Citrix FAS – Azure AD CBA Single Sign-On (SSO) without a PRT

Reading Time: 3 minutes

Overview

With Azure AD’s certificate-based authentication (CBA) there is a way to get a Primary Refresh Token (PRT) inside the User’s Citrix Session. I’ve written about the details in Part1.

As the most negative requirement is to deploy User-Certificates to the Endpoints (difficult in a BYOD-scenario) – I’ve decided to work on another way to achieve SSO inside the Citrix Session for subsequent Applications, without a PRT. The goal is to have no additional user-interaction. That’s the content of this post, Part2.

The Login Process

Because of the default SAML / OAuth Loginflow with FAS, there is already a Smartcard certificate enrolled and used for the SSO to the VDA – why don’t make usage of this for other process? I will use the in-session certificate for auto-select Azure AD CBA SSO to M365 Apps – without any PRT.

Configuration

A configured and enabled Azure AD CBA authentication method, like described in Part1, is the basic requirement. There is no obligatory need for Azure AD Hybrid Join (HAADJ) of the Clients or the VDA, otherwise there are many other benefit for doing HAADJ.

FAS

Edit the default or your created Rule inside the FAS Console and enable in-session use:

Enable in-session use in FAS Rule

GPO VDA FAS

Edit your FAS GPO, linked to your VDAs and enable In-session Certificates with a Prompt Scope of No consent required. The timeout will be ignored but the field can’t be empty, so insert for example 30 seconds.

Enable in-session use in FAS GPO

You can check if the Certificate is visible to the user in a Citrix Session:

In-session Smartcard Certificate

GPO VDA Edge

Configure the following GPO on your VDAs, so there will be no certificate prompt and Microsoft Edge (which is my default browser, so it’s used by all kind of M365 Apps for doing their authentication stuff) is silently signing in. Otherwise you’re getting the following popup and the User will not understand what to do 🙂

CBA Popup when do auto-select is enabled

Location:

Administrative Templates / Microsoft Edge / Content settings

Parameter:

Automatically select client certificates for these sites

Value (Replace hdxlab-HTZ-DC01-CA with the Common Name (CN) of your CA):

{“pattern”:”https://certauth.login.microsoftonline.com”,”filter”:{“ISSUER”:{“CN”:”hdxlab-HTZ-DC01-CA”}}}

Enable auto-select of client certificate

PKI

If you followed the FAS Instructions from CTP Julian Mooren, you may have deleted the Client Authentication extension within the Citrix_SmartcardLogon certificate template. Double check if it’s included, otherwise you have to add the extension so it looks like this:

Enable Client Authentication Extension

There you go. Apps like Office, Teams, MS Edge or OneDrive will silently sign-in with the User’s Citrix_SmartcardLogon certificate, available within the Citrix Session.

Summary

Here is the Azure AD Sign-in log for my Testuser, you can see a successful X.509 Certificate authentication for the Office, Teams and OneDrive Applications:

Azure AD X.509 Certificate Sign-in log

I hope this post provides another opportunity for the Users’ familiar SSO experience when dealing with FAS setups.

Hints

Make sure your Conditional Access policies are configured correctly for internal certificate-based authentication. Otherwise you’re getting a MFA prompt after the CBA auto sign-in.

8 comments

  1. Hi Julian – awesome article – congrats!
    However – I do have an issue with the pattern for the Edge Policy. Maybe you have an idea what I did wrong.
    My about:policy in Edge says the following:
    Error: “Error at AutoSelectCertificateForUrls[0]: Error while parsing JSON value: Line: 1, column: 2, Dictionary keys must be quoted.”
    I’ve entered following line to the policy:
    {“pattern”:”https://certauth.login.microsoftonline.com”,”filter”:{“ISSUER”:{“CN”:”MYCA”}}}

    any help would be highly appreciated.
    Thanks for your work
    Christoph

    1. Hi Christoph,
      thank you! Is it a copy-paste issue with the quotation marks? Try copy this one:

      {“pattern”:”https://certauth.login.microsoftonline.com”,”filter”:{“ISSUER”:{“CN”:”MYCA”}}}

      Regards
      Julian

  2. Hi Julian,
    yes – you’re right. The quotation marks were incorrect.
    Apologizes for not better checking myself.

    In the meantime we’ve managed to get it working 🙂
    Including PRT and X.509 Certificate authentication.
    I suppose that this will save us ~250 Support Tickets a year.

    Thanks again for your awesome work!!!!

    br
    Christoph

  3. Hi Julian,
    Great article! In our environment we have 2 different CAs that could issue the FAS certificate. How would I specify both CN certificate issuer names in the Edge GPO?

Leave a Reply

Your email address will not be published. Required fields are marked *