Question
Tom Swift
We've followed the setup directions to configure our NetScaler to work with SAML auth using OKTA as the IdP: NetScaler 12.0, XA/XD 7.15 LTSR CU2 and StoreFront 3.12. We've had several calls with OKTA support but haven't been able to get an engineer versed in Citrix to get it working. We got this working two years ago, but it seems like things have changed and now we can't.
Here's the flow:
1. User enters https://citirx.mycorp.com
2. User is redirected to mycorp.okta.com and presented with logon credentials
3. User enters credentials and is redirected to StoreFront but gets an error "Cannot complete your request."
4. Triggers Events 7 & 10. If we click the "Cannot complete your request" button over and over again it will add more error 7 and error 10s to the Application event logs
Error 7:
CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity. The credentials supplied were; user: administrator domain: mycorp.com
Error 10:
A CitrixAGBasic Login request has failed. Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null Authenticate encountered an exception. at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied) at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login() System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 The remote server returned an error: (403) Forbidden. Url: https://127.0.0.1/Citrix/Authentication/CitrixAGBasic/Authenticate ExceptionStatus: ProtocolError ResponseStatus: Forbidden at System.Net.HttpWebRequest.GetResponse() at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req) at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders) at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
As far as Error 7 is concerned, the password is complex, with 11 characters, uppercase, lowercase, numbers and symbols. Of course, if we remove SAML from the NetScaler Gateway authentication method for the XenApp access VIP and go with LDAP, it works flawlessly.
CITRIX SUPPORT SAYS FAS IS REQUIRED TO MAKE SAML WORK.
They will not help us without having FAS running.
OKTA has YouTube videos saying it'll work without FAS.
Two years ago when we did this I don't think we used ADFS or FAS (it didn't exist in Citrix XenDesktop 7.9).
Any input would be greatly appreciated.
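For anyone reproducing this on their own StoreFront server, the script below is an added example (not part of the original post and not Citrix tooling). It pulls Application-log events with Id 7 or 10 whose message mentions CitrixAGBasic and extracts the verification reason, the supplied user and domain, and the HTTP status and URL from the inner exception, so each retry of the "Cannot complete your request" page can be matched to its event pair. The post does not give the event source name, so the filter is on message text rather than on ProviderName; the `Get-WinEvent -FilterHashtable` keys used (LogName, Id, StartTime) are standard, and the regexes assume the message layout shown in the post.

```powershell
# Added example: summarize CitrixAGBasic failures (events 7 and 10) on a StoreFront server.
# Assumes the Application log and the message wording quoted in the post.
param(
    [int]$Hours = 24   # how far back to look
)

$start = (Get-Date).AddHours(-$Hours)

# Id 7 = credential verification failed, Id 10 = login request failed (per the post).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 7, 10; StartTime = $start } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CitrixAGBasic' }

if (-not $events) {
    Write-Host "No CitrixAGBasic events 7/10 in the Application log in the last $Hours hours."
    return
}

$rows = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        # Event 7: "... failed verification with reason: FailedPasswordComplexity ..."
        Reason = if ($m -match 'reason:\s*(\w+)')  { $Matches[1] } else { $null }
        User   = if ($m -match 'user:\s*(\S+)')    { $Matches[1] } else { $null }
        Domain = if ($m -match 'domain:\s*(\S+)')  { $Matches[1] } else { $null }
        # Event 10: "The remote server returned an error: (403) Forbidden. Url: https://127.0.0.1/..."
        Http   = if ($m -match '\((\d{3})\)\s+\w+') { [int]$Matches[1] } else { $null }
        Url    = if ($m -match 'Url:\s*(\S+)')      { $Matches[1] } else { $null }
    }
}

# Chronological view: each failed logon should show an Id 7 followed by an Id 10.
$rows | Sort-Object Time | Format-Table Time, Id, Reason, User, Domain, Http, Url -AutoSize

# Counts per (event, reason, status) separate the password-policy rejection in event 7
# from the 403 returned by the local Authenticate endpoint in event 10.
$rows | Group-Object Id, Reason, Http | Select-Object Count, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the StoreFront server (reading the Application log generally does not require elevation, but some environments restrict it); `-Hours 1` is enough while reproducing the failure from a single client. Note that event 7 records the supplied username and domain in clear text, so treat the output as sensitive when sharing it with support.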
27 answers to this question