
ADC Push Notification - External authentication server denied access


Paul Cross

Been attempting to get ADC Push notifications working. All seems to work up to the point I test the push. I've followed Carl's guide here https://carlstalhood.com/native-one-time-passwords-otp-citrix-gateway-13/ 

As it stands:

  • I can login and add a device using the QR code via the /manageotp link
  • I can log into the gateway using 2FA if I manually enter the code displayed within the Citrix SSO app
  • I can't log in if I just enter U/N and Password and wait for the Push notification

In the NS.log I see the following after LDAP has been authenticated:

Jun 17 11:21:13 <local0.notice> 192.168.100.151 06/17/2019:10:21:13 GMT NSVPX 0-PPE-0 : default AAA Message 4313 0 :  "sslvpn_aaad_login_handler : (0-198): sslvpn_aaad_login_handler: Reply Received, status from aaad: 2, aaad flags 4001" 
Jun 17 11:21:13 <local0.err> 192.168.100.151 06/17/2019:10:21:13 GMT NSVPX 0-PPE-0 : default AAATM Message 4314 0 :  "OAUTH RESP: ns_aaa_oauth_resp_handler, response code 400 is not 200 OK, bailing out
Jun 17 11:21:13 <local0.info> 192.168.100.151 06/17/2019:10:21:13 GMT NSVPX 0-PPE-0 : default AAA Message 4315 0 :  "Core 0: aaad_authenticate_req: current auth failed for paul, rest of the bitmask 0x0 " 
Jun 17 11:21:13 <local0.info> 192.168.100.151 06/17/2019:10:21:13 GMT NSVPX 0-PPE-0 : default AAA Message 4316 0 :  "Core 0: aaad_authenticate_req: Auth failed, no further policies in current user-defined factor, sending appropriate schema back for user paul " 
Jun 17 11:21:13 <local0.warn> 192.168.100.151 06/17/2019:10:21:13 GMT NSVPX 0-PPE-0 : default AAA LOGIN_FAILED 4317 0 :  User paul - Client_ip 81.131.240.107 - Failure_reason "External authentication server denied access" 

I've tried two different Citrix Cloud accounts just to make sure. The Push Service actions show as COMPLETE.

Regards. Paul.

  • 4 months later...

I am also facing a similar issue.

Currently, I am using NetScaler version 13.0 build 41.20.

HINT: according to the Citrix release notes, there is a known issue in 13.0 build 41.20:

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

[# NSAUTH-6106]

Want to know from which build onwards push notification works. Let's check with ver 12.1.

  • 1 month later...

Push notification was not able to register with the Citrix SSO token using the QR code scanner. Getting the error "Push Notification Failed BAD request" on both iOS and Android devices.

1. We found that the client was properly encoding the scan data sent to NetScaler.

2. ADC was not able to use that data, and since it was not able to understand that request, it was sending the HTTP 400 Bad Request error to the client.

Finally, the problem was resolved by upgrading the NetScaler firmware to version 12.1 build 55.13.


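An added example, not part of the original thread: a Python sketch that reads ns.log lines in the format quoted in the first post and tags each LOGIN_FAILED event with the status code of an OAUTH RESP error logged just before it on the same packet engine. The sample lines, the users and addresses in them, and the two-second correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the ns.log excerpt in the first post.
# Hosts, users and client IPs are made up (documentation address ranges).
SAMPLE = '''\
Jun 17 11:21:13 <local0.err> 192.0.2.5 06/17/2019:10:21:13 GMT NSVPX 0-PPE-0 : default AAATM Message 4314 0 :  "OAUTH RESP: ns_aaa_oauth_resp_handler, response code 400 is not 200 OK, bailing out
Jun 17 11:21:13 <local0.warn> 192.0.2.5 06/17/2019:10:21:13 GMT NSVPX 0-PPE-0 : default AAA LOGIN_FAILED 4317 0 :  User alice - Client_ip 203.0.113.10 - Failure_reason "External authentication server denied access"
Jun 17 11:25:40 <local0.warn> 192.0.2.5 06/17/2019:10:25:40 GMT NSVPX 0-PPE-0 : default AAA LOGIN_FAILED 4402 0 :  User bob - Client_ip 203.0.113.11 - Failure_reason "External authentication server denied access"
'''

# syslog prefix, then the ADC's own timestamp, packet engine, module and event
LINE = re.compile(
    r'^\w{3}\s+\d+ [\d:]+ <[\w.]+> \S+ (?P<ts>\S+) GMT \S+ (?P<ppe>\S+) : '
    r'\w+ (?P<module>\w+) (?P<event>\w+) \d+ \d+ :\s+(?P<msg>.*)$')
OAUTH = re.compile(r'OAUTH RESP: .*response code (\d+) is not 200 OK')
FAILED = re.compile(r'User (\S+) - Client_ip (\S+) - Failure_reason "([^"]*)"')

def correlate(lines, window=timedelta(seconds=2)):
    """Return one dict per LOGIN_FAILED event. 'oauth_status' is the HTTP
    status from an OAUTH RESP error seen on the same packet engine within
    `window` before the failure (a heuristic), else None."""
    last_oauth = {}  # packet engine -> (time, status)
    results = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an ns.log line in the expected shape
        when = datetime.strptime(m['ts'], '%m/%d/%Y:%H:%M:%S')
        oauth = OAUTH.search(m['msg'])
        if oauth:
            last_oauth[m['ppe']] = (when, int(oauth[1]))
            continue
        failed = FAILED.search(m['msg']) if m['event'] == 'LOGIN_FAILED' else None
        if not failed:
            continue
        seen = last_oauth.get(m['ppe'])
        near = seen and timedelta(0) <= when - seen[0] <= window
        results.append({'time': when, 'user': failed[1], 'client_ip': failed[2],
                        'reason': failed[3],
                        'oauth_status': seen[1] if near else None})
    return results

if __name__ == '__main__':
    for event in correlate(SAMPLE.splitlines()):
        print(event['time'], event['user'], event['reason'], event['oauth_status'])
```

Both sample failures carry the same Failure_reason string; only the first has a non-200 OAUTH RESP next to it, which is the pattern shown in the first post's excerpt.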