Author Topic: Multiple Domain authentication on AG  (Read 3895 times)

micah78
Multiple Domain authentication on AG
« on: November 05, 2012, 08:54:52 pm »
I've deployed a NS10 with AG and am having issues connecting from secondary domains.  Here are the specifics:

1 AG VIP
1 XenApp farm that is accessed potentially by users in 3 different domains:
chicago.company.loc
london.company.loc
tokyo.company.loc

XenApp servers all reside in "chicago.domain.loc"

Configured the NS/AG as normal with LDAP pointing to chicago.company.loc for authentication.
All works as expected.

First try:
On the Access Gateway vserver, applied the authentication policy for the second domain (london.company.loc).  When logging in, CAG authentication is successful for the london user, but the redirect to the WI throws an HTTP 401 Not Authorized error.  If I reverse the priorities of the Auth Policy, london users work as expected but chicago users fail.

Second try:
Created a second session policy on the AG that points SSO Domain to the Chicago domain.  This also doesn't work but probably because I don't know how to write a rule/expression to determine what session policy should be used.

What are the best options for this scenario?


micah78
Re: Multiple Domain authentication on AG
« Reply #1 on: November 07, 2012, 07:58:24 pm »
I was able to get this working by doing the following:

First, follow the steps outlined here:
http://support.citrix.com/article/CTX118657
(When creating the dropdown menu, I actually set the OptionGroup names to match the site name to document a little better and make it easy to see at a glance what they were referring to.)

Second, create an Authentication policy for each domain.

Third, create a Session policy for each domain.
Use the same expression as in the Authentication policy.  Then, you can set the "Single Sign On Domain" to match the domain in the Request Profile of the Session policy.

Hope this helps someone else....

jamie.harrison.au
Re: Multiple Domain authentication on AG
« Reply #2 on: March 06, 2013, 04:23:08 am »
Hi there,

This has helped me set up the session policies needed for the actual WI site; but out of interest, did you manage to get this going for PNAgent sites through the Netscaler as well? i.e. for iPad Receivers, etc. If so I'm curious how you got it going and whether there was anything special, as going through those Receivers I'd assume the "cookie" header won't contain the domains usable...

Cheers

Ganesh Kumar
Re: Multiple Domain authentication on AG
« Reply #3 on: May 10, 2013, 11:16:22 am »
Hi,

I have the same question. Please help me. Since the iPad does not set a cookie, which expression can we use?

How to make it work with the iPad?

Regards,
Ganesh

jamie.harrison.au
Re: Multiple Domain authentication on AG
« Reply #4 on: May 11, 2013, 11:11:44 pm »
In the end my experience was that there wasn't an expression to use. The SSO domain itself comes from the credentials passed via the Receiver (it asks for username, domain, password). I had to have my auth / session policies like this:

WebDomain1 (expression based on domain policy)
WebDomain2 (expression based on domain policy)
PNADomain1 (no expression, or just based on the receiver version)
PNADomain2 (as above)

This would in effect just try the credentials against the first auth server, and if it doesn't authenticate, then try the next one. And so on.

Catch is you're firing a failed authentication request at each domain until one passes (or they all fail), but it does seem to work.

Cheers
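To make the behaviour in the thread concrete, here is a small Python model, added as an example and not code from any poster or from Citrix, of how an AG vserver walks its bound auth and session policies by priority. It reproduces the 401 from the first post (auth cascades to the second LDAP server, but the single session policy still hands WI the Chicago SSO domain), the per-domain expression fix from Reply #1, and the "one failed bind per domain" cascade Jamie describes in Reply #4. The user accounts, the `domain=<site>` cookie fragment used as the policy expression, and the `ns_true` shorthand for a policy with no expression are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed accounts per domain (an assumption, not data from the thread).
DIRECTORY = {
    "chicago.company.loc": {"alice"},
    "london.company.loc": {"bob"},
}

@dataclass
class Policy:
    name: str
    domain: str                 # LDAP server; for a session policy, the SSO domain
    rule: Optional[str] = None  # substring the Cookie header must contain; None = ns_true
    priority: int = 100

def matches(policy: Policy, cookie: str) -> bool:
    return policy.rule is None or policy.rule in cookie

def cascade_auth(policies, cookie, user, password):
    """Try each matching auth policy by priority until one accepts the credentials."""
    tried = []
    for p in sorted(policies, key=lambda p: p.priority):
        if matches(p, cookie):
            tried.append(p.domain)
            if user in DIRECTORY[p.domain] and password == "correct":
                return p.domain, tried
    return None, tried

def login(auth_policies, session_policies, user, password, cookie=""):
    """Return (outcome, domains tried); outcome is 'ok', '401 at WI' or 'auth failed'."""
    auth_domain, tried = cascade_auth(auth_policies, cookie, user, password)
    if auth_domain is None:
        return "auth failed", tried
    sess = next((s for s in sorted(session_policies, key=lambda s: s.priority)
                 if matches(s, cookie)), None)
    # WI single sign-on uses the session profile's domain; a user authenticated
    # against another domain is handed to WI with the wrong domain and gets 401.
    if sess is None or sess.domain != auth_domain:
        return "401 at WI", tried
    return "ok", tried

# First attempt from the thread: two auth policies, one session policy pinned to Chicago.
AUTH_FIRST = [Policy("auth_chi", "chicago.company.loc", priority=100),
              Policy("auth_lon", "london.company.loc", priority=110)]
SESS_FIRST = [Policy("sess_chi", "chicago.company.loc")]
# Reply #1 fix: the same per-domain expression on both the auth and the session policy.
AUTH_FIX = [Policy("auth_chi", "chicago.company.loc", "domain=chicago"),
            Policy("auth_lon", "london.company.loc", "domain=london")]
SESS_FIX = [Policy("sess_chi", "chicago.company.loc", "domain=chicago"),
            Policy("sess_lon", "london.company.loc", "domain=london")]
```

The `tried` list returned by `login` is the cost Jamie points out: with no expression on the policies, every domain ahead of the user's own in priority order sees a failed bind before the right one succeeds.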

Ganesh Kumar
Re: Multiple Domain authentication on AG
« Reply #5 on: May 12, 2013, 03:29:30 am »
Hi Jamie,

Thanks for your response.

If I understood correctly, I need to create 2 session policies for the iPad (1 for each domain), add the respective domains in the session profile for each policy, bind these 2 session policies to the vserver and prioritize them.

Total 2 session policies and 2 session profiles.

Is that correct?

Regards,
Ganesh