When you implement StoreFront and NetScaler Gateway with Citrix's new Federated Authentication Service (FAS) for SAML authentication, you will almost inevitably face the “You cannot login using smart card. Please close your browser to protect your account” error after you log out from StoreFront.
Update: Native Solution
In the meantime Citrix has implemented their own solution for this, which is of course the preferred solution compared to my rewrites below!
On StoreFront just:
- Edit “C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom\script.js”
- Insert “CTXS.allowReloginWithoutBrowserClose = true”
This message typically pops up after you log out. You'll first receive the following message asking you to close your browser.
If you then refresh the page or browse to StoreFront again without closing your browser, you'll receive the message “You cannot login using smart card”.
While this is an intended protection mechanism, the wording is just confusing for users. The basic intention is to make the user close the browser for security purposes. However, the user doesn't know about the smart card tricks FAS is performing internally.
StoreFront handles this protection by setting and checking cookies. There are actually two cookies: one that asks the user to close the browser and one that causes the smart card error.
Now if we delete the cookie responsible for the smart card message, the user will just get the message telling them to close the browser instead of the misleading “You cannot login using smart card”.
We can achieve this on NetScaler with the following simple rewrite on the logout response, which invalidates the corresponding cookie:
You'll need to edit the /Citrix/StoreWeb paths according to your store name.
add rewrite action rw.act.expire-smartcard-cookie insert_http_header "Set-Cookie" "\"CtxsSmartcardAuthenticated=xyz;Path=/Citrix/StoreWeb/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure\""
add rewrite policy rw.pol.expire-smartcard-cookie.logout "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/Citrix/StoreWeb/logout.aspx\")" rw.act.expire-smartcard-cookie
bind vpn vserver ngw.vs.citrix.nerdscaler.lab.ssl.443 -policy rw.pol.expire-smartcard-cookie.logout -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
If you want to get rid of the browser close message as well you can also remove the cookie causing this. You can do this using the following rewrite.
add rewrite action rw.act.expire-browserclose-cookie insert_http_header "Set-Cookie" "\"CtxsBrowserCloseToEndSession=xyz;Path=/Citrix/StoreWeb;expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure\""
add rewrite policy rw.pol.expire-browserclose-cookie.logout "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/Citrix/StoreWeb/logout.aspx\")" rw.act.expire-browserclose-cookie
bind vpn vserver ngw.vs.citrix.nerdscaler.lab.ssl.443 -policy rw.pol.expire-browserclose-cookie.logout -priority 110 -gotoPriorityExpression NEXT -type RESPONSE
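To verify that the two rewrites really invalidate both cookies, here is a small check I've added as an example (it is not part of the original post and not Citrix or NetScaler code): it parses the Set-Cookie headers from the logout.aspx response and reports per cookie whether it is expired, marked Secure and scoped to the store path. The cookie names and the expiry date come from the rewrites above; the sample headers are constructed inline, and the function names are mine.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names from the post: the smart card one and the close-browser one.
TARGET_COOKIES = ("CtxsSmartcardAuthenticated", "CtxsBrowserCloseToEndSession")

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags like Secure get ""
    return name.strip(), value, attrs

def cookie_is_expired(attrs, now=None):
    """True if Expires lies in the past, i.e. the browser deletes the cookie."""
    try:  # parsedate_to_datetime accepts the RFC 850 date the rewrites use
        exp = parsedate_to_datetime(attrs.get("expires", ""))
    except (TypeError, ValueError):
        return False
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return exp <= (now or datetime.now(timezone.utc))

def check_logout_response(set_cookie_headers, store_path):
    """Per protected cookie, say whether the logout response kills it. Browsers replace
    a cookie only if name, domain and Path match exactly: pass StoreFront's own Path."""
    report = {name: "no Set-Cookie seen" for name in TARGET_COOKIES}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in report:
            continue  # unrelated cookie, leave it alone
        problems = []
        if not cookie_is_expired(attrs):
            problems.append("expiry not in the past")
        if "secure" not in attrs:
            problems.append("missing Secure")
        if attrs.get("path") != store_path:
            problems.append("Path %r differs from %r" % (attrs.get("path"), store_path))
        report[name] = "expired" if not problems else "; ".join(problems)
    return report

# Constructed sample: headers the two rewrite actions add to logout.aspx, plus a stray cookie.
SAMPLE_HEADERS = [
    "CtxsSmartcardAuthenticated=xyz;Path=/Citrix/StoreWeb/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure",
    "CtxsBrowserCloseToEndSession=xyz;Path=/Citrix/StoreWeb/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure",
    "ASP.NET_SessionId=abc123; Path=/; HttpOnly",
]
```

Feed it the real Set-Cookie headers of your logout.aspx response and pass the Path StoreFront itself used when setting the cookies; a trailing-slash mismatch shows up as a Path difference, which means the browser would keep the old cookie.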
Warning: StoreFront forces the user to close the session for a reason. The browser closure prevents situations where you log out from StoreFront but not from the IDP.
Let's say you're using a shared computer. You log off from StoreFront and you don't close the browser. Chances are you're still logged into your IDP at this stage. Now if the next user browses to StoreFront, they'll get logged into your account straight away, because you're still authenticated with the IDP.