How to increase the chances of successfully configuring Citrix Delegated Forms Authentication (DFA) with the RSA Authentication Agent 1.0 for Citrix StoreFront
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for Citrix StoreFront
RSA Version/Condition: 1.0
Platform: Windows
The most common error with risk-based authentication (RBA) and the RSA Authentication Agent for Citrix StoreFront is the message:
ERROR: RSA Credentials not found
The web page may stop there, or it may redirect to a Citrix Receiver, where it requires a passcode because the RBA logon failed.
The most common reason for the message "RSA Credentials not found" is that Citrix Delegated Forms Authentication (DFA) was not correctly configured. No form was presented to RBA in which to place the credentials, so no RSA credentials were found.
Before proceeding, you must get DFA working on Citrix StoreFront, including integrating with NetScaler, before introducing any RSA SecurID agent or configuration. You should be able to configure DFA without SecurID, and verify that both NetScaler and StoreFront are correctly configured by authenticating through DFA using a Citrix username and password.
As of Summer 2016, the RSA Authentication Agent for Citrix StoreFront supported only Citrix StoreFront version 3.0; it did not support versions 3.5 or 3.6.
The steps to follow are:
1. Install the RSA Authentication Agent for Citrix StoreFront and get authentication working with either a tokencode or passcode from a hardware or software token, or with a fixed passcode.
2. Install the RBA Helper.
3. Configure RBA with the Citrix NetScaler 11 using the DFA integration script for RBA.
4. Verify, via the NetScaler Admin Console, that the NetScaler is also configured to use DFA:
   - Check the DFA policy and its DFA serverURL.
   - Check the ClientID. In this example it is 2189.
When debugging DFA:
   - Check that the Authentication Policy has the correct DFA serverURL and Client ID.
   - Debug output is in the LogonPoint files.
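The serverURL and Client ID checks above can also be run against a saved copy of the NetScaler configuration. The following Python sketch is an added example, not RSA or Citrix code. It assumes the DFA entries appear as "add authentication dfaAction" and "add authentication dfaPolicy" lines; the host name, URL path and object names in the sample are constructed placeholders, and only the Client ID 2189 comes from this article.

```python
import shlex

# Constructed sample of NetScaler saved-configuration lines (not from the
# article). Assumption: DFA is defined with "add authentication dfaAction" and
# "add authentication dfaPolicy"; names, host and URL path are placeholders.
SAMPLE_CONFIG = """\
add authentication dfaAction dfa_act_sf -clientID 2189 -serverUrl "https://storefront.example.test/placeholder/dfa" -passphrase REDACTED -encrypted
add authentication dfaPolicy dfa_pol_sf -rule ns_true -action dfa_act_sf
add authentication dfaPolicy dfa_pol_old -rule ns_true -action dfa_act_gone
"""

def _options(tokens):
    """Turn ['-clientID', '2189', '-encrypted'] into a lower-cased dict."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            opts[tok[1:].lower()] = "" if nxt.startswith("-") else nxt
    return opts

def parse_dfa(config_text):
    """Return ({action: options}, {policy: action name}) for DFA entries."""
    actions, policies = {}, {}
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or [t.lower() for t in tok[:2]] != ["add", "authentication"]:
            continue
        if tok[2].lower() == "dfaaction":
            actions[tok[3]] = _options(tok[4:])
        elif tok[2].lower() == "dfapolicy":
            policies[tok[3]] = _options(tok[4:]).get("action", "")
    return actions, policies

def check_dfa(config_text, client_id, server_url):
    """List mismatches between the NetScaler DFA entries and StoreFront's values."""
    actions, policies = parse_dfa(config_text)
    findings = [] if policies else ["no DFA policy is defined"]
    for pol, act in policies.items():
        opts = actions.get(act)
        if opts is None:
            findings.append(f"{pol}: action '{act}' is not defined")
            continue
        if opts.get("clientid") != client_id:
            findings.append(f"{pol}: clientID is '{opts.get('clientid')}', expected '{client_id}'")
        if opts.get("serverurl", "").rstrip("/") != server_url.rstrip("/"):
            findings.append(f"{pol}: serverUrl is '{opts.get('serverurl')}', expected '{server_url}'")
    return findings

if __name__ == "__main__":
    print("\n".join(check_dfa(SAMPLE_CONFIG, "2189", "https://storefront.example.test/placeholder/dfa")))
```

An empty result means every DFA policy points at a defined action whose Client ID and serverURL match the values configured on StoreFront; the sample deliberately includes one policy bound to a missing action.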
DFA enables NetScaler to defer authentication to StoreFront, extends RSA SecurID to external users, and is required to support integration with Authentication Manager RBA.
Then install the RSA Authentication Agent for Citrix StoreFront for tokens or fixed passcodes, with the StoreFront DFA configured to use RSA SecurID. Use the PowerShell cmdlet to configure SecurID and to verify that SecurIDAuthentication is set as the ConversationFactory.
Finally, install the RBA Helper app and configure RBA on top of the working SecurID passcode setup.
The RBA Helper is a small IIS web application that provides the form that Authentication Manager needs in order to post the RBA credentials.
The RBA Helper performs no authentication and is not displayed to the user, but can be configured to be visible in order to debug.
The RBA Helper places the RBA credentials into a secure cookie and redirects the authentication to the DFA URL. An integration script running in the DFA URL collects the cookie and submits the credentials to the Citrix agent.
For details on Citrix StoreFront DFA commands such as Add-DSCitrixPskTrustedClient, refer to any of the following: