# _general
n
GPO is applied and the FAS servers are showing up in the registry. There are no SF servers in play.
r
Is the DaaS FAS Service enabled under workspace auth?
n
yes
Do you know if there is a place you can view logs on the FAS servers?
I am using Azure AD for MFA and the user principal is different there. Can you add a second user principal to an AD? Hmm... let me see...
r
Yeah, typically that is a conversation I have with customers, and update the UPN suffix in the domain trust section. Then companies use that inside the AD attributes. But there's a bit more to it than what I'm saying.
n
Yeah, that's what it is.
They don't have their Azure suffix, so it needs to get added.
m
You can use a SAML 2.0 app instead of the inbuilt app with Citrix Cloud and tell the custom app to map to onpremupn.
Then you don't need to add the suffix.
I've had to do this with a ton of clients where the UPN that Azure sees is not the one in use on prem.
r
So instead of using Azure AD as the built-in IdP, you use SAML 2.0 and create an Enterprise app in Azure?
m
yes
r
Good to know man
m
The built-in app uses OIDC and doesn't let you change the mappings.
r
Very true
m
SAML 2.0 is also useful if you want to use the same app for multiple URLs, like test, dev, prod,
instead of creating 3 apps.
r
Sounds like you need to write some blogs on this 🙂
m
Or for DR sites that have a dedicated URL with OGR.
I am supposed to be writing one for Alchemy lol, but our testing process got delayed when trying to figure out what environment we were going to link these apps to…
r
Ah, you're still there. I was curious.
m
I’m redoing my home lab over the break so I might just get my own okta dev tenant and test with that.
r
Do you pay for the Okta dev tenant?
m
There's a free one, I think.
r
WHAT
I like free
@newbie1998 sorry I hijacked your thread.
m
It's pretty basic; I haven't actually tried it yet.
r
Def will check this out. Thanks man
n
Hey guys,
I just saw what Mike wrote.
Sorry for the late response.
What do you mean by using a SAML 2.0 app?
m
Instead of just using the Azure AD connector.
You then need to change the mappings on the enterprise app in Azure AD to use OnPremUPN instead of just UPN.
n
Question for you: is there a KB article on how to do this?
I am so sorry for these dumb questions... but how do I create an app in Enterprise Applications?
n
Thanks man, let me check that out.
So will this work when users use their on-premise accounts to log in?
Like, if the user uses Sly@rayrocks.nt to log in to their machine but their Azure AD has a UPN of sly@rayrocks.com, by enabling this will sly@rayrocks.nt work when accessing apps/desktops?
m
cip_upn (user.userprincipalname) needs to change to whatever holds the onpremupn.
It's the other way around: they need to log in with the email and it will match it to the on-prem account.
n
Hmm... I think that's what the issue is.
They only have sly@rayrocks.nt as a UPN.
m
In Azure?
n
In on-prem AD.
m
That's fine, the SAML app will translate the email to the on-prem UPN, so that is what will be sent to StoreFront.
n
What if they are not using StoreFront but Citrix Cloud Workspace?
m
Same thing.
The Cloud Connector passes on the auth to FAS in that case, so it's what sees the email instead of the UPN.
You need to change cip_upn to match a field that is syncing to Azure AD that holds the on-prem UPN; it's normally called onpremupn or something similar.
n
OK, I wish I could lab this out...
m
I'll see if I can find what ours is called.
n
thanks man
m
user.onpremisesuserprincipalname
n
Thanks man, I'll check a user on my end as soon as I am off this client call.
Sorry for any stupid questions.
m
It's fine, it took me a while to figure out how to make it work the first time.
n
The last screenshot you sent me, is that from the Custom Security Attributes screen?
m
It's under Manage - Single Sign On.
n
So we decided to go a different route, but thanks for your help.
They added the UPN suffix, so I am waiting to test.
So we added the UPN suffix but it's still not working. I still get these types of errors - https://support.citrix.com/article/CTX564342/unable-to-start-desktop-with-fas-enabled-and-assert-upn-error-event-102-on-fas-server
But it doesn't happen to everyone.
I feel like it's only happening to users where the AD UPN doesn't match the e-mail address?
Have you seen that before?
m
Yes, which is why I use the SAML 2.0 app to remap it…
n
Aaah!!!
I see.
m
It doesn't matter if you add the suffix when that suffix isn't what they use.
It's passing through whatever they are logging in with.
If that's the email and the on-prem UPN isn't the email, then you need to remap the cip_upn (whatever they type in) to the on-prem UPN (whatever is in AD).
This doesn't happen with the inbuilt Azure AD connector because it makes the assumption that your email is your on-prem UPN.