How to Use Authentik as a SAML Identity Provider for Citrix NetScaler as Service Provider

by Leave a Comment

For a recent project, we needed users to log on with their accounts from a new domain and then be able to launch a CVAD desktop using SSO within an old legacy domain. In this blog, I’ll describe the steps I took to get this up and running.

First, let us briefly describe the components that were going to be used. Although it’s listed below, I won’t be covering the Citrix FAS configuration in this post. The main focus will be on configuring Authentik SAML in combination with a Citrix NetScaler.

  • Authentik as the SAML IdP
  • Citrix NetScaler as the SAML SP
  • Citrix Federated Authentication Service (FAS) to enable single sign-on (SSO) for CVAD
  • The sAMAccountName in the legacy domain was different from the sAMAccountName in the new domain
Read More →

Notes from the Field: Citrix Provisioning Server 2402 CU1 LTSR Upgrade

by Leave a Comment

While upgrading our Citrix Provisioning Server (2203 LTSR) to the latest LTSR version 2402 CU1, we ran into some difficulties that we didn’t encounter with earlier versions. In addition to issues with the Citrix Provisioning Server Console, we also had some struggles getting both Citrix Studio and Citrix PVS Console to run from a single admin server. In this blog, I’ll share our findings.

Until now, our default upgrade procedure was to upgrade all Citrix Provisioning Server Consoles, test the console, and then upgrade the Citrix Provisioning Server itself. However, we quickly noticed that the new PVS Console (based on LTSR 2402 CU1) was unable to successfully connect to a Provisioning Server running LTSR 2203.

Read More →

Citrix StoreFront Error “Cannot complete your request”

by Leave a Comment

While replacing Citrix StoreFront (2203 CU5 LTSR) servers running Microsoft Server 2019 with servers running Server 2022, we encountered an error message during login attempts to Citrix StoreFront. Users were shown an error message stating: “Cannot complete your request.”

We were running a GSLB setup with a multi-server group (across sites), each containing several Citrix StoreFront servers (2203 CU5 LTSR). As described in “Virtual Apps and Desktops – 1912/2203 – Citrix Infrastructure / OS Upgrade” (CTX278869), we exported the configuration from an old StoreFront server running Server 2019 and imported it onto the newly created StoreFront servers running Server 2022. All servers were deployed in the same OU, received the same GPOs/settings, and apart from the different operating systems, all settings were pretty much identical.

Read More →

Setup Authentik as Radius Provider

by Leave a Comment

For my home lab environment, I use Authentik as my Identity Provider. Authentik is an open-source authentication and authorization platform that enables Single Sign-On (SSO), identity management, and multi-factor authentication (MFA) via protocols like OAuth, SAML, and LDAP. For various applications, such as the Citrix NetScaler, I use RADIUS for secondary authentication. All my Authentik users have a TOTP token in their authenticator app, which I want to use for RADIUS authentication. While configuring RADIUS in Authentik, I found the available documentation somewhat limited, and it took considerable effort to achieve a working RADIUS setup. This blog describes all the steps I followed to get RADIUS successfully running within Authentik.

For this guide, I used Authentik version 2024.10.1. I assume you already have a working Authentik setup where users already have a TOTP authenticator code available.

Read More →

Another error: ‘Application can’t be started… (Instant Passthru could not be resolved)’ caused by the CWA upgrade.

by Leave a Comment

A while ago, I wrote a blog about the error message ‘Application can’t be started… (Instant Passthru could not be resolved)’ that we encountered when launching a published application from our Ivanti Workspace Control managed session. Recently, we received the same message again, but this time the cause was different.

Application can’t be started… (Instant Passthru could not be resolved)

Shortly after a relatively simple task—upgrading an outdated version of Citrix Workspace App (CWA) from 1912 LTSR to the slightly newer 2203 LTSR—we encountered some inexplicable issues that made it impossible to launch Citrix Published Apps via SelfService.exe.

