CAG 5, WI 5.4- 401 - Unauthorized: Access is denied due to invalid credentials

Started by Brett Walmsley , 15 February 2011 - 03:35 PM
15 replies to this topic

Brett Walmsley Members

Brett Walmsley
  • 3 posts

Posted 15 February 2011 - 03:35 PM

Hi,

I have got a CAG 5 (5.0.1) with AAC on 2008R2 with Web Interface 5.4. When I authenticate it gives me the following error:

Server Error
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

In the event log I get :

Log Name: Application
Source: Citrix Web Interface
Date: 15/02/2011 14:38:26
Event ID: 18001
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: FQDN
Description:
Site path: C:\inetpub\wwwroot\Citrix\XenAppAAC.

A communication error occurred while attempting to contact the Access Gateway authentication service at https://FQDN/CitrixAuthService/AuthService.asmx. Check that the authentication service is running. The message reported by the underlying platform was: The underlying connection was closed: An unexpected error occurred on a send.. [Unique Log ID: 196209d2]

For specific information about this message, see the Web Interface documentation at http://support.citrix.com/proddocs/topic/web-interface-impington/wi-log-messages-event-ids-hardwick.html.

I have single sign-on enabled and have checked all the certificates and root CAs.

I have seen a few threads on this but none seem to have a resolution or do not match what I see.

Anyone got any ideas?

*Thanks*



James Crocker Citrix Employees

James Crocker
  • 1,624 posts

Posted 15 February 2011 - 08:17 PM

Hi Brett,

Is your AG using 1 or 2 NICs?

If using 2, can you try editing your hosts file so that the AG FQDN points to the NIC that has the "Internal" role?

James



Brett Walmsley Members

Brett Walmsley
  • 3 posts

Posted 16 February 2011 - 07:59 AM

Hi,

Just the one CAG.

Brett



Victor Abyad Members

Victor Abyad
  • 2 posts

Posted 25 February 2011 - 11:12 PM

I have the same issue running WI 5.4 and CAG 5.0.1. I have CAG with 2 interfaces. The Web Interface points to the internal network of CAG by using host files and modifying internal DNS server. The CAG has host entries to point to the internal IP addresses of Web Interface and XenApp servers. Any other suggestions greatly appreciated.



Beat Gradischnig Members

Beat Gradischnig
  • 1 posts

Posted 26 February 2011 - 01:16 AM

Hi,

Did you check the FQDN in your XenApp Website \ Web Interface Access Method? Which FQDN do you use? It should be the FQDN of the AC Server, not the CAG FQDN.

http://ACServername.domain.com/CitrixAuthService/AuthService.asmx

or

https://ACServername.domain.com/CitrixAuthService/AuthService.asmx

Beat



Victor Abyad Members

Victor Abyad
  • 2 posts

Posted 26 February 2011 - 04:41 AM

So here is what I have configured

Access Gateway: External Name jdhcag.hartlaw.com Eth0 (IP 207.191.16.141) which gets NAT to a DMZ network, Internal Eth1 (IP 192.168.16.241) which is connected to internal network behind firewall.

Host files on Access Gateway (remote.hartlaw.com, X.X.16.6, remote2.hartlaw2.local, X.X.16.11, remote.hartlaw2.local, X.X.16.10)

On Hosts (WI, XenApp) inside firewall, jdhcag.hartlaw.com resolves to 192.168.16.241, not the external IP.

On Web Interface, I created site (https://remote.hartlaw.com/Citrix/CAG) to authorize against https://jdhcag.hartlaw.com/CitrixAuthService/AuthService.asmx per Citrix video on installation.

Secure access is set to Gateway direct with Address (FQDN) set to jdhcag.hartlaw.com and STAs set to http://remote2.hartlaw2.local/scripts/ctxsta.dll and http://remote.hartlaw2.local/scripts/ctxsta.dll

On the Gateway the Logon Point is set to Basic using https://remote.hartlaw.com/Citrix/CAG, LDAP Authentication which works, and Single sign-on is checked.

I read earlier that it may be caused by inability to validate certificates. I verified that I could access the jdhcag.hartlaw.com via XenApp and WI without any certificate errors.



James Crocker Citrix Employees

James Crocker
  • 1,624 posts

Posted 28 February 2011 - 11:35 PM

When you see the issue, can you please check the Eventviewer? WebInterface should provide a reason in here if the callback fails.

One other thing to check is that on your AG in your Authentication profile, make sure you have a single sign-on domain specified.



Brett Walmsley Members

Brett Walmsley
  • 3 posts

Posted 02 March 2011 - 08:22 AM

Hi,

There is no information in the event viewer relating to Web Interface.

Brett



KEN ZYGMUNT Members

KEN ZYGMUNT
  • 1,306 posts

Posted 28 April 2011 - 10:23 AM

Brett

When you're NATting your connection through the firewall to the CAG, are you using 443 or have you modified the port to something else, like 444? If you have, you need to modify the authentication service URL within Web Interface to use the same port, e.g.

https://<FQDN>:444/CitrixAuthService/AuthService.asmx

Regards

Ken Z



Kaoru Kojima Citrix Employees
  • #10

Kaoru Kojima
  • 8 posts

Posted 16 September 2011 - 12:16 PM

Hi,

I had the same issue before with IIS 7, when I had WI call back to AuthService with SSL.
In that case, I simply forgot to create an SSL binding on IIS.
http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/

Better to try without SSL first to make everything simple.

Kaoru



Martin Rogers Members
  • #11

Martin Rogers
  • 62 posts

Posted 19 September 2011 - 12:18 PM

Try installing your SSL certificate on your web interface servers. That fixed the same error for me.



Andrew Sandford Citrix Employees
  • #12

Andrew Sandford
  • 1,006 posts

Posted 21 September 2011 - 11:09 AM

@Martin,

To be clear here it is the Issuer of the SSL Certificate bound to the Access Gateway VIP for the AuthService that the Web Interface needs to trust. The SSL Certificate chain needs to be trusted so Intermediate and Root CAs need to be in the WI Local computer Certificate Stores.

Regards,

Andrew



BEN ROONEY Members
  • #13

BEN ROONEY
  • 43 posts

Posted 28 September 2011 - 08:00 AM

Currently experiencing the exact same issue here:

CAG 5.0.3 / WI 5.4

WI Site is setup as Gateway Direct
Auth Service URL is set to https://PubFQDN/CitrixAuthService/AuthService.asmx
Secure Access: Gateway Direct PubFQDN / 443 Enable session reliability
STA: http://FarmServerFQDN/scripts/ctxsta.dll

CAG only has a single NIC, the WI server has the PubFQDN added to the local hosts file with the internal ip address so that it resolves properly, I have also added the certificates.

The server is a vanilla 2008 R2 SP1 server setup for the specific purpose of trying to resolve this issue, any thoughts are appreciated.

In addition to this I created an additional logon point which utilizes a direct access WI with pass through enabled. This works correctly and displays all the applications, however none can be started as we get the error 'no XenApp Server exists ...' and again with nothing in the server logs.

This is becoming a very tiring issue.



Clarksons Systems Members
  • #14

Clarksons Systems
  • 1 posts

Posted 28 September 2011 - 10:03 AM

We had the issue too. It turned out that for some reason on the return journey from the WI to the AGEE it uses the IP when the certificate is associated with a hostname. I found out that by adding the IP to Hostname resolution in the WI's hosts file (C:\Windows\System32\drivers\etc) it worked.
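
The two causes raised in posts #12 and #14 (the issuer chain of the Access Gateway certificate not trusted by the Web Interface server, and the name used to reach the AuthService not matching the certificate) can be checked from the Web Interface server itself. The script below is an added example, not part of any post in this thread and not Citrix code; the parameter name `AuthServiceUrl` and the output format are assumptions, and the URL passed in should be the exact one configured in the WI site.

```powershell
# Added diagnostic example; run on the Web Interface server.
# -AuthServiceUrl (assumed name): the callback URL exactly as configured in the WI site.
param([Parameter(Mandatory = $true)][string]$AuthServiceUrl)

$uri  = [Uri]$AuthServiceUrl
$port = $uri.Port            # 443 unless the URL carries an explicit port
$script:tlsResult = $null

# 1. What does this server resolve the name to (hosts file entries included)?
$addresses = [System.Net.Dns]::GetHostAddresses($uri.Host)
"{0} resolves to: {1}" -f $uri.Host, ($addresses -join ', ')

# 2. A URL built on an IP literal only validates if the certificate lists that IP.
if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
    "URL uses an IP address; expect a name mismatch unless the certificate lists it."
}

# 3. Record what .NET's own validation reports; the verdict is passed through unchanged.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:tlsResult = New-Object PSObject -Property @{
        Subject = $certificate.Subject
        Issuer  = $certificate.Issuer
        Errors  = $sslPolicyErrors      # e.g. RemoteCertificateNameMismatch
        Chain   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
    return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($uri.Host, $port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # Validate against the host name taken from the URL, as the callback would.
    $ssl.AuthenticateAsClient($uri.Host)
    "TLS handshake succeeded and the certificate was accepted."
} catch {
    "Handshake failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}
$script:tlsResult | Format-List Subject, Issuer, Errors, Chain
```

`Errors` showing `RemoteCertificateChainErrors` points at missing intermediate or root CAs in the Local Computer stores, while `RemoteCertificateNameMismatch` points at the URL or hosts-file name not matching the certificate.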



Freek Speelman Members
  • #15

Freek Speelman
  • 1 posts

Posted 05 January 2012 - 04:08 PM

Hi

We had the same issue, but the problem was resolved using the following steps:
CAG 5.0: created a self-signed certificate (test purpose)
Imported the self-signed certificate to Web Interface 5.4
Installed the certificate on the desktop machine from where we are testing.

Web Interface 5.4 Authentication Method setting was changed from IP address to FQDN of the CAG 5.0.3
https://FQDN/CitrixAuthService/AuthService.asmx



Brandon Smink Members
  • #16

Brandon Smink
  • 2 posts

Posted 10 December 2013 - 02:57 PM

Thanks Clarksons Systems. The host file modification was just what I needed.