
Netscaler and Exchange fails with https://testconnectivity.microsoft.com/ on rpc http 403 and Not a privileged User


Roel Niesen


Hello,

 

My set up.

 

I created a content switch vserver that has 2 content switch policy.

1) HTTP.REQ.HOSTNAME.CONTAINS("webmail.domain.com")

2) HTTP.REQ.HOSTNAME.CONTAINS("autodiscover.domain.com")

both using the action ac_exchange_https that target load balancing LB_VS_Exchange

The load balancing service exchange_https is pointing to the right exchange server.

We have only 1 Exchange server with all roles.

When the content switch isn't hit, the default switch is to use the Citrix Gateway.

This is working.

 

We are using 13.21 27.59nc

 

When we go externally to https://webmail.domain.com we can login to the webmail.

Active sync is also working from mobile devices.

When we configure outlook 2016 we get a credential screen that isn't going away.

We see this in the ns.log

 

Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8677 0 :  "HTTP method not recognized, dropping request, 16484"
Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8678 0 :  "Request dropped for host |webmail.domain.com| and  path |/rpc/rpcproxy.dll?8ee55dbc-5079-409e-856d-f34d59dd1f16@domain.com:6001|"
Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8679 0 :  "HTTP method not recognized, dropping request, 16484"
Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8680 0 :  "Request dropped for host |webmail.domain.com| and  path |/rpc/rpcproxy.dll?8ee55dbc-5079-409e-856d-f34d59dd1f16@domain.com:6001|"
 

My knowledge of Netscaler is not enough to debug this.

I tried:

https://norz.at/?p=1047

https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

https://support.citrix.com/article/CTX292743/configuration-syncpropagation-and-gslb-metrics-exchange-might-fail-after-upgrade-to-130-64x121-61x

https://www.jgspiers.com/citrix-fixes-netscaler/

 

But we don't use AAA.

 

In another place we used nginx for the content switch, and there we don't have any problems.

So it must be a setting in the Netscaler?

 

 

Any help is welcome.

 

Thanks

 

Roel Niesen

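An added example, not from the original post or from Citrix, that parses ns.log AAA audit lines of the shape quoted above and pairs each "Request dropped" event with the preceding "HTTP method not recognized" message, so the dropped host and path can be counted per reason when reviewing the syslog. The sample lines are the four from the post; the line layout the regex assumes is taken from them.

```python
import re
from collections import Counter

# Constructed sample: the four AAA audit lines quoted in the post above.
SAMPLE_NSLOG = """\
Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8677 0 :  "HTTP method not recognized, dropping request, 16484"
Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8678 0 :  "Request dropped for host |webmail.domain.com| and  path |/rpc/rpcproxy.dll?8ee55dbc-5079-409e-856d-f34d59dd1f16@domain.com:6001|"
Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8679 0 :  "HTTP method not recognized, dropping request, 16484"
Sep 18 14:54:15 <local0.info> 10.29.30.200  09/18/2022:12:54:15 GMT NSRH01 0-PPE-0 : default AAA Message 8680 0 :  "Request dropped for host |webmail.domain.com| and  path |/rpc/rpcproxy.dll?8ee55dbc-5079-409e-856d-f34d59dd1f16@domain.com:6001|"
"""

# Shape of an ns.log AAA audit line (assumed from the sample): <date> GMT <ns> <ppe> : <partition> AAA Message <id> 0 : "<text>"
AAA_LINE = re.compile(
    r'(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT (?P<ns>\S+) (?P<ppe>\S+) : '
    r'(?P<partition>\S+) AAA Message (?P<msgid>\d+) \d+ :\s+"(?P<text>[^"]*)"')
DROP_TEXT = re.compile(r'Request dropped for host \|(?P<vhost>[^|]*)\| and\s+path \|(?P<path>[^|]*)\|')
RPC_PREFIX = "/rpc/rpcproxy.dll"  # Outlook Anywhere (RPC over HTTP) endpoint, as in the dropped path

def parse_aaa_events(log_text):
    """One dict per AAA line; a 'Request dropped' event takes the AAA message directly before it (consecutive id) as its reason."""
    events, prev = [], None
    for line in log_text.splitlines():
        m = AAA_LINE.search(line)
        if not m:
            continue  # not an AAA audit line (SSL, TCP, CMD events, ...)
        ev = {"ts": m["ts"], "msgid": int(m["msgid"]), "text": m["text"],
              "vhost": None, "path": None, "reason": None}
        d = DROP_TEXT.search(ev["text"])
        if d:
            ev["vhost"], ev["path"] = d["vhost"], d["path"]
            if prev and prev["msgid"] == ev["msgid"] - 1 and prev["path"] is None:
                ev["reason"] = prev["text"]
        events.append(ev)
        prev = ev
    return events

def summarize_drops(events):
    """Count dropped requests per (reason, virtual host, path without query string)."""
    counts = Counter()
    for ev in events:
        if ev["path"] is not None:
            counts[(ev["reason"], ev["vhost"], ev["path"].split("?", 1)[0])] += 1
    return counts

def is_rpc_over_http(path):
    return path is not None and path.lower().startswith(RPC_PREFIX)

if __name__ == "__main__":
    for key, n in summarize_drops(parse_aaa_events(SAMPLE_NSLOG)).items():
        print(n, "dropped:", key, "[RPC over HTTP]" if is_rpc_over_http(key[2]) else "")
```

Running it over a real ns.log shows whether the drops are confined to the rpcproxy.dll path (the Outlook Anywhere traffic) or also hit /owa/ and /Microsoft-Server-ActiveSync, which narrows the problem to one request type.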

Not a privileged user is an indication of a deny authorization issue.

All Gateway user accounts are aaa users and aaa groups (as opposed to system users/groups, which are for admin rights). Whether you are using the vpn vserver only or vpn + authentication vserver, these are still "aaa" accounts. And this reflects an authorization allow/deny decision.

 

Authorization rights are assigned per aaa user or aaa group using authorization policies. Or they are set by the "default authorization action" within session policies.

When configuring the VPN vserver in full vpn mode (or ICA Proxy mode), you usually have a global "deny" authorization and then use policies to enable rights for all users of the vpn vserver OR per AAA group and these policies usually determine which destination networks (ips and ports) users can or can't reach. They can also be based on URLs.

Failure to account for a resource a user needs to reach, can result in fallback to the default deny authorization.

 

You still might be having an issue with content switching too, but check your syslog audit events.

Usually, though, if the issue is caused by no destination for traffic, CS will return a "service unavailable" message.

 

And confirm 1) the user's group membership, and the list of session and/or authorization policies applied to the AAA user or group and determine if there is anything else preventing that user request(s) from reaching a destination ip/port or a denied URL filter.

Start by confirming users belong to the groups you expect.

Review the list of session policies on the vpn vserver and the list of session and authorization policies assigned to applicable aaa users and groups, to see if content is missing.

 

It also looks like some of your requests may be HTTP and you are only processing HTTPS. But that is hard to confirm with the information presented.

If your cs vserver is on https:443, then you may also have no way to pass http:403 traffic.


Hello,

 

I'm using ICA Proxy mode only.

 

In the meantime I used an older version of Netscaler, 13.1.4.44nc.

I changed the content switch from the Citrix Gateway part to the traffic content switch.

 

Everything is working.

 

So one of the updates is causing the problem.

 

The content switch is redirecting all traffic from webmail.domain.com and autodiscover.domain.com to the internal Exchange server.

All other traffic is redirected to the Citrix Gateway.

 

This was working as expected, but not anymore after an upgrade.

 

I will figure out which upgrade has broken this.

 
