If you don’t already know, you can now configure Citrix Secure Mail to provide single sign-on (SSO) for users through the use of an automatic provisioning mechanism during your first-time use.

Secure Mail consumes the user credentials that users enter to authenticate to Secure Hub to provision the users’ mailbox automatically. The automatic account configuration of Secure Mail in an LDAP authentication environment provides a seamless, SSO experience with minimal user input and intervention. In this article, we will cover how you can create an even more seamless user experience with Secure Mail SSO.

Prerequisites

To get started with Secure Mail SSO for your users, you would need the following prerequisites:

  • XenMobile Server version 10.4.0.116 or later
  • Secure Mail version 10.4.5 or higher (Public app store only)
  • First you would need to enable autodiscovery with an email address within XenMobile. For further details on how to do this, see  XenMobile autodiscovery in the product documentation.
  • Create a new server property in the XenMobile console.
    Key: MAM_MACRO_SUPPORT
    Value: true

    User-added image
  • Create a new client property in the XenMobile console.
    Key: SEND_LDAP_ATTRIBUTES
    Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}

    User-added image
  • Create a new client property in the XenMobile console.
    Key: ENABLE_CREDENTIAL_STORE
    Value: true

    User-added image
  • Configure email-based AutoDiscovery Service for the user’s Exchange Server mailbox. For details, see Auto Discover for Exchange in the Microsoft documentation. For support, reach out to your Microsoft Exchange administrator. This blog assumes that you configure Autodiscovery Service by querying DNS for an SRV record.
Secure Mail app policy configuration
  1. Upload the Secure Mail app to XenMobile. Use the Add App workflow of XenMobile console. Upload the .mdx file associated with the correct version of the Secure Mail app.
  2. Configure the following Secure Mail app settings:
    1. In Initial authentication mechanism, click User email address.
    2. In Initial authentication credentials, click userPrincipalName or sAMAccountName. Your selection is based on the authentication type configured against the user’s Exchange Mail Server.
      User-added image
    3.  Leave the Secure Mail Exchange Server and Secure Mail user domain fields empty.
      User-added image
    4.  Configure other policies of the Secure Mail app as required and make necessary delivery group assignments.
The end-to-end Secure Mail SSO user experience with automatic provisioning
  1. Ensure that you meet all six prerequisites outlined in this article.
  2. Install Secure Hub from the Apple App Store (iOS) or the Google Play Store (Android).
  3. Open Secure Hub and enter an email address and password for enrolling in XenMobile.
  4. Install Secure Mail from the Apple App Store (iOS) or the Google Play Store (Android).
  5. Open Secure Mail and tap OK. This step allows Secure Hub to manage Secure Mail.
  6. Upon opening, Secure Mail is automatically configured.
    1. The Exchange Server that corresponds to the user’s mailbox database is obtained from the Autodiscovery Service you configured.  The DNS SRV Record query makes use of the user’s email address fetched from Secure Hub.
    2. All the required details for account configuration, such as email address, userPrincipalName/sAMAccountName, and password are fetched from Secure Hub.
    3. When the account is configured, users can view details on the device in Secure Mail > Settings > Account.

Here is a video that walks you through the Secure Mail email enrollment user experience.

Troubleshoot Issues

If any issues occur with the SSO configuration, you can try the following steps.

  1. Ensure that the XenMobile Server version is 10.4.0.116 or later.
  2. Ensure that XenMobile is configured for AutoDiscovery Service and user enrollment is configured for use with an email address.
  3. Ensure that the Exchange Server domain is configured with autodiscovery and the query for the SRV record returns the expected mail server details for ActiveSync mail clients.
  4. In case of an issue with this functionality, collect the following information and contact Citrix Technical Support:
    1. Download XenMobile Server Diagnostic Logs.
    2. Collect Secure Mail Diagnostic Logs with the highest log level.
    3. Collect IIS logs from the directory C:\inetpub\logs\LogFiles\W3SVC1 from the Exchange Server hosting the Autodiscovery Service. For more details on Microsoft Autodiscovery Service, see the Microsoft TechNet site.