Risk based authentication (RBA) with Citrix StoreFront and Netscaler
Has anybody out there successfully configured RBA to work with Citrix Storefront (and Netscaler)?
I've tried following RSA's implementation guide, but the documentation is confusing and lacks detail. RSA Support has been less than helpful so far.
If you have got this working, could you share some config file samples? Specifically your working versions of am_integration.js, rba_logon.html, index_rba.html (sanitized of course).
I've already reviewed that document.
I think most of our problems are with the rba_logon.html and the instructions that RSA provides to configure this file. The instructions say to copy script blocks into the middle of other script blocks, leave out important required stuff (like </script> tags), etc. Loading the page in a browser generates errors.
I could really use some real life examples of the config files.
If you ever did the old NetScaler RBA integration, you may need to undo it. The NetScaler RADIUS client does not need to be deleted, as it will be ignored by the RBA-to-Citrix StoreFront (SF Agent) integration.
You need to get DFA working through StoreFront with passwords first, following 33532 as Ed pointed out or talking to Citrix support. If DFA is not right for passwords, it will never work for RBA.
Once that works, then you add the RSA agent for Citrix and do two Test Auths in the RSA Control Center with a Token or Fixed Passcode to create and read the node secret on the SF agent. You may need to enable RBA and other forms of authentication, not RBA only, on your agent for a passcode to work.
After that, logon to Citrix (I assume through your NetScaler) with a Token or Fixed Passcode.
Finally, install the RBA helper; it is easier to do this on the StoreFront server itself.
Download the RBA script for the specific StoreFront Agent, selecting the DFA version.
If you have internal and external Domain Names, use the external one in the .js script.
This part is kind of covered in another KB, 33186, "How to increase your chances of successfully configuring RBA for StoreFront".
Once you get here, if you can successfully logon with an RBA password and either pass thru because risk is low, or with additional step up Security Questions or ODA if the risk is high, you will still need to authenticate a second time with your same password on the StoreFront. That can be fixed with Windows Password Integration. If this fails, get verbose Citrix agent logs and open a Support case.
If you get it all working, then you can configure a load balancer or High Availability HA, refer to KB 34328 000034238 - How to configure High Availability (HA) on multiple RSA Authentication Agents for Citrix StoreFront with Risk Based Authentication (RBA)
Please note that the Citrix StoreFront agent is designed to work with 3.0, but has not been qualified on 3.5 or 3.6. But it has worked.
Thank you Jay for the information. I rebuilt everything from scratch and I am able to log in to StoreFront via DFA with SecurID passcode and LDAP password. However, I still can't get RBA to work. I've installed the RBA helper on another DMZ server, which is reachable by the client's browser. When I hit the NSVirtualServer, I am redirected to the Web Tier for RBA authorization, which succeeds, and then redirects me to the NSVirtualServer for Passcode authentication again. I have only enabled "Passthrough from Netscaler" as the auth method on the StoreFront, and disabled RSA SecurID, but still get prompted for SecurID.
you will still need to authenticate a second time with your same password on the StoreFront. That can be fixed with Windows Password Integration.
The Implementation Guide makes no mention of this "double login". In fact the Guide states:
3. After successful authentication at RSA Web Tier, the user’s browser will post the user’s username, RBA artifact and related information using SSL to the RSA RBA Helper application. The RBA Helper application stores this information in a secure session cookie in the user’s browser and then redirects the browser to a customized NetScaler Gateway virtual server logon page.
4. The customized NetScaler Gateway logon page extracts the user’s credentials from the cookie for logon.
5. The NetScaler Gateway Citrix Distributed Forms Authentication (DFA) authentication policy sends the user’s credentials to Citrix StoreFront for validation.
6. Citrix StoreFront invokes the RSA Authentication Agent for Citrix StoreFront which calls into RSA Authentication Manager to authenticate the user’s credentials.
There is nothing about requiring Windows Password Integration.
Is a second NSVirtualServer required to separate the Storefront and RBAHelper requests?
The double test logon is a support trick I learned to head off problems that could result in support calls. Your first successful authentication creates the node secret and the AM server sends it to the Agent. The second successful authentication proves that the node secret was received by the Windows Agent and is readable in the C:\Program Files\Common Files\RSA Shared\Auth Data directory. This 'trick' is not in the docs because it is not required, and most of the time not needed. But if you did not have full Admin rights when you installed the agent, you might spend a significant amount of time finding this permissions issue.
The whole purpose of the Citrix StoreFront agent - which is a variation on the Windows agent - is to prevent the second Windows authentication required when you reach the StoreFront after authenticating with RBA through the NetScaler. Windows Password Integration is listed as one of the topics in section 1 of the Authentication Agent for Citrix StoreFront Installation and Administration Guide, but the RBA Integration with Citrix NetScaler and RSA Authentication Agent for Citrix StoreFront Implementation Guide fails to mention it. Not sure why; maybe Partner thought it would be redundant to the AM agent for Citrix StoreFront Admin Guide.
It does sound like you are close. You probably should open a case, and get us the agent logs. If necessary, sometimes we can do a Fiddler trace to figure out if the redirects are good, and we have some debug tools from Engineering.
Thanks again Jay. I have enabled Offline Authentication and Windows Password Integration in my default Authentication Policy on AM, however this does not seem to have had any effect on my problems. I've had a ticket with RSA Support open for a week now, but have yet to get any meaningful help with the issue.
When I try the login process with the browser developer toolbar open, I can clearly see this error is generated:
SCRIPT5009: 'Resources' is undefined
Which is a reference to a line of code that the Implementation Guide tells me to copy into that HTML file:
Which is why I'd really like to look at someones actual working implementation of these files to see where they inserted these code blocks to get this working.
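As an added illustration of the flow the Implementation Guide describes in steps 3 and 4 above (the RBA Helper stores the username and RBA artifact in a cookie, and the customized NetScaler Gateway logon page extracts them for logon), here is example JavaScript that is not from the RSA guide, from the am_integration.js/rba_logon.html shipped with the helper, or from anyone in this thread. The cookie names (rbaUser, rbaArtifact), the form field names (login, passwd) and the form name (vpnForm) are assumptions for illustration; the real names come from the helper and the NetScaler page. It also shows the kind of guard that avoids a hard failure when a page global such as Resources is not defined, which is the class of error behind "SCRIPT5009: 'Resources' is undefined".

```javascript
// Added example, not code from RSA or from the thread.
// Models: cookie set by the RBA Helper -> customized NetScaler logon page reads it -> form posted to DFA.

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw; // malformed percent-encoding: keep the raw value rather than throwing
    }
  }
  return out;
}

// Assumed cookie names; the real ones are defined by the RBA Helper.
const RBA_COOKIE_NAMES = { username: 'rbaUser', artifact: 'rbaArtifact' };

// Only allow the characters an opaque token would plausibly contain before it is put into a form.
const ARTIFACT_RE = /^[A-Za-z0-9+/=_\-.:]+$/;

// Returns { username, artifact } or null when the cookie is missing or malformed.
function extractRbaCredentials(cookieHeader) {
  const cookies = parseCookies(cookieHeader);
  const username = cookies[RBA_COOKIE_NAMES.username];
  const artifact = cookies[RBA_COOKIE_NAMES.artifact];
  if (!username || !artifact) return null;
  if (!ARTIFACT_RE.test(artifact)) return null;
  return { username, artifact };
}

// Safe lookup of a page global: `typeof` does not throw on an undeclared identifier,
// a bare reference does (the SCRIPT5009 failure mode).
function getGlobal(name, fallback) {
  return typeof globalThis[name] !== 'undefined' ? globalThis[name] : fallback;
}

// `fields` is a map of input name -> element-like object with a `value` property
// (in the browser this is form.elements). Field names are assumptions.
function fillLogonForm(fields, creds) {
  if (!creds || !fields || !fields.login || !fields.passwd) return false;
  fields.login.value = creds.username;
  // The artifact goes where the DFA policy expects the credential it forwards to StoreFront,
  // which hands it to the RSA agent for validation.
  fields.passwd.value = creds.artifact;
  return true;
}

// Browser entry point; a no-op outside a page so the module also loads under Node.
function onPageLoad() {
  if (typeof document === 'undefined') return false;
  const creds = extractRbaCredentials(document.cookie);
  if (!creds) return false;
  const form = document.forms.namedItem('vpnForm'); // assumed form name
  if (!form) return false;
  const labels = getGlobal('Resources', {}); // never dereference Resources directly
  return fillLogonForm(form.elements, creds) && typeof labels === 'object';
}

// Constructed sample header, not captured from a real deployment.
const SAMPLE_COOKIE = 'ASPSESSIONID=abc123; rbaUser=jdoe%40corp.example.com; rbaArtifact=AAQ-1234.xyz';

if (typeof module !== 'undefined') {
  module.exports = { parseCookies, extractRbaCredentials, getGlobal, fillLogonForm, onPageLoad, SAMPLE_COOKIE };
}
```

The point of the guard around Resources is that a customized logon page is loaded in whatever order the page author produced when splicing the guide's script blocks together; referencing a global before its script has run is a hard error in the browser, whereas checking it with typeof degrades to a fallback and lets the credential hand-off complete.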