{"id":1877,"date":"2020-10-15T01:00:00","date_gmt":"2020-10-15T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/citrix-workspace-azure-ad-dsauthazureadnestedgroups\/"},"modified":"2020-10-15T01:00:00","modified_gmt":"2020-10-15T01:00:00","slug":"citrix-workspace-azure-ad-dsauthazureadnestedgroups","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/cloud-and-modern-data-center\/citrix-workspace-azure-ad-dsauthazureadnestedgroups\/","title":{"rendered":"Citrix Workspace, Azure AD &amp; DSAuthAzureAdNestedGroups"},"content":{"rendered":"<p>Citrix Cloud and Azure Active Directory is a logical combination for many customers. The integration makes sense to provide a high level of security and access controls via the Microsoft Azure AD Conditional Access engine.<\/p>\n<p>There have been instances where integration with Azure Active Directory has not always consistently behaved as one might expect. In this post specifically, we are looking at a situation where users are intermittently (or in dire cases, never) displayed resources they are entitled to by either direct assignment in Citrix Studio or via subscriber access in the library. If the environment is switched back to use native Active Directory, the problem does not exist.<\/p>\n<p>Cheers to\u00a0<a rel=\"noopener nofollow\" href=\"https:\/\/twitter.com\/RobSheppard\" target=\"_blank\">Rob Sheppard<\/a>\u00a0for sticking with this and persisting over the months to get this sorted.<\/p>\n<p>The root problem is due to the way that SID based Groups are enumerated by Citrix Cloud for Azure Active Directory. 
A SID based group is defined as one which is created in Active Directory, not Azure Active Directory.<\/p>\n<p>In a scenario where nested group memberships are in play and the SID based groups are synchronized to AAD, the enumeration should work perfectly fine; however, in the scenario where not all groups are synced, the DSAuth service can obtain group details through the Citrix Cloud Connector. The default mechanism for this lookup is an LDAP query for the groups defined in the\u00a0<strong><em>TokenGroupsGlobalAndUniversal <\/em><\/strong>attribute of the user object. The challenge with this behaviour is that it does not expand nested Groups, and in some scenarios or Domain configurations, can lead to missing Group info and thus enumeration problems.<\/p>\n<p>Azure Active Directory was the first \u201cnon-Active Directory\u201d IdP which was introduced into Citrix Cloud and as such identified what works and what didn\u2019t. Lessons learned were included for additional IdPs. Enter\u00a0<strong><em>DSAuthAzureAdNestedGroups<\/em><\/strong>.<\/p>\n<p><strong><em>DSAuthAzureAdNestedGroups\u00a0<\/em><\/strong>fundamentally changes how the Group enumeration occurs. 
When enabled, the feature effectively performs a Kerberos S4U login, in which Windows runs almost the same process as a normal logon, so all the nested groups are retrieved and a more accurate determination of the group membership is made.<\/p>\n<p><strong><em>DSAuthAzureAdNestedGroups<\/em><\/strong>\u00a0is the default behaviour for all other IdPs onboarded onto the Citrix Cloud solution; however, with Azure Active Directory, Citrix felt it safer not to fundamentally change what wasn\u2019t broken for everyone, and as such the feature is a toggle which needs to be applied on a per-customer basis.<\/p>\n<p>If you are experiencing problems with Azure AD group enumeration, you will need to lodge a ticket with Citrix support and reference the\u00a0<strong><em>DSAuthAzureAdNestedGroups<\/em><\/strong>\u00a0toggle for escalation purposes. Note that doing so may well alter existing group assignments in place, so it\u2019s worth planning, scheduling and testing this change accordingly to make sure that nothing unexpected occurs. Some basic good practices for Azure Active Directory integration with Citrix Cloud:<\/p>\n<ul>\n<li>Sync as many groups as you can and try to avoid nested Group scenarios where not all Groups are synchronised<\/li>\n<li>Make sure your Active Directory is well connected with your Cloud Connectors. Cloud Connectors are sensitive to Active Directory latency, and any form of communication failure can have random effects and behaviours on operations<\/li>\n<\/ul>\n<p>Hopefully, this will assist when troubleshooting enumeration issues when using Azure Active Directory as your IdP of choice. 
As always, thank you to Oscar Day at Citrix for taking the time to review and assist in getting this communicated.<\/p>\n<p>This blog was first published on <a rel=\"noopener nofollow\" href=\"https:\/\/jkindon.com\/2020\/10\/05\/citrix-workspace-azure-ad-dsauthazureadnestedgroups\/\" target=\"_blank\">jkindon.com<\/a> on 5\/10\/20 and republished with permission.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Citrix Cloud and Azure Active Directory is a logical combination for many customers. The integration makes sense to provide a high level of security and access controls via the Microsoft Azure AD Conditional Access engine. There have been instances where integration with Azure Active Directory has not always consistently behaved as one might expect, in&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/cloud-and-modern-data-center\/citrix-workspace-azure-ad-dsauthazureadnestedgroups\/\">Continue reading <span class=\"screen-reader-text\">Citrix Workspace, Azure AD &amp; 
DSAuthAzureAdNestedGroups<\/span><\/a><\/p>\n","protected":false},"author":86,"featured_media":1878,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-1877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-and-modern-data-center","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/1877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/users\/86"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/comments?post=1877"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/1877\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media\/1878"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media?parent=1877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/categories?post=1877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/tags?post=1877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}