Bryan Ellis1709160379, posted September 16:

I have configured nFactor authentication, so the user logs on with username/password and selects a domain from a dropdown list. A group check is done and they are prompted for a 2nd factor if they are a member of a certain group. This mostly works in that they are prompted correctly; however, after the 2nd factor they get the error "cannot complete your request", with StoreFront saying "CitrixAGBasic single sign-on failed because the credentials failed verification with reason "Failedmissingdomain"". It also shows the credentials supplied, which show the username, but the domain is blank. The domains on the dropdown list are added as trusted domains in StoreFront, and the single sign-on domain in the session policy is unset. Has anyone seen this before?
Jonnathan Rojas Murillo, posted September 16 (edited):

@Bryan Ellis1709160379 Going only by your description, it sounds like you are overwriting the domain value in your second factor; since there is no domain, it is left blank and gets sent over to StoreFront that way. I suggest you check the schemas on that second factor for any domain values, or whether the authentication response in the second factor is sending a domain value for the user. The aaa debugs will likely be useful here (shell cat /tmp/aaad.debug) so that you can determine if the domain value is coming from the second factor's response. We can check further if you share more on the configuration, the schemas and the nFactor flow for starters.

Edited September 16 by Jonnathan Rojas Murillo
Michael Adam, posted September 17:

Hello @Bryan Ellis1709160379, maybe you can also use the UPN for the StoreFront login. Then the domain name is part of the username and StoreFront uses it successfully. In addition to @Jonnathan Rojas Murillo's suggestion, you can also save your domain value (in the LDAP server config) to an Attribute (1-16) in the first factor. If you need it later (2nd, 3rd, ... factor) you can use this value to build your username like 'attribute(1) + "\" + samAccountName'. There is also a built-in function for this. You can use it with AAA.USER.DOMAIN if you don't overwrite it with the following factors. Or you can use the domain value directly with AAA.LOGIN.DOMAIN to build your username with 'AAA.LOGIN.DOMAIN + "\" + samAccountName'.

Regards, Michael
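The UPN approach Michael describes, written out as an added Citrix ADC CLI configuration example (it is not from the thread and not any poster's own config): the first-factor LDAP action hands StoreFront the userPrincipalName instead of the bare sAMAccountName, so the domain travels inside the user name and a second factor that carries no domain value cannot blank it out. Server addresses, bind DN, object names and the schema file are placeholders; the StoreFront side still needs the UPN suffix listed as a trusted domain.

```citrix-adc-cli
# --- Factor 1: LDAP (username/password), domain chosen from the dropdown ---
# Weak variant (as in the thread): SSO name defaults to sAMAccountName, so the
# domain StoreFront sees depends on later factors preserving AAA.USER.DOMAIN.
#   add authentication ldapAction LDAP_CORP -serverIP 10.0.0.10 -ldapBase "dc=corp,dc=example" \
#       -ldapBindDn "cn=svc-ns,ou=service,dc=corp,dc=example" -ldapBindDnPassword <placeholder> \
#       -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
#
# Corrected variant: ssoNameAttribute makes the SSO user name the UPN
# (user@corp.example), so the domain is part of the name itself.
add authentication ldapAction LDAP_CORP -serverIP 10.0.0.10 -ldapBase "dc=corp,dc=example" \
    -ldapBindDn "cn=svc-ns,ou=service,dc=corp,dc=example" -ldapBindDnPassword <placeholder> \
    -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn \
    -ssoNameAttribute userPrincipalName
add authentication Policy POL_LDAP_CORP -rule true -action LDAP_CORP

# --- Factor 2: RADIUS passcode, only for members of the MFA group ---
add authentication radiusAction RADIUS_MFA -serverIP 10.0.0.20 -radKey <placeholder>
add authentication Policy POL_RADIUS_MFA -rule true -action RADIUS_MFA
# Schema that prompts for the passcode only; it collects no user name or domain,
# so it cannot overwrite the values captured in factor 1.
add authentication loginSchema LS_PASSCODE_ONLY \
    -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel PL_RADIUS_MFA -loginSchema LS_PASSCODE_ONLY
bind authentication policylabel PL_RADIUS_MFA -policyName POL_RADIUS_MFA -priority 100 \
    -gotoPriorityExpression NEXT

# --- Flow: factor 1 on the vserver, factor 2 reached via the policy label ---
bind authentication vserver AUTH_VS -policy POL_LDAP_CORP -priority 100 \
    -nextFactor PL_RADIUS_MFA -gotoPriorityExpression NEXT
```

The group check that decides whether PL_RADIUS_MFA is entered is left out here; it sits in the rule of the policy that leads to the label, not in the label itself.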
Amin Herbawi, posted September 18:

I am facing a similar problem. After configuring nFactor on Citrix Gateway (LDAP first factor + RADIUS second factor), StoreFront shows a "can't complete request" error, and Event Viewer has the following error logs:

Event 10: AG Basic login failed 403 forbidden
Event 7: sign-on failed because the credentials failed verification with reason: failed. The credentials supplied: username: xxxx domain: xxx.xxx

Please note that the Single sign-on credentials option is ticked under the AD schema profile.