
Citrix Access Gateway - LDAP authentication failure - sending Reject code 4009 "user not found"


Citrix Access Gateway URL - LDAP authentication failure - sending Reject code 4009 "user not found".

Base DN is set to Domain Users. No security group has been created yet for the Access Gateway portal. The intention is to have all domain users log on to VDI, hence the Base DN as Domain Users.

None of the domain users are able to log on to the Citrix AG portal.

Please see the screenshots; any help and advice is greatly appreciated.

Attached are the aaad.debug log and a Wireshark trace to see the comms between the Citrix NetScaler and LDAP.


2Base DN.png

2ldap connectivity.PNG

2ldap policy screenshot.PNG

2netscaler AAAD debug log.PNG

screenshot of unable to logon.PNG

wireshark trace.png


Jim's right. So, if your LDAP Base DN targets a specific container, then the user and group (if using group extraction) must exist in that container.

In this case your Base DN is targeting it to only look for accounts in group Domain Users, but this might be better as a search filter, not the Base DN.

Usually the Base DN would be the DC=domain,DC=com for your domain.com or a specific OU. Not a specific group.

Use a search filter if needed to narrow scope to accounts meeting certain conditions.
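
Why a group DN used as the Base DN ends in "user not found", as an added example that is not part of the original posts: an LDAP search only returns entries located at or beneath the Base DN, and user accounts are not stored beneath a group object. The directory entries, account names and function names below are constructed for illustration and model the subtree-scope rule only, not NetScaler's own code.

```python
import re

# Constructed sample directory: DN -> attributes (not taken from the thread).
DIRECTORY = {
    "CN=Alice Example,CN=Users,DC=domain,DC=com":
        {"objectClass": "user", "sAMAccountName": "alice"},
    "CN=Bob Example,OU=Staff,DC=domain,DC=com":
        {"objectClass": "user", "sAMAccountName": "bob"},
    "CN=Domain Users,CN=Users,DC=domain,DC=com":
        {"objectClass": "group", "sAMAccountName": "Domain Users"},
}

def parse_dn(dn):
    """Split a DN into lower-cased RDNs; a backslash-escaped comma stays
    inside its RDN (simplified: other escape forms are not handled)."""
    rdns = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", r.strip().lower(), count=1)
            for r in rdns if r.strip()]

def in_subtree(entry_dn, base_dn):
    """True when entry_dn is the base entry itself or sits beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def find_user(base_dn, login, name_attr="sAMAccountName"):
    """Model of the lookup behind an LDAP bind: subtree search under
    base_dn for an entry whose logon-name attribute equals the login."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base_dn)
            and attrs.get(name_attr, "").lower() == login.lower()]

if __name__ == "__main__":
    group_base = "CN=Domain Users,CN=Users,DC=domain,DC=com"
    domain_base = "DC=domain,DC=com"
    for base in (group_base, domain_base):
        hits = find_user(base, "alice")
        # An empty result is the condition reported as "user not found".
        print(f"{base!r}: {hits or 'user not found'}")
```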



  • 2 months later...
On 8/15/2019 at 10:08 PM, Jim Grimm1709160134 said:

On the LDAP Server configuration, remove CN=Domain Users,CN=Users, and then save and test again.


Let us know if that corrects the issue.

Thanks, followed as mentioned by you, but now I get "cannot complete your Request" on the NetScaler Access Gateway page.

When I log in to StoreFront directly, it works. Only the NetScaler Access Gateway logon shows "cannot complete your Request".

aaad.debug shows:

sending accept to kernel for : user

aaad_alloc_serialize_KeyValue_attrs 0-32: total attribute values to PE: 74, mail=user@xyz.com 


Anything that I'm missing?
