
Unable to login to Storefront externally via Netscaler Access Gateway 10


Gavin Lockhart


Hi,

I am unable to log in to my Storefront server via my NS Access Gateway 10 via the web address in a browser. I keep getting the message "Cannot Complete your Request" on the webpage. It does connect to the Storefront server; it just does not authenticate.

When I check the Storefront Logs I have the following:

 

Log Name:      Citrix Delivery Services
Source:        Citrix Authentication Service
Date:          16/12/2013 16:30:31
Event ID:      8
Task Category: (1005)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxx.xxxx.xxxx.xxxx
Description:
None of the AG callback services responded
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Authentication Service" />
    <EventID Qualifiers="0">8</EventID>
    <Level>2</Level>
    <Task>1005</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-12-16T16:30:31.000000000Z" />
    <EventRecordID>1904</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>ievapp05.atrema.deloitte.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>None of the AG callback services responded</Data>
  </EventData>
</Event>

 

 

And then

Log Name:      Citrix Delivery Services
Source:        Citrix Receiver for Web
Date:          16/12/2013 15:29:41
Event ID:      10
Task Category: (3001)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxx.xxxxx.xxxxx.xxxxxx
Description:
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null
AuthenticateInternal encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase request)
   at Citrix.Web.AuthControllers.Controllers.AuthenticationController.DoAGSSOLogin()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: https://xxxxx/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.ProtocolEnumerator.TokenRequestClient.SendTokenRequest(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptHeaders, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Receiver for Web" />
    <EventID Qualifiers="0">10</EventID>
    <Level>2</Level>
    <Task>3001</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-12-16T15:29:41.000000000Z" />
    <EventRecordID>1838</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>ievapp05.atrema.deloitte.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null
AuthenticateInternal encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase request)
   at Citrix.Web.AuthControllers.Controllers.AuthenticationController.DoAGSSOLogin()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: https://xxxxxx/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.ProtocolEnumerator.TokenRequestClient.SendTokenRequest(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptHeaders, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
</Data>
  </EventData>

 

 

 

Any help would be much appreciated.

 

Regards,

 

Gavin

Link to comment
Share on other sites

1. Make sure that you can log on to Storefront directly, avoiding the AGEE, without any issues.

   a. If you have issues internally, check the Event Viewer to see what errors are being reported on the Storefront.

   b. If you are having issues internally, try restarting the Credential Wallet service and setting the service to Automatic (Delayed Start).

   Note: .NET needs to start before the Credential Wallet service, so if that is the issue then the delayed start will resolve it, as it will let .NET start first.

   c. Also try using the hosts file on each Storefront server to have the LB FQDN point to its own IP address, to eliminate any load balancing persistence issues.

2. On the Storefront server under Gateways, make sure that the Gateway URL is the exact FQDN that users are typing into the browser or entering into the Receiver to access the AGEE.

   Note: When it does the authentication, the SF server is looking for the X-Citrix-Via header that matches the name, and if it matches it will do the callback.

   a. Also make sure that the deployment mode is set to appliance, and that Set server as Access Gateway Enterprise Edition is selected.

   Note: The X-Citrix-Via will take precedence, and if it fails or does not exist it will fall back to the SNIP. The SNIP only comes into consideration if it is failing when accessing internally using the LB VIP, if it is coming from the same SNIP that you have defined.

      i. If they are using AGEE 9.3 then the SNIP needs to be correct, as it does not send the X-Citrix-Via HTTP header. This feature was introduced in Access Gateway 10.0.69.4.

   b. Make sure that the Logon type is set to the type of authentication that the AGEE is using. For example, if using two-factor authentication, the logon type will have to be modified to Domain and Security Token. For LDAP authentication leave it at Domain Only.

3. Make sure that the Enable Silent Authentication callback URL on the SF server resolves to the AGEE VIP if you put it in IE on the SF server without any certificate errors.

   a. Validate that the SSL certificate chain is properly configured on the AGEE and that StoreFront trusts the SSL certificate bound to the AGEE. If the AG does not have the intermediate SSL certificate chained to the bound SSL certificate, try adding any intermediate certificate to the StoreFront server's intermediate certificate store, under the Local Computer account.

4. On the Storefront server under the Store, open Enable Remote Access. Make sure that it is set to No VPN tunnel and that the Gateway that you defined in step 2 is checked off.

5. Under Configure Trusted Domains, if there are any Trusted Domains defined, make sure that they match exactly to the SSO domain in your AGEE session profile. Note that multiple domains can be listed here.

6. On the AGEE Session profile, make sure that the Single Sign-on to Web Applications is checked off.

 

Link to comment
Share on other sites
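Step 3 and 3a of the reply above can be checked without a browser. The following is an added example, not code from the poster or from Citrix: it performs the TLS handshake to the callback host from the StoreFront server and reports what .NET's certificate validation concluded. The function name and `gateway.example.com` are placeholders chosen for illustration.

```powershell
# Added example. Run on the StoreFront server in Windows PowerShell.
# Test-GatewayCallbackTrust is a hypothetical helper name, not a Citrix cmdlet.
function Test-GatewayCallbackTrust {
    param(
        [Parameter(Mandatory)][string]$HostName,   # callback FQDN configured in StoreFront
        [int]$Port = 443
    )

    # Filled in by the validation callback during the handshake.
    $script:CallbackTls = @{ PolicyErrors = $null; ChainStatus = @(); ChainSubjects = @() }

    # Record the verdict .NET reached, then let the handshake finish so the
    # certificate can be inspected. The certificate is never trusted for real traffic.
    $recordOnly = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:CallbackTls.PolicyErrors  = $sslPolicyErrors
        $script:CallbackTls.ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $script:CallbackTls.ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        return $true
    }

    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $recordOnly)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    $errors = $script:CallbackTls.PolicyErrors
    $status = $script:CallbackTls.ChainStatus
    $findings = @()
    if ($errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) {
        $findings += "Certificate names do not cover '$HostName' (compare with the Gateway/callback URL in StoreFront)."
    }
    if ($status -contains 'PartialChain') {
        $findings += 'Chain is incomplete: an intermediate certificate is missing (step 3a).'
    }
    if ($status -contains 'UntrustedRoot') {
        $findings += 'Chain ends in a root that this server does not trust.'
    }
    if ($status -contains 'NotTimeValid') {
        $findings += 'A certificate in the chain is expired or not yet valid.'
    }
    if (-not $findings) { $findings += 'No trust errors seen from this account.' }

    [pscustomobject]@{
        Host          = $HostName
        Subject       = $leaf.Subject
        Issuer        = $leaf.Issuer
        NotAfter      = $leaf.NotAfter
        PolicyErrors  = $errors
        ChainStatus   = $status
        ChainSubjects = $script:CallbackTls.ChainSubjects
        Findings      = $findings
    }
}

# Usage (placeholder host name):
#   Test-GatewayCallbackTrust -HostName 'gateway.example.com' | Format-List
```

The result reflects the certificate stores visible to the account running the script; certificates that exist only in one user's personal store are not visible to the StoreFront services, which is why step 3a points at the Local Computer stores.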

  • 1 month later...

1. No Issues logging into Storefront Internally

2. Same FQDN

3. No issues getting to the AG from the Storefront server - no cert errors - everything on the server looks fine from a certificate perspective - however I do believe the issue is related to the cert based on the error in Event Viewer. I have no certificate errors etc.

Also the callback server it references within the error is the Storefront server and not the Netscaler - although the Netscaler is what's defined as the callback server within the Storefront Config. Can you explain why this would be?

The remote server returned an error: (403) Forbidden.
Url: https://xxxxx/Citrix...ic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden

4. Is set up as suggested

5. No trusted domains set

6. Tried both ways, no difference.

 

Any further help would be appreciated.

Link to comment
Share on other sites

In the post above you stated that the SF and AGEE have the same FQDN? If this is the case this will not work, because there are 2 separate callbacks that happen during SSO from the AGEE to Storefront. The SF first does a callback to the AGEE to obtain the domain credentials that the user logged in with. The SF then does a callback to its own Authentication service (https://storefront.domain.com/Citrix/Authentication/auth/v1/token/validate). If both of these FQDNs are the same, the Storefront will not be able to differentiate which callback goes where, and both callbacks will either go to the AGEE or SF.

 

The 403 Error that you see is just a generic error that comes up every time the SSO fails telling us that the callback to the SF failed as forbidden because we did not have the AGEE callback to complete successfully. There should be another Event Log message right before that which gives us more specific details as to what caused the issue. 

Link to comment
Share on other sites
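The reply above says the 403 is generic and that a more specific event is logged just before it. As an added example (not code from the poster or from Citrix), the script below pairs each Receiver for Web Event ID 10 with the Authentication Service errors logged in the seconds before it and extracts the innermost exception from the event text. The function names, the 5-second window and the sample text are assumptions made for illustration; the log and source names are the ones shown in this thread.

```powershell
# Added example. Get-ExceptionChain and Get-CallbackRootCause are hypothetical helper names.

# Split an event description into its exception chain. Each exception starts with a
# "Type, Assembly, Version=..." header line followed by its message line.
function Get-ExceptionChain {
    param([Parameter(Mandatory)][string]$Description)
    $lines = $Description -split "`r?`n"
    $chain = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^(?<type>[\w.]+), [\w.]+, Version=[\d.]+') {
            $type = $Matches['type']
            $message = ''
            if ($i + 1 -lt $lines.Count) {
                $next = $lines[$i + 1].Trim()
                # A stack frame or blank line means the exception carried no message.
                if ($next -ne '' -and $next -notlike 'at *') { $message = $next }
            }
            $chain += [pscustomobject]@{ Type = $type; Message = $message }
        }
    }
    return $chain
}

# For every generic Event ID 10, list the Authentication Service errors that
# immediately precede it, with the innermost (root-cause) exception.
function Get-CallbackRootCause {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$WindowSeconds = 5          # assumed correlation window
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Citrix Delivery Services'; Level = 2; StartTime = $Since
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    $generic = $events | Where-Object { $_.ProviderName -eq 'Citrix Receiver for Web' -and $_.Id -eq 10 }
    foreach ($g in $generic) {
        $events | Where-Object {
            $_.ProviderName -eq 'Citrix Authentication Service' -and
            $_.TimeCreated -le $g.TimeCreated -and
            $_.TimeCreated -ge $g.TimeCreated.AddSeconds(-$WindowSeconds)
        } | ForEach-Object {
            # Classic events may carry their text only in the event properties.
            $text = if ($_.Message) { $_.Message } else { ($_.Properties | ForEach-Object { $_.Value }) -join "`n" }
            $inner = Get-ExceptionChain -Description $text | Select-Object -Last 1
            [pscustomobject]@{
                GenericEventTime = $g.TimeCreated
                EventId          = $_.Id
                FirstLine        = ($text -split "`r?`n")[0]
                RootType         = $inner.Type
                RootMessage      = $inner.Message
            }
        }
    }
}

# Constructed sample description (placeholder host name), so the parser can be tried offline.
$sample = @'
The AG Web Service at: https://gateway.example.com/CitrixAuthService/AuthService.asmx failed with the following error.
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.4.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the NetScaler Gateway authentication service.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)

System.Security.Authentication.AuthenticationException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
'@

# Innermost exception of the sample: the certificate validation failure.
Get-ExceptionChain -Description $sample | Select-Object -Last 1 | Format-List

# On the StoreFront server:
#   Get-CallbackRootCause -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```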

No, they do not have the same FQDN - they do not have the same name - what I said was that in the Event Viewer error on the SF server it references the FQDN of itself, the SF server, and not the FQDN of the NSAG - I would have assumed it should reference the FQDN of the NSAG - that is what is configured on SF to be the callback server.

Link to comment
Share on other sites

Where xxxxx is fqdn of CAG and yyyyy is SF

Log Name:      Citrix Delivery Services
Source:        Citrix Authentication Service
Date:          17/01/2014 11:25:27
Event ID:      3
Task Category: (1005)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     yyyyyyyy
Description:
The AG Web Service at: https://xxxxx/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 17/01/2014 11:25:42
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.4.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the NetScaler Gateway authentication service at https://xxxxx/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

System.Security.Authentication.AuthenticationException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Authentication Service" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>1005</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-17T11:25:27.000000000Z" />
    <EventRecordID>2906</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>ievapp05.atrema.deloitte.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The AG Web Service at: https://xxxxx/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 17/01/2014 11:25:42
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.4.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the NetScaler Gateway authentication service at https://xxxxx/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

System.Security.Authentication.AuthenticationException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
</Data>
  </EventData>
</Event>

 

Log Name:      Citrix Delivery Services
Source:        Citrix Authentication Service
Date:          17/01/2014 11:25:27
Event ID:      8
Task Category: (1005)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      yyyyyy
Description:
None of the AG callback services responded
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Authentication Service" />
    <EventID Qualifiers="0">8</EventID>
    <Level>2</Level>
    <Task>1005</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-17T11:25:27.000000000Z" />
    <EventRecordID>2907</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>yyyyyyy</Computer>
    <Security />
  </System>
  <EventData>
    <Data>None of the AG callback services responded</Data>
  </EventData>
</Event>

 

Link to comment
Share on other sites

Where xxxxx is fqdn of CAG and yyyyy is SF and zzzz is http

Log Name:      Citrix Delivery Services
Source:        Citrix Authentication Service
Date:          17/01/2014 11:25:27
Event ID:      3
Task Category: (1005)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     yyyyyyyy
Description:
The AG Web Service at: zzzzs://xxxxx/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 17/01/2014 11:25:42
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.4.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the NetScaler Gateway authentication service at zzzzs://xxxxx/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

System.Security.Authentication.AuthenticationException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)

Event Xml:
<Event xmlns="zzzz://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Authentication Service" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>1005</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-17T11:25:27.000000000Z" />
    <EventRecordID>2906</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>yyyyy</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The AG Web Service at: zzzzs://xxxxx/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 17/01/2014 11:25:42
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.4.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the NetScaler Gateway authentication service at zzzzs://xxxxx/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

System.Security.Authentication.AuthenticationException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
</Data>
  </EventData>
</Event>

 

Log Name:      Citrix Delivery Services
Source:        Citrix Authentication Service
Date:          17/01/2014 11:25:27
Event ID:      8
Task Category: (1005)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      yyyyyy
Description:
None of the AG callback services responded
Event Xml:
<Event xmlns="zzzz://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Authentication Service" />
    <EventID Qualifiers="0">8</EventID>
    <Level>2</Level>
    <Task>1005</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-17T11:25:27.000000000Z" />
    <EventRecordID>2907</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>yyyyyy</Computer>
    <Security />
  </System>
  <EventData>
    <Data>None of the AG callback services responded</Data>
  </EventData>
</Event>

 

 

Log Name:      Citrix Delivery Services
Source:        Citrix Receiver for Web
Date:          17/01/2014 11:25:27
Event ID:      10
Task Category: (3001)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      yyyyyyy
Description:
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null
AuthenticateInternal encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase request)
   at Citrix.Web.AuthControllers.Controllers.AuthenticationController.DoAGSSOLogin()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: zzzzs://yyyyyyyy/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.ProtocolEnumerator.TokenRequestClient.SendTokenRequest(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptHeaders, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)

Event Xml:
<Event xmlns="zzzz://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix Receiver for Web" />
    <EventID Qualifiers="0">10</EventID>
    <Level>2</Level>
    <Task>3001</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-17T11:25:27.000000000Z" />
    <EventRecordID>2908</EventRecordID>
    <Channel>Citrix Delivery Services</Channel>
    <Computer>yyyyyyy</Computer>
    <Security />
  </System>
  <EventData>
    <Data>A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null
AuthenticateInternal encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase request)
   at Citrix.Web.AuthControllers.Controllers.AuthenticationController.DoAGSSOLogin()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: zzzzs://yyyyyyy/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.ProtocolEnumerator.TokenRequestClient.SendTokenRequest(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptHeaders, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
</Data>
  </EventData>
</Event>

 


"Could not establish trust relationship for the SSL/TLS secure channel."

 

In other words, the StoreFront server doesn't trust the certificate on the NetScaler Gateway vServer or the FQDN does not match the certificate name.

 

On the StoreFront server, open a browser and point it to zzzzs://xxxxx/CitrixAuthService/AuthService.asmx. If there are certificate errors then you'll need to fix them. Make sure xxxxx actually resolves to a NetScaler Gateway VIP. Make sure the certificate on xxxxx matches xxxxx DNS name. And make sure the root and intermediate certificates are installed on the StoreFront server.

  • Like 7

We usually see this when the certificates on the Netscaler are not linked together correctly or when the Root and Intermediate certs on the Storefront server are not there or are not in the correct directory.

 

On the Netscaler go under SSL and make sure that the certificate that you are using for the AGEE is linked correctly to the intermediate and the intermediate is correctly linked to the root certificate.

 

On the Storefront server open the MMC and add the LOCAL COMPUTER certificate store. Make sure that you do not select the User store as this will not work to establish the SSL handshake for the callback. Make sure that you see the correct root cert under the Trusted Root Certificate Store. Also check to see if the Intermediate cert is in the Intermediate store and put it in there if it is not there already.

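The checks from the two replies above (name resolution, certificate name match, and root/intermediate certificates in the Local Computer store), as an added PowerShell example that was not posted by anyone in the thread. Run it on the StoreFront server; `gateway.example.com` is a placeholder for the host in your callback URL.

```powershell
# Added example, not from the thread. Run on the StoreFront server.
param(
    [string]$CallbackFqdn = 'gateway.example.com',  # placeholder: host part of the callback URL
    [int]$Port = 443
)

# 1. DNS: the name must resolve to the NetScaler Gateway VIP (compare by eye).
$ips = [System.Net.Dns]::GetHostAddresses($CallbackFqdn) | ForEach-Object { $_.IPAddressToString }
'{0} resolves to: {1}' -f $CallbackFqdn, ($ips -join ', ')

# 2. TLS handshake. The callback only records what .NET validation found and lets
#    the handshake finish so the certificate can be reported; nothing is trusted or saved.
$script:policyErrors = $null
$script:chainStatus  = @()
$script:elements     = @()
$validate = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $script:elements     = @($chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Certificate.Subject
            Issuer     = $_.Certificate.Issuer
            Thumbprint = $_.Certificate.Thumbprint
            DnsName    = $_.Certificate.GetNameInfo('DnsName', $false)
        }
    })
    return $true
}

try {
    $tcp = New-Object System.Net.Sockets.TcpClient($CallbackFqdn, $Port)
} catch {
    # No TCP connection at all: a reachability problem, not a certificate problem.
    throw "Cannot reach ${CallbackFqdn}:$Port from this server: $($_.Exception.Message)"
}
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($CallbackFqdn)
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

# 3. Interpret the result.
#    None                          -> name and chain validate for the account running this script
#    RemoteCertificateNameMismatch -> the FQDN does not match the certificate name
#    RemoteCertificateChainErrors  -> root/intermediate missing or not linked on the Gateway
'SslPolicyErrors : {0}' -f $script:policyErrors
'Chain status    : {0}' -f ($script:chainStatus -join ', ')
'Server cert name: {0}' -f $script:elements[0].DnsName

# 4. Confirm every issuer is in the LOCAL COMPUTER store. This script runs as the
#    logged-on user, whose own store can hide a gap in the machine store.
$issuers = @($script:elements | Select-Object -Skip 1)
if ($issuers.Count -eq 0) {
    'No issuer certificate could be found for the server certificate.'
}
foreach ($e in $issuers) {
    # Self-signed (Subject = Issuer) is a root; anything else is an intermediate.
    $store   = if ($e.Subject -eq $e.Issuer) { 'Root' } else { 'CA' }
    $present = Test-Path ("Cert:\LocalMachine\{0}\{1}" -f $store, $e.Thumbprint)
    '{0}  expected in LocalMachine\{1}: present = {2}' -f $e.Subject, $store, $present
}
```

A result of `None` with an issuer reported as not present in `LocalMachine` means the chain validated only through the logged-on user's store, which is the case the second reply says will not work for the callback.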

hello, i have the same problem at my test-lab. getting error 10, 8 and 3.

 

access from the internal net works but when i try it from outside i get "Cannot Complete your Request".

 

now i updated the storefront to 2.1 but i still get:

 

First ERROR: (Event ID 3)

 

The AG Web Service at: https://intern FQDN of NS(VirtualServerIP)/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 22.01.2014 11:25:47
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.4.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the NetScaler Gateway authentication service at https://internal FQDN of NS/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

System.Security.Authentication.AuthenticationException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)

 

 

 

Second ERROR: (Event ID: 8)

 

None of the AG callback services responded

 

 

 

Third ERROR (Event ID 10)

 

A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null
AuthenticateInternal encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase request)
   at Citrix.Web.AuthControllers.Controllers.AuthenticationController.DoAGSSOLogin()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: https://public FQDN of NS(VirtualServerIP)/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.ProtocolEnumerator.TokenRequestClient.SendTokenRequest(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptHeaders, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)

 

 

 

I need your help after 2 days of total frustration :-(


now i have the problem that i can not login with the receiver for windows 7

if i try to login a window pops up which tells me that i should connect a smartcard reader (this is not one of the authentication methods i configured in the sf-server) and if i close this window nothing happens.

i can click on next and then i get the message "select an account to continue" ....

 

login with a browser works.

 

any ideas?


  • 3 months later...

I've got the same issue and can recreate the following scenario except for my SSL certificate chain is properly configured:

 

    3. Make sure that the Enable Silent Authentication callback URL on the SF server resolves to the AGEE VIP if you put it in IE on the SF server.

 

My problem is that I can't get to the AGEE VIP from my SF server or any server that sits in my internal network. If I go to a server in my DMZ, which is where my AGEE VIP is, I can get to the URL without issue. I assume this is a routing issue or something similar with my NetScaler.

 

UPDATE 6/3/14: I was able to resolve my issue by enabling 'MAC based forwarding' on my NetScaler under System > Settings > Configure modes. The option wasn't checked off, but once enabled and saved I was immediately able to connect to the AGEE VIP from my SF servers.



Hi Gavin.

In my case I solved this problem after removing "Trusted domains" in Authentication -> Pass-through from Netscaler Gateway -> Configure Trusted Domains.

  • Like 1

  • 2 months later...

I sort of got the same problem, although my Event ID 3 is a little bit different... Also I got the same event 7 and 10.

Triple-checked all settings and checked everything above here... can someone give me a push in the right direction?

 

The AG Web Service at: http://netscalerinternalip/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 8/22/2014 12:27:22 PM
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.5.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the NetScaler Gateway authentication service at http://netscalerinternalip/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The request failed with the error message:
--
<head><body> This object may be found <a HREF="https://externalfqdn/CitrixAuthService/AuthService.asmx">here</a> </body>
--.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
 


In StoreFront, go to NetScaler Gateway node. You'll see the Gateway object. Edit General Settings. Change the callback URL to a valid FQDN that matches the certificate on the Gateway vServer. If you need the FQDN to resolve to an internal IP, edit the HOSTS file on your StoreFront server.
