Cannot complete your request error when accessing StoreFront via GSLB domain

[Jesus Martin]

Hi everyone,

 

We are in progress right now of making our Citrix environment an Active Active setup using Netscaler GSLB between our 2 Sites/Datacenters. I configured Netscalers in each site which also load balanced our StoreFront Servers. Authentication Pass-Through was also configured from each Netscaler to StoreFront and tested without problems. SSL Certs were installed in all StoreFront Servers, tested via browser and no error.

 

My issue is when I access our GSLB domain “https://citrix.mydomain.com” which load balances our traffic between our 2 Sites/Datacenters. I can successfully login to Netscaler Unified Gateway but seems like pass-through going to StoreFront is not working properly, see below Event Log from StoreFront:

 

 

A CitrixAGBasic Login request has failed.

Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.9.0.0, Culture=neutral, PublicKeyToken=null

Authenticate encountered an exception.

   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

 

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

The remote server returned an error: (403) Forbidden.

Url: http://127.0.0.1/Citrix/MTG-AppStore1Auth/CitrixAGBasic/Authenticate

ExceptionStatus: ProtocolError

ResponseStatus: Forbidden

   at System.Net.HttpWebRequest.GetResponse()

   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)

   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)

   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

 

 

I did tried below fixes from the forum but didn’t work. Hope someone can help me figure this out.

 

1.       Checked the NetScaler LDAP policy/server Single Sign-on Attribute field It should be blank as per this site: https://www.mycugc.org/p/fo/et/thread=1104

2.       Changed Loopback Option in StoreFront to “OnUsingHTTP”. Site:

http://docs.citrix.com/en-us/storefront/3-11/plan.html

 

Thanks..

 

 

 

 

[CarlStalhood]

Do you use SmartAccess? If not, you can remove the Callback URL from your StoreFront > Gateway configuration.

[Jesus Martin]

Thanks Carl! It works now.

[Salman Mahmood]

I had the same issue, and I didn't configure Callback URL. The way I resolved it was by editing web.config under inetpub > wwwroot > Citrix > StoreFrontWeb.

 

In web.config I commented below line:

<add method="CitrixAGBasic" />

 

Here is the snippet:

<citrix.deliveryservices>

    <webReceiver>

      <serverSettings>

        <authentication tokenLifeTime="08:00:00" locationURL="Authentication/GetAuthMethods">

          <authMethods>

            <clear />

            <add method="ExplicitForms" />

            <!--<add method="CitrixAGBasic" />-->

          </authMethods>

        </authentication>

[Elmer Vargas1709161663]

Hi Carl, I have the same issue but in my case I am using smartaccess, any recommendation?

[Elmer Vargas1709161663]

On 6/16/2017 at 11:46 PM, Carl Stalhood1709151912 said:

Do you use SmartAccess? If not, you can remove the Callback URL from your StoreFront > Gateway configuration.

 

Hi Carl, I have the same issue but in my case I am using smartaccess, any recommendation?