StoreFront + FAS: You cannot login using smart card

When you implement StoreFront and NetScaler Gateway with Citrix new Federate Authentication Service (FAS) for SAML authentication you almost inevitable will face the “You cannot login using smart card. Please close your browser to protect your account” error after you logout from StoreFront.

Update: Native Solution

In the meantime Citrix implemented their own solution for this – which is of course the preferred solution compared to my rewrites below!

On StoreFront just:

• Edit “C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom\script.js”
• Insert “CTXS.allowReloginWithoutBrowserClose = true”

Source: https://support.citrix.com/article/CTX227673

Background

This message typically pops up after you logout. You’ll first receive the following message asking you to close your browser.

Once you then refresh the page or browse to the StoreFront again without closing your browser you’ll receive the message “You cannot login using smart card”.

While this is an intended protection mechanism the wording is just confusing for users. The basic intention is to make the user close the browser for security purposes. However, the user doesn’t know about the SmartCard tricks FAS is performing internally.

Solution

StoreFront is handling this protection by setting and checking some cookies. And there are actually two cookies, one that’s asking the user to close the browser and one that’s causing the smart card error.

Now if we delete the cookie responsible for the smart card message the user will get the message just telling him to close the browser instead of a misleading “You cannot login using smart card”.

We can achieve this on NetScaler using the following simple rewrite on the logout page that’ll invalidate the corresponding cookie:

You’ll need to edit the /Citrix/StoreWeb paths accordingly

add rewrite action rw.act.expire-smartcard-cookie insert_http_header "Set-Cookie" ""CtxsSmartcardAuthenticated=xyz;Path=/Citrix/<strong>StoreWeb</strong>/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure""
add rewrite policy rw.pol.expire-smartcard-cookie.logout "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ("/Citrix/<strong>StoreWeb</strong>/logout.aspx")" rw.act.expire-smartcard-cookie
bind vpn vserver ngw.vs.citrix.nerdscaler.lab.ssl.443 -policy rw.pol.expire-smartcard-cookie.logout -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

I’ve noticed that this change doesn’t seem to work with the latest Internet Explorer. This seems to be due to the fact that the logout.aspx is called from within a JavaScript and the browser itself never navigates to that site. IE receives the Cookie expiration but doesn’t seem to react to it within JavaScript.

Optional

If you want to get rid of the browser close message as well you can also remove the cookie causing this. You can do this using the following rewrite.

add rewrite action rw.act.expire-browserclose-cookie insert_http_header "Set-Cookie" ""CtxsBrowserCloseToEndSession=xyz;Path=/Citrix/<strong>StoreWeb</strong>;expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure""
add rewrite policy rw.pol.expire-browserclose-cookie.logout "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ("/Citrix/<strong>StoreWeb</strong>/logout.aspx")" rw.act.expire-browserclose-cookie
bind vpn vserver ngw.vs.citrix.nerdscaler.lab.ssl.443 -policy rw.pol.expire-browserclose-cookie.logout -priority 110 -gotoPriorityExpression NEXT -type RESPONSE

Warning: StoreFront forces the user to close the session for a reason. The browser closure prevents situations where you logout from StoreFront but not from the IDP.

Let’s say you’re using a shared computer. You log off your StoreFront and you don’t close the browser. Chances are you’re still logged into your IDP at this stage. Now if the next user browses to StoreFront he’ll get logged into your account straight away as you’re still authenticated with the IDP.