Error: "Cannot complete your request" when login to the Netscaler with SAML

[netorcurs]

hi, 

can someone give me a hint, i can't find an error in my saml configuration, when i log in i find the following in the storefront eventlog:

eventerrors: 3, 8 & 10

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Error when requesting with HTTP-Status 404: Not Found.

Thanks!

[Jeff Riechers]

Look under the Applications and services Logs under Citrix Delivery Service.  This usually is because you don't have delegation to NetScaler setup, or XML service not set to trust.

[netorcurs]

XML is trusted.

Eventlog - Error 10

 

Eine CitrixAGBasic-Anmeldeanforderung ist fehlgeschlagen.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.23.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   bei Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   bei Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Der Remoteserver hat einen Fehler zurückgegeben: (403) Unzulässig.
Url: https://127.0.0.1/Citrix/StoreSAMLAuth/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   bei System.Net.HttpWebRequest.GetResponse()
   bei Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   bei Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   bei Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

 

[Jeff Riechers]

Make sure you have loopback using http enabled.  As you are using the loopback there that IP won't match your https cert.

[netorcurs]

13 minutes ago, Jeff Riechers said:

Make sure you have loopback using http enabled.  As you are using the loopback there that IP won't match your https cert.

Can you explain to me what you mean exactly?
i find it strange that i don't get a 2 factor query, shouldn't that already appear before this error message?

[Jeff Riechers]

When you have the NetScaler set to use SAML, the external federated provider does all the MFA and then returns with the data to the Storefront URL.  

[Shruti Vijay Dhamale]

As per my understanding you have ICA proxy setup, with NetScaler Gateway set to perform SAML authentication. In this scenario , user would authenticate at the IDP , and then submit assertion to NetScaler Gateway. Either IDP has to return the credential which you can submit to storefront using traffic policy or on the store the option delegate authentication to NetScaler gateway is enabled. https://docs.citrix.com/en-us/storefront/3-12/configure-authentication-and-delegation/configure-authentication-service.html  

[netorcurs]

It was a problem with our dns, redirected it to a wrong store ...

Thanks for the help folks!