
SAML Auth through Netscaler using Azure IDP - Cannot complete request


Stood up SAML auth through the DR Netscaler using the associated Storefront servers with no problems. FAS is being used. Azure is the SAML IDP.

Created the same setup through the Prod Netscalers and some accounts work, but most error out before application enumeration occurs through Storefront: "Cannot complete request". I am aware of the standard troubleshooting for "Cannot complete request" and FAS; this is not related.

I have isolated this to the Prod Netscalers. I am able to configure the DR Netscalers to point to the Prod Storefront servers, which leads me to believe there is an issue with the Netscaler passing the authentication to Storefront.

No discernible difference between DR and Prod. Netscalers are the same version (12.1...). The Azure side has been redone, with new apps/certs etc.

The Storefront servers log the following errors (in order):


The following error occurred during an authentication attempt for user: domain\user.name with realm: <unknown>
System.ArgumentOutOfRangeException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Specified argument was out of the range of valid values.
   at Citrix.DeliveryServices.Authentication.Kerberos.Native.Authenticator.Authenticate(String userPrincipalName, String clientRealm)
   at Citrix.DeliveryServices.Authentication.Kerberos.KerberosAuthenticator.Authenticate(String userPrincipalName, String clientRealm)
   at Citrix.DeliveryServices.Kerberos.Delegated.Server.DelegatedKerberosAuthenticator.Authenticate(String userPrincipalName, String clientRealm)
CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: user.name
domain: domain
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.13.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: https://127.0.0.1/Citrix/StorefrontFASAuth/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
I've been working with Citrix support for some time now, so hoping the community may have some suggestions.  Thank you.

A couple of suggestions based on past experience:

1. Check the auth configuration on Storefront for the prod gateway: make sure pass-through is selected and "Fully delegate credential validation to NetScaler Gateway" is checked.

2. The callback URL is mandatory in this scenario. Please ensure it is configured, and that the callback URL, when accessed using the browser on the SF server, opens without any cert errors.

3. Keep the single sign-on domain blank in the Netscaler session profile, as long as Azure returns the UPN as the NameID.


3 hours ago, Siddhartha Sarmah said:

A couple of suggestions based on past experience:

1. Check the auth configuration on Storefront for the prod gateway: make sure pass-through is selected and "Fully delegate credential validation to NetScaler Gateway" is checked.

2. The callback URL is mandatory in this scenario. Please ensure it is configured, and that the callback URL, when accessed using the browser on the SF server, opens without any cert errors.

3. Keep the single sign-on domain blank in the Netscaler session profile, as long as Azure returns the UPN as the NameID.

Yep... verified all that. Thanks. Very odd issue. Hoping Citrix can come up with something.


1 month later...

If you are using FAS in Prod now as well, did you enable FAS on the Store in StoreFront to authorize delegation? My hunch is it could be this.

Do you have the GPOs in place in Prod to ensure StoreFront maps to the correct FAS servers for Prod?

Were the FAS servers authorized to request certificates from the CA?

Is "Trust XML Requests" enabled on your Prod Citrix Site?