
Authentication / Authorization Issue after Upgrade to 13.0-91.13


Steffen Rak


After updating our Citrix MPX from 12.1-65.35 to the latest 13.0-91.13, we have some strange authorization issues.
I'll briefly describe the different scenarios for the portal login...

 

1. Login with User, AD Password AND RSA On-Demand (SMS Token)

  • everything works as expected (RDP to different Windows Servers and SSO to Citrix Storefront works)

 
2. Login with User, AD Password AND RSA Hardware Token

  • Login is OK, but if I click on an RDP bookmark I get an "Error: Not a privileged User". In ns.log I see "AAA Client Handler: Found extended error code 589826". Also, Citrix SSO to the StoreFront website is not working

 

3. New test portal, Login with User and AD Password

  • Same as Scenario 2: RDP (Not a privileged User) and Citrix StoreFront SSO no longer work

 
In ns.log I can't find any suspicious information. In all three scenarios the user is authenticated and I see the correct group memberships for the authorization policies. I also changed the global default authorization policy to ALLOW, but it had no effect. I guess this is not an RSA issue. I can check the RSA Auth Monitor, and for Scenarios 1 and 2 the login process is identical. For the ADC the RSA login process (SMS or Hardware Token) is the same, with a small difference: for the SMS Token there is an additional page after the initial AD User/Password and SMS PIN page. So the question is, why is authorization working with the RSA SMS login, but not with the simple AD login?

Any ideas?


OK, after opening a ticket with Citrix support we found the issue. The update process from 12.1-65.35 to 13.0-91.13 changed the session policy expressions. After removing "&& REQ.HTTP.HEADER Referer EXISTS" in the expression section of the session policy, the issue is fixed.

  • Like 1
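
An added example (not from the thread or from Citrix): a check that scans a saved ns.conf for session policies whose rule still carries the `REQ.HTTP.HEADER Referer EXISTS` clause removed above, and shows each rule without it. The sample config, policy names and action names are constructed, and it assumes policies appear as `add vpn sessionPolicy <name> <rule> <action>` lines.

```python
import re
import shlex

# The clause the poster removed; whitespace and case are matched loosely.
REFERER = r"REQ\.HTTP\.HEADER\s+Referer\s+EXISTS"
HAS_REFERER = re.compile(REFERER, re.IGNORECASE)
# The clause together with the && joining it to a neighbour, on either side.
CLAUSE = re.compile(rf"\s*&&\s*{REFERER}|{REFERER}\s*&&\s*", re.IGNORECASE)

# Constructed sample, not taken from the thread.
SAMPLE_NS_CONF = '''\
add vpn sessionAction AC_WB_example -defaultAuthorizationAction ALLOW -SSO ON
add vpn sessionPolicy PL_OS_example "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" AC_OS_example
add vpn sessionPolicy PL_WB_example "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" AC_WB_example
'''

def find_referer_policies(conf_text):
    """Return (policy, action, rule, rule_without_clause) for every session
    policy whose rule requires a Referer header. rule_without_clause is None
    when the Referer test is the whole rule and needs a manual decision."""
    hits = []
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quote: skip rather than guess
            continue
        if len(tok) < 6:
            continue
        if [t.lower() for t in tok[:3]] != ["add", "vpn", "sessionpolicy"]:
            continue
        name, rule, action = tok[3], tok[4], tok[5]
        if not HAS_REFERER.search(rule):
            continue
        stripped = CLAUSE.sub("", rule).strip()
        if HAS_REFERER.search(stripped):
            stripped = None
        hits.append((name, action, rule, stripped))
    return hits

if __name__ == "__main__":
    for name, action, rule, stripped in find_referer_policies(SAMPLE_NS_CONF):
        print(f"{name} -> {action}")
        print(f"  current : {rule}")
        print(f"  proposed: {stripped or '(review manually)'}")
```

Running it against the ns.conf saved before and after an upgrade shows which session policies picked up the clause.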