07-02-2008 05:40 AM
I have an ASA with WebVPN and am trying to fend off a CAG install. I have SSO for the Citrix WebInterface partially working. The fields set up in the bookmark POST are:
LoginType=Explicit
user=CSCO_WEBVPN_USERNAME
password=CSCO_WEBVPN_INTERNAL_PASSWORD
domain=<netbios-domain>
submitMode=submit
slLanguage=en
ReconnectAtLoginOption=DisconnectedAndActive
Now this works, believe it or not, but you have to click the bookmark (and see the Citrix Login page), click back to portal, then bookmark again. Then I can see the Citrix web interface apps with no problem, and the ASA logged me in.
At that point the Smart tunnel works great for icaweb32.exe and everything is kosher.
But you have to click twice. Why the ASA doesn't actually behave like a browser, I don't know, but something is wrong with the auth or cookie exchange or something.
07-31-2008 10:18 AM
I see. I've got a bit of a different setup. Our first point of authentication is tied to our Active Directory. For everything else I have set up, as far as ica, rdp, and http bookmarks go, the sso works just fine with passing the username/password that they signed in with.
EDIT
Ok, I just changed my CSCO_WEBVPN_INTERNAL_PASSWORD that I got from you to CSCO_WEBVPN_PASSWORD and that worked. Bookmark goes straight to their apps.
08-22-2008 05:28 AM
Turns out ASA code 8.04 + post-plugin from 8/11/08 fixed it for me. Previously the plugin was passing the password macro to the web interface, after upgrade -- password got substituted properly.
Turn the following into a bookmark of type 'post://' after loading all the software above.
post://servername.domain.tld/Citrix/AccessPlatform/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_INTERNAL_PASSWORD&domain=netbiosdomain&csco_preload=http://servername.domain.tld/Citrix/AccessPlatform/auth/login.aspx
03-09-2009 03:29 AM
Hi
I had the same thing.
The Problem is the Client Detection thing in Citrix. If you disable ClientDetection on your WebInterface, it will work. If you enable it again, you have to click twice again.
To solve the Client Detection issue, you have to pre-load the webpage. This can be done in several ways, but the best way is the following:
Instead of using an HTTPS Bookmark, try to use a POST Bookmark (only works after importing the POST Plugin from Cisco) without any Post Parameters. Just use a GET and enter the following URL:
post://CITRIXSERVERIP/Citrix/XenApp1/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_PASSWORD&domain=DOMAIN&csco_preload=http://CITRIXSERVERIP/Citrix/XenApp1/auth/login.aspx&csco_ispopup=yes&csco_frame=yes
Of course you have to replace the CITRIXSERVERIP with your name or IP as well as the link itself.
This will show a "please wait" on the login during client detection.
11-23-2010 04:49 AM
I have now moved this to a new discussion (https://supportforums.cisco.com/thread/2054232) as this is a new issue not directly related to this discussion.
Hi All,
We have been running this setup with a Cisco ASA 5510 (8.3(2)) using WebVPN passing credentials through to a Citrix Web Interface for single sign on for some time now. We have found it to work well and up until now have had no problems.
We do have a slightly different setup as we use the CSCO_WEBVPN_MACRO1 variable in order to pass the password rather than CSCO_WEBVPN_PASSWORD as we use a third party two factor authentication radius platform.
This is the URL we are using:
post://citrixserver/Citrix/MetaFrame/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_MACRO1&domain=domainname&csco_preload=http://citrixserver/Citrix/MetaFrame/auth/login.aspx&csco_frame=yes
The problem we have discovered is that if a user decides to set a password containing a '%' symbol this stops the system from working. The post plugin does not even seem to fire. It seems to authenticate fine but then all you see is a blank screen, rather than the usual loading bar from the post plugin.
We have also found from testing that this also breaks if a user decides to have a '&' symbol in their password, although the outcome is slightly different in that it loads but fails to authenticate to the Citrix Web Interface and so prompts for login details. This is not as much of an issue as you can still continue to login manually to the Citrix Web Interface.
I know most users do not have these symbols in their password but we have recently found a few that do! A workaround is of course to ask the user to change their password but it would be great to find a solution to this issue.
Has anyone else using this setup come across this issue? If so do you know of a fix?
Jason
Message was edited by: Jason Nash
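Why '&' and '%' are special in a bookmark URL like the one in the post above, as an added example that is not part of the original thread and is not Cisco's plug-in code. It assumes the macro value is pasted into the query string without percent-encoding, which the thread does not confirm; the helper names, the user name and the sample passwords are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# Bookmark URL from the post above (csco_* options left out for brevity).
TEMPLATE = ("post://citrixserver/Citrix/MetaFrame/auth/login.aspx"
            "?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME"
            "&password=CSCO_WEBVPN_MACRO1&domain=domainname")

def substitute(template, username, password, encode):
    """Expand the macros. With encode=True each value is percent-encoded
    first, so reserved characters cannot change the query structure."""
    enc = (lambda v: quote(v, safe="")) if encode else (lambda v: v)
    return (template.replace("CSCO_WEBVPN_USERNAME", enc(username))
                    .replace("CSCO_WEBVPN_MACRO1", enc(password)))

def received_fields(url):
    """Decode the query string the way a standard query parser does."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)

def malformed_percent(url):
    """Count '%' signs not followed by two hex digits. Python's decoder
    passes these through unchanged; a strict decoder may reject the URL."""
    return len(re.findall(r"%(?![0-9A-Fa-f]{2})", urlsplit(url).query))

def password_survives(username, password, encode):
    """True if the receiving side decodes exactly the password that was set."""
    fields = received_fields(substitute(TEMPLATE, username, password, encode))
    return fields.get("password") == [password]

if __name__ == "__main__":
    # Constructed sample passwords: '&' splits the field, '%20' decodes to a
    # space, and '%ss' is not a valid escape at all.
    for pw in ("Pa&ss1", "Win%2008", "Pa%ss1"):
        for encode in (False, True):
            url = substitute(TEMPLATE, "jdoe", pw, encode)
            print(f"{pw!r:12} encode={encode!s:5} "
                  f"password field={received_fields(url).get('password')} "
                  f"malformed%={malformed_percent(url)} "
                  f"intact={password_survives('jdoe', pw, encode)}")
```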