
Single FQDN for Internal/External access issues


Chris Hide

Question

A client is using the URL: cloud.<domain.com> for both internal and external access.

 

Internally via Web Browser works fine

Internally via Receiver works fine

Externally via Web Browser works fine

Externally via Receiver has issues

 

When typing in the URL cloud.<domain.com> into Receiver it gives the error:

 

"Your account cannot be added using this server address. Make sure you entered it correctly. You may need to enter your email address instead."

 

The receiver log shows:

 

[2019-02-21 15:17:12:852] [18544] [v8interfaces.cpp:195] Gateway = https://cloud.<domain.com>/
[2019-02-21 15:17:12:852] [18544] [ctxaccountprovider.cpp:948] CtxAccountProvider::GetPrimaryVPNInfo(SRGateway) START: 
[2019-02-21 15:17:12:852] [18544] [ctxaccountprovider.cpp:908] CtxAccountProvider::GetPrimaryVPNInfo(SRStore) START: 
[2019-02-21 15:17:12:852] [18544] [ctxaccountprovider.cpp:942] CtxAccountProvider::GetPrimaryVPNInfo END: 
[2019-02-21 15:17:12:852] [18544] [ctxaccountprovider.cpp:973] Primary account doesn't contain VPN info
[2019-02-21 15:17:12:852] [18544] [ctxaccountprovider.cpp:985] CtxAccountProvider::GetPrimaryVPNInfo(SRGateway) END: 
[2019-02-21 15:17:12:852] [18544] [logonmanager.cpp:313] No gateway configured for primary account. Checking legacy location...
[2019-02-21 15:17:12:852] [18544] [windowsplatformfactory.cpp:1277] Running as Receiver Inside.
[2019-02-21 15:17:12:852] [18544] [logonmanager.cpp:333] Legacy gateway configured: 
[2019-02-21 15:17:12:852] [18544] [v8interfaces.cpp:212] No gateway is configured
[2019-02-21 15:17:14:148] [5408] [configurationprovider.cpp:1142] ConfigurationProvider::IsAccoutServiceURL: Actual url:  and retVal false
[2019-02-21 15:17:14:148] [5408] [winhttpclient.cpp:66] SendHttpRequest: url=https://cloud.<domain.com>/Citrix/Store/discovery
[2019-02-21 15:17:14:161] [5408] [winhttpclient.cpp:72] created request: 08524660
[2019-02-21 15:17:14:166] [15416] [v8interfaces.cpp:115] In CSDKV8Handler::ARGetConnectedVpnGateway
[2019-02-21 15:17:14:166] [15416] [windowsaccessgateway.cpp:603] ->connectedex
[2019-02-21 15:17:14:166] [15416] [windowsaccessgateway.cpp:609] <-connectedex
[2019-02-21 15:17:14:166] [15416] [windowsaccessgateway.cpp:981] ConnectedEx:  returns url = 
[2019-02-21 15:17:14:166] [15416] [windowsaccessgateway.cpp:982] ConnectedEx:  returns clientType = 0
[2019-02-21 15:17:14:166] [15416] [v8interfaces.cpp:127] Z4 gateway returns gateway URL = 
[2019-02-21 15:17:14:167] [11580] [v6interfaces.cpp:124] CSDKLocationAwareness::GetNetworkLocationForStore, storeAddr https://cloud.<domain.com>/Citrix/Store/discovery
[2019-02-21 15:17:14:168] [11580] [srprovider.cpp:521] SRProvider::GetStoreFromURL full store address not found, looking for scheme-host-port, shpAddress is cloud.<domain.com>
[2019-02-21 15:17:14:168] [11580] [networklocation.cpp:320] Store can't be found. Returning default LAN location.
[2019-02-21 15:17:14:168] [11580] [networklocation.cpp:323] Location for url https://cloud.<domain.com>/Citrix/Store/discovery is INSIDE
[2019-02-21 15:17:14:168] [11580] [v6interfaces.cpp:130] CSDKLocationAwareness::GetNetworkLocationForStore, network state:1
[2019-02-21 15:17:14:170] [11648] [v8interfaces.cpp:115] In CSDKV8Handler::ARGetConnectedVpnGateway
[2019-02-21 15:17:14:170] [11648] [windowsaccessgateway.cpp:603] ->connectedex
[2019-02-21 15:17:14:171] [11648] [windowsaccessgateway.cpp:609] <-connectedex
[2019-02-21 15:17:14:171] [11648] [windowsaccessgateway.cpp:981] ConnectedEx:  returns url = 
[2019-02-21 15:17:14:171] [11648] [windowsaccessgateway.cpp:982] ConnectedEx:  returns clientType = 0
[2019-02-21 15:17:14:171] [11648] [v8interfaces.cpp:127] Z4 gateway returns gateway URL = 
[2019-02-21 15:17:14:498] [5408] [winhttpclient.cpp:102]     response: status=302
[2019-02-21 15:17:14:499] [5408] [configurationprovider.cpp:947] ConfigurationProvider::getConfigForLegacyProvider : not reachable for :  https://cloud.<domain.com>
[2019-02-21 15:17:14:499] [5408] [winhttpclient.cpp:66] SendHttpRequest: url=https://cloud.<domain.com>/Citrix/PNAgent/Config.xml
[2019-02-21 15:17:14:507] [5408] [winhttpclient.cpp:72] created request: 08524750
[2019-02-21 15:17:14:510] [18216] [v8interfaces.cpp:115] In CSDKV8Handler::ARGetConnectedVpnGateway
[2019-02-21 15:17:14:510] [18216] [windowsaccessgateway.cpp:603] ->connectedex
[2019-02-21 15:17:14:510] [18216] [windowsaccessgateway.cpp:609] <-connectedex
[2019-02-21 15:17:14:510] [18216] [windowsaccessgateway.cpp:981] ConnectedEx:  returns url = 
[2019-02-21 15:17:14:510] [18216] [windowsaccessgateway.cpp:982] ConnectedEx:  returns clientType = 0
[2019-02-21 15:17:14:510] [18216] [v8interfaces.cpp:127] Z4 gateway returns gateway URL = 
[2019-02-21 15:17:14:511] [14176] [v6interfaces.cpp:124] CSDKLocationAwareness::GetNetworkLocationForStore, storeAddr https://cloud.<domain.com>/Citrix/PNAgent/Config.xml
[2019-02-21 15:17:14:511] [14176] [srprovider.cpp:521] SRProvider::GetStoreFromURL full store address not found, looking for scheme-host-port, shpAddress is cloud.<domain.com>
[2019-02-21 15:17:14:511] [14176] [networklocation.cpp:320] Store can't be found. Returning default LAN location.
[2019-02-21 15:17:14:511] [14176] [networklocation.cpp:323] Location for url https://cloud.<domain.com>/Citrix/PNAgent/Config.xml is INSIDE
[2019-02-21 15:17:14:511] [14176] [v6interfaces.cpp:130] CSDKLocationAwareness::GetNetworkLocationForStore, network state:1
[2019-02-21 15:17:14:515] [18068] [v8interfaces.cpp:115] In CSDKV8Handler::ARGetConnectedVpnGateway
[2019-02-21 15:17:14:515] [18068] [windowsaccessgateway.cpp:603] ->connectedex
[2019-02-21 15:17:14:515] [18068] [windowsaccessgateway.cpp:609] <-connectedex
[2019-02-21 15:17:14:515] [18068] [windowsaccessgateway.cpp:981] ConnectedEx:  returns url = 
[2019-02-21 15:17:14:515] [18068] [windowsaccessgateway.cpp:982] ConnectedEx:  returns clientType = 0
[2019-02-21 15:17:14:516] [18068] [v8interfaces.cpp:127] Z4 gateway returns gateway URL = 
[2019-02-21 15:17:14:753] [5408] [winhttpclient.cpp:102]     response: status=302
[2019-02-21 15:17:14:754] [5408] [configurationprovider.cpp:947] ConfigurationProvider::getConfigForLegacyProvider : not reachable for :  https://cloud.<domain.com>
[2019-02-21 15:17:14:754] [5408] [genericworkqueue.cpp:999] CGenericWorkQueue::ARConfigureCRProcessing:    retVal=9
[2019-02-21 15:17:14:754] [5408] [windowsipc.cpp:171] CWindowsIPC::Connect CreateFile, GetLastError() returns 0
[2019-02-21 15:17:14:754] [5408] [clientcallback.cpp:79] Connected to client callback. Calling...
[2019-02-21 15:17:18:936] [23736] [windowsaccessgateway.cpp:230] Found AG version 11.0.71.22
[2019-02-21 15:17:18:936] [23736] [windowsaccessgateway.cpp:230] Found AG version 11.0.71.22
[2019-02-21 15:17:18:937] [23736] [windowsaccessgateway.cpp:557] ->connectedex
[2019-02-21 15:17:18:937] [23736] [windowsaccessgateway.cpp:563] <-connectedex
[2019-02-21 15:17:18:937] [23736] [windowsaccessgateway.cpp:572] connected() returned id=0

 

Interestingly it keeps showing "Running as Receiver Inside."

 

I can confirm that the Internal Beacon in StoreFront is not resolvable externally. I created an internal DNS record of internalbeacon.<domain.com>, but I've also tried changing this to intranet.<domain.com> and others.

 

Also, the name of the StoreFront Store being referenced is incorrect: /Citrix/Store instead of /Citrix/CarlStore, despite this not being referenced in the NetScaler session policy configuration.

 

I've tried creating a second store with the default name in the hope that it would correctly get the discovery file, but it doesn't.

 

I've also tried logging in via StoreFront and clicking Activate to download the provisioning file, which shows the correct details:

 

Store
    Store description:   CarlStore
    Store address:         https://cloud.<domain.com>/Citrix/CarlStore/discovery
    Access Gateway
    Default Gateway:     https://cloud.<domain.com>/
    Other Gateways:      

 

But when I add it to Receiver it errors after a minute or so with: 

 

"Cannot add account

To resolve this issue, contact your help desk with this information:

Cannot retrieve discovery document."

 

Things worth mentioning:

The SSL certificate for cloud.<domain.com> has been configured for email-based account discovery with a Subject Alternative Name of discoverReceiver.<domain.com>, and the Account Services Address in the Self Service NetScaler Session policy is set to:

 

"https://cloud.<domain.com>/Citrix/Roaming/Accounts"

 

as per the guide.

 

There is an SRV record configured with the following details:


_citrixreceiver._tcp.<domain.com>  SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = cloud.<domain.com>

 

Clientless access is set to "On".

 

Does anyone have any ideas? Any help would be greatly appreciated!
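As an added example (not part of the original post, and not a Citrix tool), the script below parses the Receiver log format quoted above and pulls out the points a reviewer would check first: it pairs each SendHttpRequest with the response on the same thread (the log interleaves other threads between them), flags any discovery or config fetch that did not return HTTP 200, compares the store name in the discovery URL with the store the client should be using, and notes when "INSIDE" is only the default LAN fallback rather than a beacon result. The sample log is constructed from the lines in the post, with example.com standing in for the redacted domain, and the expected store name CarlStore is taken from the post.

```python
import re

# Constructed sample in the shape of the Receiver log quoted in the post
# (example.com stands in for the poster's redacted <domain.com>).
SAMPLE_LOG = """\
[2019-02-21 15:17:12:852] [18544] [windowsplatformfactory.cpp:1277] Running as Receiver Inside.
[2019-02-21 15:17:14:148] [5408] [winhttpclient.cpp:66] SendHttpRequest: url=https://cloud.example.com/Citrix/Store/discovery
[2019-02-21 15:17:14:161] [5408] [winhttpclient.cpp:72] created request: 08524660
[2019-02-21 15:17:14:168] [11580] [networklocation.cpp:320] Store can't be found. Returning default LAN location.
[2019-02-21 15:17:14:498] [5408] [winhttpclient.cpp:102]     response: status=302
[2019-02-21 15:17:14:499] [5408] [winhttpclient.cpp:66] SendHttpRequest: url=https://cloud.example.com/Citrix/PNAgent/Config.xml
[2019-02-21 15:17:14:753] [5408] [winhttpclient.cpp:102]     response: status=302
"""

# Each line is: [timestamp] [thread id] [source file:line] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<tid>\d+)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
REQ_RE = re.compile(r"SendHttpRequest: url=(?P<url>\S+)")
RESP_RE = re.compile(r"response: status=(?P<status>\d+)")
# Store name as it appears in a StoreFront discovery URL (/Citrix/<store>/discovery)
STORE_RE = re.compile(r"/Citrix/(?P<store>[^/]+)/discovery")


def parse_log(text):
    """Split log lines into their fields; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def pair_requests(entries):
    """Pair each SendHttpRequest with the next 'response: status=' line on the
    same thread id. Returns a list of (url, status) tuples in log order."""
    pending = {}  # thread id -> url of the request still awaiting a response
    pairs = []
    for e in entries:
        m = REQ_RE.search(e["msg"])
        if m:
            pending[e["tid"]] = m.group("url")
            continue
        m = RESP_RE.search(e["msg"])
        if m and e["tid"] in pending:
            pairs.append((pending.pop(e["tid"]), int(m.group("status"))))
    return pairs


def triage(text, expected_store):
    """Return the findings a reviewer would pull from this log, as plain strings."""
    entries = parse_log(text)
    findings = []
    for url, status in pair_requests(entries):
        # Receiver needs a 200 with the discovery/config document; a 302 means
        # something in front of StoreFront (logon page, policy) intercepted it.
        if status != 200:
            findings.append(f"non-200 on {url}: HTTP {status}")
        m = STORE_RE.search(url)
        if m and m.group("store") != expected_store:
            findings.append(
                f"store path mismatch: client asked for {m.group('store')}, expected {expected_store}"
            )
    msgs = [e["msg"] for e in entries]
    if any("Store can't be found" in m for m in msgs):
        # The client logged INSIDE before it knew the store, so this is the
        # default LAN fallback, not evidence that the internal beacon answered.
        findings.append("location INSIDE is the default LAN fallback (store not yet registered), not a beacon result")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "CarlStore"):
        print("-", finding)
```

On the post's own log this reports the two 302s (discovery and PNAgent Config.xml), the /Citrix/Store versus /Citrix/CarlStore mismatch, and that the INSIDE classification is a fallback, which matches the poster's reading of the log.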


3 answers to this question


So far it's looking as though this is to do with a rewrite policy that we have bound to the gateway to remove the 2FA password box. We have a RADIUS policy which prompts for approval on a mobile device using Microsoft Authenticator. 

 

We have the following policy configured:

Policy Name: rwp_mfa
Priority: 100
Expression: true
Action: rwa_mfa
Goto Expression: END
Action Name: rwa_mfa
Type: INSERT_HTTP_HEADER
Header Name: Set-Cookie
Expression: ("pwcount=\"+1")

 

We've changed the expression on the policy from "true" to:

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

...to ensure that this only affects browser-based connections, and now Workspace prompts for credentials when using either the URL (https://cloud.<domain.com>) or email-based account discovery (username@<domain.com>).

 

However, the only issue now is that we want to remove the dual password/passcode prompts for Workspace.

 

The only way I've found to do this so far is by moving the RADIUS policy from the "Secondary Authentication" section to the "Primary Authentication" section, along with the 1 LDAP Policy which is already set as the primary. However, doing so then prevents the browser logon from prompting for 2FA on mobile devices.

 

Ticket is still open with Citrix, I will update with any developments.

 

Update:

 

We used the below fix to finally remove the second password prompt from Receiver/Workspace:

 

https://support.citrix.com/article/CTX203775

Workaround 3

 

Complete the following steps to work around this issue:

  • The Receiver version should be 4.4 or above to implement this workaround. At present this workaround is not supported for Mobile Receivers.
  • Using WinSCP or any other SFTP tool, or using the vi editor, edit the /netscaler/ns_gui/vpn/index.html file.
  • Add the line <META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS"> to this file, below the line that reads <META http-equiv="Content-Type" content="text/html; charset=UTF-8">

The following is an example for your reference:

<!DOCTYPE html PUBLIC "-//W3C//DTD XDEV_HTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Netscaler Gateway</title>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/vnd.microsoft.icon">
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">
<META content=noindex,nofollow,noarchive name=robots>
<link href="/vpn/js/rdx/core/css/rdx.css" rel="stylesheet" type="text/css"/>

  • You can see that the passcode field is hidden after making the preceding change.
  • After entering the password, you are prompted for the OTP passcode by RADIUS.
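As an added example (not from the post and not NetScaler code), the script below simulates the rewrite policy decision described above so the effect of changing the bind expression can be checked without a gateway: it evaluates the two expression forms the post uses (the literal true, and HTTP.REQ.HEADER("...").CONTAINS("...") with an optional .NOT), walks bound policies in priority order honouring a Goto of END, and reports which client types receive the injected Set-Cookie header. The rendered cookie value "pwcount=1" is an assumption (the post shows the action expression only as ("pwcount=\"+1")), and both User-Agent strings are constructed samples; real NetScaler expression syntax is much larger than the subset parsed here.

```python
import re

# Subset of the NetScaler policy expression language used on this page:
# HTTP.REQ.HEADER("<name>").CONTAINS("<needle>") with an optional trailing .NOT
HEADER_EXPR_RE = re.compile(
    r'^HTTP\.REQ\.HEADER\("(?P<name>[^"]+)"\)\.CONTAINS\("(?P<needle>[^"]+)"\)(?P<neg>\.NOT)?$'
)


def expr_matches(expr, request_headers):
    """Evaluate a bind expression against the request headers (names compared case-insensitively)."""
    expr = expr.strip()
    if expr.lower() == "true":
        return True
    m = HEADER_EXPR_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    lowered = {k.lower(): v for k, v in request_headers.items()}
    value = lowered.get(m.group("name").lower(), "")
    hit = m.group("needle") in value
    return (not hit) if m.group("neg") else hit


def apply_rewrite_policies(policies, request_headers, response_headers):
    """Apply the action of each matching policy in priority order; a Goto of END
    stops evaluation after the first hit. Returns the resulting response headers."""
    out = {k: list(v) for k, v in response_headers.items()}
    for p in sorted(policies, key=lambda p: p["priority"]):
        if not expr_matches(p["expression"], request_headers):
            continue
        action = p["action"]
        if action["type"] == "INSERT_HTTP_HEADER":
            out.setdefault(action["header"], []).append(action["value"])
        if p["goto"] == "END":
            break
    return out


def make_mfa_policy(expression):
    """The rwp_mfa / rwa_mfa pair from the post, with the bind expression as a parameter.
    The cookie value is an assumed rendering of the post's action expression."""
    return {
        "name": "rwp_mfa",
        "priority": 100,
        "expression": expression,
        "goto": "END",
        "action": {"name": "rwa_mfa", "type": "INSERT_HTTP_HEADER",
                   "header": "Set-Cookie", "value": "pwcount=1"},
    }


# Constructed sample requests: a browser and a Receiver fetching the discovery document.
CLIENTS = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/65.0"},
    "receiver": {"User-Agent": "CitrixReceiver/19.2.0.0 Windows/10.0"},
}

ORIGINAL_EXPR = "true"
SCOPED_EXPR = 'HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT'


def affected_clients(expression):
    """Map each sample client to whether the gateway would inject Set-Cookie for it."""
    policies = [make_mfa_policy(expression)]
    return {name: "Set-Cookie" in apply_rewrite_policies(policies, hdrs, {})
            for name, hdrs in CLIENTS.items()}


if __name__ == "__main__":
    for label, expr in (("original", ORIGINAL_EXPR), ("scoped", SCOPED_EXPR)):
        print(label, expr, "->", affected_clients(expr))
```

With the original expression both clients get the injected cookie, which is consistent with Receiver's discovery fetch being altered; with the scoped expression only the browser does. Since User-Agent is supplied by the client, this scoping is a compatibility measure for the logon page, not a control that tells trusted and untrusted clients apart.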

 

