Roel van Baaren Posted June 26, 2017
I've a configuration where I'm logging into Storefront through NetScaler. This works just fine when using LDAP authentication in NS, but when using SAML I get the following message in the "Citrix Delivery Services" eventlog:

A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.9.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()
System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: http://127.0.0.1/Citrix/AAGStoreAuth/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
at System.Net.HttpWebRequest.GetResponse()
at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
CarlStalhood Posted June 26, 2017
Did you implement Federated Authentication Service? http://www.carlstalhood.com/citrix-federated-authentication-service-saml/
Roel van Baaren Posted June 26, 2017
No, I did not. I followed this use case: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/integrating-netscaler-with-microsoft-azure-active-directory.pdf I'll look into your article tomorrow.
Roel van Baaren Posted June 27, 2017
I don't think your article applies. I'm trying to implement Azure AD authentication.
IT Support1709152897 Posted June 30, 2017
> I don't think your article applies. I'm trying to implement Azure AD authentication.

Did you get anywhere with this? I am having exactly the same problem.
Roel van Baaren Posted June 30, 2017
I've found the solution here: http://stealthpuppy.com/netscaler-azure-ad-conditional-access/ To fix that, remove the Single Sign-on Domain from the Session Policies bound to the virtual server.
IT Support1709152897 Posted July 3, 2017
> I've found the solution here: http://stealthpuppy.com/netscaler-azure-ad-conditional-access/

Hi, thanks, yes, I found that afterwards. Did you get a problem where the session opens but doesn't log you in? Mine sits on the login screen.
Roel van Baaren Posted July 3, 2017
No, my session logs in just fine.
IT Support1709152897 Posted July 3, 2017
Odd, OK. Thanks.
Roel van Baaren Posted July 3, 2017
Does your local userPrincipalName match your external (Azure AD?) userPrincipalName?
IT Support1709152897 Posted July 3, 2017
> Does your local userPrincipalName match your external (Azure AD?) userPrincipalName?

Yes, it's all synced as we also use Office 365. Did you make any changes to your Storefront other than enable smartcard login for delegated validation?
Roel van Baaren Posted July 3, 2017
Just to make sure, your login name for Office365 matches the UPN you see when you execute this command in a command prompt?

whoami -upn

Your local UPN and Office365 login don't necessarily have to match when syncing. Your local UPN could be john@contoso.local and your Office365 login could be john@contoso.com.
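The check Roel describes with `whoami -upn` covers one account at a time. The script below is an added example (not posted in this thread and not Citrix or Microsoft code) that does the same comparison for every user in an OU: it looks up each on-prem AD account's synced Azure AD object and reports where the two UPNs differ, or where no synced object exists at all. It assumes the ActiveDirectory and AzureAD PowerShell modules are installed, that `Connect-AzureAD` has already been run, that Azure AD Connect uses objectGUID as the sourceAnchor (so the Azure AD `ImmutableId` is the Base64 form of the on-prem objectGUID), and it uses a placeholder OU path.

```powershell
# Added example, not from the thread: find on-prem users whose AD UPN differs from
# the UPN of their synced Azure AD object (the mismatch Roel describes, e.g.
# john@contoso.local on-prem versus john@contoso.com in Office 365).
# Assumptions: ActiveDirectory and AzureAD modules are installed, Connect-AzureAD
# has already been run, and Azure AD Connect anchors on objectGUID, so ImmutableId
# in Azure AD is the Base64 form of the on-prem objectGUID. Tenants anchored on
# mS-DS-ConsistencyGuid would compute $anchor from that attribute instead.
Import-Module ActiveDirectory
Import-Module AzureAD

function Find-UpnMismatch {
    param(
        # Placeholder search base; replace with the OU that holds the synced users.
        [string]$SearchBase = 'OU=Users,DC=contoso,DC=local'
    )

    # Index every synced cloud user by ImmutableId so each on-prem lookup is a hash hit.
    $cloudByAnchor = @{}
    foreach ($cu in Get-AzureADUser -All $true) {
        if ($cu.ImmutableId) { $cloudByAnchor[$cu.ImmutableId] = $cu.UserPrincipalName }
    }

    # ObjectGUID and UserPrincipalName are both returned by Get-ADUser by default.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
        ForEach-Object {
            $anchor   = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
            $cloudUpn = $cloudByAnchor[$anchor]

            # -ne is case-insensitive in PowerShell, which is what a UPN comparison needs.
            if (-not $cloudUpn)                          { $status = 'NotSynced' }
            elseif ($cloudUpn -ne $_.UserPrincipalName)  { $status = 'Mismatch' }
            else                                         { $status = 'OK' }

            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                OnPremUpn      = $_.UserPrincipalName
                CloudUpn       = $cloudUpn
                Status         = $status
            }
        } |
        Where-Object { $_.Status -ne 'OK' }
}

# Usage: list the accounts to look at first when a SAML logon sits at the login screen.
Find-UpnMismatch | Format-Table -AutoSize
```

Accounts reported as `Mismatch` are the ones where the identity asserted by Azure AD in the SAML response will not line up with the on-prem UPN that StoreFront resolves, so they are the first candidates to examine; `NotSynced` accounts have no cloud object to authenticate with in the first place.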
IT Support1709152897 Posted July 3, 2017
> Just to make sure, your login name for Office365 matches the UPN you see when you execute this command in a command prompt?
>
> whoami -upn
>
> Your local UPN and Office365 login don't necessarily have to match when syncing. Your local UPN could be john@contoso.local and your Office365 login could be john@contoso.com.

I think FAS might be causing the problem. I assume you implemented that for the SAML authentication to the Storefront? It seems to be where it's all failing. My UPN matches all the way through.
Roel van Baaren Posted July 3, 2017
Netscaler does the SAML authentication for me.
IT Support1709152897 Posted July 3, 2017
> Netscaler does the SAML authentication for me.

Interesting, as I didn't want to put in FAS anyway. It's going to be something stupid. Thanks for your help.
Julian Mooren1709156280 Posted January 10, 2020
I ran into the same issue during a Citrix FAS implementation. Make sure you use a separate Callback Gateway. Because of the SAML redirect to ADFS/AzureAD, the callback process from StoreFront will not be successful. Citrix FAS is not working without a configured Callback URL.