Citrix Workspace Azure




Applicable Products

  • Citrix Cloud

Symptoms or Error

Overview:
Users may be prompted for additional authentication when navigating to Citrix Workspace URLs if Workspace is configured to use a federated identity provider.
Example:
Users may be prompted for Azure AD credentials when using AAD for authentication to Citrix Workspace, even if the user has a valid Microsoft authentication token.
Scenario

  • Authenticate to an existing O365 or Azure AD provisioned resource
  • Browser retains the Microsoft authentication token for the session
  • Navigate to Citrix Workspace URL (configured to use AAD as the Workspace IdP)
  • Previous authentication token is NOT accepted by Workspace
  • User is again prompted to provide Azure AD credentials to log in to Workspace

Solution

IMPORTANT:
Customers should consult their internal security teams before requesting an exception to determine which settings are best for their environment and security posture.
This behavior is turned on by default for all Workspace customers as an additional security measure.
Customers can request an exception on an individual Citrix Cloud tenant basis.
Contact Citrix Technical Support to have the feature disabled for a specific Cloud Customer account.


Problem Cause

  • Citrix recently made a change within the Azure AD Workspace integration to resolve a security concern.
  • To ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Engineering team has added the “prompt=login” parameter to every authentication request to the IdP of record.
  • This parameter forces the user to be prompted for authentication whenever there is not a valid Citrix Workspace session.
  • This was done to align with industry-standard security practices.
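
To confirm which behavior a tenant is getting, the authorization requests seen in a browser network trace can be checked for the parameter. The following is an added example, not Citrix code: the sample URLs, `TENANT_ID`, `CLIENT_ID` and the `workspace.example.invalid` host are constructed placeholders, and the space-delimited handling of `prompt` follows the OpenID Connect specification.

```python
from urllib.parse import urlsplit, parse_qs


def prompt_values(url):
    """Return the set of OIDC `prompt` values carried by a request URL."""
    query = parse_qs(urlsplit(url).query)
    values = set()
    for raw in query.get("prompt", []):
        # `prompt` is a space-delimited list; parse_qs has already decoded %20 and '+'.
        values.update(raw.split())
    return values


def classify(url):
    """Classify how the IdP is being asked to treat an existing sign-in session."""
    if not urlsplit(url).path.rstrip("/").endswith("/authorize"):
        return "not-an-authorization-request"
    values = prompt_values(url)
    if "login" in values:
        return "forced-login"   # IdP must re-authenticate the user
    if "none" in values:
        return "silent-only"    # IdP must not show any sign-in UI
    return "sso-allowed"        # IdP may reuse its existing session


# Constructed sample requests; every identifier below is a placeholder.
BASE = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fworkspace.example.invalid%2Fcallback"
)
SAMPLES = [
    BASE + "&prompt=login",                    # default Workspace behavior per this article
    BASE,                                      # no prompt parameter
    BASE + "&prompt=select_account%20login",   # login combined with another value
    BASE + "&prompt=none",
    "https://workspace.example.invalid/callback?code=CONSTRUCTED",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):30} {sorted(prompt_values(url))}")
```

A result of `forced-login` matches the symptom described above: the existing Microsoft token is not reused and the user is asked for credentials again.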


Additional Resources


Microsoft has documented how Azure AD should be configured for applications that use “prompt=login”:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-prompt-login
Citrix CTP Contributions:
https://jkindon.com/2019/09/20/azure-ad-and-citrix-workspace-sso/