Citrix Workspace, Azure AD & DSAuthAzureAdNestedGroups

Citrix Cloud and Azure Active Directory is a logical combination for many customers. The integration makes sense to provide a high level of security and access controls via the Microsoft Azure AD Conditional Access engine.

There have been instances where integration with Azure Active Directory has not behaved as consistently as one might expect. In this post we look specifically at a situation where users are intermittently (or, in dire cases, never) shown resources they are entitled to, whether by direct assignment in Citrix Studio or via subscriber access in the Library. If the environment is switched back to native Active Directory, the problem does not occur.

Cheers to Rob Sheppard for sticking with this and persisting over the months to get this sorted.

The root cause is the way SID-based groups are enumerated by Citrix Cloud for Azure Active Directory. A SID-based group is one that is created in Active Directory, not in Azure Active Directory.

Where nested group memberships are in play and all of the SID-based groups are synchronised to AAD, enumeration should work perfectly fine. Where not all groups are synced, however, the DSAuth service can obtain group details through the Citrix Cloud Connector. The default mechanism for this lookup is an LDAP query for the groups listed in the TokenGroupsGlobalAndUniversal attribute of the user object. The challenge with this behaviour is that it does not expand nested groups, and in some scenarios or domain configurations it can lead to missing group information and thus enumeration problems.
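As an added diagnostic that is not part of the original post and not Citrix's own code: the PowerShell below reads a user's TokenGroupsGlobalAndUniversal the way a plain LDAP lookup would, then compares it with a server-side nested expansion using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, listing any global or universal group the constructed attribute omits. It assumes a domain-joined Windows host, a single domain, and that the user is identified by sAMAccountName.

```powershell
# Added diagnostic (not Citrix code). Compares the group SIDs returned by a plain
# LDAP read of tokenGroupsGlobalAndUniversal against the user's transitive group
# membership so that groups missing from the constructed attribute stand out.
# Assumes: run as a domain user on a domain-joined Windows host; single domain.
param([Parameter(Mandatory = $true)][string]$SamAccountName)

# Escape a value for use inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function ConvertTo-SidString([byte[]]$Bytes) {
    return (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)

# Locate the user object.
$userSearch = New-Object System.DirectoryServices.DirectorySearcher($domain)
$userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
$found = $userSearch.FindOne()
if (-not $found) { throw "User '$SamAccountName' not found in $($rootDse.defaultNamingContext)" }
$user = $found.GetDirectoryEntry()

# Path 1: base-scope read of the constructed attribute the post describes.
$user.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
$tokenSids = @(foreach ($b in $user.Properties['tokenGroupsGlobalAndUniversal']) { ConvertTo-SidString $b })

# Path 2: transitive expansion with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941),
# which walks nested membership server-side. Only groups in this domain are returned.
$dn = ConvertTo-LdapFilterValue ([string]$user.Properties['distinguishedName'][0])
$chain = New-Object System.DirectoryServices.DirectorySearcher($domain)
$chain.Filter   = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$dn))"
$chain.PageSize = 1000
[void]$chain.PropertiesToLoad.AddRange([string[]]@('name', 'objectSid', 'groupType'))

$nested = foreach ($g in $chain.FindAll()) {
    [pscustomobject]@{
        Name        = [string]$g.Properties['name'][0]
        Sid         = ConvertTo-SidString ([byte[]]$g.Properties['objectsid'][0])
        # 0x4 = domain local; those are excluded from tokenGroupsGlobalAndUniversal by design.
        DomainLocal = ([int]$g.Properties['grouptype'][0] -band 0x4) -ne 0
    }
}

$missing = $nested | Where-Object { -not $_.DomainLocal -and $tokenSids -notcontains $_.Sid }
"tokenGroupsGlobalAndUniversal returned $($tokenSids.Count) SIDs; transitive search found $(@($nested).Count) groups."
if ($missing) { "Global/universal groups NOT present in tokenGroupsGlobalAndUniversal:"; $missing | Format-Table Name, Sid }
else { "No global/universal group is missing from tokenGroupsGlobalAndUniversal for $SamAccountName." }
```

Run it against a user who reports missing resources and compare the output with the groups the affected Citrix Library or Studio assignments rely on; any group listed as missing is a candidate for the enumeration gap the post describes.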

Azure Active Directory was the first “non-Active Directory” IdP introduced into Citrix Cloud, and as such it identified what worked and what didn’t. Lessons learned were incorporated for the additional IdPs. Enter DSAuthAzureAdNestedGroups.

DSAuthAzureAdNestedGroups fundamentally changes how group enumeration occurs. When enabled, the feature effectively performs a Kerberos S4U logon, in which Windows follows almost the same process as a normal logon: all nested groups are retrieved and a more accurate determination of group membership is made.

DSAuthAzureAdNestedGroups is the default behaviour for all other IdPs onboarded onto the Citrix Cloud solution. With Azure Active Directory, however, Citrix felt it safer not to fundamentally change what wasn’t broken for everyone, so the feature is a toggle that needs to be applied on a per-customer basis.

If you are experiencing problems with Azure AD group enumeration, you will need to lodge a ticket with Citrix Support and reference the DSAuthAzureAdNestedGroups toggle for escalation purposes. Note that enabling it may well alter existing group assignments in place, so plan, schedule and test the change accordingly to make sure that nothing unexpected occurs. Some basic good practices for Azure Active Directory integration with Citrix Cloud:

  • Sync as many groups as you can, and try to avoid nested group scenarios where not all groups are synchronised.
  • Make sure your Active Directory is well connected to your Cloud Connectors. Cloud Connectors are sensitive to Active Directory latency, and any form of communication failure can have random effects on operations.

Hopefully this will assist when troubleshooting enumeration issues with Azure Active Directory as your IdP of choice. As always, thank you to Oscar Day at Citrix for taking the time to review and assist in getting this communicated.

This blog was first published on jkindon.com on 5/10/20 and republished with permission.
