Jump to content
Welcome to our new Citrix community!

Upgraded from 12.1 to 13.1 (and subsequently 14.1 as a test) Login issues post authentication


James Gant

Recommended Posts

So we have upgraded from 12.1 due to the latest raft of vulnerabilities, the update went smoothly however at 13.1-49-15 we hit 2 issues

 

1: After a user Authenticates and passes MFA challenge we immediately get on the web page a 'Cannot complete your request error

 

2 On the Workspace app the old app store does not work so we have to remove it and add it back again, this works for the first login but as soon as you sign out or time out you get 'Your apps are not available at this time and a refresh fails.  Then you must remove the store and add it back again.

 

Just in case this was a 13.1 specific bug I went up to 14.1-8.50  and hit the exact same issues again

 

Additional info - We use Azure MFA via NPS for 2 factor

Edited by James Gant
Link to comment
Share on other sites

Good Morning Carl

 

The man, the legend no less. As a side note your work has helped me a lot over the years so a personal hearty thanks from me.

 

I can't see any nFactor configuration set up at all.

 

This Netscaler was originally setup way back in the days of 10.1 and the only changes I can see that have been made since then were the addition of RADIUS and by extension NPS for MFA.

The MFA part does seem to be working as logging in fresh to the app works and I can see all the updates in the DC's NPS logs but I get same results from a Webpage launch and that has the 'Cannot complete your request' error.  I will add logging in internally which bypasses the MFA with a whitelist on NPS is fine on webpage and receiver.

 

I am using the rfwebui theme as I saw the older ones can cause some issues.

Link to comment
Share on other sites

5 hours ago, Carl Stalhood1709151912 said:

Are you configured for nFactor (Authentication Profile) instead of Basic policies on the Gateway?

So, Update.

 

I removed all the Session Profiles and Policies and redid them from scratch (using your documentation no less) and now the web version signs in no problem and can launch applications through the workspace app but the workspace app itself If you try and use it independently still has the issue of after signing in once, you sign out and then you can't get back in without removing the Account and adding it back so we are halfway there!.

 

Link to comment
Share on other sites

2 hours ago, Carl Stalhood1709151912 said:

Try this - https://support.citrix.com/article/CTX554245/ios-cwa-add-url-failed-error-could-not-verify-server-address

 

In Session Policy/Profile > Client Experience tab, set Idle Time-out and Session Time-out to 720 minutes.

Thanks for the update Carl, output looks correct re the link above

> show policy patset ns_vpn_client_useragents
        Default Patset: ns_vpn_client_useragents
        Description: ???
        Dynamic: NO

1)      Bound Pattern:  AGEE    Index:  1       Charset:        ASCII
2)      Bound Pattern:  CitrixReceiver  Index:  2       Charset:        ASCII
3)      Bound Pattern:  AGMacClient     Index:  3       Charset:        ASCII
4)      Bound Pattern:  Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0    Index:  4       Charset:        ASCII
5)      Bound Pattern:  Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0      Index:  5       Charset:        ASCII
 Done
 

 

I have made the other timeout changes you suggested as well.

Link to comment
Share on other sites

Capture.thumb.JPG.271fc3685c070b49b8f02d8e7df64f7f.JPG

No joy, rebooted the machine and still getting that when I launch Workspace.  I included the Config checker results from the workspace app.  It seems like Workspace just loses all the connection config to the App store, I mean you always had to reauthenticate but now I don't even get prompted to enter a username and password, it simply cannot see the store at all to even initiate the authentication.

postreboot.txt

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...