Form SSO issue after upgrading to 13.1

[Jens Ostkamp]

Hey everyone,

 

I have already opened a support case with Citrix for this issue, but as it takes really long for them to answer and go through logs (already had some calls with them and it doesn't really seem to go forward), I thought to simultaneously ask here.

 

We have a pretty basic configuration for Exchange publishing - Content Switch in Frontend -> Loadbalancing (with Authentication enabled for webmail LB) -> LDAP Authentication -> SSO (with Traffic Profiles and Form SSO Profile) towards Webmail

 

This configuration worked perfectly with 12.1 major releases, after applying 13.1 most recent release, the SSO does not work anymore, ns.log tells me "Could not find Response Size in form of 60000" (i have configured the response size with 60000 as it is best practice from Citrix for Exchange 2016 and upwards).  Authentication Policies are already advanced and error message points towards something with the Form SSO Profile. I have already tried out different values (mostly bigger ones) with no success (same error message). When connecting directly towards OWA and checking Content-Length values, it always is below 60000 (mostly 58xxx). 

 

After authenticating at AAA Server the OWA Logonpage is displayed where I can enter credentials again and then I am logged into my webmail - but this is obviously not the best user experience

 

 

Did anyone encounter this issue after upgrading? When failovering towards the other appliance (active passive HA) where still 12.1 is installed, everything works just fine again. 

Doing the same configuration from scratch didn't change anything.

 

Thanks a lot in advance ?

 

Best Regards
Jens

[Gunther De Poortere]

Hi Jens,

 

This seems like yet another thing that's broken since 13.1. The response size of 60000 should be plenty indeed. Maybe worth checking is your Success Rule, which I usually set to:

 

HTTP.RES.SET_COOKIE.COOKIE("cadata").VALUE("cadata").LENGTH.GT(70)

 

If that's all good, I'm afraid you're going to be stuck with Ctx Support on this... Maybe it's a good idea to meanwhile downgrade to 13.0? I  can at least confirm that it is working on those builds.

 

Cheers,

G.

 

 

[Jens Ostkamp]

Hi Gunther,

 

thanks for your response. 

Yes the success rule is just as yours, i mean it is basically Citrix recommended configuration for OWA SSO and it worked throughout all the builds. Citrix Support still quiet / checking logs, so no progress here. Downgrading is an option, but we want to stick with 13.1, just hope it gets fixed. We don't use OWA that frequently so it is fine to leave it like that for a couple of weeks, but it is still a pain in the a.