Azure SAML thru Citrix Netscaler Citrix ADC failing with error on Storefront

resyrt erwtret


I'm getting the following error on my StoreFront:

The error message on StoreFront is:

A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.

ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)


So the whole auth flow is working... up until StoreFront denies it. I'm pretty sure all my StoreFront settings are OK and configured correctly. There is no FAS.

The only thing that may be uncommon is that I have two virtual gateways: one is https://fqdn and the other is https://fqdn:9443; this way, with a NAT, I can use the same public IP (this is for testing before implementing at the client). But it should work...


BUT, as always, you are correct @Carl Stalhood. Now I am getting an additional message:


CitrixAGBasic single sign-on failed because the supplied domain:   in invalid. This has two main causes, either;
The single sign-on domain specified in the Citrix Gateway console is invalid
If the domains are being restricted in the StoreFront console, then the domain:  is not present in the list of Trusted Domains.

Notice one thing: there is a blank where it talks about a domain. It's not censored or anything.


Make sure the Gateway Session Policy does not have an SSON Domain configured.

Your SAML assertions should provide the user's UPN. StoreFront should accept the UPN suffix in its list of Trusted Domains. I usually set StoreFront to accept all domains.

Then Windows needs to find a local Active Directory user with the same UPN.
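The advice above boils down to one check on the assertion the IdP sends: the NameID must be a UPN, and its suffix must be either in StoreFront's Trusted Domains list or covered by "accept all domains". The script below is an added diagnostic example, not code from the thread, Citrix or StoreFront: it parses a constructed SAML assertion, pulls the NameID, splits it into user and UPN suffix, and reports the same three outcomes StoreFront's message distinguishes, including the blank-domain case seen in the post (a NameID with no "@" suffix, e.g. a sAMAccountName sent instead of a UPN). The assertion XML, the domain names and the `trusted_domains` list are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (standard value, not specific to Citrix).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_name_id(assertion_xml):
    """Return the text of <saml:Subject>/<saml:NameID>, or None if absent/empty.

    Intended for assertions you captured from your own IdP while troubleshooting;
    the stdlib parser is used here for portability."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def split_upn(name_id):
    """Split 'user@suffix' into (user, suffix); suffix is '' when there is no '@'."""
    if not name_id or "@" not in name_id:
        return (name_id or "", "")
    user, _, suffix = name_id.rpartition("@")
    return (user, suffix.lower())


def check_trusted_domain(name_id, trusted_domains, accept_any=False):
    """Classify a NameID the way StoreFront's CitrixAGBasic check would.

    Returns (status, detail) where status is one of:
      'blank-domain'     - no UPN suffix at all (matches the blank in the thread's error)
      'untrusted-domain' - suffix present but not in the Trusted Domains list
      'ok'               - suffix accepted (listed, or accept_any=True)"""
    user, suffix = split_upn(name_id)
    if not suffix:
        return ("blank-domain",
                "NameID %r carries no UPN suffix; the IdP is not sending a UPN" % name_id)
    if accept_any or suffix in {d.lower() for d in trusted_domains}:
        return ("ok", "user=%s suffix=%s accepted" % (user, suffix))
    return ("untrusted-domain",
            "suffix %r is not in trusted domains %r" % (suffix, sorted(trusted_domains)))


def diagnose(assertion_xml, trusted_domains, accept_any=False):
    """Parse an assertion and classify its NameID; missing NameID counts as blank-domain."""
    name_id = extract_name_id(assertion_xml)
    if name_id is None:
        return ("blank-domain", "assertion has no Subject/NameID")
    return check_trusted_domain(name_id, trusted_domains, accept_any)


# --- constructed sample assertions (not real IdP output) ---------------------
def _assertion(name_id_xml):
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example/</saml:Issuer>'
        '<saml:Subject>' + name_id_xml + '</saml:Subject>'
        '</saml:Assertion>'
    )

# Good: NameID is a UPN whose suffix is in the trusted list.
SAMPLE_UPN_ASSERTION = _assertion(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'jdoe@corp.example</saml:NameID>')
# Bad: IdP sends a bare account name, so StoreFront sees an empty domain.
SAMPLE_SAM_ASSERTION = _assertion('<saml:NameID>jdoe</saml:NameID>')
# Bad: no NameID element at all.
SAMPLE_NO_NAMEID_ASSERTION = _assertion('')

if __name__ == "__main__":
    trusted = ["corp.example"]
    for label, xml in [("upn", SAMPLE_UPN_ASSERTION),
                       ("sam", SAMPLE_SAM_ASSERTION),
                       ("none", SAMPLE_NO_NAMEID_ASSERTION)]:
        status, detail = diagnose(xml, trusted)
        print("%-5s %-16s %s" % (label, status, detail))
```

Run it against an assertion exported from the IdP's test/trace tooling: a `blank-domain` result points at the IdP claim mapping (the NameID is not a UPN), while `untrusted-domain` points at the StoreFront Trusted Domains list or, as Carl suggests, at switching StoreFront to accept any domain.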
