Forum Discussion
Mark_22062
Nimbostratus
NimbostratusCitrix Receiver on iOS
I have configured an APM to access our Citrix XenApp environment. Through a browser it works well, prompting the user for a username, password and a passcode (SecurID Token).
The APM is configured as follows:
Logon Page > SecureID > AD Auth (using a session variable) > Allow
When configuring the Citrix Receiver on the iOS device, I've configured it as "Access Gateway", configured all the authentication details and selected to use a Security Token.
The application verifies the settings and saves the config and attempts to login, prompting for the passcode. It then returns with a "Password Change Required" (even though the AD account password has not expired). Filling in this form, then returns with "The password has been updated, please log on again" (according to AD the user account password has not been changed). It then prompts for the passcode again and successfully logs on.
However, when you then logoff and attempt to log on again, this time prompting for the password and passcode, it fails with "The credentials provided have expired."
Looking at the various session logs it seems to fail because of user inactivity or errors, the bad password count on the AD account indicates the password was incorrect.
Has anyone else had issues with setting up APM for Citrix Receiver?
Mark_van_DCirrostratus
Forgot to add, that when deleting the profile from the Citrix Receiver and then adding it back in again, it goes through the same process (i.e. prompts for pw change, etc..)
Michael_Koyfma1Cirrus
What version of APM are you on?- Mark_van_DWe are running 11.1.0 HF2
- Michael_Koyfma1Ok, so you are on the latest and greatest - that helps. :) On the Receiver, what type of authentication did you specify? Just Token, or Domain+Token? If the RSA 2-factor is working just fine through the browser, then it should work just fine through the Receiver on iOS as well - but it does need to be setup for Domain+Token in this case.
- Mark_van_DIt's set to Domain+Token, but I tried both to see if that would make a difference.
Mark, the Citrix XenApp of course has different Web Interface settings/setups for "Web Browser" access vs "PNAgent" (Receiver client) access.
I take it the two sites are configured the same, ie Direct Access mode ?, with the Auhentication setup the same ? If not, successfull browser access != successfull reciever access.
Also, can you confirm that alll auth systems are set to get correct time from NTP (incl the bigip)
Lastly, can you adjust the policy temporarily to just Auth againt AD to see if the connectivity is successful ?
Regards
Gary- Mark, Are you based in Australia? If so, and you continue to struggle with this setup, please call me at the F5 Sydney office, so we can discuss you environment/setup.
Regards
Gary - Michael_Koyfma1Mark,
Also, does your VPE look exactly like you pictured above? If so, I am not sure how it can work in any mode, as you need to do some session variable assignments to swap out passwords. Take a look at the Deployment Guide for XenApp and APM for 10.2.x version - just pay attention to the RSA components - the field names in the logon page need to be named as in the guide, as well as the session variable assignment.
http://www.f5.com/pdf/deployment-guides/apm-xenapp-xendesktop-dg.pdf - Mark_van_DGary, I am based in Aus. If I get stuck I'll give you a call.
- Mark_van_DGary,
Citrix Xenapp is configured for Direct-Access for both straight web access and via the PNAgent. I tried your suggestion of just doing AD auth and that seems to work every time. So something weird is happening when throwing RSA in the mix. NTP is configured the same across the board.
