Jump to content
Welcome to our new Citrix community!

Traffic SSO sporadic issue

Recommended Posts

I am troubleshooting an issue with AAA SSO with sporadic occurrence. The flow is as follows:


·      Users go to the application URL

·      ADC redirects them to AAA

·      Users log on with their credentials

·      ADC returns the 302 to selfauth, and a user gets the cookies, etc.

·      Then the page loads the script from a different URL, i.e., the NSC_TMAS cookie for that different URL/FQDN is necessary

·      ADC returns the 302 to AAA/cgi/tm?code=xxxxxxx

·      ADC returns the 302 to APP/cgi/selfauth, a user gets the NSC_TMAS cookie for that different domain, and that’s it.

In relatively rare cases, the response to AAA/cgi/tm?code=xxxxx is not 302 to /cgi/selfauth, but instead of that, the ADC return 302 to /vpn/tmindex, and the authentication is not successful, and a user does not get the NSC_TMAS .


Do you have any idea what could cause this behavior and why the /vpn/tmindex is returned occasionally? 


Thank you

Link to comment
Share on other sites

I don't have a specific idea on this one beyond if there's a chance the cookie is prematurely expired or left over from previous session which is breaking the hand off.

If you can see a saml trace of the event you might have an idea. Or if its specific to certain user/devices.


I would check the ADC's cookie version is v1 and not v0 with proper timezone/clock sets.  IF the cookie is v0, then possible issue is endpoint device's clock is wrong and so the cookie is expiring early or late in the flow.  The v1 cookie should negate this behavior.


But that's the only "intermittent" issue I can think of. Either that or a prior cookies is still present and not expiring so the system is skipping the intermediate steps but the login is failing with the old value.  Without being to repro under specific conditions this would be hard to check.


Otherwise, you would need either a network trace, a saml trace, or AAA events (/tmp/aaad.debug) from when the "failure" occurred and if the issue is intermittent it's going to be hard to come by that for more info.


Detailed login reference here:  http://intelligentsystemsmonitoring.com/knowledgebase/citrix/saml-sp-initiated-sso-traffic-flow-explained/


Hopefully, someone else has better ideas.

If you can do some issue tracking on when issue occurs and which device(s) are affected it might help you find a better root cause.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...