Configure NetScaler and StoreFront for Delegated Forms Authentication (DFA)
Extensible authentication provides a single customization point for extension of NetScaler’s and StoreFront’s form-based authentication. To achieve an authentication solution using the Extensible Authentication SDK, you must configure Delegated Form Authentication (DFA) between NetScaler and StoreFront. The Delegated Forms Authentication protocol allows generation and processing of authentication forms, including credential validation, to be delegated to another component. For example, NetScaler delegates it authentication to StoreFront, which then interacts with a third party authentication server or service.
Installation recommendations
- To ensure communication between NetScaler and StoreFront is protected, use HTTPS instead of HTTP protocol.
- For cluster deployment, ensure that all the nodes have the same server certificate installed and configured in IIS HTTPS binding prior to configuration steps.
- Ensure that Netscaler has the issuer of StoreFront’s server certificate as a trusted certificate authority when HTTPS is configured in StoreFront.
StoreFront cluster installation considerations
- Install a third party authentication plugin on all the nodes prior to joining them up together.
- Configure all the Delegated Forms Authentication related settings on one node and propagate the changes to the others. See the “Enable Delegated Forms Authentication.”
Enable Delegated Forms Authentication
Because there is no GUI to setup Citrix pre-shared key setting in StoreFront, use the PowerShell console to install Delegated Forms Authentication.
-
Install Delegated Forms Authentication. It is not installed by default and you need to install it using the PowerShell console.
PS C:\Users\administrator.PTD.000> cd 'C:\Program Files\Citrix\Receiver StoreFront\Scripts' PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> & .\ImportModules.ps1 Adding snapins Importing modules Loading 'C:\Program Files\Citrix\Receiver StoreFront\\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll' Loading 'C:\Program Files\Citrix\Receiver StoreFront\\Admin\Citrix.DeliveryServices.ConfigurationProvider.dll' PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Install-DSDFAServer Id : bf694fbc-ae0a-4d56-8749-c945559e897a ClassType : e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc FrameworkController : Citrix.DeliveryServices.Framework.FileBased.FrameworkController ParentInstance : 8dd182c7-f970-466c-ad4c-27a5980f716c RootInstance : 5d0cdc75-1dee-4df7-8069-7375d79634b3 TenantId : 860e9401-39c8-4f2c-928d-34251102b840 Data : {} ReadOnlyData : {[Name, DelegatedFormsServer], [Cmdlet, Add-DSWebFeature], [Snapin, Citrix.DeliverySer vices.Web.Commands], [Tenant, 860e9401-39c8-4f2c-928d-34251102b840]} ParameterData : {[FeatureClassId, e1eb3668-9c1c-4ad8-bbae-c08b2682c1bc], [ParentInstanceId, 8dd182c7-f 970-466c-ad4c-27a5980f716c], [TenantId, 860e9401-39c8-4f2c-928d-34251102b840]} AdditionalInstanceDependencies : {b1e48ef0-b9e5-4697-af9b-0910062aa2a3} IsDeployed : True FeatureClass : Citrix.DeliveryServices.Framework.Feature.FeatureClass <!--NeedCopy-->
-
Add Citrix Trusted Client. Configure the shared secret key (passphrase) between StoreFront and Netscaler. Your passphrase and client ID must be identical to what you configured in NetScaler.
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Add-DSCitrixPSKTrustedClient -clientId netscaler.fqdn.com -passphrase secret <!--NeedCopy-->
-
Set the Delegated Forms Authentication conversation factory to route all the traffic to the custom form. To find the conversation factory, look for ConversationFactory in C:\inetpub\wwwroot\Citrix\Authentication\web.config.This is an example of what you might see.
<example connectorURL="http://Example.connector.url:8080/adapters-sf-aaconnector-webapp"> <routeTable order="1000"> <routes> <route name="StartExampleAuthentication" url="Example-Bridge-Forms/Start"> <defaults> <add param="controller" value="ExplicitFormsAuthentication" /> <add param="action" value="AuthenticateStart" /> <add param="postbackAction" value="Authenticate" /> <add param="cancelAction" value="CancelAuthenticate" /> <add param="conversationFactory" value="ExampleBridgeAuthentication" /> <add param="changePasswordAction" value="StartChangePassword" /> <add param="changePasswordController" value="ChangePassword" /> <add param="protocol" value="CustomForms" /> </defaults> </route> <!--NeedCopy-->
-
In PowerShell, set the Delegated Forms Authentication conversation factory. In this example, to ExampleBridgeAuthentication.
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Set-DSDFAProperty -ConversationFactory ExampleBridgeAuthentication <!--NeedCopy-->
PowerShell arguments are not case-sensitive: -ConversationFactory is identical to -conversationfactory.
Uninstall StoreFront
Before you uninstall StoreFront, uninstall any third party authentication plugin, as it will impact the functionality of StoreFront.