Hello
In Windows I can log into the Citrix Workspace application with my company details and then every time I just need to open the Citrix app and select the host to connect to.
With Arch Linux I can't log in to the Citrix Workspace app. I have to log in every time to the website of my company in order to get the .ica link. Citrix works perfectly well, it's just that I would like to avoid logging in every time, just open Citrix Workspace and open the remote host.
Has anyone solved the same issue? Any hints?
Thanks
The way it works is that under Windows, your login credentials get "forwarded" to Citrix and are the same - Domain Auth helps with that. If you set up your Arch install to do the same, you can achieve that, but it's a) complicated, and b) most likely won't work unless your Company allows Linux PCs into their domain.
another citrix user here - what you describe sounds like citrix works correctly as intended: you log in to a from-outside-accessible web portal and download temporary .ica link files and execute them with ICAclient
at the end of the session the used .ica file gets auto-deleted by the ica client - as having it is equivalent to having your access credentials
also: it's common practice to lock the session token behind a timeout - which means even if the .ica file would not get deleted it would become invalid
the way the windows version works, it just stores your credentials and performs an often less secure auto login
whether this is possible highly depends upon whether you require an OTP for login - if so it won't work on linux as you have to supply at least the OTP every time - at which point you're back to square one having to provide full credentials
but: this is on purpose and intended - it's supposed to not be easy to get around
it's supposed to be an extra step in case anyone gains access to your computer - as that's the threat vector it protects against: someone who gains access to your client is not supposed to be able to use that access to also gain access to your citrix without additional credentials like a token, OTP or whatnot - and that's likely the same reply you'll get from your IT staff
side note: if you want to live the easy life without bothering with providing credentials but have all your accesses stored in your browser's "save password" option, you're maybe not someone who should be trusted with something like a citrix remote access - as chances are high that if you don't take your own security seriously you likely treat your employer's network the same - don't have your IT staff notice you don't care - there's a lot of malicious stuff out there that doesn't even require your interaction - having access to your workspace lazily stored somewhere on your device means malicious code can abuse that, too - and it's exactly THAT what this additional request for your credentials is supposed to protect against
Thanks all. Yes I require OTP to access.
I see your points, but why are my credentials stored on Windows so that I can connect to the host without logging in, while on Linux I have to log in every time?
My Linux partition is LUKS encrypted, while the Windows one is not. I'd also go as far as to say that generally Windows "people" are on average less tech savvy, so why allow Windows the "unsecure" login while on Linux I have to put in the password + OTP key every time?
The answer lies somewhere in here: https://docs.citrix.com/en-us/storefron … rough.html and probably other config options, but the tl;dr is: The way Domain Auth in Windows works allows Citrix to access that information. Standard Linux has no such mechanisms. In Windows, you authenticate against a trusted* instance - the domain controller. Citrix itself also authenticates against that, so if you show Citrix your "I have just authenticated against the DC" passport, it'll let you in because it can cross-check with its own DC. On Linux, you usually log in locally against /etc/passwd etc. and don't have a "passport" from a shared trust source - Citrix doesn't trust your Linux to authenticate yourself. If your Linux would authenticate against the same DC (via sssd for example) it would work** just as fine.
If you don't authenticate your Windows against the company domain, then IDK what black magic your Citrix admins are tapping into to validate your trust - Maybe the stored SSO token from whatever web portal you use to authenticate against your Company. Many people use EntraID for that, so maybe that gets exposed. But the principle applies the same.
Do note that all this is a simplification of what's really happening - the details may very well vary.
*all that with a grain of salt - from the view of Citrix, not from a "this is really secure" standpoint.
**with further necessary configuration, but conceptually it'd work