
Citrix ADC and Azure SAML to Storefront


Ilea Mueller


I have set up Citrix and ADC with just a simple LDAP policy => everything works.

Now I want to do Azure SAML for MFA and followed this link:
https://www.deyda.net/index.php/en/2022/08/18/saml-authentication-between-citrix-microsoft-with-azure-mfa/?unapproved=719&moderation-hash=5c01bb8af950388b2322c76362aa8598#comment-719

Now when I try to log in through the web I get:

Quote

"cannot complete your request"

and on the Delivery Controller, which is also the StoreFront server and FAS, I get the following in the logs:

Quote


An authentication attempt was made for the user 'o365@xxxx.xx' with the context '<unknown>' and the result: Failed (Windows error code: -1073741715) "FASLogonDataProvider".

CitrixAGBasic-Single Sign-On failed because the login credentials could not be verified due to the following reason: Failed.

The provided login credentials were: User: o365@xxxx.x Domain:

Quote

A CitrixAGBasic login request has failed. Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.23.0.0, Culture=neutral, PublicKeyToken=null Authenticate encountered an exception. at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied) at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 The remote server returned an error: (403) Forbidden. URL: https://127.0.0.1/Citrix/workplaceAuth/CitrixAGBasic/Authenticate ExceptionStatus: ProtocolError ResponseStatus: Forbidden at System.Net.HttpWebRequest.GetResponse() at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req) at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable1 acceptedResponseTypes, IDictionary2 additionalHeaders) at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)


The delegation on StoreFront is set to Citrix Gateway.

On the ADC the session policy is empty for single sign-on -> tried also with domain.


I think my problem is with how the username is handled. On the Azure AD Enterprise Application it is set to UPN.
The SAML authentication process works with o365@domain.tld,
but NetScaler doesn't seem to pass it through correctly to StoreFront.
When I log in directly to the StoreFront server https://storefront.domain.tld with username input o365@domain.tld I can log in without problems.

But in the Security log I see the login as follows:

Quote

Applicant:
Security-ID: intranet-domain\o365
Account name: o365
Account domain: intranet-domain
Logon ID: 0x419D342



My domain is intranet.domain.tld but the pre-Windows 2000 name is like intranet-domain.

When I log in via the Citrix Gateway https://gateway.domain.tld
I get the following in the Security log:

Quote

Failed to log in to an account.

Applicant:
Security ID: Network Service
Account Name: storefront-srv$
Account Domain: INTRANET-MOPAC
Logon ID: 0x3E4

Logon Type: 3

Account that failed to log in:
Security ID: NULL SID
Account Name:
Account Domain:

Error Information:
Failure Reason: Unknown username or invalid password.
Status: 0xC000006D
Substatus:: 0xC0000064

Process Information:
Caller Process ID: 0x2ca8
Caller Process Name: C:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe

Network Information:
Workstation Name: storefront-srv
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: CtxDS
Authentication Package: Kerberos
Transited Services: -
Package Name (only NTLM): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The applicant fields indicate the account on the local system that requested the login. This is usually a service like the Server service, or a local process such as "Winlogon.exe" or "Services.exe".

The logon type field indicates the specific type of logon. The most common types are 2 (interactive) and 3 (network).

The process information fields indicate the process and account for which the login was requested.

The network fields indicate the source of a remote logon request. The workstation name is not always available and in some cases may be left blank.

The authentication information fields contain detailed information about this specific logon request.
- The transited services indicate which intermediary services were involved in the logon request.
- The package name indicates the sub-protocol used in the NTLM protocols.
- The key length indicates the length of the session key generated. If no session key was requested, this value is 0.


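An added example (not from the thread, from Citrix, or from the linked article) that decodes the two error codes quoted in the posts above. The FAS log's "Windows error code" -1073741715 is the signed 32-bit form of NTSTATUS 0xC000006D (STATUS_LOGON_FAILURE), and the event 4625 Sub Status 0xC0000064 is STATUS_NO_SUCH_USER; read together with the empty Account Name in the "Account that failed to log in" section, that points at the username rather than the password. The script normalises both notations, parses a 4625 body and reduces it to a one-line diagnosis. The sample event is constructed from the excerpt above, keeping its translated field names ("Applicant" is the English event's "Subject") and the "Substatus::" spelling; the diagnosis wording is mine, not Citrix's.

```python
import re

# NTSTATUS values that show up as Status / Sub Status in Windows event 4625
# and as the "Windows error code" in the Citrix FAS log (values from ntstatus.h).
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",      # generic "unknown user name or bad password"
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",       # the account name did not resolve in the domain
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
}


def to_ntstatus(code):
    """Normalise an error code to an unsigned 32-bit NTSTATUS.

    FAS logs the code as a signed decimal (-1073741715); event 4625 prints it
    as hex (0xC000006D). Both are the same 32-bit pattern.
    """
    if isinstance(code, str):
        code = code.strip()
        code = int(code, 16) if code.lower().startswith("0x") else int(code, 10)
    return code & 0xFFFFFFFF


def describe(code):
    """Symbolic name plus hex for a code given in either notation."""
    value = to_ntstatus(code)
    return f"{NTSTATUS.get(value, 'UNKNOWN')} (0x{value:08X})"


# Constructed sample: the event 4625 body from the thread, with its translated
# field names ("Applicant" for Subject) and the "Substatus::" spelling kept so
# the parser copes with what an operator actually pastes into a ticket.
SAMPLE_4625 = r"""
Applicant:
Security ID: Network Service
Account Name: storefront-srv$
Account Domain: INTRANET-MOPAC
Logon ID: 0x3E4

Logon Type: 3

Account that failed to log in:
Security ID: NULL SID
Account Name:
Account Domain:

Error Information:
Failure Reason: Unknown username or invalid password.
Status: 0xC000006D
Substatus:: 0xC0000064

Process Information:
Caller Process ID: 0x2ca8
Caller Process Name: C:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe

Detailed Authentication Information:
Logon Process: CtxDS
Authentication Package: Kerberos
"""


def _field(name):
    # One "Label: value" line. [ \t] rather than \s so an empty value does not
    # swallow the next line; ":+" tolerates the doubled colon in "Substatus::".
    return re.compile(rf"^[ \t]*{name}[ \t]*:+[ \t]*(.*?)[ \t]*$", re.MULTILINE | re.IGNORECASE)


def parse_4625(text):
    """Pull the fields that matter for a CtxDS logon failure out of a 4625 body."""
    def first(name):
        m = _field(name).search(text)
        return m.group(1) if m else ""

    # The first "Account Name" belongs to the Subject (the service requesting the
    # logon); the second is the account that actually failed.
    names = _field("Account Name").findall(text) + ["", ""]
    status, substatus = first("Status"), first(r"Sub ?Status")
    return {
        "subject": names[0],
        "target": names[1],
        "logon_process": first("Logon Process"),
        "auth_package": first("Authentication Package"),
        "caller": first("Caller Process Name"),
        "status": to_ntstatus(status) if status else None,
        "substatus": to_ntstatus(substatus) if substatus else None,
    }


def diagnose(ev):
    """Reduce a parsed event to the one-line reading an engineer puts in the ticket."""
    if ev["logon_process"].lower() != "ctxds":
        return "not a StoreFront domain-services logon; look at a different event"
    if ev["substatus"] == 0xC0000064 and not ev["target"]:
        return ("STATUS_NO_SUCH_USER with an empty Account Name: StoreFront asked the "
                "domain to validate a credential that carried no username, so whatever "
                "the gateway sent as the user identity never arrived in a usable form")
    if ev["substatus"] == 0xC0000064:
        return f"STATUS_NO_SUCH_USER for '{ev['target']}': the name does not exist in this domain"
    if ev["substatus"] == 0xC000006A:
        return f"STATUS_WRONG_PASSWORD for '{ev['target']}': the user exists, the secret is wrong"
    return describe(ev["substatus"]) if ev["substatus"] is not None else "no Sub Status present"


if __name__ == "__main__":
    print(describe(-1073741715))          # the FAS "Windows error code" from the thread
    event = parse_4625(SAMPLE_4625)
    print(event["subject"], "->", repr(event["target"]), describe(event["substatus"]))
    print(diagnose(event))
```

The useful check is the Sub Status, not the Status: 0xC000006D is what every failed logon reports, while 0xC0000064 versus 0xC000006A tells you whether the domain ever recognised the name. A 4625 raised by CtxDS with STATUS_NO_SUCH_USER and a blank target account is therefore a StoreFront/gateway username-handling problem, and retrying passwords or MFA on the Azure side will not change it.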

Got it working with this one:
https://support.citrix.com/article/CTX289511/cannot-complete-your-request-error-only-occurs-to-certain-users-connecting-from-adc-with-azure-mfa-over-to-storefront

