
Netscaler is authenticating twice (silently) when user logs on.


Good day.


To make a long story short:


I am trying to make thin clients work with a new Gateway that we are building in our Netscaler.  The thin clients are for users that are in a separate domain (an acquisition, let's say dom2).  We cannot authenticate to the Netscaler from the thin; the reason is that the user is not found.


The thins work with the netscalers, we have them configured and working from our domain (dom1).  


What I don't understand, when viewing the aaad.debug file while logging in, is that I get authenticated twice.  Once on Dom2 (first authentication, succeeds) and then on dom1 (second authentication, fails).  I can tell this because of the IPs of the servers they are authenticating to.


Is there any way to see each authentication step as it is fired (maybe see the authentication profiles being engaged)?  There is a global authentication policy that is present, but I do not think it triggers.  I unbound it and it did not change the behaviour.  The account still authenticated twice.


When logging on a Gateway that points to dom1, I get authenticated twice, but since it passes both times then I get authenticated successfully.


I tried to look at the running configuration, and the only culprit I see is the global Policy.  I can try to delete it completely, but I don't know how that will affect other things (a consultant did our setup for our Netscalers, and left us a bit of information.  He is now no longer in the business, so no longer reachable).


Any ideas?  I'm mostly looking at how I can view which policies are hit when the person is logged in.


Thank you for your help.








So we identified part of the issue.  


We had the thins log in to a storefront store with cloud connectors in Dom1.  I think for some reason, when a thin logs in, the Netscaler does not pass the authentication token correctly, so the Storefront needs to reauthenticate (which they do through the cloud connectors configured in the store).  Since the cloud connectors were not in the correct domain, the second authentication failed.

I created a store with cloud connectors in dom2 that points to the same delivery group, and made the thins log in to that store and that has "resolved" the issue.  I don't understand why the web page completes the authentication correctly though.


So it's working for now, it's just an odd setup.