Read More →

How to Prevent SQL Database Locks and Improve Performance

by Leave a Comment

Within a large environment where Ivanti Workspace Control is used in combination with a Microsoft SQL Database, the SQL Server has to handle numerous connections initiated by all the Ivanti Workspace Control Agents.To minimize the load and connections on the SQL Server, Ivanti introduced the Ivanti Relay Servers, which act as proxies for all agent connections to the SQL Server, thereby reducing the total number of SQL connections and the overall load.

While monitoring our Ivanti Relay Server, we noticed that a couple of times a day, the Ivanti Relay Servers started queuing all messages. The transactions folder filled up with transactions that weren’t forwarded to the SQL Server. The Ivanti Relay Servers have a built-in failsafe option, where they stop accepting new transactions when the queue exceeds 50,000 transactions. So, in a short period of time, all Ivanti Relay Servers went offline because they hit the 50,000 transaction threshold.

Read More →

Why SQL Tables Are Created with domain\username.tablename Instead of dbo.tablename

by Leave a Comment

Let’s start by stating I’m not a SQL DBA 😉 when it comes to databases, I’m just a user who needs a database for my applications 🙂 Lately, in various environments, we’ve been creating different Ivanti Workspace Control and Automation Manager databases. We simply request an empty database from the SQL department and are assigned DBO rights. Subsequently, we establish a connection to the database from Ivanti Automation Manager (for example) and handle the initial database setup within the application itself.

After initializing the SQL database, the user who performed the initialization can start Ivanti Workspace Control, for example, without encountering any issues. Another user, who has the same permissions (DBO) on the database, is unable to launch the application. The second user is able to access the SQL Database using SQL Management Studio, where they seem to have full control over the database.

Read More →

The Citrix Workspace App sometimes detects an incorrect keyboard layout on OSX.

by Leave a Comment

Apple OSX users sometimes experience an incorrect keyboard layout loaded within their Citrix session. As a result, special characters are often located in different places. The cause of this issue is that Apple has a different keyboard layout compared to Windows, leading to an Apple US-international keyboard being recognized as a Dutch keyboard in Windows.

How to identify your Apple keyboard layout by country or region

Some time ago, we conducted extensive research together with Citrix Support to investigate the cause of this issue and whether there are possibilities to change this behavior. Unfortunately, it has been found that this behavior cannot be changed through a central solution. This behavior can only be altered by making adjustments on a per OSX system basis. This guide provides detailed instructions on what needs to be adjusted.

Read More →

How to manage Windows ACL Permissions on a Synology

by Leave a Comment

For quite some time, I’ve been using Synology PhotoStation to manage all my family photos. Since I’m not the only user—my children also use the app—I thought it might be a good idea to set some permissions on the different folders. In general, I use three different groups: full control, read-write, and read-only. This way, my kids can access all shared family photos but can’t accidentally delete them. Setting access permissions within Synology Photos is somewhat limited, so I had to reorganize my folder structure to fulfill my needs. However, in the end, it worked out very well.

Last week, I decided to move over some additional photos and reorganize parts of my original folder structure. Thinking it would be quicker than using the web GUI, I accessed my photo share through SMB. Immediately, I noticed something wasn’t right. Folders could not be renamed, data couldn’t be moved, and so on. When I looked at the Windows ACL permissions, I noticed they were different from the permissions set in Synology Photos. In my case, most permissions were inherited from the root photos folder.

Read More →

Managing Citrix Clientname in Double-Hop Scenarios Using Ivanti Workspace Control

by Leave a Comment

We manage a Citrix farm where users primarily launch a full desktop environment. From there, they can also connect to other applications running in Citrix Silo’s or access external Citrix farms. As an user environment manager (UEM), we utilize Ivanti Workspace Control (IWC).

When a user logs onto the primary desktop, the endpoint hostname is utilized by Ivanti Workspace Control within that session. Based on the endpoint hostname, we can set specific configurations using features like “location and devices”. In a double-hop scenario, where a user launches a Citrix published application or another Citrix desktop from within the primary session, the hostname of the primary session server is used as the hostname in the secondary session.

Read More →