Today I want to talk about my recent experience with Sharefile Storage Zone and Microsoft Active Directory Federation Services (ADFS) 3.0. There are a few small things you have to take care of.
Our proof of concept consists of two servers:
- 1 x Storage Zone Controller: Microsoft Windows Server 2012 R2, 2 vCPU, 8 GB RAM, 60 GB system partition, 80 GB data partition.
- 1 x ADFS Server: Microsoft Windows Server 2012 R2, 2 vCPU, 8 GB RAM, 60 GB system partition.
Furthermore, the following prerequisites should be in place before starting:
- Citrix Sharefile Control Plane (and subdomain) with at least one administrator account
- A public DNS entry for your Citrix Storage Zone, resolving to the Netscaler content switching IP
- A public certificate for your Citrix Storage Zone name (e.g. sharefile.demo.de)
- A public DNS entry for the ADFS service, resolving to the Netscaler content switching IP
- A public certificate for the ADFS service name (e.g. adfs.demo.de)
- A service account for Sharefile
- A service account for the ADFS services
All other infrastructure components, such as the file server and Active Directory, are already in place, as we are working in a production environment.
PLEASE NOTE:
- The Netscaler configuration is not part of this article. If you have some questions about the configuration, please contact me or leave a comment.
- The demo installation was done on German-language server systems. I’ve tried to translate all messages and menus, but some menus may look different on English systems.
Prepare Storage Zone Controller for Installation
First of all we need to prepare a network share, where all Sharefile data will be stored and managed. We also need an IIS web server for the StorageZone management services.
Installing and Configuring Storage Zone Controller
Now we want to install the StorageZone Controller components on the StorageZone server.
After downloading the components from citrix.com, start the installation with administrative privileges.
Click „Next“ to start the installation.
Accept the EULA.
Choose your preferred installation location.
Click „Next“ to start the installation process.
Uncheck „Launch StorageZone Controller Configuration Page“ and click „Finish“.
Now restart the server.
Try to access the website https://localhost; you should see the page shown in the screenshot.
If you can see this Sharefile page, go to https://localhost/configservice/login.aspx and log in with your Sharefile admin account. Note: You need internet access to connect to the control plane of your Sharefile subdomain. If you are using a proxy server, select the „Networking“ menu to configure your proxy settings.
Once you are connected to your control plane, you can select „Create new Zone“.
Fill out the required fields.
If you scroll down, you can select the allowed connectors and paths. You also have to create a passphrase. To finish, click „Register“.
If the registration was successful you should see this overview.
Installing ADFS
Microsoft Active Directory Federation Services will be the authentication service for your Sharefile employees. This service needs an existing Active Directory, and the web server must be reachable from the internet on port 443/HTTPS.
Open Windows Server Manager, select „Add Roles and Features“ and choose „Role-based or feature-based installation“.
Select „Active Directory Federation Services“ and „Web Server“.
The „Features“ installation can be done with the default settings.
Select „Next“ for the ADFS installation.
Select „Next“ for the Web Server installation.
You don’t need any additional features.
Click on „Install“ to start the installation.
Wait for the installation to complete.
If the installation was successful you will see an exclamation mark in Server Manager, notifying you to complete the ADFS installation. Click on this note to start the ADFS wizard.
In our case this is the first ADFS server, so we have to select „First server“ and click „Next“.
In the next dialog you have to enter an account with domain administrator privileges to integrate ADFS into Active Directory.
Type your admin account and click „OK“.
On this page you need to specify a certificate for ADFS. In my case this is a wildcard certificate. The name of the service is adfs.domain.lab.
Now specify the service account for the ADFS service. In my case the account was admin.adfs.
Create the database for ADFS on your ADFS server or specify a SQL server.
Click on „Next“ to run the pre-checks for the ADFS integration.
If all pre-checks were successful you can click on „Configure“.
Wait for the installation to complete.
When the installation is complete, click on „Close“.
Start the ADFS Management Tool.
Right-click on „Relying Party Trusts“ and select „Add Relying Party Trust“.
Start the wizard by clicking on „Start“.
Select „Enter data about the relying party manually“ and click on „Next“.
I usually use my Sharefile subdomain site as display name and identifier, e.g. https://DEMO.sharefile.eu/saml/acs.
Select the „AD FS profile“ and click on „Next“.
You can use the default settings for the certificate and click on „Next“.
Select the checkbox „Enable support for the SAML 2.0 WebSSO protocol“ and enter the URL, e.g. https://demo.sharefile.eu/saml/acs.
Type in your identifier for the site.
Select „I do not want to configure multi-factor authentication settings for this relying party trust at this time“ and click on „Next“.
Permit all users to access this relying party.
Click on „Next“.
Check the box to open the Claim Rules after finishing the wizard.
Click on „Add rules“.
For the first rule use the template „Send LDAP Attributes as Claims“.
Enter „AD to Email“ for the claim rule name. Choose Active Directory for the attribute store. Choose E-Mail-Addresses for the LDAP attribute. Choose E-Mail Address for the outgoing claim type. Then click „Finish“.
Click on „Add rules“ to add a second rule.
Use the template „Transform an Incoming Claim“. Then, choose „Next“.
For claim rule name, enter „Email to Name ID“. For incoming claim type, choose E-Mail Address.
Click „OK“ to return to the AD FS management console.
Under „Trust Relationships“ open „Relying Party Trusts“, right-click on the created trust and select „Properties“.
In the „Advanced“ tab change the secure hash algorithm to SHA-1 and apply.
Go to the „Endpoints“ tab and add the SAML endpoint as shown in the screenshot.
