
Password change via vpx stopped working

Luca Ferraro


Hi all,


I have a strange phenomenon.


We have a 2 node HA setup for our vpx. Login is always done via gateway, AD authentication + OTP. 

Everything is working fine, except one vpx node stopped working for user password change (normal login still works). The user is forced to change the password and can enter everything, but it fails in an endless loop "Cannot Complete Your Request".


The storefront servers log the following:


Citrix Authentication Service Error 7:

CitrixAGBasic-Single Sign-On ist fehlgeschlagen, da die Anmeldeinformationen aus folgender Ursache nicht überprüft werden konnten: FailedPasswordComplexity.

Die angegebenen Anmeldeinformationen waren:
Benutzer: myUserName
Domäne: my.domain



Citrix Receiver for Web Error 10:

Eine CitrixAGBasic-Anmeldeanforderung ist fehlgeschlagen.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   bei Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   bei Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
Der Remoteserver hat einen Fehler zurückgegeben: (403) Unzulässig.
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   bei System.Net.HttpWebRequest.GetResponse()
   bei Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   bei Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   bei Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)





The strange thing is that when I fail over to the other node, it works.

I already checked all certificates and downloaded the ns.conf and compared both with notepad++, but I can't see any difference except the encrypted passwords.


The vpx are v13.0.64.35 and StoreFront 1912 CU1. Normally the vpx are not touched. But I suspect that during a recent internal training someone may have opened a setting and "cancelled" but saved something incomplete. Do you have any advice what to check?


Many thanks and kind regards,






This was fixed in the latest release.  Pretty sure it was this part of the release notes:


Single Sign-On (SSO) with the following authentication methods does not work if the SSO configuration in Citrix ADC and Citrix Gateway is enabled only at global level and not at per traffic level.


- CitrixAGBasic authentication

- Kerberos authentication

- OAuth bearer authentication

[ NSAUTH-9166 ]


On 11/13/2020 at 10:23 PM, Daniel Weppeler1709159306 said:

Hey Luke,


Can you please check your HA Sync status, if it is enabled? Or do you use different firmware versions so that HA-Sync is automatically disabled?

Cli command: show ha node





Hi Daniel,


Thank you for your input. The HA sync status shows enabled/success. I also tried a force synchronization from the working vpx to the secondary vpx with status successful. 

Are there vpx instance specific things that will not be synchronized? I think certificates are something not synced? 


I think I'll check our SSO policies again and then try the update.


Hi all, 


My problem was solved by restarting the faulting vpx. Don't know if this was really the cause. But the faulty vpx was active during summer/winter time change.


The running configs showed the following:


vpx01: set ns param -timezone "GMT+02:00-CEST-Europe/Berlin"

vpx02: set ns param -timezone "GMT+01:00-CET-Europe/Berlin"


In the synclog I saw: 

exec: set ns param -timezone "GMT+01:00-CET-Europe/Berlin"
Warning: The configuration must be saved and the system rebooted for these settings to take effect


Also, the faulting vpx got stuck during reboot. I completely shut it down and booted it. Resynced it, rebooted it again and now everything is working fine again on both vpx's.
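
The comparison described in this thread (two HA nodes whose configs differ only in encrypted passwords, until the running configs reveal a timezone mismatch) can be automated. The following is an added example, not part of the original posts or Citrix tooling: it compares two saved running configs option by option and masks the ciphertext in front of `-encrypted`. The sample configs are constructed; only the two timezone lines are taken from the post above.

```python
import re
import shlex

# Constructed sample configs; only the two timezone lines come from the thread.
VPX01 = '''set ns param -timezone "GMT+02:00-CEST-Europe/Berlin"
add server srv1 192.0.2.20
add authentication ldapAction ldap_ad -serverIP 192.0.2.10 -ldapBindDnPassword 3fa9c1 -encrypted -encryptmethod ENCMTHD_3
'''
VPX02 = '''set ns param -timezone "GMT+01:00-CET-Europe/Berlin"
add server srv1 192.0.2.20
add authentication ldapAction ldap_ad -serverIP 192.0.2.10 -ldapBindDnPassword 77b2e0 -encrypted -encryptmethod ENCMTHD_3
'''

# The token in front of -encrypted is ciphertext that differs between nodes
# (as noted in the thread), so it is masked before comparing.
MASK = re.compile(r"(\S+)(\s+-encrypted\b)")

def parse(config):
    """Map each command (with positional args) to its {flag: value} options."""
    entries = {}
    for raw in config.splitlines():
        line = MASK.sub(r"<masked>\2", raw.strip())
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        key, opts, flag = [], {"(present)": "yes"}, None
        for tok in tokens:
            if tokens[0] == "bind":      # bind lines repeat; compare them whole
                key.append(tok)
            elif re.match(r"-[A-Za-z]", tok):
                flag = tok
                opts[flag] = ""
            elif flag is None:
                key.append(tok)
            else:
                opts[flag] = (opts[flag] + " " + tok).strip()
        entries[" ".join(key)] = opts
    return entries

def diff_nodes(conf_a, conf_b):
    """Return (command, flag, value_a, value_b) for every real difference."""
    a, b = parse(conf_a), parse(conf_b)
    out = []
    for key in sorted(a.keys() | b.keys()):
        oa, ob = a.get(key, {}), b.get(key, {})
        for flag in sorted(oa.keys() | ob.keys()):
            if oa.get(flag) != ob.get(flag):
                out.append((key, flag, oa.get(flag), ob.get(flag)))
    return out

if __name__ == "__main__":
    for row in diff_nodes(VPX01, VPX02):
        print(row)
```

On the sample input the only reported row is the `-timezone` option of `set ns param`; a command that exists on one node only is reported with the `(present)` marker.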