ASA WebVPN - Citrix WebInterface - SSO

Unanswered Question
Jul 2nd, 2008

I have an ASA with WebVPN and am trying to fend off a CAG install. I have SSO for the Citrix WebInterface partially working. The fields set up in the bookmark POST are:

LoginType=Explicit
user=CSCO_WEBVPN_USERNAME
password=CSCO_WEBVPN_INTERNAL_PASSWORD
domain=<netbios-domain>
submitMode=submit
slLanguage=en
ReconnectAtLoginOption=DisconnectedAndActive

Now this works, believe it or not, but you have to click the bookmark (and see the Citrix Login page), click back to portal, then bookmark again. Then I can see the Citrix web interface apps with no problem, and the ASA logged me in.

At that point the Smart tunnel works great for icaweb32.exe and everything is kosher.

But you have to click twice. Why the ASA doesn't actually behave like a browser, I don't know, but something is wrong with the auth or cookie exchange or something.

purohit_810 Wed, 07/02/2008 - 05:45

Once the smart tunnel opens, it leaves the SSL VPN interface and starts another session on another web page.

Now if you skip any steps, for security reasons, by the nature of the firewall, it won't allow you in. It looks like an attack.

Thanks,

Dharmesh Purohit

dlongpre Tue, 07/22/2008 - 10:35

I got the same problem; click twice to get authenticated. It looks like the ASA doesn't send the credentials the first time. Is it normal?

Help!!

aronjsmith Tue, 07/22/2008 - 15:19

I have a TAC case open on this. They had me collect a httpwatch trace... then a few days later they had me collect a raw packet capture of the exchange between the ASA and the Citrix WI.

The TAC case is going on several weeks of age and is "Cisco Pend," so I'm hoping to have an answer to this very soon. I suspect it's a bug and will have to be fixed in 8.04 or higher of ASA code.

dlongpre Wed, 07/23/2008 - 04:16

Same here! TAC opened... collected a trace with httpwatch... capture... some Webex sessions, and nothing for now. We also tried the "post" plug-in, without any luck!

Please keep me informed if you have any news, I'll do the same :-)

aronjsmith Thu, 07/31/2008 - 09:56

TAC had me upgrade to the latest 803-19 version of code and they provided me a "special file access" for a plugin called post-plugin.zip that creates a "post:" url type. The fields then go on the line in the url field instead of in the normal bookmark post method.

Still doesn't work - same problem, but it's progress, at least they're working on a plugin to do this.

dlongpre Mon, 08/18/2008 - 17:36

Hi Aron,

TAC asked me to upgrade to the latest release 8.0(4) and use the POST plug-in. The SSO is working fine now. However, there is no way to have the group-policy customization Homepage URL redirect with the POST protocol; only HTTP/HTTPS is allowed. So, if it's not required in your case, the bookmark with the POST plug-in will work fine for the SSO.

Thanks, Dominic.

aronjsmith Tue, 08/19/2008 - 18:29

Would you mind sharing the link/bookmark configuration you used? I could not get the post plugin to do what I was after...

snooter Thu, 07/31/2008 - 05:42

Guys, I'm working on the same thing, kind of, I'm just not getting as far as you guys are. I can't for the life of me get the username/pwd/domain etc to pass from the asa to the metaframe server (presentation server 4).

What are you guys using for the URL in the bookmark? Are you using the plain http://server/citrix/metaframe/ or are you using the direct http://server/citrix/metaframe/auth/login.aspx?

Also, for the POST method on the bookmark, are you entering them as:

Name "LoginType"
Value "=Explicit"

Or does the Value box not require us to use the "="?

Believe me I don't want to hijack your thread, I'm just trying to get to the same end result as you. Thanks. -scott

aronjsmith Thu, 07/31/2008 - 09:54

The '=' character is put in by the app, don't add it. The POST method and URL are servername/Citrix/AccessPlatform/auth/login.aspx

The rest of the parameters in my original post have the other fields you need.

snooter Thu, 07/31/2008 - 10:09

Ah, I had the incorrect URL in the bookmark. At least now I'm getting "ERROR: The supplied credentials were invalid. Please try again or contact your system admin for help"

Are you guys using LDAP for authentication?

aronjsmith Thu, 07/31/2008 - 10:12

No LDAP per se. WebVPN asks for an internal password and a passcode. The passcode controls access to the VPN. The internal password is not used during the WebVPN login, but it is passed along to other apps for SSO.

snooter Thu, 07/31/2008 - 10:18

I see. I have a bit of a different setup. Our first point of authentication is tied to our Active Directory. Everything else I have set up, as far as ICA, RDP, and HTTP bookmarks go, the SSO works just fine, passing the username/password that they signed in with.

EDIT

Ok, I just changed my CSCO_WEBVPN_INTERNAL_PASSWORD that I got from you to CSCO_WEBVPN_PASSWORD and that worked. Bookmark goes straight to their apps.

aronjsmith Fri, 08/22/2008 - 05:28

Turns out ASA code 8.04 + the post-plugin from 8/11/08 fixed it for me. Previously the plugin was passing the password macro to the web interface; after the upgrade, the password got substituted properly.

Turn the following into a bookmark of type 'post://' after loading all the software above.

post://servername.domain.tld/Citrix/AccessPlatform/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_INTERNAL_PASSWORD&domain=netbiosdomain&csco_preload=http://servername.domain.tld/Citrix/AccessPlatform/auth/login.aspx

mstraessle Mon, 03/09/2009 - 03:29

Hi

I had the same thing.

The problem is the Client Detection feature in Citrix. If you disable Client Detection on your WebInterface, it will work. If you enable it again, you have to click twice again.

To solve the Client Detection issue, you have to pre-load the webpage. This can be done in several ways, but the best way is the following:

Instead of using a HTTPS Bookmark, try to use a POST Bookmark (only works after importing the POST Plugin from Cisco) without any Post Parameters. Just use a GET and enter the following URL:

post://CITRIXSERVERIP/Citrix/XenApp1/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_PASSWORD&domain=DOMAIN&csco_preload=http://CITRIXSERVERIP/Citrix/XenApp1/auth/login.aspx&csco_ispopup=yes&csco_frame=yes

Of course you have to replace the CITRIXSERVERIP with your name or IP as well as the link itself.

This will show a "please wait" on the login during client detection.

Jason Nash Tue, 11/23/2010 - 04:49

I have now moved this to a new discussion (https://supportforums.cisco.com/thread/2054232) as this is a new issue not directly related to this discussion.

Hi All,

We have been running this setup with a Cisco ASA 5510 (8.3(2)) using WebVPN passing credentials through to a Citrix Web Interface for single sign-on for some time now. We have found it to work well and up until now have had no problems.

We do have a slightly different setup, as we use the CSCO_WEBVPN_MACRO1 variable in order to pass the password rather than CSCO_WEBVPN_PASSWORD, because we use a third-party two-factor authentication RADIUS platform.

This is the URL we are using:

post://citrixserver/Citrix/MetaFrame/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_MACRO1&domain=domainname&csco_preload=http://citrixserver/Citrix/MetaFrame/auth/login.aspx&csco_frame=yes

The problem we have discovered is that if a user decides to set a password containing a '%' symbol this stops the system from working. The post plugin does not even seem to fire. It seems to authenticate fine but then all you see is a blank screen, rather than the usual loading bar from the post plugin.

We have also found from testing that this also breaks if a user decides to have a '&' symbol in their password, although the outcome is slightly different in that it loads but fails to authenticate to the Citrix Web Interface and so prompts for login details. This is not as much of an issue, as you can still continue to log in manually to the Citrix Web Interface.

I know most users do not have these symbols in their password but we have recently found a few that do! A workaround is of course to ask the user to change their password but it would be great to find a solution to this issue.

Has anyone else using this setup come across this issue? If so do you know of a fix?

Jason
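Added example, not code from this thread and not Cisco's post plugin: a small Python model of how the macros in a post:// bookmark (the field list from the opening post, and the MACRO1 variant above) end up as form fields on the Web Interface login page, and why a password containing '&' or '%' breaks that unless the substituted value is percent-encoded before it is placed in the URL. The host name, domain, user names and passwords are constructed placeholders. How the real plugin performs the substitution is not documented here; the plain-text replacement below is an assumption chosen because it reproduces the two symptoms reported (a '&' splits the password field, a bare '%' is rejected by a strict form parser).

```python
from urllib.parse import urlsplit, quote

# Constructed bookmark in the thread's post:// form. Host name and domain are
# placeholders, not values from any real deployment.
TEMPLATE = (
    "post://citrixserver.example/Citrix/MetaFrame/auth/login.aspx"
    "?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_MACRO1"
    "&domain=EXAMPLEDOMAIN"
    "&csco_preload=http://citrixserver.example/Citrix/MetaFrame/auth/login.aspx"
    "&csco_frame=yes"
)

HEX = set("0123456789abcdefABCDEF")


def substitute_naive(template, values):
    """Plain text replacement of macro names (assumed behaviour): the
    substituted value is dropped into the URL without re-encoding."""
    for macro, value in values.items():
        template = template.replace(macro, value)
    return template


def substitute_encoded(template, values):
    """Same replacement, but each value is percent-encoded first, so '&',
    '=', '%' and other reserved characters cannot be read as query syntax."""
    for macro, value in values.items():
        template = template.replace(macro, quote(value, safe=""))
    return template


def strict_percent_decode(s):
    """Decode one form value, rejecting a '%' that is not followed by two
    hex digits, as a strict application/x-www-form-urlencoded parser does."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            pair = s[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= HEX:
                raise ValueError(f"malformed percent escape at offset {i}: {s[i:i + 3]!r}")
            out.append(chr(int(pair, 16)))
            i += 3
        elif s[i] == "+":
            out.append(" ")
            i += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_form_fields(url):
    """Split the query part of the bookmark into the name/value pairs the
    Web Interface login page would receive, decoded strictly."""
    fields = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[strict_percent_decode(name)] = strict_percent_decode(value)
    return fields


def check_bookmark(url, expected_password):
    """Classify what the login page would see: 'ok' if the password survives
    the round trip, 'mismatch' if query syntax split or altered it,
    'malformed' if a strict parser rejects the request outright."""
    try:
        fields = parse_form_fields(url)
    except ValueError:
        return "malformed"
    return "ok" if fields.get("password") == expected_password else "mismatch"


if __name__ == "__main__":
    # Constructed sample passwords: a plain one, one with '&', one with '%'.
    for password in ("Winter2008", "Sum&mer08", "100%secure"):
        values = {"CSCO_WEBVPN_USERNAME": "jdoe", "CSCO_WEBVPN_MACRO1": password}
        naive = check_bookmark(substitute_naive(TEMPLATE, values), password)
        encoded = check_bookmark(substitute_encoded(TEMPLATE, values), password)
        print(f"{password!r:14} naive={naive:9} encoded={encoded}")
```

The encoded path is the only one that round-trips all three passwords; the naive path truncates "Sum&mer08" to "Sum" (the Web Interface then prompts for credentials, as described above) and produces a request a strict parser refuses for "100%secure". A password with '%' followed by two hex digits (for example "pa%41ss") is not rejected but silently decoded to a different string, which is the same class of failure.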
