
StoreFront auth failing after successful login to NS Gateway


Keith Giles

Greetings all,

 

Working with NS 12.1 build 65.25, and running into what appears to be an issue with the NS passing credentials to SF.

 

We are in an MFA deployment (LDAP + RADIUS).

 

There are no problems logging into the gateway itself; the failures occur when things move to SF. Via the web, it says 'cannot complete your request' and in Receiver/WS it says 'incorrect name or passcode'.

 

I found the following logs for SF: 

The remote server returned an error: (403) Forbidden.
Url: https://127.0.0.1/Citrix/generalstorename/CitrixAGBasic/Authenticate


CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The odd thing is that the issue only occurs for folks in our OTP AD group. I have a decision block in my auth policy to present those in the OTP group with a different schema so they can manually type in a security code. All other users (using push notification auth) can get in just fine.

 

Did some digging online and tried the following, which resulted in no change:

 

  • Removed callback URL
  • Changed the credential index back and forth between Primary and Secondary
  • Ensured SSO was checked under Client Experience, correct domain configured
  • Verified SF has username/pw auth, domain pass-thru, and pass-thru from CTX GW all enabled
  • Bound OTP AD group to session policy 

 

I'm at a loss as to what to try next or what to look for.

 

If anyone can help, it would be most greatly appreciated!

 


On 1/12/2023 at 10:14 AM, Carl Stalhood said:

Do you have a Traffic Policy to send the correct password field to StoreFront? Or is the AD password Login Schema configured to be used as the SSON credentials?

Hey Carl, thanks.

 

I was able to get it working in Receiver for Web by enabling SSO credentials on the AD login schema. However, it's still not working through the Workspace app, even though they both use the same login schema. Any ideas why it would work for web and not Workspace?
