ASA WebVPN - Citrix WebInterface - SSO

aronjsmith
Level 1

I have an ASA with WebVPN and am trying to fend off a CAG install. I have SSO for the Citrix WebInterface partially working. The fields set up in the bookmark POST are:

LoginType=Explicit
user=CSCO_WEBVPN_USERNAME
password=CSCO_WEBVPN_INTERNAL_PASSWORD
domain=<netbios-domain>
submitMode=submit
slLanguage=en
ReconnectAtLoginOption=DisconnectedAndActive

Now this works, believe it or not, but you have to click the bookmark (and see the Citrix login page), click back to the portal, then click the bookmark again. Then I can see the Citrix Web Interface apps with no problem, and the ASA has logged me in.

At that point the Smart tunnel works great for icaweb32.exe and everything is kosher.

But you have to click twice. Why the ASA doesn't actually behave like a browser, I don't know, but something is wrong with the auth or cookie exchange or something.

18 Replies

purohit_810
Level 5

Once the smart tunnel opens, it leaves the SSL VPN interface and starts another session on another web page.

Now if you skip any steps, for security reasons, by the nature of a firewall, it won't allow you in. It looks like an attack.

Thanks,

Dharmesh Purohit

I am not using the Smart Tunnel option for this bookmark.

dlongpre
Level 1

I have the same problem; click twice to get authenticated. It looks like the ASA doesn't send the credentials the first time. Is this normal?

Help!!

I have a TAC case open on this. They had me collect an HttpWatch trace, then a few days later they had me collect a raw packet capture of the exchange between the ASA and the Citrix WI.

The TAC case is now several weeks old and is in "Cisco Pend" status, so I'm hoping to have an answer to this very soon. I suspect it's a bug and will have to be fixed in 8.04 or higher of ASA code.

Same here! TAC case opened, collected a trace with HttpWatch, a capture, some WebEx sessions, and nothing so far. We also tried the "post" plug-in, without any luck!

Please keep me informed if you have any news; I'll do the same :-)

TAC had me upgrade to the latest 803-19 version of code, and they provided me with "special file access" for a plugin called post-plugin.zip that creates a "post:" URL type. The fields then go on the line in the URL field instead of in the normal bookmark POST method.

Still doesn't work - same problem, but it's progress, at least they're working on a plugin to do this.

Hi Aron,

TAC asked me to upgrade to the latest release, 8.0(4), and use the POST plug-in. The SSO is working fine now. However, there is no way to make the group-policy customization Homepage URL redirect with the POST protocol; only HTTP/HTTPS is allowed. So, if that's not required in your case, the bookmark with the POST plug-in will work fine for the SSO.

Thanks, Dominic.

Would you mind sharing the link/bookmark configuration you used? I could not get the post plugin to do what I was after...

Hi Aron,

Here is the bookmark post:

post://yourserver.domain/Citrix/AccessPlatform/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_PASSWORD&csco_preload=http://yourserver.domain/Citrix/AccessPlatform/auth/login.aspx&csco_ispopup=yes

Hope this helps...

Dominic

on one line..!

snooter
Level 1

Guys, I'm working on the same thing, kind of; I'm just not getting as far as you guys are. I can't for the life of me get the username/password/domain etc. to pass from the ASA to the MetaFrame server (Presentation Server 4).

What are you guys using for the URL in the bookmark? Are you using the plain http://server/citrix/metaframe/ or the direct http://server/citrix/metaframe/auth/login.aspx?

Also, for the POST method on the bookmark, are you entering them as:

Name "LoginType"

Value "=Explicit"

Or does the Value box not require us to use the "="?

Believe me I don't want to hijack your thread, I'm just trying to get to the same end result as you. Thanks. -scott

The '=' character is put in by the app; don't add it. The POST method and URL is servername/Citrix/AccessPlatform/auth/login.aspx

The rest of the parameters in my original post have the other fields you need.
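The posts above describe the same login form from three angles: the seven field names in the bookmark POST, the single-line post:// plug-in URL with its csco_preload/csco_ispopup parameters, and the question of whether the '=' belongs in the Value box. The following is an added example in Python, not code from the thread, from Cisco or from Citrix: it models the application/x-www-form-urlencoded body the bookmark produces, builds a post:// URL of the shape Dominic posted, and runs a check that flags the mistakes discussed here (wrong URL path, a leading '=' in a value, missing fields). The NetBIOS domain "CORP", the session dictionary, and the way macros are substituted are assumptions; the ASA's real macro expansion and the post plug-in's handling of csco_preload are not documented in the thread.

```python
"""Added example (not from the thread): model the Citrix Web Interface
explicit-login POST that an ASA WebVPN bookmark or post:// plug-in URL
produces, and sanity-check a bookmark before handing it to the ASA."""
from urllib.parse import urlencode, urlsplit, parse_qsl

# The seven fields from the original post; the domain value is an assumption.
LOGIN_FIELDS = [
    ("LoginType", "Explicit"),
    ("user", "CSCO_WEBVPN_USERNAME"),
    ("password", "CSCO_WEBVPN_INTERNAL_PASSWORD"),
    ("domain", "CORP"),                      # assumption: NetBIOS domain name
    ("submitMode", "submit"),
    ("slLanguage", "en"),
    ("ReconnectAtLoginOption", "DisconnectedAndActive"),
]
LOGIN_PATH = "/Citrix/AccessPlatform/auth/login.aspx"

# Macro names used in the thread; their values come from the WebVPN session.
MACROS = {"CSCO_WEBVPN_USERNAME", "CSCO_WEBVPN_PASSWORD",
          "CSCO_WEBVPN_INTERNAL_PASSWORD"}


def expand_macros(fields, session):
    """Simulate (assumption) the ASA replacing CSCO_WEBVPN_* macros with
    values from the session. A macro the session cannot supply, e.g. no
    internal password was collected at WebVPN login, is left as the
    literal macro name so the problem is visible in the body."""
    return [(name, session.get(value, value) if value in MACROS else value)
            for name, value in fields]


def build_post_body(fields, session):
    """Form-encoded body of the bookmark POST. urlencode() escapes '&', '='
    and '+' inside a password, so a value such as 'p&ss=w+rd' cannot break
    the field boundaries."""
    return urlencode(expand_macros(fields, session))


def build_post_url(server, fields):
    """Single-line post:// bookmark of the shape posted in the thread, with
    the csco_preload and csco_ispopup parameters it carried. ':' and '/'
    are kept literal so the preload URL reads as in the original line."""
    target = server + LOGIN_PATH
    query = list(fields) + [("csco_preload", "http://" + target),
                            ("csco_ispopup", "yes")]
    return "post://" + target + "?" + urlencode(query, safe=":/")


def login_request(server, fields, session):
    """Request a client such as http.client could send directly to the WI,
    to test the Citrix side without the ASA in the path (no network here)."""
    return {
        "method": "POST",
        "url": "https://" + server + LOGIN_PATH,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": build_post_body(fields, session),
    }


def check_bookmark(url):
    """Return a list of problems a practitioner would want flagged."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "post":
        problems.append("scheme is %r, expected 'post'" % parts.scheme)
    if not parts.path.lower().endswith("/auth/login.aspx"):
        problems.append("path %r is not the explicit login page" % parts.path)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    for required in ("LoginType", "user", "password"):
        if required not in fields:
            problems.append("missing field " + required)
    for name, value in fields.items():
        if value.startswith("="):
            problems.append("field %s starts with '='; the '=' is added "
                            "for you, do not type it" % name)
    if fields.get("LoginType") not in (None, "Explicit"):
        problems.append("LoginType must be Explicit for username/password SSO")
    return problems


if __name__ == "__main__":
    # Constructed session: what the WebVPN login would have collected.
    demo_session = {"CSCO_WEBVPN_USERNAME": "jdoe",
                    "CSCO_WEBVPN_INTERNAL_PASSWORD": "p&ss=w+rd"}
    print(build_post_body(LOGIN_FIELDS, demo_session))
    good = build_post_url("yourserver.domain", LOGIN_FIELDS)
    print(good, check_bookmark(good))
    bad = "https://server/citrix/metaframe/?LoginType=%3DExplicit&user=CSCO_WEBVPN_USERNAME"
    print(check_bookmark(bad))
```

Running the script with the constructed session shows the password escaped as `p%26ss%3Dw%2Brd` in the body, an empty problem list for the post:// URL built from the thread's fields, and five problems for a bookmark that uses the /citrix/metaframe/ directory, the https scheme, a typed '=' in the value, and no password field.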

Ah, I had the incorrect URL in the bookmark. At least now I'm getting "ERROR: The supplied credentials were invalid. Please try again or contact your system admin for help"

Are you guys using LDAP for authentication?

No LDAP per se. WebVPN asks for an internal password and a passcode. The passcode controls access to the VPN. The internal password is not used during WebVPN login, but it is passed along to other apps for SSO.
