Active Directory

Manipulate the 'NameID' SAML content - part 1

·8 mins
Some companies want to allow other (guest) companies to connect to their environment and, for example, allow them to open a Citrix Desktop. This can be achieved by connecting an existing Citrix environment to the guest company via SAML (and yes, there are other possibilities). SAML is an authentication method based on a two-way trust. Two Microsoft products that can offer SAML authentication are ADFS (Active Directory Federation Services, an on-premises solution) and an Enterprise App you can configure from the Azure portal. The other requirement is Citrix FAS (Federated Authentication Service). In this article I will show you a way to connect a guest (company) via SAML to allow them access to your Citrix environment without the need for adding the guest company's suffix to your domain.

Manage Native OTP tokens via Windows, Part 2

·8 mins
A couple of weeks ago someone asked me if OTP4ADC could also support encrypted tokens. At that time I hadn't done anything with encrypted tokens on a Citrix ADC. If you have not heard of the OTP4ADC tool/script, you can read my initial blog article from when I released the first version and the basics of how it works.

Manage Native OTP tokens via Windows

·3 mins
Today I want to release an early (beta) version of a new tool I created, "OTP4ADC". With this tool you can add, remove or change the native OTP tokens used within your Citrix ADC, previously called NetScaler.

Changing Microsoft ADCS from sha1 to sha256

·1 min
When ADCS uses sha1 for its certificates, you might want to change it to sha256. NOTE: Make sure all your devices support sha256. To achieve this, enter the following commands in an elevated DOS box:

Active Directory RecycleBin

·1 min
Requirements: At least one Domain Controller running Windows Server 2012 with the Active Directory Administrative Center enabled. All Domain Controllers (or servers running AD LDS) must be running Windows Server 2008 R2 or higher. The forest must be running at the Windows Server 2008 R2 functional level. Import the Active Directory modules in PowerShell.

AD Defragmentation (Server 2012)

·1 min
Stop the ADDS service
ntdsutil
activate instance ntds
files
compact to c:\
copy "c:\ntds.dit" "c:\Windows\NTDS\ntds.dit"
del c:\Windows\NTDS\*.log
Start the ADDS service

Profile Permissions

·1 min
NTFS permissions for the roaming profile parent folder (user account: minimum permissions required)
Creator Owner: Full Control, Subfolders and Files Only
Administrator: Full Control (Microsoft actually recommends none, but it simplifies things if you give admins full control)
Security group of users needing to put data on the share: List Folder/Read Data, Create Folders/Append Data - This Folder Only
Everyone: No permissions
Local System: Full Control, This Folder, Subfolders and Files

Share-level (SMB) permissions for the roaming profile share (user account: minimum permissions required)
Everyone: No permissions
Security group of users needing to put data on the share: Full Control

FSMO

·4 mins
How to place FSMO and Global Catalog roles in Active Directory. During installation of Active Directory on Windows Server 2000/2003/2008, all FSMO roles are automatically installed on the first server. Best practice, however, dictates moving some of these Flexible Single Master Operation (FSMO) roles to separate servers. If you only have one domain controller (not recommended), there is nothing to do, since all roles must be on this server; but if you have multiple servers, you should move some of these roles onto other servers. It is also important to be aware of which servers are Global Catalog servers, especially if you have more than one domain; even with a single domain, they will be preferred by applications like Exchange Server. It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. If not all Domain Controllers are Global Catalog servers, it is also important to place the Infrastructure Master on a server that is NOT a Global Catalog server. Recommended best-practice setup of FSMO roles: Domain Controller #1: place the two forest roles on this server.