Select the folder „Authentication Policies“ and click on „Edit Global Primary Authentication“.
Select Forms Authentication for both categories. Make sure all other types of authentication are unchecked. Choose OK.
In the AD FS management console, navigate to „Service“ and select „Certificates“. Choose the Token-signing certificate. Choose „View Certificate“ from the right-click menu.
Open the „Details“ tab and click on the „Copy to File“ button to export the certificate.
Start the wizard by clicking on „Next“.
Select the Base-64 encoded file format and click on „Next“.
Browse to a file location and type a name for the export file.
„Finish“ the wizard.
Accept the success message.
If you plan to use Firefox or Chrome you also need to set the Extended Protection Token Check to None, as this is not supported by browsers other than IE.
Setting up Trust with Sharefile and ADFS Service
The last step is to set up the AD FS service for Sharefile as SAML provider. Please make sure the service is publicly accessible from the internet. I recommend a Netscaler load balancer with port 443/HTTPS open. When you are sure the service is accessible, log in to your Sharefile control plane with an administrative account.
Click on „Admin“ in the top level menu. Then, choose „Configure Single Sign-On“.
Now we need to install the ShareFile User Management Tool. This will allow you to synchronize which users in AD will have access to ShareFile. You will need to obtain a copy of this tool from the Citrix website.
Configure a rule for synchronizing the AD users to Sharefile. Make sure the e-mail attribute is configured correctly for all users (see http://docs.citrix.com/en-us/sharefile-user-management-tool/1-7/sf-umt-provision-accts.html). You can also schedule this job to run the synchronization e.g. every hour. I also recommend creating a Sharefile user group in AD and using this group for the rule. Start an initial sync now!
For a logon test, open a browser and navigate to the following URL: https://demo.sharefile.eu/saml/login. NOTE: „demo“ is your ShareFile subdomain. You should now be redirected to your ADFS logon page. Enter the AD credentials for one of the synchronized users and choose Sign On. NOTE: The AD username must be entered like „email@domain.com“ or „domain\user“.
After a successful logon you will be redirected to your Sharefile file box.
Also verify that the logout is functional.
Customizing ADFS Services
In some cases it is useful to customize the default ADFS web page with text or logos. Here are some examples of how to do this. All these settings are done via PowerShell:
Show all current designs:
    Get-AdfsWebTheme
Create your custom design on the local file system:
    New-AdfsWebTheme -Name custom -SourceName default
Export the design:
    Export-AdfsWebTheme -Name default -DirectoryPath C:\ADFSTheme
Insert a logo:
    Set-AdfsWebTheme -TargetName custom -Logo @{path="C:\ADFS-Design\logo.png"}
Activate the custom design:
    Set-AdfsWebConfig -ActiveThemeName custom
Insert custom links on the logon page:
    Set-AdfsGlobalWebContent -HomeLink http://www.hompage.de -HomeLinkText Home
    Set-AdfsGlobalWebContent -HelpDeskLink https://myfile.sharefile.eu -HelpDeskLinkText Sharefile-Startseite
Use your own onload.js for the logon page:
    Set-AdfsWebTheme -TargetName custom -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="C:\ADFSTheme\script\onload.js"}
Automatic insertion of the domain in the user name field. You have to insert this script into onload.js:
    if (typeof Login != 'undefined') {
        Login.submitLoginRequest = function () {
            var u = new InputUtil();
            var e = new LoginErrors();
            var userName = document.getElementById(Login.userNameInput);
            var password = document.getElementById(Login.passwordInput);
            // Prefix the domain only if the user typed neither a UPN (@) nor DOMAIN\user
            if (userName.value && !userName.value.match('[@\\\\]')) {
                var userNameValue = 'contoso.com\\' + userName.value;
                document.forms['loginForm'].UserName.value = userNameValue;
            }
            if (!userName.value) {
                u.setError(userName, e.userNameFormatError);
                return false;
            }
            if (!password.value) {
                u.setError(password, e.passwordEmpty);
                return false;
            }
            document.forms['loginForm'].submit();
            return false;
        };
    }
Change the logon text:
    var loginMessage = document.getElementById('loginMessage');
    if (loginMessage) {
        // loginMessage element is present, modify its properties.
        loginMessage.innerHTML = 'Bitte melden Sie sich mit Ihrem Windows Benutzernamen an:';
    }
I hope this helps some of you who also have to install Sharefile Storage Zone with AD FS 3.0.
Any feedback is welcome, so do not hesitate to leave a comment on this site or contact me directly.
Marco Klose works as a Technical Consultant, Architect and CTO focused on application and desktop virtualization as well as application delivery with the Citrix product portfolio. He is specialized in Citrix virtualization, Citrix networking and Microsoft products. He has more than 10 years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC). Since 2021 he is also a Citrix Technology Advocate (CTA).
Hi Marco,
great article, do you also have the Netscaler part to configure this implementation?
Thanks
Michal
Hi Michal, sure, I will try to publish the steps for this. But I am not sure if there is enough time. Are you interested in a specific part or in general?
Hi Marco,
To be honest, in general; if you have some documentation I will really appreciate it. It seems that I am making some mistake.
Thanks Michal
Hi Marco,
Good day!
Kindly clarify me on below:
You have mentioned that both the Storage Zone DNS and the ADFS DNS should point to the same Netscaler content switching IP?
Is this true?
or we need to create 2 NSCS VIPs?
Thank you,
balamurali chemirthi
Hi,
In most cases we use two public IPs. But in general we can build a Netscaler CS for this use case and just need to set rules based on host names and the ADFS URL paths.
Best Regards,
Marco