Jump to content
Welcome to our new Citrix community!

nFactor fails after upgrade to

Mark Brilman

Recommended Posts

My simple nfactor flow fails after upgrade to . It's just LDAP first with Radius Next. It always worked.

Since the upgrade to it stopped working. When logging in I get the error : Loginschema does not permit current login request


In ns.log:


 "ns_aaa_login_handler: Login request is not expected to be encrypted"
 "Claims allowed in current loginschema are 1000"
"password sent in login request when schema does not define it, flags 1000"
"Could not match login claims for user <user@domain.nl> with configured schema"
 "AAA Client Handler: Found extended error code 1245208, ReqType 16388 request /nf/auth/doAuthentication.do, cookie hdr "

Anybody else seeing the same with a possible solution?

Link to comment
Share on other sites

  • 3 weeks later...


Last week we installed the 13.0-52.24 update to our ADC's. While testing, our VPN worked fine, but out Dual-Auth for our Citrix Desktops was broken. While troubleshooting, we tested the default SingleAuth.xml  and found that this worked. We looked at that XML file and noticed that all the standard indents were gone! That's right...no spacing. Each section was a one-liner. It appears that the security requirements for the XML files were changed...


If you have custom login policies, like we do, try going through them and removing the spaces. You can use one of the new built-in policies for comparison.


Here is an example of one section of the XML policy:




















I hope this help!


  • Like 2
Link to comment
Share on other sites

  • 3 weeks later...

@Mark Plantenberg Thank you for the assistance. I don't know how you stumbled upon this fix but we faced the same issue and we also had to make similar changes to put everything on one line.


We also updated the header XML line from:

<?xml version="1.0" encoding="UTF-8"?>


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>


We also had to make sure that there was no new line at the end of the file.


Lastly, after copying the new xml files to the Netscaler, I found that we had to recreate the Login Schema profile (even though it is pointing to the same XML file).


After doing the above we were able to get past the error.

  • Like 1
Link to comment
Share on other sites

  • 2 weeks later...
  • 3 weeks later...

Had to back out of 57.18 upgrade after encountering "Loginschema does not permit current login request".  Doesn't even try to to Policy Label authentication items: "bind_vipconfig: got bind for 'schema_policy_blah' but didn't find it in the list".  Have a case, will try to update if I get a decent answer.

Link to comment
Share on other sites

mmiller48615, we don't have custom xml files in our deployment.  The Schema Profiles use 'noschema'.  The fix of deleting and recreating the Schema Policy and Profile may do it, but until Citrix gives me a warm and fuzzy on that, I'm gonna wait and beat them up.

Edited by clangst520
Link to comment
Share on other sites

Working with a Citrix engineer, we were able to resolve this by removing all the returns in the our custom schema files so it was a single line using WinSCP. After modifying them, I would need to go into the web GUI and goto the login schema profiles. I would edit the profile, edit the auth schema*, select the file and clicked "select" on the right side of the window. clicking "ok" on that window and out of the profile. My understanding is that you need to open and save the file after modifying via something like WinSCP. no bindings or recreating anything.

Link to comment
Share on other sites

  • 1 month later...
23 minutes ago, Sam Hernandez-Gill1709161206 said:

Did others see this resolved with either the 12.1 58.14nc that was released on August 14th or the 13.0 64.48 that was released on July 27th?

Both have NSHELP-22929 listed under Fixed Issues in the release notes,  but neither fixed the mfa nexfactor I have on my netscaler's.


If the new build did not fix it, and you have tried removing and recreating your Schemas, then it is likely you are experiencing a different issue and should open a case with support on the upgraded build.

Link to comment
Share on other sites

  • 2 months later...
On 7/14/2020 at 5:36 PM, Stuart Griffiths1709161866 said:

Had the same issue.  Using

  • Edited the .xml file to single line format
  • Unbound the Schema Profile from the Schema Policy
  • Deleted the Schema Profile
  • Recreated the Schema Profile specifying the .xml file previously edited
  • Bound the Schema Profile to the Schema Policy

Thanks everyone, now working again :-)



I also had to recreate all Authentication Policy Labels after Update to 12.1 Build 60.16

Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...