NetScaler 10.5 and Web Interface

Started by jsalian9 , 12 August 2017 - 08:59 PM
2 replies to this topic

jsalian9 Members

Jimmy Salian
  • 46 posts

Posted 12 August 2017 - 08:59 PM

Hello,

I have configured NetScaler 10.5 and Web Interface. I get the login page, and after user authentication I get error 401 invalid credentials.
I can access the CAG URL from the Web Interface without any errors and get the logon page.

SNIP is able to communicate to Web Interface on 80
Web Interface is able to communicate to CAG FQDN

Test from CAG FQDN fails post user login, error 401 credential invalid

Event log 18001 logged on Web Interface.

Any other checks? Web Interface is on Windows 2008 R2.

Session policy contains domain name; tried NetBIOS and FQDN
Session policy is http://web interface/citrix/xenapp

Any suggestions?

Rhonda Rowland Members

Rhonda Rowland
  • 259 posts

Posted 12 August 2017 - 11:34 PM

To troubleshoot, you'll need to provide more information - it's helpful to be able to confirm the WI config settings and the gateway session policy and authentication policy details.

If you are load balancing WI, confirm your LB method and persistence.  Also, are you load balancing WI from the same box as Gateway? (This might matter in certain configuration scenarios.)

Things you would want to verify in the config:

On the NS Gateway, include your actual session policy details. And check the following:

  • Is the NetScaler properly configured with DNS and able to resolve and reach the WI address (FQDN), and is your WI on HTTPS or HTTP (as HTTPS would be strongly recommended)?
  • Is your LDAP policy (or other authentication policy) working properly? You can sometimes test by using it for system authentication, or you can confirm authentication by viewing the aaad.debug output from shell:  cat /tmp/aaad.debug
  • Does your session policy include the correct WI address, SSON domain, and allow authorization settings (on the security tab for that last one)?
  • Is the "enable passthrough to web apps" setting (or similar wording) enabled on the client experience tab?
  • Does the Gateway have the correct list of STAs (individual XML brokers with correct protocol/port for the XA/XD environment)?
  • Does your Gateway have a valid certificate signed by the Domain CA or other trusted internal or public CA?  Note self-signed certs generated by the NetScaler almost never work for testing VPN/ICA Proxy functions.

On the WebInterface:

  • Is the website properly configured for Remote Access with Gateway, with the correct Gateway FQDN and callback address if required?
  • Does the Web Interface have the correct Farm/Site integration with the correct list of XML Brokers?
  • Does the Web Interface have the correct list of STAs as well?
  • Are you using separate WI sites for external access vs internal?  Or are you trying to do both on one?  If so, more considerations come into play.

Logs you can look at to troubleshoot:

  • On the NetScaler Gateway, view the aaad.debug (shell; cd /tmp; cat aaad.debug) to verify the NetScaler authentication process is or isn't working.
  • Also on the NetScaler, view syslog to see if any other events occur during the connection attempt:  (shell; cd /var/log; tail -f /var/log/ns.log | grep -v CMD_EXECUTED)  (this will keep the output of syslog as a live output but will exclude your configuration commands via the GUI or CLI; other filters are possible)
  • On the Web Interface, view the event viewer and check both the Application and System log for events from Web Interface; if the gateway is authenticating successfully but the logon is failing at Web Interface due to a WI or XML issue, you might see issues here.  I don't recall if there is a WI-specific log in the event viewer, but check for one.
  • On the XA/XD controller(s) acting as your XML broker, view their event viewer as well.  WI depends on the XML service to complete user authentication, so an XML or controller issue will affect WI.


jsalian9 Members

Jimmy Salian
  • 46 posts

Posted 14 August 2017 - 09:48 AM

Hi Rhonda,

Thanks for the detailed info. I have managed to fix the issue: I had to change the WI IP address to FQDN in the NetScaler, and that resolved the 401 HTTP error.

Regards.
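
The session-policy checks from the answer, together with the IP-versus-FQDN change that resolved this thread, as an added example that is not part of any post. It assumes the Gateway configuration has been saved to text in the usual `add vpn sessionAction ...` form with unquoted-space-free values; the action names, domain and hosts in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit "add vpn sessionAction" lines from a saved NetScaler config.
# Reads config text on stdin and prints one finding per line: <action>: <problem>
# Assumption: option values contain no spaces (fields are split on whitespace).

audit_session_actions() {
  awk '
    # Return the value that follows a flag such as -wihome, quotes stripped.
    function opt(flag,   i, v) {
      for (i = 1; i < NF; i++)
        if ($i == flag) { v = $(i + 1); gsub(/"/, "", v); return v }
      return ""
    }
    $1 == "add" && $2 == "vpn" && $3 == "sessionAction" {
      name = $4
      wi = opt("-wihome")
      if (wi == "") {
        print name ": no -wihome (WI address) set"
      } else {
        host = wi
        sub(/^[a-zA-Z]+:\/\//, "", host)    # drop the scheme
        sub(/[\/:].*$/, "", host)            # drop port and path
        if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
          print name ": -wihome uses IP " host ", use the WI FQDN"
        if (wi ~ /^http:\/\//)
          print name ": -wihome is HTTP, HTTPS recommended"
      }
      if (opt("-ntDomain") == "")
        print name ": no -ntDomain (SSON domain)"
      if (opt("-SSO") != "ON")
        print name ": -SSO (passthrough to web apps) not ON"
      if (opt("-defaultAuthorizationAction") != "ALLOW")
        print name ": -defaultAuthorizationAction not ALLOW"
    }
  '
}

sample_config() {   # constructed sample lines, not taken from the thread
  cat <<'EOF'
add vpn sessionAction act_ip -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://192.0.2.10/Citrix/XenApp" -ntDomain corp
add vpn sessionAction act_fqdn -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://wi.example.com/Citrix/XenApp" -ntDomain corp
add vpn sessionAction act_bare -icaProxy ON -wihome "https://wi.example.com/Citrix/XenApp"
EOF
}

sample_config | audit_session_actions
```

To run it against a real appliance, pipe a copy of the saved configuration into `audit_session_actions` instead of `sample_config`.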