
ADC Smart Access Cannot complete your request


Kent Söderlund


Hello!

Have a Secure Private Access setup with dual authentication in the AAA server, LDAP and SAML. Works perfectly.

Added Smart tags to be able to add to policies in DaaS, followed this to the letter: https://docs.citrix.com/en-us/citrix-secure-private-access/smart-access-using-adaptive-authentication.html

The EPA scan runs, enter user name and password, result: "Cannot complete your request"


In NS.Log:

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default SSLVPN Message 732436 0 :  "INFO NSVersion = NS13.1.12.131 Func = ns_nws_tunnel_bitpump_handler Clientip = 400a8c0:61605 Destip = a00000a:80 Sessid=0  Connection Id = (4f8b5be5c77876023c91c1532863c9_1704284_____0): Transaction Id =  CorrelationId =  [NS_AAUTH_TUNNEL] Entering bitpump for Connection1 => Src : 192.168.0.4:61605, Dst : 10.0.0.10:389 , Connection2 => Src : 20.240.129.76:1028, Dst : 20.82.250.84:443"

Sep  9 16:32:22 <local0.notice> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAA Message 732437 0 :  "sslvpn_aaad_login_handler : (0-632): sslvpn_aaad_login_handler: Reply Received, status from aaad: 2, aaad flags 81"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAATM Message 732438 0 :  "AAAD RESP: received resp,user: <commaxx\kent>, factor: <ldap>, trans id 254975, pcb trans id 254975, q_flags 1342210048 aaad-resp 2 aaad-flags 81"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default SSLVPN Message 732442 0 :  "marking authv2 session for user: <commaxx\kent>"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default SSLVPN Message 732443 0 :  "get_session user: <commaxx\kent>, aaa_info flags 240081 flags2 1f20000, new webview 0, sess flags2 200023, flags3 78040 flags4 400 ssoDomain <commaxx>, ssoUsername: <commaxx\kent>, ssoUsername2: <commaxx\kent>"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAA EXTRACTED_GROUPS 732444 0 :  Extracted_groups "sid:S-1-5-32-544,Administrators,sid:S-1-5-21-4002744311-4012841116-2026900095-518,Schema Admins,sid:S-1-5-21-4002744311-4012841116-2026900095-519,Enterprise Admins,sid:S-1-5-21-4002744311-4012841116-2026900095-512,Domain Admins,sid:S-1-5-21-4002744311-4012841116-2026900095-520,Group Policy Creator Owners,sid:S-1-5-21-4002744311-4012841116-2026900095-1106,ADSyncAdmins,sid:S-1-5-21-4002744311-4012841116-2026900095-2102,Citrix,FileExists"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default SSLVPN Message 732459 0 :  "Invalid hash attribute received 2 18"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default SSLVPN Message 732462 0 :  "SAMLIDP: LOGIN SUCCESS; Core <0>, adding SAML/OAUTH entry with action <AAuthAutoConfig_oauthIdpProf> in session for user <commaxx\kent>"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAATM LOGIN 732464 0 : Context commaxx\kent@83.68.247.229 - SessionId: 632 - User commaxx\kent - Client_ip 83.68.247.229 - Nat_ip "Mapped Ip" - Vserver 20.82.250.84:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - Group(s) "N/A"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAA Message 732469 0 :  "SmartAccess : No DeviceId  , will return error"

Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAATM LOGOUT 732477 0 : Context commaxx\kent@83.68.247.229 - SessionId: 632 - User commaxx\kent - Client_ip 83.68.247.229 - Nat_ip "Mapped Ip" - Vserver 20.82.250.84:443 - Start_time "09/09/2022:16:32:22 GMT" - End_time "09/09/2022:16:32:22 GMT" - Duration 00:00:00  - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "InternalError" - Group(s) "N/A"

Sep  9 16:32:25 <local0.info> 192.168.0.4  09/09/2022:16:32:25 GMT adaptive-auth-0 0-PPE-0 : default EVENT MONITORUP 732513 0 :  Monitor DBSMonServiceBinding_api.c.nssvc.net:443_(tcp-default)(vpndbssvc_628722048) - State UP

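To triage ns.log output like the lines above, here is an added Python example (not from the post or from Citrix) that parses the NetScaler syslog prefix, pairs each AAATM LOGIN with its LOGOUT by SessionId, and attributes the AAA "will return error" message, which carries no SessionId, to the session open at that moment. The sample lines are a constructed copy of three log lines from the post, with the browser string shortened.

```python
import re

# Constructed sample: three ns.log lines from the post above, browser string shortened;
# the backslash in domain\user is escaped for Python.
SAMPLE_LOG = """\
Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAATM LOGIN 732464 0 : Context commaxx\\kent@83.68.247.229 - SessionId: 632 - User commaxx\\kent - Client_ip 83.68.247.229 - Nat_ip "Mapped Ip" - Vserver 20.82.250.84:443 - Browser_type "Mozilla/5.0" - Group(s) "N/A"
Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAA Message 732469 0 :  "SmartAccess : No DeviceId  , will return error"
Sep  9 16:32:22 <local0.info> 192.168.0.4  09/09/2022:16:32:22 GMT adaptive-auth-0 0-PPE-0 : default AAATM LOGOUT 732477 0 : Context commaxx\\kent@83.68.247.229 - SessionId: 632 - User commaxx\\kent - Client_ip 83.68.247.229 - Nat_ip "Mapped Ip" - Vserver 20.82.250.84:443 - Start_time "09/09/2022:16:32:22 GMT" - End_time "09/09/2022:16:32:22 GMT" - Duration 00:00:00  - Http_resources_accessed 0 - LogoutMethod "InternalError" - Group(s) "N/A"
"""

# Common prefix of each NetScaler syslog line: timestamp, facility, source IP,
# GMT date, hostname, packet engine, then "partition module event msgid 0 : body".
HEADER = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d <[^>]+> \S+\s+\S+ GMT \S+ \S+ : "
    r"(?P<partition>\S+) (?P<module>\S+) (?P<event>\S+) (?P<msgid>\d+) \d+ :\s*(?P<body>.*)$"
)
SESSION_ID = re.compile(r"SessionId: (\d+)")
USER = re.compile(r" - User (\S+)")
LOGOUT_METHOD = re.compile(r'LogoutMethod "([^"]*)"')


def triage(log_text):
    """Map each AAATM SessionId to its user, the LogoutMethod of the matching
    LOGOUT, and any AAA error message logged while that session was open."""
    sessions, current = {}, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        module, event, body = m["module"], m["event"], m["body"]
        if module == "AAATM" and event in ("LOGIN", "LOGOUT"):
            sid = int(SESSION_ID.search(body).group(1))
            info = sessions.setdefault(sid, {"user": USER.search(body).group(1),
                                             "errors": [], "logout_method": None})
            if event == "LOGIN":
                current = sid
            else:
                info["logout_method"] = LOGOUT_METHOD.search(body).group(1)
                current = None
        elif module == "AAA" and "will return error" in body and current is not None:
            # AAA messages carry no SessionId, so attribute them to the open session.
            sessions[current]["errors"].append(body.strip('"'))
    return sessions


def failed_smartaccess_sessions(sessions):
    """SessionIds torn down with LogoutMethod InternalError right after a
    SmartAccess error: the signature of the login failure in this thread."""
    return sorted(sid for sid, s in sessions.items()
                  if s["logout_method"] == "InternalError"
                  and any(e.startswith("SmartAccess") for e in s["errors"]))
```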


Running into the exact same issue. Set up Adaptive Auth, set up a working nFactor flow to auth the users to LDAP and 2nd factor, works great. Can even put the users into an AAA group, but when we try to use that group with a SmartAccess Profile to tag the session we get "Cannot complete your request." We'll be working with a Citrix SME on Adaptive Auth tomorrow so hopefully we can get a resolution for both of us.


So it turns out there's a command that Citrix needs to run to add the Azure Graph API capability used by tags to your tenant. We got that part sorted out and now the login doesn't fail and tags are getting passed to the Cloud Workspace; we can publish a URL app based on the tag using Secure Private Access and see that the rule is working and the tag is making it as far as Workspace, but it's not making it down to the VDA, so something is not working between Workspace and the DaaS DDCs or between the DDCs and the VDA. Policy isn't being applied and when you look at the session in the Cloud Director it doesn't show any SmartAccess tags.


Alright, so there's a second flag that has to be set on your DaaS tenant to allow it to consume the Graph API tags to turn them into SmartAccess tags that can be used to filter policy. The Adaptive Auth SME was able to get the appropriate flag from the PM in charge of Adaptive Auth and apply it to ours (we had made him an admin on our tenant to set the other flag mentioned above) and now we are good. I strongly recommended to our SE that the automation routine that deploys the Netscaler appliances used for Adaptive Auth should be setting these two flags as 99% of customers using Adaptive Auth will probably be wanting to apply SmartAccess tags.
