Trying to access Storefront with Receiver -- your account cannot be added using this server address


Hello

I'm setting up OTP/Google Authenticator/multi-factor auth for the first time for our StoreFront environment. I created the environment using the Unified Gateway wizard and then had to add on/tweak it for OTP (referencing an AAA VIP using an authentication profile which then uses advanced authentication, login schemas, etc.). I can provide the config details.

So everything works very well when:

- I have a basic LDAP policy -- aka -- no Multi Factor authentication. Tested using Receiver for Web and Full Client

- I add in MFA and test with Receiver for Web

The thick client loads up and asks for the address. I enter it in. It asks for credentials -- username, password, passcode. Now it doesn't matter here if I put total garbage in or correct credentials. It comes back with "your account cannot be added using this server address. Make sure you entered it correctly. You may need to enter your email address instead". I remove the MFA references and it works again.

Any suggestions?

I realize after reading your article, Carl, that I have my wording wrong. I'm trying to do nFactor, not 2-factor.

So I changed my session profile attached to my NS GW VIP for Citrix Receiver to SECONDARY. I'm still getting the same error. I ran cat /tmp/aaa.debug and it's not even hitting the LDAP server at all. I'm reading this https://support.citrix.com/article/CTX223386 and adding in additional login schema policies now to see if that helps.

Jacob, I did try that yesterday but reversed it. I'll try it again.

Jacob, changing that setting didn't help. The more I read on this subject the more confused I am. Here's my config (filtered to the important stuff):

#NS12.0 Build 57.24
add authentication authnProfile unifiedgateway_auth_profile -authnVsName unified_gateway_aaa_vs -AuthenticationHost otp.primarydomain.com
add authentication ldapAction secondarydomain_dc_lb_vs_pwd -serverIP LDAP-IP(2) -serverPort 636 -authTimeout 5 -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication ldapAction primarydomain_dc_lb_vs_pwd -serverIP LDAP-IP(1) -serverPort 636 -authTimeout 5 -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType SSL -ssoNameAttribute userPrincipalName -passwdChange ENABLED
add authentication ldapAction primarydomain_dc_lb_vs_BaseDN_UPN -serverIP LDAP-IP(1) -serverPort 636 -authTimeout 7 -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType SSL -ssoNameAttribute userPrincipalName -followReferrals ON
add authentication ldapAction primarydomain_dc_lb_vs_UPN -serverIP LDAP-IP(1) -serverPort 636 -authTimeout 7 -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType SSL -ssoNameAttribute userPrincipalName
add authentication ldapAction primarydomain_dc_lb_vs_UPN_otp -serverIP LDAP-IP(1) -serverPort 636 -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -secType SSL -ssoNameAttribute userPrincipalName -authentication DISABLED -OTPSecret userParameters
add authentication ldapAction secondarydomain_dc_lb_vs_UPN_otp -serverIP LDAP-IP(2) -serverPort 636 -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -secType SSL -authentication DISABLED -OTPSecret userParameters
add authentication ldapAction primarydomain_dc_lb_vs_UPN_otp_validation -serverIP LDAP-IP(1) -serverPort 636 -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -secType SSL -ssoNameAttribute userPrincipalName -authentication DISABLED -OTPSecret userParameters
add authentication ldapAction secondarydomain_dc_lb_vs_UPN_otp_validation -serverIP LDAP-IP(2) -serverPort 636 -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -secType SSL -authentication DISABLED -OTPSecret userParameters
add authentication loginSchema otp_management -authenticationSchema "/nsconfig/loginschema/SingleAuthManageOTP1.xml"
add authentication loginSchema otp_dual_auth -authenticationSchema "/nsconfig/loginschema/DualAuth1.xml" -passwordCredentialIndex 1
add vpn trafficAction OTP-TrafficProfile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn portaltheme OrgName-RfWebUI -basetheme RfWebUI
add authentication loginSchemaPolicy otp_management_pol -rule "http.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action otp_management
add authentication loginSchemaPolicy otp_login -rule true -action otp_dual_auth
add vpn trafficPolicy OTP-TrafficPolicy true OTP-TrafficProfile
add authentication vserver unified_gateway_aaa_vs SSL 0.0.0.0
add vpn vserver UG_VPN_UnifiedGateway_CS SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -authnProfile unifiedgateway_auth_profile -vserverFqdn UG_VPN_UnifiedGateway_CS
add cs vserver UnifiedGateway_CS SSL 10.10.10.10 443 -cltTimeout 180
add cs action UG_CSACT_UnifiedGateway_CS -targetVserver UG_VPN_UnifiedGateway_CS
add cs policy UG_CSPOL_UnifiedGateway_CS -rule "is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix/OrgNameTestWeb/\") || http.REQ.URL.CONTAINS(\"manageotp\")" -action UG_CSACT_UnifiedGateway_CS
add cs policy UG_CSPOL_UnifiedGateway_CS2 -rule "http.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action UG_CSACT_UnifiedGateway_CS
add cs policy UG_CSPOL_UnifiedGateway_CS3 -rule "http.REQ.URL.CONTAINS(\"manageotp\")" -action UG_CSACT_UnifiedGateway_CS
bind cs vserver UnifiedGateway_CS -policyName UG_CSPOL_UnifiedGateway_CS -priority 63000
add authentication Policy sldap_primarydomain -rule "HTTP.REQ.BODY(500).AFTER_STR(\"domain=\").CONTAINS(\"primarydomain\")" -action primarydomain_dc_lb_vs_UPN
add authentication Policy sldap_secondarydomain -rule "HTTP.REQ.BODY(500).AFTER_STR(\"domain=\").CONTAINS(\"secondarydomain\")" -action primarydomain_dc_lb_vs_BaseDN_UPN
add authentication Policy ldap_auth_ManageOTP -rule "http.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action primarydomain_dc_lb_vs_pwd
add authentication Policy ldap_primarydomain_ManageOTP -rule "http.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action primarydomain_dc_lb_vs_UPN_otp
add authentication Policy ldap_secondarydomain_ManageOTP -rule "http.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action secondarydomain_dc_lb_vs_UPN_otp
add authentication Policy ldap_secondarydomain_OTPvalidation -rule true -action secondarydomain_dc_lb_vs_UPN_otp_validation
add authentication Policy ldap_primarydomain_OTPvalidation -rule true -action primarydomain_dc_lb_vs_UPN_otp_validation
add authentication policylabel otp_factor -loginSchema LSCHEMA_INT
add authentication policylabel secondarydomain_otp_factor -loginSchema LSCHEMA_INT
bind authentication policylabel otp_factor -policyName ldap_primarydomain_ManageOTP -priority 90 -gotoPriorityExpression END
bind authentication policylabel otp_factor -policyName ldap_primarydomain_OTPvalidation -priority 100 -gotoPriorityExpression END
bind authentication policylabel secondarydomain_otp_factor -policyName ldap_secondarydomain_ManageOTP -priority 90 -gotoPriorityExpression END
bind authentication policylabel secondarydomain_otp_factor -policyName ldap_secondarydomain_OTPvalidation -priority 100 -gotoPriorityExpression END
add vpn sessionAction UG_VPN_SAct_10.10.10.10 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -clientlessVpnMode ON
add vpn sessionAction AC_OS_10.10.10.10 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential SECONDARY -icaProxy ON -wihome "https://storefronttest.primarydomain.com/Citrix/OrgNameTestWeb/" -ClientChoices OFF -clientlessVpnMode ON -storefronturl "https://storefronttest.primarydomain.com"
add vpn sessionAction AC_WB_10.10.10.10 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -icaProxy OFF -wihome "https://storefronttest.primarydomain.com/Citrix/OrgNameTestWeb/" -ClientChoices OFF -clientlessVpnMode ON
add vpn sessionPolicy UG_VPN_SPol_10.10.10.10 true UG_VPN_SAct_10.10.10.10
add vpn sessionPolicy PL_OS_10.10.10.10 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixVPN\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NSGiOSplugin\").NOT" AC_OS_10.10.10.10
add vpn sessionPolicy PL_WB_10.10.10.10 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_10.10.10.10
bind vpn vserver UG_VPN_UnifiedGateway_CS -staServer "http://ctxdc.primarydomain.com"
bind vpn vserver UG_VPN_UnifiedGateway_CS -portaltheme OrgName-RfWebUI
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy PL_OS_10.10.10.10 -priority 100 -gotoPriorityExpression NEXT -type REQUEST -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy PL_WB_10.10.10.10 -priority 110 -gotoPriorityExpression NEXT -type REQUEST -urlName Webmail
bind vpn vserver UG_VPN_UnifiedGateway_CS -policy UG_VPN_SPol_10.10.10.10 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST -urlName Webmail
bind authentication vserver unified_gateway_aaa_vs -policy otp_management_pol -priority 100 -gotoPriorityExpression END
bind authentication vserver unified_gateway_aaa_vs -policy otp_login -priority 110 -gotoPriorityExpression END
bind authentication vserver unified_gateway_aaa_vs -policy ldap_auth_ManageOTP -priority 100 -nextFactor otp_factor -gotoPriorityExpression NEXT
bind authentication vserver unified_gateway_aaa_vs -policy sldap_primarydomain -priority 110 -nextFactor otp_factor -gotoPriorityExpression NEXT
bind authentication vserver unified_gateway_aaa_vs -policy sldap_secondarydomain -priority 120 -nextFactor secondarydomain_otp_factor -gotoPriorityExpression NEXT

I didn't realize you were trying to implement nFactor authentication with the native Receiver. As you can see in the support article you reference, the native Receiver doesn't fully support nFactor, and you may be hitting one of the limitations.


Yes, I read there were limitations, but I don't understand what the limitations are exactly.

I thought I'd simplify it by removing all nFactor and only having a drop-down domain login scheme, and I'm experiencing the same issue. I reread Carl's documentation and noticed he was using StoreFront auth while I'm using LDAP. I tried to set up StoreFront auth but it errors out when trying to retrieve the stores (something about needing a minimum version of StoreFront, which I've surpassed). I ended up opening a ticket with Citrix support with a screenshot of the error.

I was playing around with the setup today for using nFactor with Google Authenticator and Citrix Receiver, and I got a little bit further, but it's still not working.

What I have got working is:

I open Receiver for Web and everything works fine: I can log in with either of my 2 domains and Google Authenticator, and I can get all my StoreFront icons.

I open the full Receiver and add an account. Before, it would ask me for credentials + passcode and then fail right away. Now it is successful and it's asking me to select the Store from StoreFront to connect to. Two things I did to get this far:

- I added in an LDAP authentication policy after the other authentication policies.

- I reversed the entry of the password and pincode, i.e. I put my PIN in where it says password and my password where it says pincode.

It then allows me to select the Store. After I select the Store it says login failed and prompts me for credentials again. So I think it's trying to pass through my pincode as my AD password and vice versa to StoreFront.
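An added example, not from this thread and not Citrix code: a small Python checker that parses NetScaler CLI lines of the shape posted above and reports the gaps that tend to fail silently in an nFactor chain (an authentication policy whose action was never defined, a -nextFactor that points at a policylabel that was never created, a policylabel with nothing bound, and a login schema passwordCredentialIndex that disagrees with the traffic action's ATTRIBUTE(n) index, which is the credential-order problem the last post describes). The config excerpt inside is constructed for the demo (RFC 5737 addresses, two deliberate faults) and is not the poster's config; the rule that the two indexes must agree is an assumption taken from the posted config, where both are 1.

```python
import re
import shlex
from collections import defaultdict

# Constructed NetScaler CLI excerpt for the demo (not the poster's config):
# RFC 5737 addresses, one undefined ldapAction, one missing policylabel and
# a credential-index mismatch between the login schema and the traffic action.
SAMPLE_CONFIG = r'''
add authentication ldapAction primarydomain_dc_lb_vs_UPN -serverIP 192.0.2.10 -serverPort 636 -ldapLoginName sAMAccountName -secType SSL -ssoNameAttribute userPrincipalName
add authentication ldapAction primarydomain_dc_lb_vs_UPN_otp_validation -serverIP 192.0.2.10 -serverPort 636 -ldapLoginName sAMAccountName -secType SSL -authentication DISABLED -OTPSecret userParameters
add authentication loginSchema otp_dual_auth -authenticationSchema "/nsconfig/loginschema/DualAuth1.xml" -passwordCredentialIndex 1
add vpn trafficAction OTP-TrafficProfile http -passwdExpression "http.REQ.USER.ATTRIBUTE(2)"
add authentication Policy sldap_primarydomain -rule "HTTP.REQ.BODY(500).AFTER_STR(\"domain=\").CONTAINS(\"primarydomain\")" -action primarydomain_dc_lb_vs_UPN
add authentication Policy sldap_secondarydomain -rule "HTTP.REQ.BODY(500).AFTER_STR(\"domain=\").CONTAINS(\"secondarydomain\")" -action secondarydomain_dc_lb_vs_UPN
add authentication Policy ldap_primarydomain_OTPvalidation -rule true -action primarydomain_dc_lb_vs_UPN_otp_validation
add authentication policylabel otp_factor -loginSchema LSCHEMA_INT
bind authentication policylabel otp_factor -policyName ldap_primarydomain_OTPvalidation -priority 100 -gotoPriorityExpression END
bind authentication vserver unified_gateway_aaa_vs -policy sldap_primarydomain -priority 110 -nextFactor otp_factor -gotoPriorityExpression NEXT
bind authentication vserver unified_gateway_aaa_vs -policy sldap_secondarydomain -priority 120 -nextFactor secondarydomain_otp_factor -gotoPriorityExpression NEXT
'''


def parse_line(line):
    """Split one CLI line into positional words and a dict of -flag values.

    shlex handles the escaped quotes inside -rule "...", so a policy
    expression comes back as a single token.
    """
    tokens = shlex.split(line)
    words, flags = [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            flags[tok[1:]] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            words.append(tok)
            i += 1
    return words, flags


def lint_nfactor(config_text):
    """Return a list of human-readable findings about an nFactor chain."""
    actions, labels = set(), set()
    policies = {}                      # policy name -> action name
    label_members = defaultdict(list)  # policylabel -> bound policy names
    schema_index, traffic_index = {}, {}
    vserver_binds = []

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words, flags = parse_line(line)
        if len(words) < 4:
            continue
        kind = tuple(words[:3])
        if kind[:2] == ("add", "authentication") and kind[2].endswith("Action"):
            actions.add(words[3])           # ldapAction, radiusAction, ...
        elif kind == ("add", "authentication", "Policy"):
            policies[words[3]] = flags.get("action")
        elif kind == ("add", "authentication", "policylabel"):
            labels.add(words[3])
        elif kind == ("add", "authentication", "loginSchema"):
            if "passwordCredentialIndex" in flags:
                schema_index[words[3]] = int(flags["passwordCredentialIndex"])
        elif kind == ("add", "vpn", "trafficAction"):
            m = re.search(r"ATTRIBUTE\((\d+)\)", str(flags.get("passwdExpression", "")))
            if m:
                traffic_index[words[3]] = int(m.group(1))
        elif kind == ("bind", "authentication", "policylabel"):
            label_members[words[3]].append(flags.get("policyName"))
        elif kind == ("bind", "authentication", "vserver"):
            vserver_binds.append((words[3], flags))

    findings = []
    for name, action in policies.items():
        if action not in actions:
            findings.append(f"policy {name} uses undefined action {action}")
    for vs, flags in vserver_binds:
        nxt = flags.get("nextFactor")
        if nxt and nxt not in labels:
            findings.append(f"{vs}: nextFactor {nxt} is not a defined policylabel")
    for label in labels:
        members = label_members.get(label, [])
        if not members:
            findings.append(f"policylabel {label} has no policies bound")
        for pol in members:
            if pol not in policies:
                findings.append(f"policylabel {label} binds unknown policy {pol}")
    # Assumption: the schema's password slot and the traffic action's
    # ATTRIBUTE(n) are meant to name the same credential field; when they
    # differ, the SSO password handed to StoreFront is the other field.
    for schema, idx in schema_index.items():
        for ta, tidx in traffic_index.items():
            if idx != tidx:
                findings.append(
                    f"loginSchema {schema} passwordCredentialIndex {idx} "
                    f"but trafficAction {ta} uses ATTRIBUTE({tidx})")
    return findings


if __name__ == "__main__":
    for finding in lint_nfactor(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of `show ns runningConfig` saved to a file (swap SAMPLE_CONFIG for the file contents) and the three constructed faults show up as three findings; on a chain where every -action, -nextFactor and policylabel resolves and both indexes agree, the list is empty, which narrows the Receiver-side failure down to the client's own nFactor limitations rather than a broken binding.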
