Table of Contents
With Azure AD’s certificate-based authentication (CBA) there is a way to get a Primary Refresh Token (PRT) inside the User’s Citrix Session. I’ve written about the details in Part1.
As the most negative requirement is to deploy User-Certificates to the Endpoints (difficult in a BYOD-scenario) – I’ve decided to work on another way to achieve SSO inside the Citrix Session for subsequent Applications, without a PRT. The goal is to have no additional user-interaction. That’s the content of this post, Part2.
The Login Process
Because of the default SAML / OAuth Loginflow with FAS, there is already a Smartcard certificate enrolled and used for the SSO to the VDA – why don’t make usage of this for other process? I will use the in-session certificate for auto-select Azure AD CBA SSO to M365 Apps – without any PRT.
A configured and enabled Azure AD CBA authentication method, like described in Part1, is the basic requirement. There is no obligatory need for Azure AD Hybrid Join (HAADJ) of the Clients or the VDA, otherwise there are many other benefit for doing HAADJ.
Edit the default or your created Rule inside the FAS Console and enable in-session use:
GPO VDA FAS
Edit your FAS GPO, linked to your VDAs and enable In-session Certificates with a Prompt Scope of No consent required. The timeout will be ignored but the field can’t be empty, so insert for example 30 seconds.
You can check if the Certificate is visible to the user in a Citrix Session:
GPO VDA Edge
Configure the following GPO on your VDAs, so there will be no certificate prompt and Microsoft Edge (which is my default browser, so it’s used by all kind of M365 Apps for doing their authentication stuff) is silently signing in. Otherwise you’re getting the following popup and the User will not understand what to do 🙂
Administrative Templates / Microsoft Edge / Content settings
Automatically select client certificates for these sites
Value (Replace hdxlab-HTZ-DC01-CA with the Common Name (CN) of your CA):
If you followed the FAS Instructions from CTP Julian Mooren, you may have deleted the Client Authentication extension within the Citrix_SmartcardLogon certificate template. Double check if it’s included, otherwise you have to add the extension so it looks like this:
There you go. Apps like Office, Teams, MS Edge or OneDrive will silently sign-in with the User’s Citrix_SmartcardLogon certificate, available within the Citrix Session.
Here is the Azure AD Sign-in log for my Testuser, you can see a successful X.509 Certificate authentication for the Office, Teams and OneDrive Applications:
I hope this post provides another opportunity for the Users’ familiar SSO experience when dealing with FAS setups.
Make sure your Conditional Access policies are configured correctly for internal certificate-based authentication. Otherwise you’re getting a MFA prompt after the CBA auto sign-in.