Workspace ONE Access and Citrix Integration – An Undocumented Requirement!

Recently I ran into a fun little issue while integrating a Citrix environment into a brand new Workspace ONE Access tenant. This one was interesting because a third-party IdP was immediately in use, so no Password (Cloud) was ever configured, as it was assumed (hint, hint) not to be needed.

There are two primary components to a Citrix integration: 1) the sync and 2) the launch. These require two completely different methods of troubleshooting since each relies on different pieces to function. The sync relies on integration with your Desktop Delivery Controllers (DDCs) via PowerShell modules and admin delegations, and the launch relies on the Virtual App service communicating with the StoreFront API directly through API calls.

So, once everything was set up, applications synced successfully, network ranges were set up with appropriate URLs, etc., we were met with this fun "Password not found for application launch" error when putting in a known GOOD password during the launch process:

(Not very helpful)

After doing some Wireshark captures and log analysis, it was clear that we were not even attempting to authenticate or reach out to StoreFront. After doing some comparisons with known good configurations, the one thing that stuck out was that we didn’t have Password (Cloud) configured with our Built-In IdP. But why would we need that? Where in the launch architecture diagram or pre-reqs does it say ANYTHING about Password (Cloud) being required? After all, we’re authenticating against StoreFront (or NetScaler Gateway if external)…

Something is missing…

Actually, that is not the case. We do indeed require Password (Cloud) to be configured. Once you add a valid Password (Cloud) auth method and add it to your built-in IdP (see here), you can see via Wireshark captures that we authenticate against AD first to validate the user credentials, and then once confirmed valid, we pass them on to StoreFront/NSG. So, it really looks more like this:

That’s more like it!

Hopefully the docs get fixed fairly soon to reflect the actual launch process and the pre-reqs needed here, and I hope this post helps anyone who runs into this. Have any questions around this or Citrix integrations in general? Feel free to reach out!