Jump to content
Welcome to our new Citrix community!

FAS Server with Azure SSO

Recommended Posts

3 hours ago, Carl Stalhood1709151912 said:

Since SAML does not provide the user's password to StoreFront, when a user launches a connection to a VDA, the VDA will prompt the user for credentials. If you want to eliminate the VDA authentication prompt, then implement FAS.

Would this cause Storefront to not pass thru credentials when coming in from a NON-VPN connection and trying to be re-directed to external Storefront page?

Error states " Cannot complete your request":

SF Error:

A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)"


Link to comment
Share on other sites

The ADC is doing Full Delegation of credential validation. In ADC>Session Profiles>Client Experience>Credential Index on both receiver and browser profile set to Secondary.

Also check box for "Single Sign-on to Web Applications" is checked.


Any changes you recommend to change any of these settings? Just a quick insight, this test SF page works when connected to VPN. However, when connecting from either mobile device, tablet or personal computer (no VPN) this test SF page does not resolve.


Link to comment
Share on other sites

So I was able to fix the whole re-direct issue when coming in from external. I guess going back to the original question that you answered, since we're logging into Storefront via SAML, we will get prompted with the windows sign in window when launching apps.


Would there be a way to do SAML Auth but without SSO to storefront? Example, user goes to ADC login page, puts in UPN, gets MFA prompt and authenticated but instead of going directly to SF window with all enumerated apps, user gets Storefront login page to input LDAP credentials?


Link to comment
Share on other sites

  • 4 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...