
"Failedmissingdomain" in storefront when using nFactor authentication on Netscaler Gateway


I have configured nFactor authentication, so the user logs on with username/password and selects a domain from a dropdown list. A group check is done and they are prompted for a 2nd factor if they are a member of a certain group. This mostly works, in that they are prompted correctly; however, after the 2nd factor they get the error "cannot complete your request", with StoreFront saying "CitrixAGBasic single sign-on failed because the credentials failed verification with reason "Failedmissingdomain"". It also shows the credentials supplied, which show the username, but the domain is blank. The domains on the dropdown list are added as trusted domains in StoreFront, and the single sign-on domain in the session policy is unset. Has anyone seen this before?

@Bryan Ellis1709160379 Going only by your description it sounds like you are overwriting the domain value in your second factor, since there is no domain it is left as blank and gets sent over to Storefront that way.

 

I suggest you check the schemas on that second factor for any domain values, or if the authentication response in the second factor is sending a domain value for the user.

 

The aaa debugs will likely be useful here (shell cat /tmp/aaad.debug) so that you can determine if the domain value is coming from the second factor's response.

 

We can check further if you share more on the configuration, the schemas and the nFactor flow for starters.

Edited by Jonnathan Rojas Murillo

Hello @Bryan Ellis1709160379

 

Maybe you can also use the UPN for StoreFront login. Then the domain name is a part of the username and StoreFront uses it successfully.

In addition to @Jonnathan Rojas Murillo, you can also save your domain value (in the LDAP server config) to an Attribute (1-16) in the first factor. If you need it later (2nd, 3rd, ... factor) you can use this value to build your username like 'attribute(1) + "\" + samAccountName'. There is also a build function for this. You can use it with AAA.USER.DOMAIN if you don't overwrite it with the following factors.

Or you can use the domain value directly with AAA.LOGIN.DOMAIN to build your username with 'AAA.LOGIN.DOMAIN + "\" + samAccountName'.

 

Regards,
Michael
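As an added illustration, not code from anyone in this thread, a constructed NetScaler CLI fragment that applies the UPN suggestion above: the first factor's LDAP action sets the SSO name to userPrincipalName (so the domain travels inside the username) and also saves it to Attribute1 for later factors, and only the first factor's login schema is flagged -ssoCredentials YES, so the RADIUS second factor cannot overwrite what is forwarded to StoreFront. All object names, IPs, secrets and the vserver name are placeholders, and the flags are standard NetScaler CLI options as I know them; check them against your firmware's CLI reference.

```nscli
# First factor: LDAP. -ssoNameAttribute makes the SSO username the UPN
# (user@domain.tld); -Attribute1 keeps the same value for later factors
# (readable there as AAA.USER.ATTRIBUTE(1)). IPs/passwords are placeholders.
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword PLACEHOLDER -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userPrincipalName -Attribute1 userPrincipalName
add authentication Policy ldap_pol -rule true -action ldap_act

# Login schema for factor 1. -ssoCredentials YES marks THIS factor's
# credentials as the ones sent to StoreFront (CitrixAGBasic).
add authentication loginSchema ls_first -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml" -ssoCredentials YES

# Second factor: RADIUS on a policy label whose schema does NOT claim SSO,
# so its (domain-less) response cannot replace the first factor's identity.
add authentication radiusAction rad_act -serverIP 10.0.0.20 -radKey PLACEHOLDER
add authentication Policy rad_pol -rule true -action rad_act
add authentication loginSchema ls_second -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml" -ssoCredentials NO
add authentication policylabel lbl_second -loginSchema ls_second
bind authentication policylabel lbl_second -policyName rad_pol -priority 100

# Chain the factors on the AAA vserver (auth_vs is a placeholder name).
bind authentication vserver auth_vs -policy ldap_pol -priority 100 -nextFactor lbl_second -gotoPriorityExpression NEXT
```

After applying this, the credentials block in the StoreFront event (username/domain) is the quickest place to confirm that the UPN, not a bare sAMAccountName, is now arriving.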

I am facing a similar problem.

After configuring nFactor on Citrix Gateway (LDAP first factor + RADIUS second factor),

StoreFront shows a "can't complete request" error, and Event Viewer has the following error logs:

Event 10: AG Basic login failed 403 forbidden

Event 7: sign-on failed because the credentials failed verification with reason: failed

The credentials supplied:

username: xxxx

domain: xxx.xxx

 

Please note that the "Single sign-on creds" option is ticked under the AD schema profile.

 
