OKTA Netscaler SAML SSO Storefront Errors


Tom Swift

Question

We've followed the set up directions to configure our Netscaler to work with SAML auth using OKTA as the IDP.  Netscaler 12.0, XA/XD 7.15 LTSR CU2 and Storefront 3.12.  We've had several calls with OKTA support but haven't been able to get an engineer versed in Citrix to get it working.  We got this working two years ago but it seems like things have changed and now we can't.

 

Here's the flow:

1.  User enters https://citirx.mycorp.com

2.  User is redirected to mycorp.okta.com and presented with logon credentials

3.  User enters credentials and is redirected to Storefront but gets an error "Cannot complete your request."

4.  Triggers Event 7 & 10.  If we click the Cannot complete your request button over and over again it will add more error 7 and error 10s to the Application event logs

 

Error 7:

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity. The credentials supplied were; user: administrator domain: mycorp.com

 

Error 10: 

A CitrixAGBasic Login request has failed. Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null Authenticate encountered an exception. at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied) at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login() System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 The remote server returned an error: (403) Forbidden. Url: https://127.0.0.1/Citrix/Authentication/CitrixAGBasic/Authenticate ExceptionStatus: ProtocolError ResponseStatus: Forbidden at System.Net.HttpWebRequest.GetResponse() at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req) at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders) at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied) 

 

As far as Error 7 is concerned the password is complex, with 11 characters, uppercase, lowercase, numbers and symbols.  Of course if we remove SAML from the Netscaler Gateway authentication method for the XenApp access VIP and go with LDAP it works flawlessly.

 

CITRIX SUPPORT SAYS FAS IS REQUIRED TO MAKE SAML WORK.

They will not help us without having FAS running.

 

OKTA has YouTube videos saying it'll work without FAS.

 

Two years ago when we did this I don't think we used ADFS or FAS (it didn't exist in Citrix XenDesktop 7.9)

 

Any input would be greatly appreciated.

 

 

 

 


Hi Chris,

 

Callback URL in Storefront for the Netscaler is REQUIRED.  It will not work if it's not configured.  It may be as simple as this to get you working.

 

Netscaler Gateway / Policies / Session / Profile

AC_WB_192.168.1.50

Published Applications Tab

ICA Proxy - On - Override Global Checked

Web Interface Address - https://192.168.1.60/Citrix/StoreWeb - Override Global Checked

Web Interface Address Type - IPv4

Web Interface Portal Mode - Normal

Single Sign-on Domain - MYCORP - Override Global Checked

Citrix Receiver Home Page - BLANK (Not configured)

Account Services Address - BLANK (Not configured)

 

Regards,

Tom


BINGO...We got it working!!

 

Here are the steps:

 

STOREFRONT - APPLICATION ENUMERATION

There are two simple configuration settings that need to be made to get applications to enumerate in the environment.  Change the domain used in the Netscaler Session Policy / Session Profile to "MYCORP" and do the same on Storefront under Manage Authentication Methods / Trusted domains.  You must use "USERDOMAIN", not the "USERDNSDOMAIN" like we usually use.  You can see what these values are by going to a command prompt and typing "SET U".  For our example above we have a USERDNSDOMAIN of MYCORP.COM and a USERDOMAIN of MYCORP.  Leave the .com or .local or whatever off.  Secondly, in Storefront under Manage Authentication Methods, Domain-passthrough from Netscaler Gateway, Configure Delegated Authentication, check "Fully delegate credential validation to Netscaler Gateway".  After these two steps are done, applications will enumerate upon logon from OKTA via Netscaler SAML.

 

LAUNCHING APPLICATIONS:

If you click on an application it will request credentials to log on to the server, meaning Single Sign-On (SSO) isn't working.  The reason is you MUST have an FAS server set up and properly configured.  The short steps of that are having a Domain Controller that acts as a Sign Signing SSL Certificate Authority and has a GPO configured so it knows where the Citrix FAS (Federated Authentication Server) is.  There are good documents online on how to do this and also the setup of FAS is pretty straightforward.  Finally, there are 8 lines of PowerShell script that need to be run on the Storefront server so it knows to use FAS.

 

& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

 

#REM - The next line assumes you're using the Default Store for Storefront.

#REM - If you aren't then you need to change it to what your store name actually is

$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

 

asnp citrix.*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

 

After all this is done you can hit your Netscaler portal at https://citrix.mycorp.com be redirected to OKTA, enter your credentials, have it handshake back to Storefront, enumerate applications and when you click on one it'll start up just fine.

 

Hope this helps someone else.

 

Regards,

Tom
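A way to read back the settings that the eight PowerShell lines above change, so you can confirm they took effect before testing a launch. This is an added example, not Tom's script and not Citrix's own code. It assumes that Get-STFClaimsFactoryNames, Get-STFStoreLaunchOptions and Get-STFExplicitCommonOptions are the read-side counterparts of the Set-STF* cmdlets used above and that their output property names (ClaimsFactoryName, VdaLogonDataProvider, Domains) match the parameter names; those names are assumptions. The store path and the ImportModules.ps1 location are taken from Tom's post, and Get-BrokerSite has to run where the Citrix broker snap-in is available.

```powershell
# Added example: audit the StoreFront store for the FAS/SAML settings described in this thread.
# Assumed read-side cmdlets: Get-STFClaimsFactoryNames, Get-STFStoreLaunchOptions,
# Get-STFExplicitCommonOptions (counterparts of the Set-STF* cmdlets in Tom's post).
& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

function Test-TrustedDomainName {
    # A trusted domain must be the NetBIOS name (USERDOMAIN, e.g. MYCORP), never the
    # DNS name (USERDNSDOMAIN, e.g. MYCORP.COM). Returns $true when the value is acceptable.
    param([Parameter(Mandatory)][string]$Domain)
    return ($Domain.Trim().Length -gt 0) -and ($Domain -notmatch '\.')
}

function Get-FasStoreFrontReadiness {
    param([string]$StoreVirtualPath = '/Citrix/Store')   # default store, as in Tom's post

    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth  = Get-STFAuthenticationService -StoreService $store

    # Assumed: these expose what Set-STFClaimsFactoryNames / Set-STFStoreLaunchOptions wrote.
    $claims = (Get-STFClaimsFactoryNames -AuthenticationService $auth).ClaimsFactoryName
    $launch = (Get-STFStoreLaunchOptions -StoreService $store).VdaLogonDataProvider
    # Assumed: the "Trusted domains" list is exposed as .Domains; drop null entries.
    $domains = @((Get-STFExplicitCommonOptions -AuthenticationService $auth).Domains | Where-Object { $_ })

    # Any trusted domain that looks like a DNS name is a problem (Tom's USERDNSDOMAIN pitfall).
    $badDomains = @($domains | Where-Object { -not (Test-TrustedDomainName $_) })

    [pscustomobject]@{
        ClaimsFactoryIsFas       = ($claims -eq 'FASClaimsFactory')
        LogonDataProviderIsFas   = ($launch -eq 'FASLogonDataProvider')
        TrustedDomains           = $domains
        TrustedDomainsAreNetbios = ($domains.Count -gt 0) -and ($badDomains.Count -eq 0)
        ExpectedNetbiosDomain    = $env:USERDOMAIN   # what "SET U" shows on a domain-joined host
    }
}

function Get-BrokerXmlTrust {
    # Run on a Delivery Controller (or with remote admin rights): confirms the XML service
    # trusts gateway-issued requests, which the FAS launch path relies on.
    asnp Citrix.*
    return (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
}

$readiness = Get-FasStoreFrontReadiness
$readiness | Format-List
if (-not $readiness.ClaimsFactoryIsFas -or -not $readiness.LogonDataProviderIsFas) {
    Write-Warning 'Store is not using FASClaimsFactory / FASLogonDataProvider; re-run the Set-STF* lines.'
}
if (-not $readiness.TrustedDomainsAreNetbios) {
    Write-Warning ("Trusted domains [{0}] should be the NetBIOS name ({1}), not a DNS name." -f `
        ($readiness.TrustedDomains -join ', '), $readiness.ExpectedNetbiosDomain)
}
```

Run it in an elevated PowerShell on the StoreFront server after the eight lines; every property should read True, and the trusted-domain list should contain only the short name. Get-BrokerXmlTrust is kept separate because it needs the broker snap-in rather than the StoreFront SDK.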

 

 


Hello Tom,

 

Great write up on your issue and your resolution, We are attempting to do the EXACT same thing you posted here.  :)

 

Same versions of all Citrix components you mentioned and we are seeing the exact same "Cannot Complete Request" and Event Log - ERROR 10: A CitrixAGBasic Login request has failed.  Although we are not seeing the ERROR 7.

 

Tried both of your fixes listed in the APPLICATION ENUMERATION section you posted (we already were using USERDOMAIN without .com etc.) but did not have "Fully delegate credential validation to Netscaler Gateway" checked.  However, nothing we do seems to resolve the issue.

 

We have tried Many, Many different configs to no avail.

Would you happen to be able to share what documentation you used to configure the Netscaler Gateway portion of this?  Just trying to double check everything at this point.

(We have tried enable Domain SSO checkbox in Netscaler, disable it etc.. ) nothing seems to change the results.

 

Just like you, we are able to Auth to OKTA from Netscaler and then get sent back to Netscaler and passed to Storefront, where we receive the "Cannot Complete Request" Dialog Box.  Very Frustrating at this point.

 

STORE is a newly configured Store.  A couple of other questions, since we have seen lots of different recommendations online.

1.  Did you use a Callback URL? (We don't use SmartAccess so generally don't do this, but have seen others say it's needed.)

2.  How is your Auth Method configured for both Receiver for Web and Normal Store Auth?  (We currently have Username and Password / Passthrough from Netscaler configured on both)

 

We would appreciate any insights you might have.  We already have a FAS server we use for another project we implemented awhile ago, but have not configured it for this yet.  Currently we just want to get apps to enumerate.

 

Thanks!

Chris

 

On 10/20/2018 at 2:44 AM, Tom Swift said:

BINGO...We got it working!!


Hi Tom,

Fantastic write up. I had the exact same issue as you except I am using a different external SSO as my SAML IdP which is Onelogin. The same or similar concepts apply though. In short, I had been banging my head against the wall for the best part of a day trying to get this configuration to work. As I mentioned we use Onelogin in our business and we want this to be our IdP and Netscaler to be the SAML SP. I configured Onelogin to use SAML auth, I configured (or tinkered and played with until it worked) Netscaler VPX 11 with SAML policies, bound this to my GW VIP and every time I tried to connect through Onelogin to SSO through the Netscaler into Storefront (3.6) it presented the error "cannot complete your request".

 

After following many guides, I found this one and it worked perfectly. I had the exact same errors on my storefront server Event ID 7 and 10. Event ID 7 said this "CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity."

 

I followed your tip on changing the USERDNSDOMAIN to USERDOMAIN and VOILA, it worked. I can now SSO into Storefront no problems. But, I will need to set up FAS because I too am getting prompted for credentials when launching an app on SF. That's my next job. Tom, I cannot thank you enough for this write up, it's been a massive help. Thanks.

 


Interesting that you both got this working.  Now if only I can do the same :) ... 

 

One last question:

 

Since adding the Callback URL I am now seeing Errors 10, 7, 2 ...   Not getting the password complexity error on 7, but this:

EVENT ID 7:

"CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed."

The credentials supplied were;
user: First.Last
domain: DomainName

 

What's interesting is that the name it's sending and trying to verify is Firstname.Lastname (more of a UPN and not SAMACCOUNTNAME). I am guessing without the FAS configuration this won't work. (I simply want to get to the APP ENUMERATION at this stage; I know FAS setup will be needed to launch apps with SSO for phase 2.)

 

EVENT ID 2: shows an error attempting to authenticate the following format ( Domain\Firstname.lastname )...  The problem with this is our Domain accounts don't follow this format; this is more like the UPN and not SamAccount ...

 

So wondering in both of your configs do you have OKTA passing the UPN back to netscaler or the SamAccount name?

 

Thanks Again for all the help.  Much appreciated.

 

Chris

5 hours ago, Christopher Grider said:

**** UPDATE ****

 

By changing the OKTA config to pass the SAMACCOUNT back to Netscaler Instead of UPN.. We are now seeing apps enumerated...  

 

Thanks Again for the help on this!

Hi there, good job on getting it to work. I too am passing the samaccountname from OneLogin. I suspect when I get FAS up and running that I may need to change this to UPN.
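The user/domain pairs quoted in this thread fall into a few recognisable shapes, and each shape points at a different fix: a DNS-style domain means the session profile and trusted domain are using USERDNSDOMAIN (Tom's fix), a user containing "@" or an empty domain means the IdP is sending a UPN (Chris's switch to sAMAccountName in Okta), and a clean user plus NetBIOS domain that still fails points at delegation, callback URL or the FAS backend. The script below is an added example, not something any poster ran: it parses the Event ID 7 text into those fields and maps the shape to the matching check. The three sample messages are constructed from the event text quoted in this thread, and the provider name "Citrix Authentication Service" used for the live query is assumed from the source name given in the thread.

```powershell
# Added example: triage StoreFront "CitrixAGBasic single sign-on failed" events (Event ID 7)
# by the shape of the user/domain pair they carry. Not from any post in this thread.

function Get-AGBasicFailureInfo {
    param([Parameter(Mandatory)][string]$Message)

    # Pull the three fields the event body carries: reason, user, domain.
    $reason = if ($Message -match 'reason:\s*([A-Za-z]+)') { $Matches[1] } else { 'Unknown' }
    $user   = if ($Message -match 'user:\s*(\S+)')          { $Matches[1] } else { '' }
    $domain = if ($Message -match 'domain:\s*(\S*)')        { $Matches[1] } else { '' }

    # A DNS-style domain is checked first: it was the root cause in the original post even
    # though the reason logged there was FailedPasswordComplexity rather than Failed.
    if ($domain -match '\.') {
        $finding = 'DomainIsDnsName'
        $action  = "Session profile SSO domain and StoreFront trusted domain must be the NetBIOS name (USERDOMAIN), not '$domain'."
    }
    elseif ($user -match '@' -or [string]::IsNullOrWhiteSpace($domain)) {
        $finding = 'UpnPassedAsUser'
        $action  = 'IdP is sending a UPN; set the Okta app username format to sAMAccountName so StoreFront receives user + NetBIOS domain.'
    }
    else {
        $finding = 'CheckDelegationAndBackend'
        $action  = 'Credential shape is correct; verify "Fully delegate credential validation to NetScaler Gateway", the callback URL, and the FAS deployment.'
    }

    [pscustomobject]@{ Reason = $reason; User = $user; Domain = $domain; Finding = $finding; Action = $action }
}

function Get-AGBasicFailuresFromEventLog {
    # Live query on a StoreFront server. Provider name is assumed; adjust if your Application
    # log shows a different source for these events.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Citrix Authentication Service'; Id = 7 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AGBasicFailureInfo -Message $_.Message }
}

# Constructed samples, modelled on the events quoted in this thread (not real log exports).
$SampleMessages = @(
    'CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity. The credentials supplied were; user: administrator domain: mycorp.com',
    "CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.`nThe credentials supplied were;`nuser: test@domain.local`ndomain: ",
    "CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.`nThe credentials supplied were;`nuser: test`ndomain: DOMAIN"
)

# Expected findings for the three samples: DomainIsDnsName, UpnPassedAsUser, CheckDelegationAndBackend.
$SampleMessages | ForEach-Object { Get-AGBasicFailureInfo -Message $_ } |
    Format-Table Reason, User, Domain, Finding -AutoSize
```

Replace the sample loop with Get-AGBasicFailuresFromEventLog on the StoreFront server to classify the real events; the Finding column tells you which side of the chain (NetScaler session profile, IdP attribute mapping, or StoreFront/FAS) to look at first, instead of retrying the "Cannot complete your request" button.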

On 11/29/2018 at 1:45 PM, Bruce McDonald said:

Hi Tom,

Fantastic write up. I had the exact same issue as you except I am using a different external SSO as my SAML IdP which is Onelogin. The same or similar concepts apply though. In short, I had been banging my head against the wall for the best part of a day trying to get this configuration to work. As I mentioned we use Onelogin in our business and we want this to be our IdP and Netscaler to be the SAML SP. I configured Onelogin to use SAML auth, I configured (or tinkered and played with until it worked) Netscaler VPX 11 with SAML policies, bound this to my GW VIP and every time I tried to connect through Onelogin to SSO through the Netscaler into Storefront (3.6) it presented the error "cannot complete your request".


 

I just wanted to report back by saying I got FAS up and running following this guide https://www.carlstalhood.com/citrix-federated-authentication-service-saml/ and the first time I connected to OneLogin > Citrix Netscaler app it took me straight through to SF; I opened an app and a desktop and it logged me straight on. No prompts for usernames and passwords. It's worked a treat.

 

On 19/10/2018 at 4:44 PM, Tom Swift said:

BINGO...We got it working!!


Fantastic! Have spent hours upon hours reading vague documentation on how to get past the dreaded 'Cannot Process Request' box and finally have a solution.

Thanks!

 


Hello,

 

Would there be anyone kind enough to help with the required setup? I've been fighting with this for 2 days now and I'm just going round in circles.

I'm trying to log into Netscaler using Okta and SAML 2.0.

I have followed the Okta procedure.

I have followed the NetScaler/Storefront/FAS setup procedure step by step, word by word and I'm still even unable to enumerate the apps through NetScaler.

 

I'm not even looking for SAML single sign-on at this stage (using FAS), needless to say.

 

Every time I log in, I always get the meaningless "cannot complete request" error message and my storefront server shows error logs 10 and 7.

I have changed the setup in all the different ways I could think of, but no luck still.

I have disabled SSO in my session profiles' published apps, have the callback url and the Netscaler full delegated authentication enabled among other.

I'm helpless at this stage.

 

Here is the content of the error message I'm getting for event ID 7, Citrix Authentication Service:

 

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: test@domain.local
domain: (it's blank)

 

Thanks in advance for your assistance.

3 hours ago, Penta Penta said:

Hello,

Would there be anyone kind enough to help with the required setup? I've been fighting with this for 2 days now and I'm just going round in circles.


It certainly takes a bit to get your head around how to set this up. Since I posted on this forum I have ditched OneLogin and now I'm using Okta in the business I work for. I'm now running Citrix 7.15 LTSR CU4 with Netscaler VPX 12 and FAS.

The way I got my setup to work was doing this, hope this helps.

 

Change the domain used in the Netscaler Session Policy / Session Profile to "MYCORP" and do the same on Storefront under Manage Authentication Methods / Trusted domains.  You must use "USERDOMAIN", not the "USERDNSDOMAIN" like we usually use.  You can see what these values are by going to a command prompt and typing "SET U".  For our example above we have a USERDNSDOMAIN of MYCORP.COM and a USERDOMAIN of MYCORP.  Leave the .com or .local or whatever off.  Secondly, in Storefront under Manage Authentication Methods, Domain-passthrough from Netscaler Gateway, Configure Delegated Authentication, check "Fully delegate credential validation to Netscaler Gateway".  After these two steps are done, applications will enumerate upon logon from OKTA via Netscaler SAML.

16 minutes ago, Bruce McDonald said:

It certainly takes a bit to get your head around how to set this up. Since I posted on this forum I have ditched OneLogin and now I'm using Okta in the business I work for. I'm now running Citrix 7.15 LTSR CU4 with Netscaler VPX 12 and FAS.


Hello bmcdona388,

 

I actually had tried your solution yesterday and did it just now again. And I have the exact same setup as you!

After performing the changes in the Session Profile's published app tab (single sign-on domain) and adding the same value as a trusted domain in the storefront authentication settings, I still have the same errors popping up on my storefront event viewer. I have also verified the full cred validation delegation in the pass-through from Netscaler Gateway method is checked.

 

I can see an information log with event ID 1 is also shown with the following content, which is probably the result of the event ID 7 error, I guess:

"An authentication attempt was made for user: DOMAIN\test with realm context <unknown> that resulted in: Failed  (Windows Error code: -1073741715)"

 

Event id 7 error has now turned into:

"CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: test
domain: DOMAIN"

 

I'm clueless at this stage and would appreciate any further hint in the right direction from you or any other Citrix expert.

Thank you in advance.

 

 

 

27 minutes ago, Penta Penta said:

Hello bmcdona388,

I actually had tried your solution yesterday and did it just now again. And I have the exact same setup as you!


Ok, so, have you set your Netscaler Gateway Session Profile single Sign-on domain as your USERDOMAIN? And have you also set, on storefront, under manage authentication methods > user name and password > configure trusted domains to your USERDOMAIN? Also, whilst still logged onto storefront make sure under configure delegated authentication that pass-through from netscaler gateway is ticked?

 

I just re-read your reply and it looks like you have the above set right?

 

Have you configured a call back URL?

 

Are you passing samaccount or UPN? If UPN, change to samaccount in Okta? (Change OKTA config to pass the SAMACCOUNT back to Netscaler Instead of UPN)

6 minutes ago, Bruce McDonald said:

Ok, so, have you set your Netscaler Gateway Session Profile single Sign-on domain as your USERDOMAIN? And have you also set, on storefront, under manage authentication methods > user name and password > configure trusted domains to your USERDOMAIN? Also, whilst still logged onto storefront make sure under configure delegated authentication that pass-through from netscaler gateway is ticked?


Yes, that's right indeed. And thank you for your interest.

Everything is still working fine internally, but no way to get rid of that error message and enumerate my published apps and desktop in Citrix when going through NetScaler/Okta. I'm still facing errors 10 and 7 (as per my last message) in the storefront server's event logs.


Hello bmcdona388,

 

It seems there's indeed a mismatch between the credentials supplied to the Citrix Authentication service (sAMAccountName) and what Okta needs to complete successful AD integration authentication.

Which is why I'm getting that "CitrixAGBasic single sign-on failed" error log:
 

user: test (sAMAccountName)

domain: DOMAIN

 

What Okta needs for this is the UPN (test@domain.local), not the sAMAccountName (test).

 

When I test the delegated authentication from the Okta admin portal, I can only login when the UPN (test@domain.local) is used. 

If I try to use the sAMAccountName instead (test), authentication is rejected.

 

If I could find a means for this to be passed onto the Citrix Authentication service, then the issue would be fixed I guess.

 

50 minutes ago, Penta Penta said:

Hello bmcdona388,

It seems there's indeed a mismatch between the credentials supplied to the Citrix Authentication service (sAMAccountName) and what Okta needs to complete successful AD integration authentication.


Can you change Okta to log in with samaccountname, or is that not possible? That's how I set my environment up.

2 minutes ago, Bruce McDonald said:

Can you change okta to login with samaccountname or is that not possible? That’s how I set mine environment up. 

Could you please tell me how and where you did this in the Okta admin portal? As that's exactly what I'm trying to do. So far no luck with this.

Storefront still displays the same username in the error log.

1 hour ago, Penta Penta said:

Could you please tell me how and where you did this in the Okta admin portal? As that's exactly what I'm trying to do. So far no luck with this.

Storefront still displays the same username in the error log.

Sure, so in Okta > admin > directory > directory integrations > active directory > settings > import and provisioning > okta username format

Sorry for any confusion, I don't think this is what you were after, it's been a while since I looked at this. I have the above set to samaccountname but that probably doesn't really matter because that's just authenticating into Okta.

I also have samaccountname set in my Citrix published app in Okta. Hope this helps.


I had done this previously thinking it would help and did it again after your recommendation, but I am still getting the same error :-(

When I test the AD delegation from Directory > Directory integration > MyActiveDirectory > Settings > Test delegated authentication and try to authenticate with the sAMAccountName instead of the UPN I get an "authentication failed" error message. Only the UPN (test@domain.local) can go through.

Is that the expected behaviour with Okta AD authentication delegation?

6 hours ago, Bruce McDonald said:

Sure, so in Okta > admin > directory > directory integrations > active directory > settings > import and provisioning > okta username format


I have tried by all possible means to get this to work but it's currently just NOT working, just as though there was a software or hardware limitation beyond my control. I have recreated the whole Netscaler from scratch.

No problem with LDAP/Radius auth policies at all however, and internally all's working exactly as expected. Always those damn 10 and 7 errors logged eventually!

Would there be a limitation with the use of SAML related to the license version of Netscaler used? We have a Standard license only and I cannot think of anything else at this stage.

6 hours ago, Penta Penta said:

I have tried by all possible means to get this to work but it's currently just NOT working, just as though there was a software or hardware limitation beyond my control. I have recreated the whole Netscaler from scratch.


I am also running the standard licence version in Netscaler so it's not that. I suspect it's something in your Netscaler that's causing you the grief.

If you followed this guide https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-NetScaler-Gateway.html then perhaps you may need to put a ticket in with Okta, although I'm not sure they can help you much, but it's worth a try.

I would go back over your Netscaler setup. 

 

 


Hello,

 

I'm so happy as my issue is fixed now!

FYI, the problem was actually caused by a backend setup problem in my FAS deployment.

Once I fixed this, I could access my LB backend SF without any further issue and enumerate my published resources as expected.

Also single sign-on to my published resources works too now, which was not expected at such an early stage.

The Netscaler/Storefront setup was never to blame there as it was done by the book, but I had to use Wireshark captures between Netscaler and Storefront and also enable verbose logs in Storefront to realize the FAS setup was the actual issue.

 

Thank you bmcdona388 for your kind and patient help.

Have a great week-end in advance.

5 minutes ago, Penta Penta said:

Hello,

I'm so happy as my issue is fixed now!


Not sure I helped that much, I’m glad it’s working for you. Good job on working it out. 


Very helpful thread. I have everything working with Shib SAML and Netscaler / FAS integration. One last thing I am trying to work out is logons from the Workspace client. The web connection works fine but the Workspace is giving "Your account cannot be added." There are several discussions pointing to configuring AAA policy as Advanced as opposed to basic. That did not fix the issue for me.

 

The environment in question is NS 11.1.67 and SF 7.15. 

 

Do I need to enable SAML on SF for the Workspace client to work via Netscaler? 

 

 

UPDATE: fixed here https://discussions.citrix.com/topic/399795-citrix-receiver-saml-authentication-with-netscaler-and-fas/page/2/

Edited by dpalchu521