Jump to content
Welcome to our new Citrix community!

Citrix Netscaler SAML FAS - Session not starting

Recommended Posts

Hello all,


i have to implement SAML authentication on Citrix Netscaler. For testing purpose I tried it with ADFS in our testdomain. Citrix lives in the production domain.

The plan is using the test netscalter in combination with the ADFS in the testdomain as IDP where the netscaler plays the role of the SP.


So I made a setup similar to the one of Carl Stalhood, described in this link: https://www.carlstalhood.com/citrix-federated-authentication-service-saml/


So far so good. I open my Website, that works fine. I get redirected to the IDP, enter my User with Password, that works fine too. I adjusted the user in the testdomain accordingly so that it has the same UPN as the user in the production domain. Usermapping works. Storefont lists all configured applications.


If I try to launch an application it doesn't work. I can't find any errors in the logs. I just see this screen:


In the BrokerConnectionLog (Get-BrokerConnectionLog) i see, that the session ist brokered. But on my FAS servers I cannot see an identity assertion.


I thought, storefront makes the voodoo with the FAS Servers and the VDA...


One last point. The production ist working fine using FAS. No problems with domain passthrough or user/pwd or user/pwd/token (the last one coming from the production Netscaler.).


So what I am missing? Could it be a firewall issue between the client and the netscaler?  HTML5 Receiver shows the same problem.


Thanks for helping!

Link to comment
Share on other sites

To confirm, you are saying that your internal user - storefront - cvad via FAS is working. Just the gateway config is failing with fas?  Or did I misundertand?

- IF the FAS is working internally, and only external via gateway is failing its probably a gateway/storefront setting.

- If the internal connections are working are not fas but based on some other mechanism, then you have to troubleshoot the gateway/storefront/cvad adfs/fas setup in whole in addition to the gateway/storefront external access.  Please, clarify what is and isn't working, so someone can better help.

- Identity assertion missing can be an issue on gateway saml, the storefront adfs integration (powershell commands), the cvad adfs setup, or the target domain adfs/saml setup. There are 4 things to confirm configuration for.


Gateway has to know about the authentication AND the storefront settings.

The storefront has to handle fas and the gateway integration.

CVAD has to be properly setup from ADFS too.

Also, which portal theme on gateway are you using?  Which Workspace App connection type (web or services client)?  Are you using Gateway with Authentication vserver and advanced authentication policies, or still classic?


So, usually you need some idea of gateway config, authentication, portal theme, and session policies, and possibly traffic policies.

StoreFront config for gateway and storefront for adfs.  Plus the gateway integration option on storefront, you need to go intot he advanced authentication parameters for gateway and if its doesn't have adfs details, then you likely didn't setup the storefront powershell for gateway + adfs.  Go to storefront > store, go to authentication for store, then look at the "gear" next to the gateway integration options.


You may need to look at both the syslog and aaad.debug on gateway to see its side of the authentication behavior.  The storefront logs.

And then if the connection is failing post ica file delivery, then you may need to look at the VDA logs too.


Try looking in Citrix Director to see if it identifies a specific category of launch failure with a reason, that might give you some insight into the config issue.


These are just generic config considerations.



Link to comment
Share on other sites



  • FAS is working internally (storefront only) and externally (via Netscaler). Internally with domain passthrough and externally via LDAP Auth combined with RSA token. 
  • I don' think i have a missconfigured storefront. The Applications are enumerated. 
  • I am using the generic RfWebUI portal theme. Before I used the same as I am using for LDAP / token login. Changing that helped not. 
  • I am using classic policies


The /var/log/ns.log looks good to me:

Apr  6 10:02:18 <local0.info> <Netscaler_IP_1>  04/06/2022:08:02:18 GMT ns-test 0-PPE-0 : default SSLVPN TCPCONNSTAT 1048 0 : Context <user>@<Domain>@<clientIP> - SessionId: 5 - User <user>@<Domain> - Client_ip <ClientIP> - Nat_ip <Netscaler_IP_2> - Vserver <Netscaler_IP_3>:443 - Source <ClientIP>:57753 - Destination <StorefrontIP>:443 - Start_time "04/06/2022:08:01:40 GMT" - End_time "04/06/2022:08:02:18 GMT" - Duration 00:00:38  - Total_bytes_send 0 - Total_bytes_recv 1204 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A"
Apr  6 10:02:43 <local0.info> <Netscaler_IP_1>  04/06/2022:08:02:43 GMT ns-test 0-PPE-0 : default ICA Message 1049 0 :  "[Remote ip = <ClientIP>:57778] [CGP][ICAUUID=0005a335-4923-124d-9678-005056a07e9e] App/Desktop launch initiated {client=<ClientIP>:57778}"
Apr  6 10:02:43 <local0.info> <Netscaler_IP_1>  04/06/2022:08:02:43 GMT ns-test 0-PPE-0 : default SSLVPN ICASTART 1050 0 :  Source <ClientIP>:57778 - Destination <AppServerIP>:2598 - customername  - username:domainname <user>:<NETBIOSNAME> - applicationName FSV Reader - startTime "04/06/2022:08:02:43 GMT" - connectionId 13448
Apr  6 10:02:43 <local0.info> <Netscaler_IP_1>  04/06/2022:08:02:43 GMT ns-test 0-PPE-0 : default ICA Message 1051 0 :  "[Remote ip = <ClientIP>:57778][Username = <user>] [CGP][ICAUUID=0005a335-4923-124d-9678-005056a07e9e] Established connection to VDA successfully {vda=<AppServerIP>:2598}"



I found one difference between SAML and LDAP/ token. In the SSLVPN ICASTART line LDAP /token has as username:domainname <user>:<fqdn> and SAML <user>:<NETBIOSNAME>. Could this be the problem?!


Link to comment
Share on other sites



Thank you for your reply Carl. I checked my session policy. I have no single sign on domain configured.


What I found out is, that it doesn't matter what you write in the User Field of the authentication policy. If your IDP sends a field with NameID and as value the UPN it will work. No matter what the User Field says. I tried different values. For example surname with the value UPN. Got completely ignored. As soon as I send NameID with the value UPN it works. Okay for me, but not expected.



So I get my Apps presented by Storefront. No if im trying to start an app (Storefront and Citrix Receiver or Workspaceapp ) i run into my problems. 

Somehow SSLVPN ICASTART comes up with Source <IP>:52068 - Destination <IP>:2598 - customername  - username:domainname ctx_test:<NETBIOSName> - applicationName FSV Reader - startTime ...

Two loglines before:  default SSLVPN TCPCONNSTAT 918 0 : Context ctx_test@fqdn@<IP> - SessionId: 6 - User ctx_test@fqdn - Client_ip <IP> - Nat_ip <IP> - Vserver <IP>:443...

Correctly extracted from the UPN. 


In a working context i see:

 default SSLVPN TCPCONNSTAT 1066 0 : Context rzsa3_1@<IP> - SessionId: 9 - User rzsa3_1 - Client_ip 

--> so without the fqdn...

Link to comment
Share on other sites

  • 2 weeks later...



I was on vacation for a week, and today I looked again over my config. I wanted to start from scratch and made a new storefront server. I suspected the storefront server to be the problem. And I was partially right. I made the store for the SAML authentication but i forgot to set the "VdaLogonDataProvider".  Stupid small mistake with a big impact. 


$store = Get-STFStoreService -VirtualPath "/Citrix/IT-Store-SAML"
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

Thank you for your help!


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...