WorkspaceApp with ADC & FAS & SAML2 AzureMFA


Sergiu-Konrad Kork

Hi,

Having an issue with Workspace App discovery.

Background:

Added AzureMFA using SAML2 (nFactor, but only a single auth policy) and FAS over Netscaler (13.1).

Everything works just fine over WEB.

Also, everything works just fine over WorkspaceApp when using the "Activate receiver" approach from the web based logon (dld the file, load it in WorkspaceApp).

However, no attempt to manually configure the store in WorkspaceApp was successful.

After putting in the company address, it gets redirected to AzureMFA. The auth is done, and successful.

Next, I get a prompt stating "incorrect domain" on the WorkspaceApp.

On the StoreFront, I get this error:

Log Name:      Citrix Delivery Services
Source:        Citrix Authentication Service
Date:          24.08.2023 13:12:49
Event ID:      6
Task Category: (1005)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      <xxxxxxxxxxxxxxx>
Description:
CitrixAGBasic single sign-on failed because the supplied domain:  is invalid. This has two main causes, either;

The single sign-on domain specified in the Citrix Gateway console is invalid.

or

If the domains are being restricted in the StoreFront console, then the domain:  is not present in the list of Trusted Domains.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Authentication Service" />
    <EventID Qualifiers="0">6</EventID>
    <Level>2</Level>
    <Task>1005</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2023-08-24T11:12:49.551674400Z" />
    <EventRecordID>18673</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>xxxxxxxxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>CitrixAGBasic single sign-on failed because the supplied domain:  is invalid. This has two main causes, either;

The single sign-on domain specified in the Citrix Gateway console is invalid.

or

If the domains are being restricted in the StoreFront console, then the domain:  is not present in the list of Trusted Domains.</Data>
  </EventData>
</Event>

Now the store in StoreFront has no domain restrictions. Trusted domains is set to the default "any".

The session policy in Netscaler has nothing listed as the SSO domain, it is empty. (I tried, for the sake of it, to put in the SSO domain in the session profile - but this resulted in a WorkspaceApp prompt "the required password is missing" and on StoreFront the error "CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity.")

Any ideas?


  • 3 months later...

I have experienced a similar issue. Turns out the problem was because we had multiple stores in StoreFront, and the particular store (FAS auth enabled) used by the Gateway had the 'Advertise Store' setting configured as 'Hide Store', and another store (FAS NOT enabled) had the setting configured as 'Advertise Store'. That means the Citrix Workspace App was trying to authenticate to the wrong store.

Hope this helps someone in the future.

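For triaging the two StoreFront errors quoted in this thread, the following is an added example (not part of the original posts and not Citrix code) that classifies CitrixAGBasic single sign-on failures from exported event XML. The category names, the `_event` helper and the sample events are assumptions, constructed from the two messages quoted above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DOMAIN_RE = re.compile(r"supplied domain:(.*?)is invalid", re.S)
CRED_RE = re.compile(r"credentials failed verification with reason:\s*(\w+)")

def classify_agbasic_event(event_xml):
    """Return (category, detail), or None if this is not a CitrixAGBasic SSO failure."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS)
    data = root.find("e:EventData/e:Data", NS)
    if provider is None or data is None:
        return None
    if provider.get("Name") != "Citrix Authentication Service":
        return None
    text = data.text or ""
    if "CitrixAGBasic single sign-on failed" not in text:
        return None
    m = DOMAIN_RE.search(text)
    if m:
        domain = m.group(1).strip()
        # An empty value means no domain reached StoreFront at all,
        # which is the case reported in this thread.
        return ("empty_domain", "") if not domain else ("rejected_domain", domain)
    m = CRED_RE.search(text)
    if m:
        return ("credential_verification", m.group(1))
    return ("other", text.strip().splitlines()[0])

def _event(message, provider="Citrix Authentication Service"):
    # Constructed minimal event, shaped like the Event Xml quoted in the thread.
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}" />'
            f'</System><EventData><Data>{message}</Data></EventData></Event>')

# Constructed samples reusing the two error messages from the original post.
SAMPLES = [
    _event("CitrixAGBasic single sign-on failed because the supplied domain:  "
           "is invalid. This has two main causes, either;"),
    _event("CitrixAGBasic single sign-on failed because the credentials failed "
           "verification with reason: FailedPasswordComplexity."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_agbasic_event(sample))
```

An `empty_domain` result matches the failure in the original post, which the reply above traced to Workspace App authenticating against a store other than the FAS-enabled one.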
