Jump to content
Welcome to our new Citrix community!

How to single sign on to Storefront with O365 credentials and OAuth

Cindy Leong

Recommended Posts

I am using ADC 13.1 and Citrix Virtual Apps and Desktops/StoreFront 2203. 
A Unified Gateway is configured.
Basic authentication using LDAP to the Gateway is working fine.
The aim is to get single sign on to StoreFront working using O365 credentials.
I have an authentication policy that uses OIDC to authenticate, then uses the email address field to look up the user in AD with LDAP to extract the groups.
I can login to the Gateway and see the Gateway configured bookmarks but there are no published apps showing.

The Citrix Delivery Services event viewer on Storefront server gives the following error 
Log Name:      Citrix Delivery Services
Source:        Citrix Receiver for Web
Date:          27/09/2022 4:11:47 PM
Event ID:      10
Task Category: (3001)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxx
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

From aaad.debug I can see the authentication and group extraction is working.
Am I going about this the right way?
What am I missing to get this set up working?
Do I need Citrix Federated Authentication Service?


Link to comment
Share on other sites

I was also seeing these in the same  Citrix Delivery Services  event log on the Storefront server


"None of the AG callback services responded"



"The AG Web Service at: https://xxx/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 30/09/2022 5:27:28 AM
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the Citrix Gateway authentication service at https://portal-dev.qss.qld.gov.au/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The request was aborted: Could not create SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)"

as well as

"An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed."


I re- enabled TLS 1.0 and these errors went away but still no Apps being displayed.


I tried changing from Receiver for Web Sites > Advanced > Loopback = On to OnUsingHttp and no change in issue.

Link to comment
Share on other sites

  • 2 months later...



did you get this working?

What's your ultimate aim here? to use Azure MFA / Conditional access? why do you need O365 accounts rather than AD?

The way I'd do this is either...


1) Set up an NPS Server and use Azure NPS Extensions, then configure NetScaler to use RADIUS to talk to the NPS Server and use that way

2) Use SAML to talk to Azure AD, then FAS to configure SSO to the VDA, but this has issues if using Microsoft 365 Apps  - PRT may not be set correctly.


I prefer option 1 as there are less moving parts, but it has it's own downside (e.g. cannot change password on the NetScaler if it expires, etc)




Ken Z

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...