
Storefront show "There was a failure with mapped account"


anant aggarwal


Hi


I am using SAML authentication with StoreFront.

DDC and FAS are installed on same machine.

It is also installed on WS12R2, which is a domain-joined machine.

Here, we are using an external IDP to authenticate the user using the SAML protocol.

Now, the user is redirected while accessing Receiver, gets the credential window, and after completing authentication it shows "There was a failure with mapped account".

On the IDP side, the configuration for StoreFront is:

Name ID: email

Return attribute: UPN mapped to email address

Binding protocol: POST

Verify request signature: ON


Response:

<!-- opening tag was cut off in the post; reconstructed from the closing tag, protocol namespace assumed to be the standard SAML 2.0 one -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://win-9b/Citrix/mystoreAuth/SamlForms/AssertionConsumerService"
    ID="ID_3a7c5134-befa-483e-a10a-9b68ec8c4ea1"
    InResponseTo="id-7d059ff2-fa15-4ecf-b887-edf35b1c8c0f"
    IssueInstant="2019-12-03T10:16:39.405Z" Version="2.0">
  <saml:Issuer>https://idp.test.com/auth/realms/BPSILF34FA-STA</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#ID_3a7c5134-befa-483e-a10a-9b68ec8c4ea1">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <dsig:DigestValue>vksCccMJhKPKjEJg+JZkiL/W8TfAnJxj3lEDS5zjsVk=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>Gsnn9H/xRWqzkNp7K8p609ypETW9GPg9lG39qbRIoqOUAx9qfv5wxnEv5dd5VQ8NKccYKDYZrk4BUD3fjBEM21x2SjMM1PURmTihmLbhx+CotfhgkEOLBgPEVRCHsw7MU3o8zo9WZkwD2WWnxgG8DoFgu0J6OYf8TvAHZdofKXgpKqABI+rVfFozgAE6dne2X+O3kTas83ofL5SgdQq/8J2DFa8z6n1NhFyLuUDttDofZ6W5au4q9/vONY+zvbjwsqMYMyeudfDUGlNUOTGBfAfRIzrU0p8pKWBb7w9w6xNjPa96MX/arpJtBsulMZFzBTrn7NaC2kPNBU2Q95ZgDg==</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyName>AX8E08J2h7eO1uKbbuXXpbQH4eq7RSxT80px7d30iP8</dsig:KeyName>
      <dsig:X509Data>
        <dsig:X509Certificate>[certificate omitted]</dsig:X509Certificate>
      </dsig:X509Data>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>iYYoT8u1gdXKs+v7T6kuwfEVZBXfqkZNwV/LGO7PKUB0jiCIXA1PqpEQ37Qx3iemu6vHS3ahc/jcSBwjxMsT94rEGs30/I/jwY1xQxLpACfD6HIGf6d6I/IXvU6g4t6Ewxc6TCDA9n4K9TDmOhfujWLdlXdIftV5nMviePrTttinO4vfbIvgShC4UvzGWr8qEyvu2PfcrpqIpNyEMvev6y15Q3gWIiSpBrnCFHYdNkxn6eLA9+7PeVFNco891msH5Y6pj87Vn01SQeTdYATwNPXTxbEMLfRlf0xgoy4rZroWck7EiUDP/v4E//qTRzQDHDtQMQea0qwKddEKjQo61Q==</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ID_694517af-9cc8-42f0-bf04-67e1eed33a44"
      IssueInstant="2019-12-03T10:16:39.405Z" Version="2.0">
    <saml:Issuer>https://idp.test..com/auth/realms/BPSILF34FA</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user1@mydomain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="id-7d059ff2-fa15-4ecf-b887-edf35b1c8c0f"
            NotOnOrAfter="2019-12-03T10:21:37.405Z"
            Recipient="https://win-9b/Citrix/mystoreAuth/SamlForms/AssertionConsumerService"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-12-03T10:16:37.405Z" NotOnOrAfter="2019-12-03T10:17:37.405Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://win-9b/Citrix/mystoreAuth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-12-03T10:16:39.405Z"
        SessionIndex="c7e1e903-5c7b-4bf2-8397-feb475044359::e1945d5a-dd9e-4e67-ad55-6a499fcf0f91">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="UPN" Name="UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">user1@mydomain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Please let me know which configuration I am missing.


You need to ensure that you have a "shadow account" in the target AD with userPrincipalName=user1@mydomain.com.

If you think that such an account exists, then there may be an issue with your PKI. StoreFront uses Kerberos S4U to verify the account; if this fails, there will be an error in the Windows Event Log, under Security, giving further details as to the issue.


The shadow account exists with the same name.

Event log error:

The security token failed validation.
System.IdentityModel.Tokens.SecurityTokenValidationException, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
ID4152: The Saml2SecurityToken cannot be validated because the IssuerToken property is not set. Unsigned SAML2:Assertions cannot be validated.
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Citrix.DeliveryServices.Authentication.Saml20.SamlManager.ProcessSamlResponse(String base64EncodedResponse, Boolean compressed)

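The ID4152 text in the event log above points at the token itself rather than at the shadow account or the PKI: StoreFront validates the Assertion as a Saml2SecurityToken, and the posted response carries a signature only on the outer Response element, not on the Assertion. The following is an added checker, not Citrix code, that parses a SAML Response with the standard library and reports which element the enveloped signature actually covers; the embedded sample is constructed with the same shape as the posted response and uses placeholder signature values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the response posted above: the Response is
# signed, the Assertion inside it is not. Signature values are placeholders.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_resp1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#ID_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="ID_assert1" Version="2.0">
    <saml:Subject><saml:NameID>user1@mydomain.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement><saml:Attribute Name="UPN">
      <saml:AttributeValue>user1@mydomain.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signed_ids(element):
    """IDs (without '#') covered by enveloped signatures that are direct children of element."""
    refs = element.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}


def diagnose(xml_text):
    """Return findings to check before suspecting the shadow account or the PKI."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("ID") not in signed_ids(root):
        findings.append("response is not signed")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        findings.append("no assertion present")
    for a in assertions:
        # StoreFront validates the Assertion as a token in its own right; a signature
        # on the enclosing Response does not cover it, which is what ID4152 reports.
        if a.get("ID") not in signed_ids(a):
            findings.append(f"assertion {a.get('ID')} is not signed (StoreFront ID4152)")
        name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
        upn = a.findtext("saml:AttributeStatement/saml:Attribute[@Name='UPN']/"
                         "saml:AttributeValue", default="", namespaces=NS)
        if name_id and upn and name_id.lower() != upn.lower():
            findings.append(f"NameID {name_id} differs from UPN attribute {upn}")
    return findings
```

Run `diagnose(SAMPLE)` against the constructed sample, or paste a real response captured from a SAML tracer in place of it, to see whether the IDP is signing the Assertion or only the Response.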
