Forbidden logging into Storefront through NetScaler using SAML


I've a configuration where I'm logging into Storefront through NetScaler. This works just fine when using LDAP authentication in NS, but when using SAML I get the following message in the "Citrix Delivery Services" event log:

 

A CitrixAGBasic Login request has failed.

Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.9.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()
 
System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
 

 


Just to make sure, your login name for Office365 matches the UPN you see when you execute this command in a command prompt? whoami -upn

 

Your local UPN and Office365 login don't necessarily have to match when syncing. Your local UPN could be john@contoso.local and your Office365 login could be john@contoso.com.


Just to make sure, your login name for Office365 matches the UPN you see when you execute this command in a command prompt? whoami -upn

 

Your local UPN and Office365 login don't necessarily have to match when syncing. Your local UPN could be john@contoso.local and your Office365 login could be john@contoso.com.

I think FAS might be causing the problem. I assume you implemented that for the SAML authentication to the storefront? It seems to be where it's all failing.

My UPN matches all the way through.
