Citrix FAS – Azure AD CBA Single Sign-On (SSO) without a PRT

Reading Time: 3 minutes

Table of Contents

Overview

With Azure AD’s certificate-based authentication (CBA) there is a way to get a Primary Refresh Token (PRT) inside the User’s Citrix Session. I’ve written about the details in Part1.

As the most negative requirement is to deploy User-Certificates to the Endpoints (difficult in a BYOD-scenario) – I’ve decided to work on another way to achieve SSO inside the Citrix Session for subsequent Applications, without a PRT. The goal is to have no additional user-interaction. That’s the content of this post, Part2.

The Login Process

Because of the default SAML / OAuth Loginflow with FAS, there is already a Smartcard certificate enrolled and used for the SSO to the VDA – why don’t make usage of this for other process? I will use the in-session certificate for auto-select Azure AD CBA SSO to M365 Apps – without any PRT.

Configuration

A configured and enabled Azure AD CBA authentication method, like described in Part1, is the basic requirement. There is no obligatory need for Azure AD Hybrid Join (HAADJ) of the Clients or the VDA, otherwise there are many other benefit for doing HAADJ.

FAS

Edit the default or your created Rule inside the FAS Console and enable in-session use:

GPO VDA FAS

Edit your FAS GPO, linked to your VDAs and enable In-session Certificates with a Prompt Scope of No consent required. The timeout will be ignored but the field can’t be empty, so insert for example 30 seconds.

You can check if the Certificate is visible to the user in a Citrix Session:

GPO VDA Edge

Configure the following GPO on your VDAs, so there will be no certificate prompt and Microsoft Edge (which is my default browser, so it’s used by all kind of M365 Apps for doing their authentication stuff) is silently signing in. Otherwise you’re getting the following popup and the User will not understand what to do 🙂

CBA Popup when do auto-select is enabled

Location:

Administrative Templates / Microsoft Edge / Content settings

Parameter:

Automatically select client certificates for these sites

Value (Replace hdxlab-HTZ-DC01-CA with the Common Name (CN) of your CA):

{“pattern”:”https://certauth.login.microsoftonline.com”,”filter”:{“ISSUER”:{“CN”:”hdxlab-HTZ-DC01-CA”}}}

Enable auto-select of client certificate

PKI

If you followed the FAS Instructions from CTP Julian Mooren, you may have deleted the Client Authentication extension within the Citrix_SmartcardLogon certificate template. Double check if it’s included, otherwise you have to add the extension so it looks like this:

There you go. Apps like Office, Teams, MS Edge or OneDrive will silently sign-in with the User’s Citrix_SmartcardLogon certificate, available within the Citrix Session.

Summary

Here is the Azure AD Sign-in log for my Testuser, you can see a successful X.509 Certificate authentication for the Office, Teams and OneDrive Applications:

I hope this post provides another opportunity for the Users’ familiar SSO experience when dealing with FAS setups.

Hints

Make sure your Conditional Access policies are configured correctly for internal certificate-based authentication. Otherwise you’re getting a MFA prompt after the CBA auto sign-in.

7 comments

Pingback: Citrix FAS - Azure AD CBA with Primary Refresh Token (PRT)
Christoph says:

May 3, 2023 at 11:37 AM

Hi Julian – awesome article – congrats!
However – I do have an issue with the pattern for the Edge Policy. Maybe you have an idea what I did wrong.
My about:policy in Edge says the following:
Error: “Error at AutoSelectCertificateForUrls[0]: Error while parsing JSON value: Line: 1, column: 2, Dictionary keys must be quoted.”
I’ve entered following line to the policy:
{“pattern”:”https://certauth.login.microsoftonline.com”,”filter”:{“ISSUER”:{“CN”:”MYCA”}}}

any help would be highly appreciated.
Thanks for your work
Christoph

1. Julian Jakob says:
  
  May 8, 2023 at 8:53 PM
  
  Hi Christoph,
  thank you! Is it a copy-paste issue with the quotation marks? Try copy this one:
  
  {“pattern”:”https://certauth.login.microsoftonline.com”,”filter”:{“ISSUER”:{“CN”:”MYCA”}}}
  
  Regards
  Julian
  
Christoph says:

May 12, 2023 at 8:07 AM

Hi Julian,
yes – you’re right. The quotation marks were incorrect.
Apologizes for not better checking myself.

In the meantime we’ve managed to get it working 🙂
Including PRT and X.509 Certificate authentication.
I suppose that this will save us ~250 Support Tickets a year.

Thanks again for your awesome work!!!!

br
Christoph

Cathy says:

November 17, 2023 at 9:22 PM

Hi Julian,
Great article! In our environment we have 2 different CAs that could issue the FAS certificate. How would I specify both CN certificate issuer names in the Edge GPO?

1. DJ says:
  
  March 29, 2024 at 5:07 PM
  
  Would love to know the same!
  
2. Joost Sannen says:
  
  April 8, 2024 at 3:51 PM
  
  Yeah, just add 2 rules, one for each issuer.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.