ASA WebVPN - Citrix WebInterface - SSO

aronjsmith
Level 1

I have an ASA with WebVPN and am trying to fend off a CAG install. I have SSO for the Citrix WebInterface partially working. The fields set up in the bookmark POST are:

LoginType=Explicit

user=CSCO_WEBVPN_USERNAME

password=CSCO_WEBVPN_INTERNAL_PASSWORD

domain=<netbios-domain>

submitMode=submit

slLanguage=en

ReconnectAtLoginOption=DisconnectedAndActive

Now this works, believe it or not, but you have to click the bookmark (and see the Citrix Login page), click back to portal, then bookmark again. Then I can see the Citrix web interface apps with no problem, and the ASA logged me in.

At that point the Smart tunnel works great for icaweb32.exe and everything is kosher.

But you have to click twice. Why the ASA doesn't actually behave like a browser, I don't know, but something is wrong with the auth or cookie exchange or something.

18 Replies

I see. I have a bit of a different setup. Our first point of authentication is tied to our Active Directory. For everything else I have set up, as far as ICA, RDP, and HTTP bookmarks go, the SSO works just fine, passing the username/password they signed in with.

EDIT

Ok, I just changed my CSCO_WEBVPN_INTERNAL_PASSWORD that I got from you to CSCO_WEBVPN_PASSWORD and that worked. Bookmark goes straight to their apps.

aronjsmith
Level 1

Turns out ASA code 8.04 + post-plugin from 8/11/08 fixed it for me. Previously the plugin was passing the password macro to the web interface, after upgrade -- password got substituted properly.

Turn the following into a bookmark of type 'post://' after loading all the software above.

post://servername.domain.tld/Citrix/AccessPlatform/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_INTERNAL_PASSWORD&domain=netbiosdomain&csco_preload=http://servername.domain.tld/Citrix/AccessPlatform/auth/login.aspx

mstraessle
Level 4

Hi

I had the same thing.

The Problem is the Client Detection thing in Citrix. If you disable ClientDetection on your WebInterface, it will work. If you enable it again, you have to click twice again.

To solve the Client Detection issue, you have to pre-load the webpage. This can be done in several ways, but the best way is the following:

Instead of using a HTTPS Bookmark, try to use a POST Bookmark (only works after importing the POST Plugin from Cisco) without any Post Parameters. Just use a GET and enter the following URL:

post://CITRIXSERVERIP/Citrix/XenApp1/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_PASSWORD&domain=DOMAIN&csco_preload=http://CITRIXSERVERIP/Citrix/XenApp1/auth/login.aspx&csco_ispopup=yes&csco_frame=yes

Of course you have to replace the CITRIXSERVERIP with your name or IP as well as the link itself.

This will show a "please wait" on the login during client detection.

I have now moved this to a new discussion (https://supportforums.cisco.com/thread/2054232) as this is a new issue not directly related to this discussion.

Hi All,

We have been running this setup with a Cisco ASA 5510 (8.3(2)) using WebVPN passing credentials through to a Citrix Web Interface for single sign-on for some time now. We have found it to work well and up until now have had no problems.

We do have a slightly different setup as we use the CSCO_WEBVPN_MACRO1 variable in order to pass the password rather than CSCO_WEBVPN_PASSWORD as we use a third party two factor authentication radius platform.

This is the URL we are using..

post://citrixserver/Citrix/MetaFrame/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_MACRO1&domain=domainname&csco_preload=http://citrixserver/Citrix/MetaFrame/auth/login.aspx&csco_frame=yes

The problem we have discovered is that if a user decides to set a password containing a '%' symbol this stops the system from working. The post plugin does not even seem to fire. It seems to authenticate fine but then all you see is a blank screen, rather than the usual loading bar from the post plugin.

We have also found from testing that this also breaks if a user decides to have a '&' symbol in their password, although the outcome is slightly different in that it loads but fails to authenticate to the Citrix Web Interface and so prompts for login details. This is not as much of an issue, as you can still continue to log in manually to the Citrix Web Interface.

I know most users do not have these symbols in their password but we have recently found a few that do! A workaround is of course to ask the user to change their password but it would be great to find a solution to this issue.

Has anyone else using this setup come across this issue? If so do you know of a fix?

Jason

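The bookmarks in this thread (the post:// URLs with CSCO_WEBVPN_USERNAME, CSCO_WEBVPN_PASSWORD or CSCO_WEBVPN_MACRO1) work by pasting the macro value into a form-encoded body, and the '%' and '&' symptoms Jason describes are what you get when that value is not form-encoded. The following is an added example, not code from the thread, the ASA or Citrix: it builds the body both ways and runs the result through a standard form decoder to show what the login handler would see. The template, the domain name, the macro values and the test password are constructed for illustration, and the "naive" builder is an assumption about the plugin's behaviour based on the reported symptoms, not something verified against it.

```python
"""
Added example: raw macro substitution versus properly form-encoded
substitution for a post:// style login body, and the effect on a
password containing '&' and '%'.
"""
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed template mirroring the thread's bookmark fields (domain assumed)
TEMPLATE = ("LoginType=Explicit&user=CSCO_WEBVPN_USERNAME"
            "&password=CSCO_WEBVPN_MACRO1&domain=EXAMPLE")

# Constructed macro values; the password deliberately contains '&' and '%'
MACROS = {"CSCO_WEBVPN_USERNAME": "alice",
          "CSCO_WEBVPN_MACRO1": "Sec&ret%41"}


def naive_substitute(template: str, macros: dict) -> str:
    """Textual replacement of each macro name with its raw value, no encoding.
    Assumed model of the failing behaviour, not verified against the plugin."""
    body = template
    for name, value in macros.items():
        body = body.replace(name, value)
    return body


def encoded_substitute(template: str, macros: dict) -> str:
    """Parse the template into (field, value) pairs first, substitute the
    macro values, then re-encode with application/x-www-form-urlencoded
    rules so '&' becomes %26 and '%' becomes %25 inside the value."""
    pairs = parse_qsl(template, keep_blank_values=True, strict_parsing=True)
    return urlencode([(field, macros.get(value, value)) for field, value in pairs])


def decode_form(body: str) -> dict:
    """What a standard form decoder hands to the login handler: the first
    value of each field after splitting on '&' and percent-decoding."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    for label, build in (("naive", naive_substitute), ("encoded", encoded_substitute)):
        body = build(TEMPLATE, MACROS)
        print(f"{label:8} body:     {body}")
        print(f"{label:8} password: {decode_form(body).get('password')!r}")
```

With the raw substitution the '&' in the password terminates the field, so the server receives password=Sec plus a stray field, and the '%41' that follows is percent-decoded to 'A' rather than delivered literally; the encoded body survives both. Since either body carries the user's cleartext password, the bookmark target and any csco_preload URL should be HTTPS, not the http:// preload shown earlier in the thread.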