Single Sign On (SSO) to ADFS enabled Website from XenMobile SecureWeb

From ADFS 3.0 on Windows Server 2012 R2, a Powershell property defines which User Agents (Browsers) that are supported for 401 Windows Integrated Authentication instead of Form Based Authentication.

So In order to ensure that we can support SSO from XenMobile SecureWeb, we can change that property on ADFS (Option 1), or we could use NetScaler Rewrite engine, and rewrite user agent header when SecureWeb contacts ADFS sign in URL (Option 2).


  • Enable Single Sign On (SSO) to ADFS enabled web sites eg. office 365 sites, etc. from within XenMobile SecureWeb


  • XenMobile SecureWeb is set to “Tunnel to internal network” and “Secure Browse” mode in MDX Policy
  • NetScaler Gateway is doing LDAP authentication as one of the factors, or alternative Kerberos KCD against ADFS

Traffic flow

These steps describes high level steps for XenMobile SecureWeb traffic:

  1. XenMobile SecureWeb establish mVPN and authenticates at NetScaler Gateway
  2. XenMobile SecureWeb contacts eg. which redirects to ADFS sign in URL
  3. ADFS runs in Windows Integrated Authentication mode, and sends a 401 challenge to NetScaler
  4. NetScaler provides authentication token, NTLM or Kerberos and submits this to ADFS server, behind the scene, thus transparent for user

Implementation steps

Option 1 – Set WIASupportedUserAgents on ADFS

To show current WIASupportedUserAgents setting, run following Powershell command on ADFS server:

To add user agent string for WorxWeb, run following command:

Option 2 – Rewrite SecureWeb User Agent when contacting ADFS

Add Rewrite Replace Action with supported User-Agents:

Add Rewrite Policy and ensure only applied to SecureWeb from both iOS and Android:

Bind Rewrite Policy to NetScaler Gateway handling mVPN sessions:

Leave a Reply

Your email address will not be published. Required fields are marked *