Tag: Lightweight Directory Access Protocol
What is LDAP Injection and How to Prevent It
XenMobile Analyzer Tool
The new XenMobile Analyzer Tool is a cloud-based solution that allows XenMobile administrators to diagnose issues proactively and in real time. XenMobile Analyzer environmental checks can identify device issues, user enrollment issues, and authentication issues. Numerous use-cases and deployment options are supported including MDM, MDM + MAM, MAM-only and five different authentication scenarios on both iOS and Android mobile environments.
Citrix Cerebro functionality has now been integrated into XenMobile Analyzer!
Visit our YouTube channel for a demonstration of the XenMobile Analyzer Tool. The XenMobile Analyzer Tool is currently available on the XenMobile Management Tools page.
Please note that the XM Analyzer tool does not currently function in the Workspace. Citrix is aware of this issue and is currently investigating.
Scheduling Periodic Health Check Using XenMobile Analyzer Tool
XenMobile Analyzer Tool now lets you monitor your XenMobile environment periodically. You can choose the time and frequency at which the health check should run. During configuration you will have to provide an email address; the XenMobile Analyzer Tool uses it to send notifications about the health check. The tool runs health checks automatically at the scheduled intervals and emails you the results.
Adding a New Health Check Schedule
After you have set up your test environment, select it from the list and click Add Schedule.
You can also do this from the Report page of a completed test.
Click the I Agree button to allow XenMobile Analyzer to store the test user credentials securely, then click Continue.
Enter the user credentials used for testing and click Continue.
Select whether you want the health check to run Daily or Weekly and pick a time to run the health check. Select your time zone from the drop-down list.
Next, select a date for the health checks to stop running.
Finally, in the Recipients text-box, enter the email addresses (separated by comma if more than one) to which notification alerts about the scheduled tests will be sent.
Your scheduled health check is created.
After you successfully schedule a health check, you will receive an email from firstname.lastname@example.org confirming that the schedule has been added. The health check will run at the scheduled time in the XenMobile Analyzer Tool, and every time the scheduled health check runs you will receive a notification email on its status.
Editing a Health Check Schedule
At any time, you can select the test environment where you want to edit the schedule and click Edit Schedule to change any of the variables entered. You can also pause/resume the health check schedule at any time using the ON/OFF switch.
Supported Test Environments for Adding Health Check Schedule
You can only schedule tests that use:
- LDAP authentication
- Certificate authentication
- LDAP + Certificate based enrollment authentication
You cannot schedule tests that use the following types of enrollment:
- Invitation URL – because the invitation URL is redeemed at the first enrollment and cannot be reused.
- Two-factor authentication using a security token – because the token expires after a short period of time.
- Username + PIN enrollment
- Username + Password + PIN enrollment
Citrix Gateway Native OTP not working with Citrix IOS Workspace Client
1. Native OTP should be configured and working (i.e. tested via browser / Citrix Workspace for Windows / Citrix Workspace for Android).
2. Identify the AAA vserver used for Native OTP.
If you followed the configuration example above, this would be “authvs”.
3. Identify the policy for LDAP authentication – this is the one bound to the LDAP action with Authentication enabled (note: Authentication is enabled by default).
If you followed the configuration example above, this would be “auth_pol_ldap_logon”.
4. Identify the LDAP action for OTP verification – this is the LDAP action with Authentication disabled.
If you followed the configuration example above, this would be “ldap_otp_action”.
5. Identify the Gateway session policy and profile for Receivers, and ensure the plug-in type is set to “Java”.
Section1: Create a policy for OTP Verification for IOS Workspace Clients (Factor1)
- Navigate to: Security ==>AAA – Application Traffic==>Policies==>Authentication==>Advanced Policies==>Authentication Policies ==> ADD
- Name: IOS_WORKSPACE_Factor1
- Action Type: LDAP
- Action: ldap_otp_action (as noted in
- Expression: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("User-Agent").CONTAINS("IOS")
- Click OK
Section2: Create a policy label for LDAP Credential Verification (Factor2)
- Navigate to: Security ==>AAA – Application Traffic==>Policies==>Authentication==>Advanced Policies==>Authentication Policy Labels ==> ADD
- Click on Continue
- In the policy binding section Click on “Click to Select” and from the list select the policy for LDAP Auth (in this case “auth_pol_ldap_logon”, as noted in #3 in prerequisites)
- Click on Bind
Section3: Bind Factor1 with next Factor as Factor2 on AAA Vserver
- Navigate to: Security ==> AAA – Application Traffic ==> Authentication Virtual Servers
- Select the auth vserver (in this case “authvs”) and hit EDIT
- Click on “Authentication Policy”; this brings up the list of authentication policies bound to the AAA vserver. Make a note of the lowest priority number.
- Click on ADD Binding:
  - Set Priority to a number lower than the lowest priority number noted above.
  - Set Goto Expression to “END”.
  - Click on the “Select Next Factor” option and, from the list, select the policy label created in Section 2, i.e. “Plabel_LDAP_AUTH”.
- Click Bind.
- Close the AuthPolicy list and hit Done
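The same three sections expressed as Citrix ADC CLI commands. This is an added example, not part of the original article; it reuses the object names from the steps above (authvs, auth_pol_ldap_logon, ldap_otp_action, Plabel_LDAP_AUTH) and assumes priority values 100 (inside the label) and 90 (on the vserver, which must be lower than the lowest existing binding noted in Section 3).

```nscli
# Section 1 (Factor 1): OTP verification policy, matched only for iOS Workspace user agents.
# ldap_otp_action is the LDAP action with Authentication disabled (prerequisite #4).
add authentication Policy IOS_WORKSPACE_Factor1 -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"IOS\")" -action ldap_otp_action

# Section 2 (Factor 2): policy label holding the LDAP credential check (Authentication enabled).
# Priority 100 inside the label is an assumed value.
add authentication policylabel Plabel_LDAP_AUTH
bind authentication policylabel Plabel_LDAP_AUTH -policyName auth_pol_ldap_logon -priority 100 -gotoPriorityExpression NEXT

# Section 3: bind Factor 1 to the AAA vserver with Factor 2 as the next factor.
# Priority 90 is assumed; it must be lower than the lowest priority already bound to authvs.
bind authentication vserver authvs -policy IOS_WORKSPACE_Factor1 -priority 90 -nextFactor Plabel_LDAP_AUTH -gotoPriorityExpression END

# Verify the resulting bindings before testing from an iOS Workspace client.
show authentication vserver authvs
show authentication policylabel Plabel_LDAP_AUTH
```

Because the Factor 1 rule keys on the User-Agent header, only clients presenting both “CitrixReceiver” and “IOS” take this OTP-then-LDAP path; all other clients keep hitting the existing bindings on authvs.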
LDAP Windows Update (ADV190023) and Impact to Citrix Virtual Apps and Desktop Components
Impact to Citrix Technology
- This update will not impact Citrix Virtual Apps and Desktops Windows components: the update anticipated for the second half of 2020 requires SSL/TLS encryption for communication over ports 389 and 636, to prevent any plaintext communication over both ports. Virtual Apps and Desktops Windows components do not rely on plaintext communication over 389.
- The update may impact Linux VDA. Linux VDA depends on LDAP for VDA registration and policy evaluation. To resolve, configure LDAPS for Linux VDA.
- The update may impact Citrix ADC/Gateway LDAP communication if the customer has configured the LDAP service for plaintext. To resolve, modify the LDAP configuration to use TLS or SSL as described in CTX269461.
Other components not affected:
- Citrix Cloud Connectors
- Citrix Apps and Desktops – Virtual Delivery Agent
- Citrix Apps and Desktops – Broker
- Workspace App
- App Layering
- Workspace Environment Management
- Endpoint Management
The Microsoft update covers two settings:
- Enable LDAP channel binding
- Enable LDAP signing
For more details on the Microsoft update, please refer to the links below:
- ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- LDAP Channel Binding and LDAP Signing Requirements
This update is expected in March 2020.
Remove orphan ldap sync server from Vip enterprise gateway console
In our environment we have lost one of the gateways that synced with the LDAP directory, and we implemented a new one on a different IP, but we are still seeing the lost server under Home / User Store in the VIP gateway console.
How can we remove this orphaned instance of the gateway?
Getting the error “Internal Service Error” when accessing the gateway externally
If we get this error, the first thing to check is whether the StoreFront FQDN or base URL can be resolved from the NetScaler.
If not, create an A record in NetScaler DNS.
Alternatively, give the IP of StoreFront in the session profile, e.g. https://10.10.10.10/citrix/SFWeb.
*Where 10.10.10.10 is our SF IP and SF is our store name.
Also make sure that the SSO domain we add in the session profile is the same as the Userdomain.
To check this, run the “set” command on the StoreFront command line and check the Userdomain field.
If we still get errors like “Cannot complete your request”, check the LDAP profile.
It may have an entry in the SSO Name Attribute field such as “cn”.
We need the SSO Name Attribute only in a multiple-domain environment, and in that case it should be set to “userPrincipalName”.