dpalchu521 Posted October 10

Seeing the same issue on two separate Netscaler / SF environments. Seemingly randomly, users are getting "Cannot complete request" after logging in to Netscaler with the new DUO oauth MFA. This does not happen every time and does not seem to be browser related. Sometimes clearing cache or using an incognito browser works, sometimes it does not.

On the SF side I see the three infamous errors:

Log Name: Citrix Delivery Services
Source: Citrix Domain Services
Date:
Event ID: 1
Task Category: (1501)
Level: Information
Keywords: Classic
User: N/A
Computer:
Description: An authentication attempt was made for user: username that resulted in: Failed (Windows Error Code: 1326)

Log Name: Citrix Delivery Services
Source: Citrix Authentication Service
Date:
Event ID: 7
Task Category: (1005)
Level: Error
Keywords: Classic
User: N/A
Computer:
Description: CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed. The credentials supplied were; user: FirstName.LastName domain:

Log Name: Citrix Delivery Services
Source: Citrix Receiver for Web
Date:
Event ID: 10
Task Category: (3001)
Level: Error
Keywords: Classic
User: N/A
Computer:
Description: A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()
System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.

On the Netscaler there are no apparent issues in aaad.debug. Netscaler ver is 14.1 29.63, and for SF I tried both 2203 and 2402 with the same result.
ThinkingVirtually Posted October 14

Hey, I'm having the same issue. Looking at the running logs when the user logs in, I found that it shows up as an anonymous user. I also noticed it will let you log in once, and after that you get the "cannot complete request". I have also followed the documentation from Duo. One thing that's consistent is that Duo authorizes the user every time. It's when it hands it off back to the Netscaler.
dpalchu521 (Author) Posted October 15 (edited)

With the help of another community member we have the issue resolved. To fix it:

1. In the login schema profile assigned to the nFactor virtual server, set user credential index to 15 and password credential index to 16.
2. In the gateway vserver, create a traffic policy. In the profile for the traffic policy set the following:
   SSO User expression: AAA.User.Attribute(15)
   SSO Password expression: AAA.User.Attribute(16)
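
Added example, not part of the original posts: the two steps above written as NetScaler CLI commands. The object names (ls_duo_creds, trafact_sf_sso, trafpol_sf_sso, gw_vserver_placeholder), the policy rule "true" and the bind priority are assumptions; substitute the names from your own configuration.

```netscaler
# Placeholder names throughout; replace with the objects in your environment.

# Step 1: on the existing login schema profile used by the nFactor flow,
# store the typed username in attribute 15 and the password in attribute 16.
set authentication loginSchema ls_duo_creds -userCredentialIndex 15 -passwordCredentialIndex 16

# Step 2: traffic profile (action) that takes the single sign-on credentials
# from those two attributes. After the OAuth factor the session user can show
# up as "anonymous" (as reported in this thread), so the SSO to StoreFront
# needs the values captured in step 1.
add vpn trafficAction trafact_sf_sso http -userExpression "AAA.User.Attribute(15)" -passwdExpression "AAA.User.Attribute(16)"

# Traffic policy using that profile; the rule "true" (match all requests) is an assumption.
add vpn trafficPolicy trafpol_sf_sso true trafact_sf_sso

# Bind the policy to the gateway vserver; priority 100 is an assumption.
bind vpn vserver gw_vserver_placeholder -policy trafpol_sf_sso -priority 100

# Confirm what was stored.
show authentication loginSchema ls_duo_creds
show vpn trafficAction trafact_sf_sso
```

Attribute 16 holds the user's password for the lifetime of the AAA session, so limit the traffic policy to the back ends that need single sign-on.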
ThinkingVirtually Posted October 15

Thanks for the update. I'm starting to see that a lot of people were having issues with this. I knew it had to be extracting the attributes because we keep getting "anonymous" in the logs. I was assuming we needed to enter a Cert Endpoint to decrypt the token and view the JWT. This actually works. Here is a link I found a few minutes ago: https://community.cisco.com/t5/protecting-applications/steps-missing-duo-for-netscaler-web/td-p/5208587