Posted

Seeing the same issue on two separate Netscaler / SF environments. Seemingly randomly, users get "Cannot complete request" after logging in to Netscaler with the new DUO OAuth MFA. This does not happen every time and does not seem to be browser related. Sometimes clearing the cache or using an incognito browser works, sometimes it does not.

On the SF side I see the three infamous errors:

Log Name: Citrix Delivery Services
Source: Citrix Domain Services
Date:
Event ID: 1
Task Category: (1501)
Level: Information
Keywords: Classic
User: N/A
Computer: 
Description:

An authentication attempt was made for user: username that resulted in: Failed (Windows Error Code: 1326)

Log Name: Citrix Delivery Services
Source: Citrix Authentication Service
Date: 
Event ID: 7
Task Category: (1005)
Level: Error
Keywords: Classic
User: N/A
Computer: 
Description:
CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: FirstName.LastName
domain:


Log Name: Citrix Delivery Services
Source: Citrix Receiver for Web
Date: 
Event ID: 10
Task Category: (3001)
Level: Error
Keywords: Classic
User: N/A
Computer: 
Description:
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.

On the Netscaler, no apparent issues in aaad.debug.

Netscaler version is 14.1 29.63, and on SF I tried both 2203 and 2402 with the same result.

Posted

Hey,

I'm having the same issue. I found out, looking at the running logs when the user logs in, that it shows up as an anonymous user. I noticed it will let you log in once, and after that you get the "cannot complete request".

I have also followed the documentation from Duo.

One thing that's consistent is that Duo authorizes the user every time. It's when it hands off back to the Netscaler.

Posted (edited)

With the help of another community member we have the issue resolved. To fix it:

1. In the login schema profile assigned to the nFactor virtual server, set the user credential index to 15 and the password credential index to 16.

ls.jpg

2. In the gateway vserver, create a traffic policy. In the profile for the traffic policy, set the following:

SSO User expression: AAA.User.Attribute(15)

SSO Password expression: AAA.User.Attribute(16)

Edited by dpalchu521
Posted
11 minutes ago, dpalchu521 said:

With the help of another community member we have the issue resolved. To fix it:

1. In the login schema profile assigned to the nFactor virtual server, set the user credential index to 15 and the password credential index to 16.

ls.jpg

2. In the gateway vserver, create a traffic policy. In the profile for the traffic policy, set the following:

SSO User expression: AAA.User.Attribute(15)

SSO Password expression: AAA.User.Attribute(16)

pr.jpg
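The two configuration steps above, rendered as NetScaler CLI commands. This is an added example and not part of any post in this thread or of Citrix/Duo documentation; the object names (ls_duo_oauth, ta_sso_duo, tp_sso_duo, gw_vs_duo) are assumptions, while the credential indexes 15 and 16 and the two SSO expressions are exactly the values the poster gives.

```nscli
# Added example (not from the thread). Assumed object names: ls_duo_oauth (the login
# schema already bound to the nFactor/AAA vserver), ta_sso_duo, tp_sso_duo, gw_vs_duo.

# Step 1: store the credentials the user typed in nFactor attributes 15 and 16,
# so they are still available after the Duo OAuth factor hands back to the gateway.
set authentication loginSchema ls_duo_oauth -userCredentialIndex 15 -passwordCredentialIndex 16

# Step 2: traffic action that reads those attributes back for CitrixAGBasic SSO to
# StoreFront, wrapped in a traffic policy and bound to the Gateway vserver.
add vpn trafficAction ta_sso_duo http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(15)" -passwordExpression "AAA.USER.ATTRIBUTE(16)"
add vpn trafficPolicy tp_sso_duo true ta_sso_duo
bind vpn vserver gw_vs_duo -policy tp_sso_duo -priority 100

# Check: both indexes and both expressions should show up in the output.
show authentication loginSchema ls_duo_oauth
show vpn trafficAction ta_sso_duo
```

After saving the configuration, the symptom to watch for on the StoreFront side is the trio from the first post (Event ID 1 with Windows error 1326, Event ID 7 "credentials failed verification", Event ID 10 with the 403 from the gateway callback); once the traffic policy supplies the real user name and password instead of an empty/anonymous identity, those events should stop appearing for Duo logons.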

Posted

Thanks for the update. I'm starting to see that a lot of people were having issues with this.

I knew it had to be extracting the attributes, because we keep getting "anonymous" in the logs. I was assuming we needed to enter a Cert Endpoint to decrypt the token and view the JWT. This actually works.

Here is a link I found a few minutes ago:

https://community.cisco.com/t5/protecting-applications/steps-missing-duo-for-netscaler-web/td-p/5208587
