Mark Brilman
Posts posted by Mark Brilman
-
Citrix's solution, which worked for me. In our situation VPXes on SDX were not discovered and could not be added manually.
ADM version 13.0.82.41
SSH to the ADM:
shell
/mps/db_pgsql/bin/psql -U mpspostgres -p 5454 mpsdb
set schema 'Owner';
select ip_address,instance_mode,id from managed_device where ip_address like '<SDX IP Address>';
The query should output ip_address, instance_mode and id.
delete from managed_device where ip_address='<SDX IP Address>';
delete from vm_device where id='Device_ID';
delete from ns where id='Device_ID';
\q
Notes:
- No need to reboot ADM
- No need to run this command on the Secondary ADM if HA is present
After this I was able to re-discover the SDX and the VPX was added to the inventory again.
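The same cleanup as one psql transaction, added here as an example (it is not Citrix's procedure or the post's own commands): the device id is taken from the managed_device lookup instead of being copied by hand, the row is shown before anything is deleted, and the transaction stays open so the operator can type COMMIT or ROLLBACK. Schema, table and column names are the ones in the post; the placeholder IP must be replaced.

```sql
-- Added example, not Citrix's procedure. Save as cleanup.sql, open psql
-- interactively as in the post, then run:  \i cleanup.sql
-- The transaction is left open on purpose: finish with COMMIT or ROLLBACK.
-- Schema, tables and columns are taken from the post; nothing else is assumed.
\set ON_ERROR_STOP on
\set sdx_ip '<SDX IP Address>'

BEGIN;
SET SCHEMA 'Owner';

-- Collect the id(s) registered under the SDX management IP.
-- ON COMMIT DROP removes the scratch table whichever way the transaction ends.
CREATE TEMP TABLE stale_device ON COMMIT DROP AS
  SELECT id, ip_address, instance_mode
    FROM managed_device
   WHERE ip_address = :'sdx_ip';

-- Show what is about to be removed. Expect exactly one row; if the result is
-- empty or lists more than one device, type ROLLBACK instead of COMMIT.
SELECT ip_address, instance_mode, id FROM stale_device;

-- The three deletes from the post, driven by the looked-up id so the
-- Device_ID never has to be pasted by hand (a typo would leave a stale row).
DELETE FROM ns             WHERE id IN (SELECT id FROM stale_device);
DELETE FROM vm_device      WHERE id IN (SELECT id FROM stale_device);
DELETE FROM managed_device WHERE id IN (SELECT id FROM stale_device);

-- Check the DELETE row counts printed above (each should be 1 or 0), then
-- type COMMIT to apply or ROLLBACK to discard everything.
```

Because the deletes run inside one transaction, a failure in any of them leaves all three tables untouched rather than half-cleaned.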
-
In Citrix ADC v13.0.67.39 (and maybe before) this fix will stop working. The reason is that "logonpoint/tmindex" will not be part of the request URLs in time. The way the RfWebUi theme is delivered is changed by Citrix and tmindex is not a part of the first http request anymore. Before tmindex will show up the Salesforce app will have died already (device not supported error).
I worked around it doing the following:
- created an extra AAA vServer with X1 theme bound to it.
- created an extra ADFS Load Balancing vServer that uses the AAA-X1 vServer for authentication.
- created a content switching policy that applies for useragent SalesForce && android && adfs.company.com URL that opens that new ADFS Load Balancing vServer.
What will happen is the Salesforce App will access ADFS. It gets redirected to the AAA-X1 vServer. However, this time the logonpoint/tmindex is present in the first http request, so the globally bound responder policy will kick in and redirect to the original AAA vserver with the ?android page.
This works like a charm, however it is not a permanent solution because X1 will disappear in the next release. So I will consult Citrix why they changed the behavior of the RfWebUi theme.
-
No, not yet.
-
My simple nFactor flow fails after upgrade to 13.0.52.24. It's just LDAP first with Radius next. It always worked.
Since the upgrade to 13.0.52.24 it stopped working. When logging in I get the error: Loginschema does not permit current login request
In ns.log:
"ns_aaa_login_handler: Login request is not expected to be encrypted"
"Claims allowed in current loginschema are 1000"
"password sent in login request when schema does not define it, flags 1000"
"Could not match login claims for user <user@domain.nl> with configured schema"
"AAA Client Handler: Found extended error code 1245208, ReqType 16388 request /nf/auth/doAuthentication.do, cookie hdr "
Anybody else seeing the same with a possible solution?
-
Hi.
I have the following scenario. We have multiple web applications in different SSO domains, for instance appA.domainA.com and appB.domainB.com.
We have AAA running in domainA.com (aaa.domainA.com)
Our issue is this:
When performing a login to appA.domainA.com we get redirected to aaa.domainA.com. We perform logon and cookies are injected for domainA.com. We open appB.domainB.com and because of the cookies in domainA.com we get a successful SSO to AAA and get cookies for domainB. All is well, we have SSO for both domainA and domainB.
When opening appB.domainB.com first we get redirected to aaa.domainA.com. We perform logon and cookies are injected for domainB.com. When we then open appA.domainA.com no cookies are present for domainA, so we don't have SSO on aaa.domainA.com. We need to login again to get the cookies for domainA.
My idea was to get AAA working on both aaa.domainA.com and aaa.domainB.com (2 SSL certs/SNI) and use content switching to select the correct load balancer based on SSO domain. However I can't find any cookie or any other way to get the content switch to recognize which authentication already succeeded and for which SSO domain cookies are already present.
Is there a way I can trick NetScaler into switching authentication domains with one logon?
Thanks!
Mark
-
The rewrite policy for RfWebUI does not work anymore with the latest 13.x versions. Anybody already got a new one? ;-p
-
Exact same issue on my side. Switching AAA themes does not matter. Tweaking the user agent of the browser into the user agent the Android app is using does not make a difference either. Please let me know if you find something.
-
Hi,
I have a scenario in which the NetScaler fails an SSL connection to a backend server, saying: Level=fatal(2), description=unknown CA in the packet capture.
When I import the CA chain on the NetScaler, link the certificates together and bind the Root CA certificate to the service group, the issue is gone.
When I unbind the Root CA certificate again, the error comes back. The backend does not do client authentication.
I have never bound a Root CA certificate to a Service Group. What am I actually doing? Why is the NetScaler failing the connection when the Root CA certificate is not bound to the Service Group?
-
Hi,
Sure. I have a vCenter with a distributed switch. So I had to trick the import a little. What I did:
- Log in directly to an ESX host (so not in vCenter but directly on the host)
- Create a bogus standard vSwitch and port group (it just has to be present, doesn't have to function)
- Import the XenMobile OVA to your ESX host and configure the bogus port group to it in the networking section.
- Make sure the VM doesn't start after successful import
- Wait for the import to complete
- Log in to vCenter and configure the XenMobile VM with the correct portgroup in the Distributed Switch
That's it. If you don't use Distributed Switches in VMware you can of course connect your standard port group during import.
Have fun.
-
Importing the OVA directly on vSphere works
-
Same issue on vCenter 6.7
-
Same issue on a new 7.18 deployment with SQL 2017. Assigning the PVS server computer account db_owner permission fixed it.
-
Same question here. Is it possible in the latest versions to prefill without changing the .js files?
I implement a lot of Office365 with NetScaler as ADFS proxy. People are always complaining about having to fill in their e-mail twice (one time Microsoft, one time NetScaler AAA).
-
Is there an update to the GO button (and the ability to add personal bookmarks)? I'm trying to get rid of it in version 12.0.53.22, but so far am unable to.
-
The NetScaler themes in 12.0 look to be buggy. I implemented an Office365/ADFS combo. When adding an account in Word (or another Office app) normally a resized window opens and the NetScaler presents a login page (screenshot 1). After upgrading to NetScaler 12.0 I get a lot of scripting errors and a blank page, unable to add an Office365 account (other screenshots).
I now have 1 node 11.1, 1 node 12.0 - failing back to 11.1 and it immediately starts working again. Failing over to 12.0 and it's broken again. Clearing out caching groups doesn't solve. Maybe I'm overlooking something. It happens with all the themes.
-
Hi Luc,
I'm curious about your config. I'm running into 2 errors.
1) Radius is expecting a challenge before it sends the SMS. I'm struggling a little with how to configure this.
2) I noticed (but it can be a one-time error) that Login Schemas break traffic policies. I noticed that authenticating with OWA SSO stopped working, and also the traffic policy that destroys the session cookie.
Kind regards,
Mark
-
Hi,
I'm having a hard time troubleshooting PVS. The issue is that from the XenDesktop setup wizard, or the PVS streaming VM wizard, I cannot contact my hypervisor. The exact error:
Cannot connect to the hypervisor at https://vcenter.mydomain.local:8443/sdk : Failed to connect to the remote server (unable to locate server [ The request failed with HTTP status 404. not found ] )
- My vCenter is up & running with a trusted certificate. I verified with IE on the PVS server.
- In XenDesktop I added my vCenter connection with ESX resources. All test pass both on connection & storage
- I've set up my VM template on shared storage, accessible by both VMs
- I added vCenter in PVS. The connection is successful.
- I added this key both on http and https (and rebooted pvs server)
HKLM\Software\Citrix\ProvisioningServices\PlatformESX | ServerConnectionString http://{0}:8443/sdk
Rebooted several times. I'm a little lost at the moment. I also don't see any logging in programdata\citrix\provisioning services\log
I'm a little lost as to what causes this issue. Hope somebody can help me.
Kind regards,
Mark
-
Hi Luc,
Thanks! And good to hear it can work with nFactor. Did you modify the login-2-passwd.xml file or did you just use the default one?
How did you configure your advanced authentication policies? Did you create 2, but only bound the LDAP policy with Radius as next factor?
Is it possible you share this part of your config?
Thanks in advance!
Kind regards,
Mark
-
Hi,
I'm playing around with nFactor. I have a customer that uses SMS codes as second factor.
What I'm trying to achieve with nFactor is that the username/password is set on the first page, then Radius is queried and the SMS arrives on the phone. The second page only contains the box for the SMS code.
Is this possible with nFactor? And does anybody have some guidance on what I should do? Normally I customize the .js files, however in this case that results in Radius saying "incorrect tokencode, enter tokencode", which is not really nice. And it's an unsupported customization. I would like to do it with supported nFactor :-) if possible.
Hope somebody has played around with it already.
Kind regards,
Mark
Please select one of the following login page (in Core ADC use cases)
Has this bug resurfaced again? I have several NetScalers hanging again and disabling the HSTS checkbox solves the issue. Version 13.0.85.19 (latest 13)