000033532 - How to increase the chances of successfully configuring Citrix Delegated Forms Authentication (DFA) with the RSA Authentication Agent 1.0 for Citrix StoreFront

Document created by RSA Customer Support Employee on Jul 19, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 7

Article Content

Article Number: 000033532

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for Citrix StoreFront
RSA Version/Condition: 1.0
Platform: Windows

Issue
The most common error with RBA and the RSA Authentication Agent for Citrix StoreFront is the message:
ERROR: RSA Credentials not found


The web page may stop there or it may redirect to a Citrix Receiver where it requires a passcode because RBA logon failed:

Citrix Logon Fails -> PassCode

The most common reason for the message "RSA Credentials not found" is that Citrix Delegated Forms Authentication (DFA) was not correctly configured, so no form was presented to RBA in which to place its credentials; therefore no RSA credentials were found.
If you are running a Fiddler HTTP trace, you may see the errors shown here. For a quick introduction, watch the Fiddler Quick Start Guide - HTTP Debugging Software.

Errors seen in the trace:
  • 405 HTTP verb error
  • Redirect loop
  • Blank screen, never redirects
  • Agent Integration Error
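The symptoms listed above can be picked out of a saved trace rather than read by eye. The following is an added example, not part of the original article or of any RSA or Citrix tooling: it scans a Fiddler session exported as HTTPArchive v1.2 (HAR) for 405 responses, repeated redirect hops, and a final empty 200 page. The host names, paths, the loop threshold and the "empty 200 means blank screen" heuristic are assumptions made for illustration.

```python
import json
from collections import Counter

def _e(method, url, status, redirect="", size=0):
    """Build one minimal HAR 1.2 entry for the constructed sample below."""
    return {"request": {"method": method, "url": url},
            "response": {"status": status, "redirectURL": redirect,
                         "content": {"size": size}}}

# Constructed trace: hosts and paths are placeholders, not real DFA URLs.
GW, SF = "https://gateway.example.test", "https://storefront.example.test"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _e("POST", SF + "/helper/form", 405),
    _e("GET", GW + "/logon", 302, SF + "/auth"),
    _e("GET", SF + "/auth", 302, GW + "/logon"),
    _e("GET", GW + "/logon", 302, SF + "/auth"),
    _e("GET", SF + "/auth", 302, GW + "/logon"),
    _e("GET", GW + "/logon", 200, size=0),
]}})

def triage(har_text, loop_threshold=2):
    """Return (kind, detail) findings for the symptoms listed in the article."""
    entries = json.loads(har_text)["log"]["entries"]
    findings, hops = [], Counter()
    for entry in entries:
        req, resp = entry["request"], entry["response"]
        # 405: the server rejected the HTTP verb used for this URL.
        if resp["status"] == 405:
            findings.append(("405", f'{req["method"]} {req["url"]}'))
        # The same source -> target redirect seen repeatedly indicates a loop.
        if 300 <= resp["status"] < 400 and resp.get("redirectURL"):
            hop = (req["url"], resp["redirectURL"])
            hops[hop] += 1
            if hops[hop] == loop_threshold:
                findings.append(("redirect-loop", f"{hop[0]} -> {hop[1]}"))
    if entries:
        # Assumed heuristic: trace ends on an empty 200 with no further redirect.
        last = entries[-1]
        size = last["response"].get("content", {}).get("size")
        if last["response"]["status"] == 200 and size == 0:
            findings.append(("blank-page", last["request"]["url"]))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HAR):
        print(f"{kind:14} {detail}")
```

To use it on a real capture, pass the text of the exported .har file to triage() in place of SAMPLE_HAR.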

Tasks
Before proceeding, you must get DFA working on Citrix StoreFront, including integrating with NetScaler, before introducing any RSA SecurID agent or configuration. You should be able to configure DFA without SecurID, and verify that both NetScaler and StoreFront are correctly configured by authenticating through DFA using a Citrix username and password.
As of Summer 2016, the RSA Authentication Agent for Citrix StoreFront supported only Citrix StoreFront version 3.0, and did not support versions 3.5 or 3.6.
Steps to follow are:
  1. Install the RSA Authentication Agent for Citrix StoreFront and get authentication working with either a tokencode or passcode from a hardware or software token, or with a fixed passcode.
  2. Install the RBA Helper.
  3. Configure RBA with the Citrix NetScaler 11 with the DFA integration script for RBA.
  4. See article 000033186 How to increase chances for successfully implementing Risk Based Authentication on the RSA Authentication Agent for Citrix StoreFront, as well as the RSA Authentication Agent for Citrix StoreFront 1.0 Installation and Administration Guide.
Resolution
Run the DFA PowerShell cmdlet to configure DFA to use the Citrix user name and password authentication method and confirm it is working properly.
  1. Launch an Administrator PowerShell window and set up the Citrix DFA-related PowerShell cmdlets.
  2. Enable the DFA Server using Install-DSDFAServer.
  3. Create the DFA Client (used by NetScaler) using the command Add-DSCitrixPskTrustedClient. For example:
    Add-DSCitrixPskTrustedClient -clientid 2189 -passphrase <passphrase>

  4. Verify that the NetScaler is also configured to use DFA, via the NetScaler Admin Console.
  5. Check the DFA policy and the DFA serverURL.
  6. Check ClientID.  In this example it is 2189.

Client ID

  1. And when debugging DFA:
    1. Check that Authentication Policy has the correct DFA serverURL and Client ID.
    2. Debug output is in LogonPoint files.
    3. DFA enables NetScaler to defer authentication to StoreFront, extends RSA SecurID to external users, and is required to support integration with Authentication Manager RBA.
  2. Then install the RSA Authentication Agent for Citrix StoreFront for tokens or fixed passcodes, with the StoreFront DFA configured to use RSA SecurID.
    Use the PowerShell cmdlet to configure SecurID and to verify that SecurIDAuthentication is set as the ConversationFactory.
    Set-DSDFAProperty -ConversationFactory "SecurIDAuthentication"

DFA SID1st -ConversationFactory

  1. Use PowerShell cmdlets to verify that DFA is enabled on the Citrix StoreFront.  See the section of the RSA Authentication Agent for Citrix StoreFront 1.0 Installation and Administration Guide on how to "Configure Delegated Forms Authentication to Use RSA SecurID Authentication."
  2. Finally install the RBA Helper app and configure RBA on top of the working SecurID passcode setup.
    1. The RBA Helper is a small IIS web application that provides a form which Authentication Manager needs to post the RBA credentials.
    2. The RBA Helper performs no authentication and is not displayed to the user, but can be configured to be visible in order to debug.
    3. The RBA Helper places the RBA credentials into a secure cookie and redirects the authentication to the DFA URL. An integration script running in the DFA URL collects the cookie and submits the credentials to the Citrix agent.
Notes
For details on Citrix StoreFront DFA commands such as Add-DSCitrixPskTrustedClient, refer to any of the following: