SSO to Office365 with NetScaler Unified Gateway

How-to configure SSO to Microsoft Office365 with Citrix NetScaler Unified Gateway

In this Blogpost I want to show you how-to configure Office365 as a SaaS Application in a Citrix NetScaler Unified Gateway. We will also make use of a SAML Based Authentication to realize a Single Sign-On experience. To get this working it is necessary that your Office365 Account is configured as a SAML Service Provider. I blogged about how to do this here, so I will move directly to the interesting part. :)

We start by creating the needed SAML SSO Profile. Go to NetScaler Gateway -> Policies -> Traffic and switch to the last Tab which is called SAML SSO Profiles. You will see that this SAML SSO Profile looks like your SAML IdP Profile except one small difference. The Relay State Expression. As Ingmar Verheij already explained in his Blog about SSO to Sharefile with Unified Gateway it doesn´t matter which  expression you are working with as long as it has a correct syntax. The rest of those Values should match your SAML IdP Policy or at least work with your Office365 configuration. My SAML SSO Profile does contain this values:

  • Assertion Consumer Service Url:
  • Relay State Expression: HTTP.REQ.COOKIE
  • Signing Certificate Name: Select your Certificate which you are using to sign the SAML Responses/Requests.
  • Issuer Name: Your external URL of your Unified Gateway
  • Audience: urn:federation:MicrosoftOnline
  • And make sure you set the Attribute1 Value to mail.

SSO Office365 NetScaler Unified Gateway

SSO Office365 NetScaler Unified Gateway

In the second Step we will create the Microsoft Office365 SaaS Application. Go to NetScaler Gateway ->Resources -> Bookmarks. After you hit Add you have to enter a Name and Display Name. Under Bookmark you have to enter the Microsoft Office365 Login Page. I do work here with Select SaaS as the Application Type and select SAML Based Authentication as the SSO Type. Under SAML SSO Profile you have to select your SAML SSO Profile which you created a few moments ago.

SSO Office365 NetScaler Unified Gateway

To finish the configuration you only have to bind the newly created Bookmark to your Citrix NetScaler Unified Gateway. You will do this in your Unified Gateway vServer under Published Applications->URL

SSO Office365 NetScaler Unified Gateway

SSO Office365 NetScaler Unified Gateway

If you open your Unified Gateway and login you should the Office365 SaaS Application. As soon as you start the Application, you will see your Office356 Landingpage without entering any Credentials.

SSO Office365 NetScaler Unified Gateway


NetScaler as a SAML IdP for Office 365

How-to configure Citrix NetScaler as a SAML Identity Provider for Microsoft Office 365

Since I got some spare time I thought it would be cool to upgrade my Lab Environment and add the SAML Identity Provider Role to my Citrix NetScaler so that my Microsoft Office365 Account would be able to authenticate against the Citrix NetScaler IdP.

Before we start this little how-to, I assume that you already got a Citrix NetScaler up and running. The same goes for your Microsoft Office365 Account and the sync of your Users between your On-Premise Active Directory and the Azure Active Directory. DirSync and Azure AD Connect are both fine. You will need a Citrix NetScaler AAA vServer or a Citrix NetScaler Gateway vServer which is public available through SSL and a SSL Certificate which is trusted by a public CA. Additional you need another SSL Certificate which will be used to sign the SAML Tokens. This Certificate can be self signed or you can use the same public Certificate which is used for the AAA / Gateway vServer. It´s up to you.

Let´s start with the Citrix NetScaler Part. First we create a AAA or Gateway vServer. Make it public available and bind the public SSL Certificate to the vServer. Because I’m quite limited on public IPs and it´s not possible to bind more than one VPN Server to a Content Switch, I am “forced” to use my NetScaler Unified Gateway.

We have to create an LDAP Server and an LDAP Policy. The important part here is that you have to set a Value for Attribute 1. With this setting the Mail Address will be extracted from LDAP Request, which is needed by Microsoft Office 365. My LDAP Server looks like this:

NetScaler as an SAML IdP for Office 365

NetScaler as an SAML IdP for Office 365

You also have to create a LDAP Policy and bind the created LDAP Server to it. Nothing fancy here :)

NetScaler as an SAML IdP for Office 365

In the next step we will create the SAML IdP Profile. Go to Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Polices -> SAML IdP and switch to the Profiles Tab. You need to create a Profile like this:

NetScaler as an SAML IdP for Office 365NetScaler as an SAML IdP for Office 365

The complete URL within Assertion Consumer Service URL is In the IDP Certificate Name you will have to choose your SSL Certificate with which you will sign your SAML Tokens. Make sure the Private Key for this Certificate is present on the NetScaler! The Issuer Name should represent the Public URL of your AAA / Gateway Server. replace with your public AAA / Gateway vServer. The other Values should match the Screenshots.

Of course we have to create the corresponding Policy.

NetScaler as an SAML IdP for Office 365

Because it´s possible to bind multiple SAML IdP Policies to one AAA / Gateway Server which most certainly have different settings, I do check the Referer if it matches the Microsoft Login Page. This way you are able to create different SAML Identity Provider for different Service Providers with only one AAA / Gateway. To end the NetScaler Configuration Part it is necessary to bind the LDAP Policy and the SAML IdP Policy to our vServer. Make sure the SAML IdP Policy has the lower Priority. Your AAA / Gateway vServer should look something like this:

NetScaler as an SAML IdP for Office 365

NetScaler as an SAML IdP for Office 365NetScaler as an SAML IdP for Office 365

We will now switch to the Microsoft Office365 Part. You need to open the Windows Azure Active Directory Modul for Windows Powershell. Connect to your Azure AD using the command Connect-MsolService. In Case your Domain is already Federated to have to undo this. You do this by set the Authentication back to Managed Set-MsolDomainAuthentication -DomainName -Authentication Managed. After that it is possible to Convert the Domain back to Standard with the following command Convert-MSOLDomainToStandard –DomainName -SkipUserConversion $false -PasswordFile c:\userpasswords.txt. For more Information please read this Microsoft Documentation

We will set a few variables in the Powershell Session:

  • $url = “”
  • $uri = “ /saml/login”
  • $ecpUrl = “https:// /saml/login”
  • $dom = “”
  • $fedBrandName = “Company Name”
  • $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\pathtocertificate\certificate.cer”) $certData = [system.convert]::tobase64string($cert.rawdata)

You will have to replace with the URL of you AAA / Gateway vServer. Now you have to run the following command to switch your Domain to use your SAML IdP                                   Set-MsolDomainAuthentication -DomainName $dom -federationBrandName $fedBrandName -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $url –PreferredAuthenticationProtocol SAMLP

After a few Moments the changes should have been applied and Microsoft Online will redirect you to your AAA / Gateway vServer for Authentication :)


Some Tips and Resources:

NetScaler Gateway Single Sign-On to Storefront in Clientless Access Mode

Step By Step Guide to Single Sign-On to Storefront in Clientless Access Mode

While playing in my Lab with the Citrix NetScaler Unified Gateway I encountered the following problem. Within Clientless Access mode I could not access the Storefront Server. To be honest it wasn’t working at all.
Google Chrome showed me the following screen

NetScaler Gateway Frame Error

While the Internet Explorer gave me at least an error.

NetScaler Gateway Frame Error

Since the ICA Proxy Mode worked very well I started digging :)  Thanks to Maik Steppeler from Citrix who helped with the last missing piece of this jigsaw! I assume you have the NetScaler Gateway & the Storefront up and running. I assume also that you have everything configured till a point where “it should be working” 😉 If not please ping me.

At first we start on the Storefront Server(s). We navigate to the web.config file within your Webstore Folder. Something like this C:\inetpub\wwwroot\Citrix\YourStoreWeb.

You will find the followings entry three times:

<add name=”X-Frame-Options” value=”deny” />
<add name=”Content-Security-Policy” value=”frame-ancestors ‘none'” />

If you are only using the Internet Explorer you have to change the Value within “<add name=”X-Frame-Options” value=”deny” />” from deny to allow. If you and your user are also using Chrome or FireFox you will also have to change <add name=”Content-Security-Policy” value=”frame-ancestors ‘none'” /> from none to self.

After editing it should look like this:

Storefront web.config Fix Frame Error

Now restart you IIS. Also make sure you enabled Remote Access in your Storefront Store.

Storefront Remote Access

We are now switching to the NetScaler. Within the NetScaler change to your Session Profile and enable “Single Sign-on to Web Applications” if this is not already enabled.

NetScaler Signle Sign-on to Web Applications

Go back to the Global Settings of the NetScaler Gateway and go to “Configure Domains for Clientless Access”

NetScaler Gateway Global Options

And under “Allow Domains” add your local Domain.

NetScaler Gateway Allow Domains Clientless Access

That’s it! If you now login and change to your Application section you will see your Applications published through Storefont without providing additional credentials!

Single Sign-On to Storefront in Clientless Access Mode


Citrix XenMobile WorxMail as Google Chrome App

While reading about running a Android App as a Chrome App, I thought about running WorxMail and/or WorxWeb as Chrome App. This could be very handy, especially on Chrome Books.

So I played a bit around with ARChon. I was able to start WorxHome as a Google Chrome App and I was also able to sign on and access the App Store. But I was not able to install any WorxApps through WorxHome running as a Google Chrome App. My assumption is that this is a limitation (security feature) of the sandbox. Bumper :(

Therefore, we will not be able to connect WorxMail through a MicroVPN Connection with our Mail Server. But what if we want to use WorxMail as a normal Mail Client? Is this possible? Yes!

Citrix XenMobile WorxMail as Google Chrome App

Citrix XenMobile WorxMail as Google Chrome App

I could now explain in the long run how you have to modify manifest files, create folders and move files. But I found a really nice Google Chrome App which does exactly this for you 😉

ARC Welder. I suggest that you install ARCHon before and just create a .zip file with ARC Welder. Next, extract the .zip File and load the Application by using Google Chrome’s „Load unpackaced Extensions“ menu. This way you can import and start more than one app.

I suppose this is nothing more than a nice shenanigan based on the sandbox limitations but at least we spent some time doing interesting things :).

Intel I211 Windows Server 2012 R2 Drivers

For some time now i was looking for decent hardware which i wanted t0 use to build my home firewall with the Sophos UTM appliance. In the beginning i thought a Atom CPU would be ok to run the UTM bare metal. But i couldn´t find a decent mainboard with at least two NICs. Thanks to my father the Shuttle DS57U3 got my attention! It´s completely fanless, the Mainboard got two NICs and the whole setup requires really low power. In idle it takes about 12 Watt and with 100% CPU load the meter shows 24 watt.

Intel I211 Windows Server 2012 R2 Drivers

Intel I211 Windows Server 2012 R2 Drivers

But lets get to the point of this Blog post. As soon as you install Windows Server 2012 R2 to run Hyper-V you will notice that one of the NICs is not recognized. The Device Manager shows that there aren´t any matching device drivers. On the Intel Webseite are only driver for Windows 8.1. available. So i added the the necessary lines to the e1r63x64.ini file to get those 8.1. drivers recognized on a Windows Server 2012 R2 system. You can download the modified version of e1r63x64.inf here. You will have to replace the file which already exists in this directory “\PRO1000\Winx64\NDIS63”.

Since you now have an unsigned driver you have to disable the Driver Signature Verification. Open a command prompt as an administrator and enter he following commands:


Then reboot and you will be able to install the modified driver :).

Citrix XenMobile v10 SSL Offload

A quick description regarding SSL Offload in Citrix XenMobile V9 and Citrix XenMobile v10

Robin Hobo and Anton van Pelt have already published great guides on how to install and configure XenMobile v10. I would like to contribute with my own experience and will explain the differences between Citrix XenMobile v9 and v10 regarding the SSL Offload Part.
Some time ago Citrix published a CTX Article about SSL Offload in Citrix XenMobile v9. In Citrix XenMobile v10 and Citrix NetScaler v10.5 the process is basically the same. Some menu items have been replaced which I want to show you.
Step 1 in CTX200063 Article is to gather the Devices Certificate and also the Root Certificate. Since Citrix moved both parts into one appliance you can´t access the file system. But you will find the certificate under Configure -> Settings -> Certificate.

Citrix XenMobile v10 SSL Offload

Citrix XenMobile v10 SSL Offload

You will have to export the cacerts.pem Certificate and download it to your computer. If you open the file with your favorite text editor you will see that it contains both certificates which are mentioned in the CTX Article. You can follow the Citrix guide’s instructions to the end if you are using a version of NetScaler below 10.5. If you are using 10.5, you can follow the CTX Article up to step 8 where you bind your device and Root Ca to your Load Balancer (Groß?). This option is named slightly different.

Citrix XenMobile v10 SSL Offload

Citrix XenMobile v10 SSL Offload

Citrix XenMobile v10 SSL Offload

Citrix XenMobile v10 SSL Offload

On those Screenshots you can see where you have to bind both Certificates to your Load Balancer.

Citrix XenMobile licensing

Technical deep dive into Citrix XenMobile licensing

Recently I was asked by a customer what will happen to their XenMobile Device Manager Servers if the Citrix License Server will be unavailable. Especially if there is any impact for users which would be a huge problem. So I checked the eDocs from Citrix where I found the following statement regarding grace periods:

“The grace period is set by Citrix. It is typically 30 days but can vary depending upon the product. The Windows Event Log, and other in-product messages, indicate if the product has entered the grace period, the number of hours remaining in the grace period. If the grace period runs out, the product stops accepting connections. After communication is re-established between the product and the License Server, the grace period is reset.”

To be honest this is not a really satisfying answer. Particularly the “depending upon the product” gave us headaches. So I tested it in my lab environment and got to the following results. As soon as you connect your Device Manager v9 (haven´t had the chance to test v10 yet) to your Citrix License Server the Device Manager will somehow import the license. And from here on you are completely independent from the License Server. At least as far as i can tell. You can shutdown the License Server for the lifetime of your license if you want too. Only if your license is near of its lifetime you will get the typically Nag screen. But until then you don´t have to worry about this.

Microsoft Intune: New Features with the February update

Last week, Microsoft announced some changes coming to the standalone version of Intune.

See this link to check when your tenant will be updated. Your current Service Settings can be found in the Intune Administration Console.

The new features include:

– Management of Microsoft Office Apps for Android (Word, Excel and PowerPoint). This include the ability to restrict the usage of cut, copy and paste from managed to unmanaged apps.

– Management of the Microsoft OneNote App on iOS Devices. Let’s hope this possibility will quickly be added to the Android Version as well :)

– It is now possible to install applications from the Company Portal on Windows Phone 8.1 devices.

– Support for per-app VPN with Cisco AnyConnect on iOS devices.

– Option to make device encryption mandatory on Windows 8.1 devices.

–  WiFi profiles can now be deployed via XML import for Windows Devices, or via OMA URI for Windows Phone devices.

Microsoft also announced their plans to add conditional access control with Intune for SharePoint Online and OneDrive for Business. After seeing this option for Microsoft Exchange, I can’t wait to get my hands on this feature.

How to configure a Software Raid with XenServer 6.5

A quick Tutorial how to configure a Software Raid with XenServer 6.5

even Citrix does not support a Software Raid with XenServer anymore i would assume that there a a few how are running their lab server with XenServer by using a Software Raid. And since the old Tutorials how to configure a Software Raid with XenServer 6.2 won´t apply to XenServer 6.5 i wrote down the necessary steps. I assume you have a clean XenServer 6.5 installation and you also didn´t create any SR while installing. Let´s start :)

sgdisk –zap-all /dev/sdb
sgdisk –mbrtogpt –clear /dev/sdb
sgdisk -R/dev/sdb /dev/sda #
sgdisk –typecode=1:fd00 /dev/sdb
sgdisk –typecode=2:fd00 /dev/sdb
sgdisk –typecode=3:fd00 /dev/sdb
modprobe md_mod
mdadm –create /dev/md0 –level=1 –raid-devices=2 –metadata=0.90 /dev/sdb1 missing
mdadm –create /dev/md1 –level=1 –raid-devices=2 –metadata=0.90 /dev/sdb2 missing
mdadm –create /dev/md2 –level=1 –raid-devices=2 –metadata=0.90 /dev/sdb3 missing
mkfs.ext3 /dev/md0
mount /dev/md0 /mnt
cp -xR –preserve=all / /mnt
sed -i ‘s/LABEL=[a-zA-Z\-]*/\/dev\/md0/’ /mnt/etc/fstab
mount –bind /dev /mnt/dev
mount -t sysfs none /mnt/sys
mount -t proc none /mnt/proc
chroot /mnt /sbin/extlinux –install /boot
dd if=/mnt/usr/share/syslinux/gptmbr.bin of=/dev/sdb
chroot /mnt
mdadm –detail –scan > /mnt/etc/mdadm.conf
mkinitrd -v -f –theme=/usr/share/splash –without-multipath /boot/initrd-`uname -r`.img `uname -r`
sed -i ‘s/LABEL=[a-zA-Z\-]*/\/dev\/md0/’ /mnt/boot/extlinux.conf
cd /mnt && extlinux –raid -i boot/
sgdisk /dev/sdb –attributes=1:set:2
cd && umount /dev/md0

Make sure to boot from sdb now!

sgdisk -R/dev/sda /dev/sdb
sgdisk /dev/sda –attributes=1:set:2
mdadm -a /dev/md0 /dev/sda1
mdadm -a /dev/md1 /dev/sda2
mdadm -a /dev/md2 /dev/sda3

You can watch the build process with the following command: watch “mdadm –detail /dev/md* | grep rebuild”


Time to participate in the Project VRC “State of the VDI and SBC union 2015” survey!

The independent R&D project ‘Virtual Reality Check’ (VRC) ( was started in early 2009 by Ruben Spruijt (@rspruijt) and Jeroen van de Kamp (@thejeroen) and focuses on research in the desktop and application virtualization market. Several white papers with Login VSI ( test results were published about the performance and best practices of different hypervisors, Microsoft Office versions, application virtualization solutions, Windows Operating Systems in server hosted desktop solutions and the impact of antivirus.

In 2013 and early 2014, Project VRC released the annual ‘State of the VDI and SBC union’ community survey (download for free at Over 1300 people participated. The results of this independent and truly unique survey have provided many new insights into the usage of desktop virtualization around the world.

This year Project VRC would like to repeat this survey to see how our industry has changed and to take a look at the future of Virtual Desktop Infrastructures and Server Based Computing in 2015. To do this they need your help again. Everyone who is involved in building or maintaining VDI or SBC environments is invited to participate in this survey. Also if you participated in the previous two editions.

The questions of this survey are both functional and technical and range from “What are the most important design goals set for this environment”, to “Which storage is used”, to “How are the VM’s configured”. The 2015 VRC survey will only take 10 minutes of your time.

The success of the survey will be determined by the amount of the responses, but also by the quality of these responses. This led Project VRC to the conclusion that they should stay away from giving away iPads or other price draws for survey participants. Instead, they opted for the following strategy: only survey participants will receive the exclusive overview report with all results immediately after the survey closes.

The survey will be closed February 15th this year. I really hope you want to participate and enjoy the official Project VRC “State of the VDI and SBC union 2015” survey!

Visit to fill out the Project Virtual Reality Check “State of the VDI and SBC Union 2014” survey.

By continuing to use the site, you agree to the use of cookies. More information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.