
Azure AD as SAML IdP and Citrix ADC as SAML SP failing to SSON to Storefront in multi-domain environment

Bhavin Patel1709151904


SSON from netscaler to StoreFront failing.

Do I need an account for the user in both domains for this SSON to work in a multi-domain environment?

What happens after the UPN information is passed from NetScaler to the StoreFront server? Is StoreFront going to validate anything against domain A (user domain) or domain B (resource domain)?


Current Setup:
Two domains
Domain A (user domain; the user accounts are in this domain)
Domain B (resource domain; the SF/DDC servers are in this domain)
Both domains have a forest-level transitive trust.

Name Suffix Routing enabled on Domain A

Added the test user account and the StoreFront account to the Windows Authorization AD group in Domain A and Domain B


Netscaler Setup:

GW Server---AAA vServer ---GW server----Azure-SAML-auth-Policy---AzureIDP--NextFactor is LDAP (LDAP server Logon name attribute to use UPN/ authentication is disabled)


Upon logon to the Citrix portal (service provider), I am redirected to Azure AD (IdP);
after successful logon, the IdP issues a token and sends it to Citrix Gateway.
Everything works until here, but it fails to SSON from NS to SF:



A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: mfatest@test.com


Configure Azure AD as SAML IdP and Citrix ADC as SAML SP
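The StoreFront event pasted above is the one artifact in this thread that a defender can actually work from, so here is an added example (not code from the thread or from Citrix) that parses that event text into its parts: the exception chain, the HTTP status the authentication service returned, the verification reason, and the user's UPN. It then applies two triage rules that follow from the setup described above: a 403 with reason "Failed" means the credentials were rejected by the authentication service rather than by StoreFront itself, and a UPN suffix that does not belong to the resource forest means cross-forest name-suffix routing and the StoreFront machine account's read access in the user forest are the first things to check. The sample event is a constructed copy of the poster's log; the suffix list passed to `triage()` is an assumed placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a copy of the StoreFront event text posted in the thread.
SAMPLE_EVENT = """A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: mfatest@test.com
"""

# Each .NET exception header line looks like "<Type>Exception, <Assembly>, Version=..."
EXC_RE = re.compile(r"^([A-Za-z_][\w.]*Exception), [\w.]+, Version=", re.M)
HTTP_RE = re.compile(r"returned an error: \((\d{3})\)")
REASON_RE = re.compile(r"failed verification with reason: (\w+)")
USER_RE = re.compile(r"^user:\s*(\S+)", re.M)

# Short explanations for the triage codes returned by triage().
TRIAGE_TEXT = {
    "auth-service-rejected-credentials":
        "The CitrixAGBasic credentials were rejected (HTTP 403, reason Failed) by the "
        "StoreFront authentication service, not by the Gateway; check the SF auth logs.",
    "upn-suffix-foreign-forest":
        "The UPN suffix is not one of the resource forest's suffixes; verify name-suffix "
        "routing on the trust and the StoreFront machine account's read access "
        "(Windows Authorization Access Group) in the user forest.",
    "unclassified": "No rule matched; inspect the full event manually.",
}


@dataclass
class AGBasicFailure:
    exceptions: List[str]          # exception type names, outer to inner
    http_status: Optional[int]     # status code from the inner WebException, if any
    reason: Optional[str]          # verification reason, e.g. "Failed"
    user: Optional[str]            # user name as supplied to StoreFront

    @property
    def upn_suffix(self) -> Optional[str]:
        """Domain part of the UPN, lower-cased, or None if the user is not a UPN."""
        if self.user and "@" in self.user:
            return self.user.rsplit("@", 1)[1].lower()
        return None


def parse_agbasic_failure(text: str) -> AGBasicFailure:
    """Extract the structured fields from a 'CitrixAGBasic Login request has failed' event."""
    http = HTTP_RE.search(text)
    reason = REASON_RE.search(text)
    user = USER_RE.search(text)
    return AGBasicFailure(
        exceptions=EXC_RE.findall(text),
        http_status=int(http.group(1)) if http else None,
        reason=reason.group(1) if reason else None,
        user=user.group(1) if user else None,
    )


def triage(failure: AGBasicFailure, resource_domain_suffixes: List[str]) -> List[str]:
    """Classify the failure into triage codes (keys of TRIAGE_TEXT)."""
    notes = []
    if failure.http_status == 403 and failure.reason == "Failed":
        notes.append("auth-service-rejected-credentials")
    suffix = failure.upn_suffix
    if suffix and suffix not in {s.lower() for s in resource_domain_suffixes}:
        notes.append("upn-suffix-foreign-forest")
    return notes or ["unclassified"]


if __name__ == "__main__":
    failure = parse_agbasic_failure(SAMPLE_EVENT)
    print(f"user={failure.user} suffix={failure.upn_suffix} "
          f"http={failure.http_status} reason={failure.reason}")
    for exc in failure.exceptions:
        print("  exception:", exc)
    # "resource.local" is an assumed placeholder for domain B's UPN suffix.
    for code in triage(failure, ["resource.local"]):
        print(f"[{code}] {TRIAGE_TEXT[code]}")
```

Run it against a saved copy of the event (or point `SAMPLE_EVENT` at a file) to turn the wall of text into the three questions that matter here: who rejected the credentials, with which reason, and whether the UPN suffix is even the resource forest's own.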


Do you have the federation setup on the storefront site?


Any LDAP errors on the domain controllers?

Can the users in the same domain as the storefront servers get in?
Yes, I created a test account in both domains and it worked using the credentials of the account from the user domain (domain A), but no apps were available, so I had to provision apps to the account from the resource domain (domain B).


What happens after UPN information is passed from netscaler to storefront server? 

