
Bruce McDonald

Legacy Group
  • Posts: 44
  • Days Won: 1

Posts posted by Bruce McDonald

  1. On 11/26/2019 at 8:42 AM, GianMarco Occhionero1709155336 said:

    Take a look at the LogoffCheckSysModules reg key. You will have to create it (I recommend via GPO) and include the process names that are preventing logoff.

    https://support.citrix.com/article/CTX891671

    Thanks for the link, but this is not my problem unfortunately. Your link to the Citrix article says this: "Sessions can be reset or exited correctly by manually resetting them, or by terminating remnant user processes in Terminal Services Administration, the Management Console, or Access Suite Console", but with Citrix ghost sessions, which is what I was experiencing, there is no way that I have found to terminate the hung sessions; only a reboot of the server terminates them.

     

    Anyway, my problem is now resolved. I upgraded to 7.15 LTSR CU4 and the problem has disappeared.
  2. 5 minutes ago, Penta Penta said:

    Hello,

     

    I'm so happy as my issue is fixed now!

    FYI, the problem was actually caused by a backend setup problem in my FAS deployment.

    Once I fixed this, I could access my LB backend SF without any further issue and enumerate my published resources as expected.

    Also, single sign-on to my published resources works too now, which was not expected at such an early stage.

     

    The NetScaler/StoreFront setup was never to blame there, as it was done by the book, but I had to use Wireshark captures between NetScaler and StoreFront and also enable verbose logs in StoreFront to realize the FAS setup was the actual issue.

     

    Thank you bmcdona388 for your kind and patient help.

    Have a great week-end in advance.

    Not sure I helped that much, but I'm glad it's working for you. Good job on working it out.

  3. 6 hours ago, Penta Penta said:

    I have tried by all possible means to get this to work but it's currently just NOT working, just as though there was a software or hardware limitation beyond my control. I have recreated the whole NetScaler from scratch.

    No problem with LDAP/Radius auth policies at all however, and internally all's working exactly as expected. Always those damn 10 and 7 errors logged eventually!

    Would there be a limitation with the use of SAML related to the license version of Netscaler used ? We have a Standard license only and I cannot think of anything else at this stage.

    I am also running the Standard licence version of NetScaler, so it's not that. I suspect it's something in your NetScaler that's causing you the grief.

    If you followed this guide https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-NetScaler-Gateway.html then perhaps you may need to put a ticket in with Okta. I'm not sure they can help you much, but it's worth a try.

    I would go back over your Netscaler setup. 


  4. 1 hour ago, Penta Penta said:

    Could you please tell me how and where you did this in the Okta admin portal ? as that's exactly what I'm trying to do. So far no luck with this.

    Storefront still displays the same username in the error log..

    Sure, so in Okta > Admin > Directory > Directory Integrations > Active Directory > Settings > Import and Provisioning > Okta username format.

    [screenshot]

    Sorry for any confusion, I don't think this is what you were after; it's been a while since I looked at this. I have the above set to sAMAccountName, but that probably doesn't really matter because that's just authenticating into Okta.

     

    I also have sAMAccountName set in my Citrix published app in Okta. Hope this helps.

    [screenshot]

  5. 50 minutes ago, Penta Penta said:

    Hello bmcdona388,

     

    it seems there's indeed a mismatch between the credentials supplied to the Citrix Authentication service (sAMAccountName) and what Okta needs to complete successful AD integration authentication.

    Which is why I'm getting that "CitrixAGBasic single sign-on failed" error log:
     

    user: test (sAMAccountName)

    domain: DOMAIN

     

    What Okta needs for this is the UPN (test@domain.local), not the sAMAccountName (test).

     

    When I test the delegated authentication from the Okta admin portal, I can only login when the UPN (test@domain.local) is used. 

    If I try to use the sAMAccountName instead (test), authentication is rejected.

     

    If I could find a means for this to be passed onto the Citrix Authentication service, then the issue would be fixed I guess.

     

    Can you change Okta to log in with sAMAccountName, or is that not possible? That's how I set my environment up.

  6. 27 minutes ago, Penta Penta said:

    Hello bmcdona388,

     

    I actually had tried your solution yesterday and did it just now again. And I have the exact same setup as you!

    After performing the changes in the Session Profile's published app tab (single sign-on domain) and adding the same value as a trusted domain in the storefront authentication settings, I still have the same errors popping up on my storefront event viewer. I have also verified the full cred validation delegation in the pass-through from Netscaler Gateway method is checked.

     

    I can see an information log with event ID 1 is also shown with the following content, which is probably the result of the event ID 7 error, I guess:

    "An authentication attempt was made for user: DOMAIN\test with realm context <unknown> that resulted in: Failed  (Windows Error code: -1073741715)"

     

    The event ID 7 error has now turned into:

    "CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

    The credentials supplied were;
    user: test
    domain: DOMAIN"

     

    I'm clueless at this stage and would appreciate any further hint in the right direction from you or any other Citrix expert.

    Thank you in advance.

     

     

     

    OK, so, have you set your NetScaler Gateway Session Profile Single Sign-on Domain to your USERDOMAIN? And have you also set, on StoreFront, under Manage Authentication Methods > User name and password > Configure Trusted Domains, your USERDOMAIN? Also, whilst still logged onto StoreFront, make sure under Configure Delegated Authentication that pass-through from NetScaler Gateway is ticked?

     

    I just re-read your reply and it looks like you have the above set right?

     

    Have you configured a call back URL?

     

    Are you passing sAMAccountName or UPN? If UPN, change to sAMAccountName in Okta (change the Okta config to pass the sAMAccountName back to NetScaler instead of UPN).

  7. 3 hours ago, Penta Penta said:

    Hello,

     

    Would there be anyone kind enough to help with the required setup? I've been fighting with this for 2 days now and I'm just going round in circles.

    I'm trying to log into Netscaler using Okta and SAML 2.0.

    I have followed the Okta procedure.

    I have followed the NetScaler/Storefront/FAS setup procedure step by step, word by word and I'm still even unable to enumerate the apps through NetScaler.

     

    I'm not even looking for SAML single sign-on at this stage (using FAS), needless to say.

     

    Every time I log in, I always get the meaningless "cannot complete request" error message and my storefront server shows error logs 10 and 7.

    I have changed the setup in all the different ways I could think of, but no luck still.

    I have disabled SSO in my session profiles' published apps, and have the callback URL and the NetScaler full delegated authentication enabled, among others.

    I'm helpless at this stage.

     

    Here is the content of the error message I'm getting for event ID 7, Citrix Authentication Service:

     

    CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

    The credentials supplied were;
    user: test@domain.local
    domain: (it's blank)

     

    Thanks in advance for your assistance.

    It certainly takes a bit to get your head around how to set this up. Since I posted on this forum I have ditched OneLogin and now I'm using Okta in the business I work for. I'm now running Citrix 7.15 LTSR CU4 with NetScaler VPX 12 and FAS.

     

    The way I got my setup to work was by doing this; hope this helps.

     

    Change the domain used in the NetScaler Session Policy / Session Profile to "MYCORP" and do the same on StoreFront under Manage Authentication Methods / Trusted domains. You must use the "USERDOMAIN", not the "USERDNSDOMAIN" like we usually use. You can see what these values are by going to a command prompt and typing "SET U". For our example above we have a USERDNSDOMAIN of MYCORP.COM and a USERDOMAIN of MYCORP. Leave the .com or .local or whatever off. Secondly, in StoreFront under Manage Authentication Methods, Domain pass-through from NetScaler Gateway, Configure Delegated Authentication, check "Fully delegate credential validation to NetScaler Gateway". After these two steps are done, applications will enumerate upon logon from Okta via NetScaler SAML.
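The posts above converge on one rule for the StoreFront "CitrixAGBasic single sign-on failed" (Event ID 7) error: NetScaler Gateway and StoreFront must be handed the sAMAccountName plus the NetBIOS domain (USERDOMAIN, e.g. MYCORP), not a UPN and not the DNS domain (USERDNSDOMAIN, e.g. MYCORP.COM). The following is an added triage helper, written for this edit and not code from the thread or from Citrix: it parses the `user:` and `domain:` lines out of the event text and reports which of those mistakes it sees. The sample messages are constructed from the event text quoted in the posts (the MYCORP.COM / FailedPasswordComplexity sample combines two details from different posts and is an assumption, not a logged event), and the `ADVICE` strings paraphrase the thread's fixes. Pulling the messages out of the event log (for example with `Get-WinEvent` on the StoreFront server) is left to the reader; the script only handles the message text.

```python
"""Triage StoreFront Event ID 7 'CitrixAGBasic single sign-on failed' messages.

Added example, not from the original thread. Classifies the credential shape
against the thread's advice: sAMAccountName + NetBIOS domain (USERDOMAIN) is
what NetScaler Gateway / StoreFront expect; a UPN, a blank domain, or a DNS
domain (USERDNSDOMAIN) point at an IdP or Session Profile misconfiguration.
"""
import re
from dataclasses import dataclass

# Constructed samples modelled on the event text quoted in the thread; not real logs.
SAMPLE_UPN_BLANK_DOMAIN = """CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.
The credentials supplied were;
user: test@domain.local
domain: """

SAMPLE_SAM_NETBIOS = """CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.
The credentials supplied were;
user: test
domain: DOMAIN"""

# Assumed combination: the DNS-style domain from one post, the reason string from another.
SAMPLE_SAM_DNSDOMAIN = """CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity.
The credentials supplied were;
user: test
domain: MYCORP.COM"""

# Finding codes -> the fix the thread recommends for each.
ADVICE = {
    "UPN_IN_USER": "user field holds a UPN: configure the IdP (Okta/OneLogin) to release sAMAccountName, not UPN",
    "DOMAIN_BLANK": "domain is blank: set 'Single Sign-on Domain' in the NetScaler Gateway Session Profile to USERDOMAIN",
    "DNS_DOMAIN": "domain looks like USERDNSDOMAIN: use the NetBIOS USERDOMAIN (drop the .com/.local suffix) in the "
                  "Session Profile and in StoreFront trusted domains; confirm the real value with 'SET U'",
    "SHAPE_OK": "credentials are already sAMAccountName + NetBIOS domain: look elsewhere (delegated credential "
                "validation, callback URL, FAS backend)",
}


@dataclass
class Event7:
    reason: str
    user: str
    domain: str


_REASON = re.compile(r"with reason:\s*([A-Za-z]+)")
# One 'name: value' line; the lazy group plus trailing-space strip yields '' for a blank value.
_FIELD = r"^[ \t]*{name}:[ \t]*(.*?)[ \t]*$"


def parse_event7(message: str) -> Event7:
    """Extract reason, user and domain from the event text; raise if it is not an Event 7 body."""
    reason = _REASON.search(message)
    user = re.search(_FIELD.format(name="user"), message, re.MULTILINE)
    domain = re.search(_FIELD.format(name="domain"), message, re.MULTILINE)
    if not (reason and user and domain):
        raise ValueError("not a CitrixAGBasic single sign-on failure message")
    return Event7(reason.group(1), user.group(1), domain.group(1))


def triage(ev: Event7) -> list[str]:
    """Return finding codes for the event, in the order the fixes should be applied."""
    codes = []
    if "@" in ev.user:          # UPN released by the IdP instead of sAMAccountName
        codes.append("UPN_IN_USER")
    if not ev.domain:           # Session Profile SSO domain not set
        codes.append("DOMAIN_BLANK")
    elif "." in ev.domain:      # USERDNSDOMAIN used where USERDOMAIN is required
        codes.append("DNS_DOMAIN")
    return codes or ["SHAPE_OK"]


def report(message: str) -> list[str]:
    """Human-readable lines: the logged reason followed by the recommended fix."""
    ev = parse_event7(message)
    return [f"[{ev.reason}] {ADVICE[code]}" for code in triage(ev)]


if __name__ == "__main__":
    for sample in (SAMPLE_UPN_BLANK_DOMAIN, SAMPLE_SAM_NETBIOS, SAMPLE_SAM_DNSDOMAIN):
        print("\n".join(report(sample)), end="\n\n")
```

The SHAPE_OK result is the important negative: when the event already shows `user: test` / `domain: DOMAIN`, as in one of the posts above, the thread's domain fix will not help and the cause was found elsewhere (in that poster's case, the FAS deployment).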

  8. 10 hours ago, Thomas Dooley1709157758 said:

     

    We tried a few fixes but had to roll back in the end unfortunately....didn't get a chance to raise it to Citrix support either. 

    Hi tom163, did you try running the VDA Cleanup Utility to completely remove the upgraded VDA and UPM and then reinstall the VDA fresh? I logged a case with Citrix Support and this was their recommendation, and it has worked on 7.15 LTSR CU4. Thanks

  9. 11 hours ago, John Meier1709161208 said:

    We have that problem, too (Windows Server 2012 R2, 7.15). Some users don't see any programs. After some searching I found a forum thread (link below).

     

    Please try the following (hopefully it helps):

     

    • Logoff (user)
    • Delete (all) the files below the folder
      • \\server.domain.tld\folder\<USERNAME>\profile\UPM_Profile\AppData\Local\Microsoft\Windows\Caches\
        • generally 6 Files (*.db)
    • Logon (user)
      • wait at least 30 sec. 
        • Files are created new 
        • User still sees no icons (don't worry)
    • Logoff 
    • Logon
    • icons should be there again

     

    Credits: https://discussions.citrix.com/topic/391754-windows-2016-start-menu-blank-icons-with-715-cu1/

    Thanks for your reply. I have had some success with this issue since I first posted. Citrix Support got back to me and told me to run the VDA Cleanup Utility on the affected servers, as it would appear they had not upgraded properly. So I did this, reinstalled VDA 7.15 LTSR CU4, and it has worked. One thing to note: after the reinstall of the VDA the server reboots, and the desktop didn't launch correctly until I logged on directly and ran gpupdate /force. Thanks

  10. On 8/19/2019 at 9:44 PM, Thomas Dooley1709157758 said:

    Hey g0nz0uk,

     

    Did you get this fixed at all? we are seeing the same going from 7.15 (release version) to 7.15 CU4 at the moment.....

     

    Thanks 

    I am having the same issue with 7.15 LTSR CU4, which I just upgraded to from 7.11 yesterday. Is there a fix for the Start menu desktop background not showing any pinned apps? Anyone? Thanks

  11. Hi All,

    I upgraded my Citrix environment yesterday from 7.11 to 7.15 LTSR CU4. I also upgraded NetScaler from VPX 11 to 12. I have around 9-10 desktops in the environment and now around 3-4 of them are not showing any apps pinned to the background when some users launch a desktop from StoreFront. They get this:

    [screenshot]

     

    Strangely, it does load the tiles (apps) on other occasions. It seems to be intermittent (and very annoying). So, I have 4 machine catalogs/delivery groups and this issue is only happening on one of the MC/DGs; the other 3 are reporting no issues. All the servers run the same OS, Windows Server 2012. UPM is enabled and has also been upgraded to the latest 7.15 LTSR. I have logged a ticket with Citrix but have had no reply yet, hence why I am posting on this forum.

     

    I found this forum thread, which seems similar to mine, but it doesn't appear to have done anything: https://discussions.citrix.com/topic/398127-start-menu-shows-blank-icons-on-vda-715-ltsr-cu2-with-upm-enabled/ I tried adding the registry key to clear the cache. I am at a bit of a loss really, because it's only happening on 40% of my desktops.

     

    I am also running Citrix FAS as I have SAML turned on in Netscaler which is integrated into Okta.

     

    If anyone has come across this issue I would appreciate any ideas you have on a fix. In the meantime I'm hoping for a reply from Citrix Support. Thank you.

  12. Hi All,

    My environment is Citrix XA/XD 7.11 with SF 3.8, NetScaler VPX 11, UPM 5.5, VDA 7.11. My Citrix environment uses SAML authentication with Citrix FAS (integrated into Okta; Okta is the IdP). The recent integration into Okta and turning SAML auth on with FAS is new to my environment. What's happening now is, and it's intermittent, users are logging onto Citrix desktops and their sessions are not logging off properly. They are listed as disconnected in Studio and I cannot kill them in Studio or even by trying to log the sessions off directly on the Windows 2012 server. They are hung. I've attached some screenshots. I had this same problem with 7.9, so I upgraded to 7.11 including upgrading the VDA versions and UPM. The same problem persists. I've seen a fair few forums on Citrix ghost sessions; this seems to be my problem, with fixes being 1) reboot the VDA servers (that's all I've been doing) or 2) upgrade Citrix (done that too; do I need to upgrade again, will this fix my issue?). Just wondering if someone else in the community has anything else for me to try (like an actual fix would be nice). Thank you for your time.

    [screenshots attached]

    So, I downloaded the SF 3.8 version and ran the exe in my lab. It installed with no issues, it retained my settings, and now this works: http://blog.sachathomet.ch/2017/01/03/storefront-allowreloginwithoutbrowserclose/ However, it has only fixed 50% of my problem. I still cannot log on to my Citrix app through Okta if the Okta tab is left open in Chrome once I log out of Citrix; I have to close my browser down and reopen it.

     

    I had to reboot my VDA server which is still on 7.9 and now I can launch apps and desktops.

    So it looks like this works for me. Does anyone see any major flaws in my plan? My new SF upgraded environment would look like this:

    NetScaler VPX 11

    XenApp/VDA 7.9

    StoreFront 3.8 (upgraded from 3.6)

  14. 2 minutes ago, Frank Schifferstein said:

    Hi 
    "Is this possible, can I upgrade/install to SF 3.8 but keep my Xenapp environment at v 7.9? Do I need to update/upgrade all my VDA servers or can they stay at 7.9? "

    StoreFront is available as a separate download too (https://www.citrix.com/downloads/storefront/) and you can update that piece of software only. Just be aware that version 7.9 of your environment has been out of support for a long time. Well, the store configuration is stored in the web.config (C:\inetpub\wwwroot\Citrix\Store) file, but I'm not sure if this is sufficient (and if you can copy that into another StoreFront version) to save that; I would try it in a testing lab.

     

    Thanks for your reply Frank, I will try it in my lab first and see how I go.

  15. Hi All,

    Judging by this post https://discussions.citrix.com/topic/384990-upgrading-storefront-36-to-38/ I cannot simply upgrade Storefront from 3.6 to 3.8, I would have to uninstall 3.6 first, then install 3.8, is that correct? What about all the settings in 3.6, can these be restored easily? 

     

    Is this possible, can I upgrade/install to SF 3.8 but keep my XenApp environment at v7.9? Do I need to update/upgrade all my VDA servers or can they stay at 7.9? I am running NetScaler VPX 11 too. All I want to do is upgrade SF from 3.6 to 3.8 and nothing else. It's so I can implement this to get around an issue where I have Citrix set up on Okta with SAML SSO, and when a user closes their browser tab or logs out of Citrix they cannot get back in unless they shut their browser down.

    http://blog.sachathomet.ch/2017/01/03/storefront-allowreloginwithoutbrowserclose/

    Thank you.

  16. 48 minutes ago, Jim Grimm1709160134 said:

    The following blog has a walkthrough example that includes the following for the logout URL: https://blogs.serioustek.net/post/2016/11/10/netscaler-saml-okta


    I've tried the different logout URL and get the same error, same issue occurring.

    https://mycomanyname.okt.com/cgi/signout and same issue.

     

    In the comments under this post it mentions the signout URL is in this format:

    https://fqdn.authvserver.com/cgi/tmlogout

    I am trying to work out how to get that into the NetScaler. Is the FQDN the NetScaler?

    Is authvserver my NetScaler Gateway?

     

  17. Hello,

    I have just gone live with an IAM platform, Okta, and integrated Citrix, which uses SAML SSO. Everything works as expected except, when a user logs into the Okta portal and clicks Citrix, which SAML SSO's to StoreFront 3.6, this opens the connection in a new tab, and then when the user either closes the tab or logs out of StoreFront they cannot access Citrix through Okta again unless they completely shut their browser down and re-sign into Okta. The logout URL that is part of the SAML policy is not logging the session off properly. I logged a ticket with Okta and they said it was a Citrix NetScaler issue. Has anyone seen this issue before? All I need is a logout URL that actually logs out... The logout URL I set on the NetScaler is from Okta's Citrix/SAML setup guide. It's not a massive problem, but now it's live I am getting a number of requests from people saying they cannot log back in; they have to fully close their browser down and open it to get back in, and it's annoying.

     

    This is the logout URL https://mycompanyname.okta.com 

     

    Thank you.

  18. On 11/29/2018 at 1:45 PM, Bruce McDonald said:

     

    Hi Tom,

    Fantastic write up. I had the exact same issue as you except I am using a different external SSO as my SAML IdP which is Onelogin. The same or similar concepts apply though. In short, I had been banging my head against the wall for the best part of a day trying to get this configuration to work. As I mentioned we use Onelogin in our business and we want this to be our IdP and Netscaler to be the SAML SP. I configured Onelogin to use SAML auth, I configured (or tinkered and played with until it worked) Netscaler VPX 11 with SAML policies, bound this to my GW VIP and every time I tried to connect through Onelogin to SSO through the Netscaler into Storefront (3.6) it presented the error "cannot complete your request".

     

    After following many guides, I found this one and it worked perfectly. I had the exact same errors on my storefront server Event ID 7 and 10. Event ID 7 said this "CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity."

     

    I followed your tip on changing the USERDNSDOMAIN to USERDOMAIN and VOILA, it worked. I can now SSO into StoreFront no problem. But I will need to set up FAS because I too am getting prompted for credentials when launching an app on SF. That's my next job. Tom, I cannot thank you enough for this write-up; it's been a massive help. Thanks.

     

    I just wanted to report back by saying I got FAS up and running following this guide https://www.carlstalhood.com/citrix-federated-authentication-service-saml/ and the first time I connected to OneLogin > Citrix NetScaler app > it took me straight through to SF. I opened an app and a desktop and it logged me straight on. No prompts for usernames and passwords. It's worked a treat.

     

  19. 5 hours ago, Christopher Grider said:

    **** UPDATE ****

     

    By changing the OKTA config to pass the SAMACCOUNT back to Netscaler Instead of UPN.. We are now seeing apps enumerated...  

     

    Thanks Again for the help on this!

    Hi there, good job on getting it to work. I too am passing the sAMAccountName from OneLogin. I suspect when I get FAS up and running that I may need to change this to UPN.
