ShareFile Connectors Authentication and Single Sign-on

ShareFile Enterprise includes support for connecting to existing network drives and SharePoint document libraries from within the ShareFile app for iOS and Android. This article details the authentication events for ShareFile Connectors when deployed as part of a XenMobile solution.

Figure 1: Authentication events

There are five authentication events involved for ShareFile Connectors in a XenMobile deployment:


  1. Secure Hub authenticates to XenMobile.
  2. The ShareFile app authenticates to
  3. ShareFile app authenticates to NetScaler in the DMZ when accessing connectors.
  4. NetScaler authenticates to the ShareFile StorageZone controller. HTTP Basic is the default method for this step; Kerberos authentication is also possible.
  5. StorageZone Controller impersonates the domain user account and authenticates to the network share or SharePoint server on behalf of that user. Kerberos and NTLM are supported.

Single sign-on to

When using MDX-wrapped apps with XenMobile, single sign-on from Secure Hub to is achieved using SAML. The App Controller acts as the SAML Identity Provider (IDP) configured in the ShareFile account. When the app is launched, Secure Hub obtains a SAML token for the user from App Controller and passes it to the ShareFile MDX app along with information about the ShareFile sub-domain. Secure Mail for iOS uses the same technique for authentication to ShareFile in order to present the user with a list of files and folders when they select the Attach from ShareFile option.

Separate Authentication Required for Connectors

The sign-on to enables access to native ShareFile data if the data resides in a Citrix-managed StorageZone in the ShareFile cloud or in a customer-managed StorageZone, but it does not authenticate the user to any StorageZone Connectors that may be assigned to the user.

To access Connectors data sources like network drives and SharePoint document libraries, the user must also authenticate to the Active Directory domain in which the network shares or SharePoint servers reside. Steps 3 through 5 in Figure 1 represent this separate authentication flow.

XenMobile MicroVPN Settings

ShareFile MDX-enabled mobile applications can be configured to use the following Network access policies in XenMobile App Controller:

Network Access setting options

  • Blocked – In this mode of operation, which is the default setting for new applications, network access is not allowed and the ShareFile app cannot function. The network access setting must be changed to one of the other options.
  • Unrestricted – In this mode of operation, traffic from the ShareFile app is permitted to contact any host on the Internet. When communicating with the control plane, traffic flows directly from the client to, or directly to the external address of any storage zone.
  • Tunneled to the internal network – In this mode of operation, all network traffic from the ShareFile app is intercepted by the Worx MDX framework and redirected through the NetScaler Gateway using an app-specific MicroVPN.

    When the Network access setting is configured for Tunneled mode, the Initial VPN Mode setting becomes relevant to the connection.

Initial VPN Mode setting options

  • Full VPN Tunnel – In this mode of tunneling, traffic between the client and the destination is not modified in any way by NetScaler Gateway. This method is required for applications that perform end-to-end SSL connections using certificate-based authentication.
  • Secure browse – In this mode of tunneling, SSL/HTTP traffic from the MDX app is terminated by the MDX framework, which then initiates new connections to internal resources on the user’s behalf.

Consider the following points as you design your XenMobile and ShareFile deployment:

  • Single sign-on to is available for the ShareFile MDX-wrapped applications and Secure Mail, by configuring App Controller with ShareFile account details.
  • Authentication to is not sufficient to authenticate users to domain-joined network shares and SharePoint document libraries.

Additional Resources

Configure ShareFile Single Sign-On with XenMobile

XenMobile ShareFile Mobile App SSO using SAML

Secure Mobile Data Access with Worx-enabled ShareFile



'404 Not Found' when trying to browse a newly published Managed Path in SharePoint when accessed using Storage Zones Controller SharePoint Connector

After publishing a new Managed Path in SharePoint, you may find that attempts to access this resource by using Storage Zones Controller SharePoint Connector fail. Upon closer inspection, the Storage Zone Controller log files may contain error messages similar to the following:

ERROR GetParent:: Exception thrown Message(The remote server returned an error: (404) Not Found.) StackTrace( at System.Net.HttpWebRequest.GetResponse()
at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()
at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
at SharePointConnector*Util.SharePointUtility.GetParent(ClientObject spItem))



Indexing remote SharePoint documents (O365) using WebDAV

I need a solution


Good afternoon. Does anyone know how to format a SharePoint Online (O365) URL for DLP indexing (IDM) use?

I know and already use SharePoint on-premises WebDAV, but I cannot do the same with O365 SharePoint. I’ve read that SharePoint O365 also uses WebDAV for drive mapping.

Has anyone done anything similar that might help?





Workspace: Personal Cloud Connectors

Notes and Limitations

Feature Availability

  • For information on plans and features, click here.
  • Due to compliance concerns, this feature cannot be used by users utilizing:

On-Prem Customer Restrictions

  • Personal Cloud Connectors are supported for accounts utilizing Customer-Managed storage zones that are associated with Citrix-Managed storage zones.
  • This feature is not available to accounts with no association to a Citrix-Managed storage zone, including on-prem or tenant setups.
  • File uploads to Personal Cloud or SharePoint Online currently have a maximum upload size of 200 MB per file.
  • File uploads to the OneDrive for Business Connector currently have a maximum upload size of 15 GB.
  • Currently, Connectors must have a unique display name. Users are blocked from using a connector name that is currently in use elsewhere on the account.

Supported Apps

Web App: Latest version
Mobile Apps: iOS, Android, Universal Windows Platform
Desktop Apps: Workspace Desktop, Drive Mapper

Enable a Personal Cloud Connector

A Personal Cloud Connector must be enabled by an Admin user before it can be accessed. Only users with the Create and Manage Connectors permission can enable connectors on the account.

Office 365 Connectors require additional steps – see the following section of this article for more info.

Navigate to Account Settings -> File Settings -> My Connectors to view the cloud services available. Once the connection is added, only you have access to the data.


Click the Connect button to turn on that Connector for users on your account.

Once a Connector has been enabled, you can manage Connector Access. By adding a user to the access list for a specific Connector, that user is then able to use the Connector to link their account to another data storage service. Save your access changes to continue.

NOTE: The Connector creator and the Super User Group are automatically granted access to the Connector type.



Connector Sharing

Connector sharing allows you to share files stored in on-premises Network Shares and SharePoint locations, as well as other file storage services like Dropbox or Box. When sharing on-prem files, a copy of the file is uploaded to the sender’s File Box.

This feature allows you to:

  • Share on-prem files securely via the Email with ShareFile or Get a Link options, without granting recipients access to your on-premises storage location.
  • Share files stored in other file storage services via the Personal Cloud Connectors feature.
  • Share files stored in a Connector with IRM protections. Click here for information on Protected Sharing. (This capability requires StorageZones Controller 4.2 or later)

System Requirements

  • StorageZones Controller 3.4 or later (if sharing on-prem files, not required for Personal Cloud Connector sharing)
  • Microsoft .NET 4.5.2 installed on the StorageZones Controller Server

Plan Requirements

  • This feature is available for Enterprise accounts

User Requirements

  • To share a file from a connector location, you must be an Employee user with the “Use Personal File Box” permission.
  • An Employee user’s ShareFile Username must match the user’s email address in Active Directory.
  • Users must be on the same Windows Active Directory domain as the StorageZones Controller.
  • Client users cannot utilize this feature.

Enable Connector Sharing

View Only Support

  • In order to share a file from your Connector as a View-Only message, you must have a View-Only enabled File Box.
  • Click here for more information on enabling View-Only Sharing.
  • This feature requires SZC v3.4.1 or later.

Share a File from Connectors (Web App 4.6 and later)

Navigate to the Network Share or SharePoint location where your file is stored. To share, right-click a file and choose Email with ShareFile or Get a Link.

This feature allows you to share on-premises files with the same customizable Notification and Security message options available for files stored on ShareFile servers. The Expiration Policy you set in Message Options will override that of the File Box. When sharing on-premises files, your file is copied to the File Box where it is subsequently downloaded by your recipient. Your recipient does not download files directly from your on-premises storage location. Due to this behavior, please allow your file time to upload to the File Box when using the Get a Link option.

Note Regarding File Version

Your file is copied to the File Box when it is sent. Due to this behavior, your recipient will receive the version of your file as it was at the time of the share. Updates to your file are not automatically uploaded to the File Box. If you update your file, you must compose another message to send the latest version of the file.

Supported Apps

Connector Sharing is supported on the following ShareFile apps:

  • ShareFile for Android v4.1 and later
  • ShareFile for Windows 10 v4.1 and later
  • ShareFile for iOS v4.0 and later
  • ShareFile Web App v4.6 and later
  • ShareFile Plugin for Microsoft Outlook v3.9 and later
  • ShareFile Desktop App v1.4 and later.

Note Regarding Restricted Zones

A user cannot use this feature if their File Box is located on a Restricted Zone.

Note regarding Users Provisioned by XenMobile

User accounts provisioned by a XenMobile server do not receive File Box access. ShareFile recommends provisioning users via the User Management Tool or manually enabling the “Use personal File Box” permission for each user.

Known Issues

  • If the user attempting to share from a CIFS Connector has an on-premises File Box, the share may fail. In the event of this error, ShareFile recommends using NTLM authentication.
  • Folders cannot be shared using this method.


    ASG | Maximum concurrent client connection limit of 2500 reached

    I need a solution

    Dear All,

    My customer has an ASG S200-30-U500 and they use the Explicit proxy type.

    We found an issue where sometimes clients access the Internet slowly. After I checked the event log, we found the message below:

    After I checked this message, it concerns the client connection license for the U500, which has a limit of 2500.

    If 2500 is reached, the proxy will queue client Internet access, because the customer configured it that way.

    Then I checked why there were more client connections than ever. We found they had implemented Office 365 OneDrive for Business.

    Please see the report from Reporter:

    Before the OneDrive requests:

    After the OneDrive implementation:

    From the information above, it makes the client connections reach the sizing limit of the device.

    My customer has a question before extending the license.

    They would like to know whether the device can control the usage of OneDrive & SharePoint by limiting its concurrent usage, either connections or bandwidth.

    Please recommend.

    Best Regards,

    Chakuttha R.




    Citrix Content Collaboration Connector SSO for Network Shares and SharePoint on‐prem

    Summary of items

    1. SharePoint Configuration
    2. NetScaler (internal load balancer) Configuration
    3. Configure SplitDNS
    4. Configure Citrix Storage Zone
    5. AD Delegation
    6. Browsers

    SharePoint Configuration

    Set the SPN for the SharePoint service account


    This is a standard SharePoint requirement which references the service account used during the installation of SharePoint itself. The service account used below is usually the one that SharePoint was initially installed with.

    1. From any server, open CMD (elevate with account with the appropriate SharePoint rights)
    2. Type the following:

    SetSPN -S HTTP/SharePoint domainserviceaccountname

    SetSPN -S HTTP/ domainserviceaccountname


    KCD work is not required for the Network Connectors, this will be using NTLM.
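The SPN registration above is the step Kerberos to SharePoint stands or falls on, so here is an added check (not from the Citrix article) that audits it from Active Directory with the RSAT ActiveDirectory module rather than setspn. The service account name and the two SPN host names are placeholders for your own; everything else is generic.

```powershell
# Added example (not from the Citrix article): audit the HTTP SPNs that Kerberos to SharePoint
# depends on, using the ActiveDirectory RSAT module instead of setspn. The service account and
# host names are placeholders for the ones in your environment.
Import-Module ActiveDirectory

$expectedAccount = 'spfarm'                                   # placeholder: SharePoint service account
$spns = @('HTTP/SharePoint', 'HTTP/sharepoint.contoso.local') # placeholders: NetBIOS and FQDN SPNs

function Test-SharePointSpn {
    param([string[]]$Spn, [string]$ExpectedAccount)
    $ok = $true
    foreach ($s in $Spn) {
        # Every object (user, computer, gMSA) in the domain that holds this SPN.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$s)" -Properties sAMAccountName)
        switch ($holders.Count) {
            0 {
                # Missing SPN: the KDC cannot issue a service ticket, so Negotiate falls back to NTLM or fails.
                Write-Warning "$s is not registered on any account"
                $ok = $false
            }
            1 {
                if ($holders[0].sAMAccountName -ieq $ExpectedAccount) {
                    Write-Host "$s -> $($holders[0].sAMAccountName) (OK)"
                } else {
                    # Registered on the wrong principal: the ticket is encrypted with a key the
                    # SharePoint app pool does not hold, so Kerberos fails even though the SPN "exists".
                    Write-Warning "$s is registered to $($holders[0].sAMAccountName), expected $ExpectedAccount"
                    $ok = $false
                }
            }
            default {
                # Duplicate SPN: the KDC cannot pick a key (it logs KDC event 11) and Kerberos fails.
                Write-Warning "$s is duplicated on: $($holders.sAMAccountName -join ', ')"
                $ok = $false
            }
        }
    }
    return $ok
}

if (-not (Test-SharePointSpn -Spn $spns -ExpectedAccount $expectedAccount)) {
    Write-Host 'Repair with setspn -S as in the steps above; -S refuses to create a duplicate SPN.'
}
```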

    SharePoint Configuration

    1. On the Central Administration page, under Quick Launch, click Security, and in the General Security section click Specify authentication providers.
    2. On the Authentication Providers page, select the zone for which you want to change authentication settings.
    3. On the Edit Authentication page, and in the Authentication Type section ensure this is set to Windows (selected by default).
    4. In the IIS Authentication Settings section, select Negotiate (Kerberos). Note: If you select Negotiate (Kerberos) you must perform additional steps to configure authentication (below).
    5. Click Save.

    NetScaler (internal Load balancer) Configuration

    The reason for this configuration is to split the external and internal traffic. AAA authentication is used for external user authentication to Connectors, but AAA is not a necessity for internal use, especially where web access to Network Shares/SharePoint SSO is required via web browsers.


    AAA requires a NetScaler Enterprise and above license to use.

    If the NetScaler wizard has been used to configure a storage zone, then you would typically see LBVIPs bound to a Content Switch, such as:

    _SF_CS_ShareFile = External Content Switch

    The External config would typically have:

    • 1 x Content Switch, with Policies, Responders, Callouts.
    • 3 x LBVIPs
      • ShareFile Data LBVIP
      • Connectors LBVIP with AAA enabled


    If Web Access to Connectors is required then additional configuration is needed in addition to the wizard, which adds the OPTIONS LBVIP to the Content Switch. Please see this article in section “Configure NetScaler for restricted zones or web access to Connectors”.

    Now we would need an additional configuration to route the internal traffic. This would typically be a Load Balancing virtual server (LBVIP) rather than a Content Switch. In this instruction we are going to:

    • Create the Server(s) – create a connection to all the storage zone controllers within a single Zone.
    • Create a Service Group – group the servers into a group
    • Create an LBVIP – create the Load Balancing virtual server

    Create the Server(s)

    1. Log into the NetScaler and browse to:
    2. Click Add.
    3. Create a name, e.g. SZ_Server.
    4. Input the IP address of the Citrix storage zone controller.
    5. Click Create.
    6. Repeat for all storage zone controllers.

    Create a Service Group

    1. Log into the NetScaler and browse to:
    2. Click Add.
    3. Create a name, e.g. SZ_Service_Group.
    4. Protocol: SSL.
    5. Click OK.
    6. Click on Service Group Members.
    7. Select the Server Based option, then click on Select Server.
    8. Click the checkboxes on each of the storage zone controller servers and then click Select.
    9. Enter Port*: 443.
    10. Click Create.
    11. Click OK to continue.
    12. Click Done.

    Create an LBVIP

    1. Log into the NetScaler and browse to:
    2. Click Add to create the storage zone LBVIP:

    Protocol: SSL

    IP Address Type: IP Address (this should be internally accessible)
    3. Click OK.
    4. Under Services and Service Groups, click the Virtual Server Service Group Binding option.
    5. Select the Service Group created earlier and click Bind.
    6. Click OK.
    7. Attach the wildcard certificate.
    8. Click Bind.
    9. Click OK and Done.

    Configure SplitDNS

    Configure SplitDNS to resolve to the new internal LBVIP (i.e. SZ_LB_INTERNAL). This is important because you need to direct internal traffic to the internal load balancing vserver created in the previous step. If this is done via Active Directory in your environment, an example follows.

    Configure DNS in AD

    1. Log into the Domain Controller and open dsa.msc.
    2. Browse to Forward Lookup Zones to find the one which correlates to the StorageZone FQDN (
    3. Add a New Host (A or AAAA)… and enter the FQDN for the StorageZone.
    4. Enter the IP, this should be the one of the Internal LBVIP (i.e. SZ_LB_INTERNAL) created in the previous section
    5. To test, open CMD from another desktop/server, run ipconfig /flushdns and ping the StorageZone FQDN. Does it resolve to the correct IP?

    Configure Citrix Storage Zone

    StorageZone Controller IIS changes

    Network Connectors only:

    1. Log onto the StorageZone Controller(s) and open IIS.
    2. Click on the Default web site then to the CIFS virtual directory.
    3. Click on Authentication, then ensure Anonymous and Windows Authentication are Enabled.
    4. Right-click on the Windows Authentication option and select Providers.
    5. Highlight NTLM and Move Up to the top of the list. Click OK.
    6. Ensure Basic Authentication is set to Disabled.

    SharePoint KCD only, or SharePoint KCD together with Network Connectors:

    1. Click on the CIFS virtual directory, then on Authentication.
    2. Ensure Anonymous and Windows Authentication are Enabled.
    3. Right-click on the Windows Authentication option and select Providers.
    4. Highlight Negotiate and Move Up to the top of the list. Click OK.
    5. Repeat for the SP virtual directory.
    6. Ensure Basic Authentication is Disabled on both.

    If using port 80 on your StorageZone Controller for load balancing communication, refer to the AD Delegation section.

    1. If using port 443, then on the StorageZone Controller, right-click the Default Web Site and select Edit Bindings.
    2. Add a new binding on port 443, assign the IP address, and insert a host header (just the first part of your storage zone FQDN, i.e. where, input only sz in the host header).
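The IIS steps above are easy to get subtly wrong (Basic left enabled, or the wrong provider at the top), so here is an added audit script (not from the Citrix article) that reads the settings back on a StorageZone Controller with the WebAdministration module. The site and virtual directory names (Default Web Site, CIFS, SP) are the article's; which provider must be first depends on your connector type and is an assumption set in $firstProvider.

```powershell
# Added example (not from the Citrix article): audit the IIS authentication settings the steps above
# prescribe on a StorageZone Controller. Run it elevated on the SZC (WebAdministration module).
# The site and virtual directory names are the article's; which provider must be first is an
# assumption set in $firstProvider below.
Import-Module WebAdministration

$site = 'Default Web Site'
$auth = 'system.webServer/security/authentication'

function Get-AuthState {
    param([string]$VDir)
    $path = "IIS:\Sites\$site\$VDir"
    # Provider order decides which scheme the browser is offered first (NTLM vs Negotiate).
    $providers = @(Get-WebConfiguration -Filter "$auth/windowsAuthentication/providers/add" -PSPath $path |
                   ForEach-Object { $_.value })
    [pscustomobject]@{
        VDir      = $VDir
        Anonymous = [bool](Get-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -PSPath $path).Value
        Windows   = [bool](Get-WebConfigurationProperty -Filter "$auth/windowsAuthentication" -Name enabled -PSPath $path).Value
        Basic     = [bool](Get-WebConfigurationProperty -Filter "$auth/basicAuthentication" -Name enabled -PSPath $path).Value
        Providers = $providers
    }
}

function Test-AuthState {
    param($State, [string]$FirstProvider)
    $problems = @()
    if (-not $State.Anonymous) { $problems += 'Anonymous authentication is disabled' }
    if (-not $State.Windows)   { $problems += 'Windows authentication is disabled' }
    # Basic would carry the domain password base64-encoded, protected only by TLS, and bypass
    # Kerberos/NTLM; the article requires it disabled on both virtual directories.
    if ($State.Basic)          { $problems += 'Basic authentication is enabled' }
    if ($State.Providers.Count -eq 0 -or $State.Providers[0] -ne $FirstProvider) {
        $problems += "provider order is '$($State.Providers -join ',')', expected $FirstProvider first"
    }
    return ,$problems
}

# Assumption: SharePoint KCD is in use, so Negotiate must be at the top on both CIFS and SP.
# For network connectors only, set this to 'NTLM' and audit just 'CIFS'.
$firstProvider = 'Negotiate'
foreach ($vdir in 'CIFS', 'SP') {
    $state  = Get-AuthState -VDir $vdir
    $issues = Test-AuthState -State $state -FirstProvider $firstProvider
    if ($issues.Count -eq 0) { "$vdir OK (providers: $($state.Providers -join ','))" }
    else                     { "$vdir NOT OK: " + ($issues -join '; ') }
}
```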

    AD Delegation

    Changes might need to be actioned on the SZC AD object(s), and all the servers used for Network Shares and SharePoint need to be added.

    Ensure that any file servers hosting Network Shares are added to the delegation as CIFS.

    Ensure that any SharePoint servers that need to be accessed are also entered as HTTP.


    Internet Explorer

    1. Open Internet Options, Security, Local Intranet, Sites, Advanced then enter the following:
    Citrix Content Collaboration URL – e.g.:

    FQDN StorageZone – e.g.:

    FQDN of AAAVIP – e.g.:

    Note: If this is locked down, configure via GPO which will be actioned on the User Configuration.
    1. Open GPMC and select the GPO controlling the behaviour of IE.
    2. Browse to Computer Configuration/Administrative Templates/System/Group Policy, enable the policy Configure user group policy loopback processing mode and select Replace.
    3. Then browse to User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page and edit the Site to Zone Assignment List as follows:
    Note: The number in the Value field denotes the number of the zone. MS breaks them down as follows:

    1 – Intranet zone – sites on your local network.

    2 – Trusted Sites zone – sites that have been added to your trusted sites.

    3 – Internet zone – sites that are on the Internet.

    4 – Restricted Sites zone – sites that have been specifically added to your restricted sites.
    2. For external IE browsers, extra configuration is required as follows:
    Click on the Internet/Custom Level and ensure that:
    • Miscellaneous/Access data sources across domains is Enabled.
    • User Authentication/Log on/Prompt for Username and Password is selected.
    3. Click OK twice.


    Firefox

    1. Launch Firefox. In the Address Bar, instead of typing a URL, enter: about:config
    This opens the configuration interface. You may need to agree to a security warning in order to proceed.
    2. Double-click the line labelled automatic-ntlm-auth.trusted-uris and enter the following:
    ShareFile site –

    FQDN StorageZone –

    FQDN of AAAVIP –

    Note: Separate individual URLs with commas, but do not put spaces between them, for example:,

    3. Click OK when you’re finished.
    4. Double-click the line labelled negotiate-auth.trusted-uris.
    5. Enter the same information you entered in step 2 with the URLs separated by commas and with no spaces.
    6. Click OK.


    Chrome

    This should work. CORS should be enabled by default on Chrome, but you can add the plugin to Chrome here.
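The Internet Explorer zone assignment and the Firefox trusted-URI steps above both amount to handing the browser the same three hostnames, so here is an added script (not from the Citrix article) that deploys that list to both: it writes the per-user ZoneMapKey registry values that the Site to Zone Assignment List GPO writes, and a Firefox enterprise policies.json whose Authentication policy is the managed equivalent of the two about:config preferences. The three URLs are placeholders for the Citrix Content Collaboration URL, the StorageZone FQDN and the AAA VIP; the Firefox install path is assumed to be the default.

```powershell
# Added example (not from the Citrix article): push the same trusted-site list to IE and Firefox.
# The three hostnames are placeholders for the ShareFile site, the StorageZone FQDN and the AAA VIP.
# Run in the user's context for the IE part and elevated for the Firefox part (policies.json lives
# under Program Files).
$trusted = @(
    'https://company.sharefile.example',   # placeholder: Citrix Content Collaboration URL
    'https://sz.internal.example',         # placeholder: FQDN StorageZone
    'https://aaa.internal.example'         # placeholder: FQDN of AAAVIP
)

# --- Internet Explorer: Site to Zone Assignment List, zone 1 = Local intranet (the article's table).
# Same registry location the User Configuration GPO writes to.
$zoneMap = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
function Set-IntranetZone {
    param([string[]]$Url)
    if (-not (Test-Path $zoneMap)) { New-Item -Path $zoneMap -Force | Out-Null }
    foreach ($u in $Url) {
        # Value name is the URL, data is the zone number as a string. Zone 1 is the only zone in which
        # IE sends Windows credentials automatically by default, which is what NTLM/Kerberos SSO needs.
        New-ItemProperty -Path $zoneMap -Name $u -Value '1' -PropertyType String -Force | Out-Null
    }
}

# --- Firefox: enterprise-policy equivalent of automatic-ntlm-auth.trusted-uris and
# negotiate-auth.trusted-uris. A policies.json takes precedence over manual about:config edits.
function Write-FirefoxAuthPolicy {
    param([string[]]$Url, [string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox")
    $hosts  = @($Url | ForEach-Object { ([uri]$_).Host })   # the policy takes hostnames, not full URLs
    $policy = @{ policies = @{ Authentication = @{ SPNEGO = $hosts; NTLM = $hosts } } }
    $dist   = Join-Path $FirefoxDir 'distribution'
    if (-not (Test-Path $dist)) { New-Item -ItemType Directory -Path $dist | Out-Null }
    $file = Join-Path $dist 'policies.json'
    # WriteAllText writes UTF-8 without a BOM, which is the safe encoding for a JSON policy file.
    [System.IO.File]::WriteAllText($file, ($policy | ConvertTo-Json -Depth 5))
    return $file
}

Set-IntranetZone -Url $trusted
Write-FirefoxAuthPolicy -Url $trusted
```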

