Citrix Secure Access auto log on for Windows Azure AD joined machines

Auto log on to NetScaler Gateway virtual server

Citrix Secure Access client can perform single sign-on (SSO) to a NetScaler Gateway virtual server using the Primary Refresh Token (PRT) and auto-connect the user to the NetScaler Gateway URL specified in the AlwaysOnURL registry entry. For more information, see NetScaler Gateway Windows VPN client registry keys.

The admin must configure the following to enable SSO to the NetScaler Gateway virtual server using PRT:

  • Microsoft Entra ID must be configured as the SAML IdP.

  • NetScaler Gateway must be configured as the SAML SP.

  • Citrix Secure Access client must be configured in Always On or Always On service mode.

To configure Citrix Secure Access client to perform SSO using PRT, you must complete the following steps:

  1. Join the Windows machine to Azure Entra ID. The admin must visit the following URL and join the Windows machine:

    https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973

  2. Configure NetScaler Gateway as SAML SP and Microsoft Entra ID as SAML IdP. For more information, see Configure Microsoft Entra ID as SAML IdP and NetScaler as SAML SP.

  3. Configure Citrix Secure Access client in Always On and Always On service mode. For more information, see Always On VPN before Windows Logon (formerly Always On service) and Always On.

Users must log in with their credentials the first time. During subsequent system reboots, Citrix Secure Access client auto-connects the user to the NetScaler Gateway virtual server using PRT.

Auto log on to the Secure Private Access service

Citrix Secure Access client can perform SSO to the Secure Private Access service using PRT. This works when the client is configured in Always On or Always On service mode.

To configure Citrix Secure Access client to perform SSO using PRT, you must complete the following steps:

  1. Join the Windows machine to Azure Entra ID. The admin must visit the following URL and join the Windows machine:

    https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973

  2. Log in to the Citrix Cloud account.

  3. Click the hamburger icon and navigate to Identity and Access Management.

  4. On the Identity and Access Management screen, click the Authentication tab and then click the Add an Identity provider button.

  5. Select Azure Active Directory as the authentication type, enter a name for the identity provider in the Identity Provider name text box, and click the Add button.

  6. Azure Active Directory is now listed in the identity providers list. Click Connect.

  7. On the connect screen, enter the URL name and click the Confirm button.

  8. The admin is redirected to the Microsoft sign-in page. Sign in using an Azure Entra ID user account. Once login succeeds, Azure Active Directory shows as connected.

  9. Go back to Workspace Configuration, click the Authentication tab, and select Azure Active Directory.

  10. Navigate to Workspace Configuration > Customize > Preferences and deselect the checkbox below Federated Identity Provider Sessions to disable Federated Authentication Service.

Users must log in with their credentials the first time. During subsequent system reboots, the Citrix Secure Access client auto-connects the user to Secure Private Access using PRT.
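Both procedures above (NetScaler Gateway and Secure Private Access) depend on the machine being joined and the user holding a PRT. The following pre-flight check is an added example, not Citrix or Microsoft code: it assumes the Windows `dsregcmd /status` tool as the source of join and PRT state, the function names are hypothetical, and the embedded sample output is constructed.

```powershell
# Added example: function names are hypothetical; $sample is constructed dsregcmd output.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtExpiryTime : 2030-01-15 10:00:00.000 UTC
'@ -split "`r?`n"

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   Key : Value"; banner lines do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s+:\s+(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-PrtReadinessFinding {
    param([hashtable]$State, [datetime]$Now = [datetime]::UtcNow)
    if ($State['AzureAdJoined'] -ne 'YES') {
        'Device is not joined: complete step 1 before expecting auto log on.'
    }
    if ($State['AzureAdPrt'] -ne 'YES') {
        'No PRT in this session: the user must log in once with credentials.'
        return
    }
    # Expiry is printed as "yyyy-MM-dd HH:mm:ss.fff UTC"; skip the check if it does not parse.
    $raw    = "$($State['AzureAdPrtExpiryTime'])" -replace '\s*UTC$', ''
    $expiry = [datetime]::MinValue
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $parsed = [datetime]::TryParse($raw, [System.Globalization.CultureInfo]::InvariantCulture, $styles, [ref]$expiry)
    if ($parsed -and $expiry -lt $Now) {
        "PRT expiry time $raw UTC is in the past: auto log on cannot use it."
    }
}

# Run in the logged-on user's own session: the PRT is per user, not per machine.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
$findings = @(Get-PrtReadinessFinding -State (ConvertFrom-DsregStatus -Lines $lines))
if ($findings.Count -eq 0) { 'Ready: device is joined and a valid PRT is present.' } else { $findings }
```

On a machine without `dsregcmd.exe` the script falls back to the constructed sample, so the parsing logic can be reviewed offline.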
