kotte (SE) commented:
Last week I went from NS 10.1 to 10.5 at a customer site.
I have one logon with this version also ... but we use StoreFront.
SF is the replacement for Web Interface, and the current NS versions are tuned for SF, I think.
Installing SF beside WI is not a problem and you can test/migrate smoothly.
Pkafkas (Network Engineer, Author) commented:
The consultant made some configuration changes on the Web Interface Server settings.  He basically the external logon and had users logon with SSL Encryption through the XenApp site.