Patrick OBrien1709158713 Posted September 25, 2017

So I have a NetScaler Access Gateway configured with two LDAP policies, one for each of two domains. Logging in with an account that is in the first domain works without issue. Attempting to use an account from the domain tied to the second LDAP policy causes the "Cannot Complete Your Request" error to be displayed. It appears the NetScaler is able to authenticate against LDAP but somehow the domain name is not getting passed to StoreFront. The below error is appearing in the StoreFront server's log:

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed. The credentials supplied were; user: TestUser1 domain:

The "other settings" portion of the LDAP policy is configured like:

Server Logon Name Attribute: sAMAccountName
Search Filter: <blank>
Group Attribute: memberOf
Sub Attribute Name: cn
SSO Name Attribute: userPrincipalName

Any ideas?
CarlStalhood Posted September 25, 2017

Session Policies are responsible for sending the domain name. See http://www.carlstalhood.com/netscaler-gateway-12-ldap-authentication/#domains
Patrick OBrien1709158713 Posted September 26, 2017

We are attempting to use the userPrincipalName method as described on your site, but it isn't working. The NetScaler is able to do the LDAP authentication but the StoreFront server isn't receiving the UPN from the SSO Name Attribute. I opened a support case with Citrix yesterday who initially claimed that this configuration was not supported. It wasn't until I referenced step 26 of ctx207162 that he acknowledged it should be working. Running a debug on the NetScaler shows that it is pulling the UPN. Still waiting for a response from Citrix.
Imran Syed1709152750 Posted March 2, 2020

Hi Pobrien617, I understand that this post is from a few years ago. Could you please share with us the resolution to the above issue? We are facing the exact issue... :( Cheers
Patrick OBrien1709158713 Posted March 2, 2020

For us, we set "Server Logon Name Attribute" to "UserPrincipalName" and set "SSO Name Attribute" to "msDS-PrincipalName". As far as I understand it, "msDS-PrincipalName" is not an editable AD attribute, but AD generates it as "<Domain>\<UserSAMAccount>". Which means domain-specific credentials get passed back to StoreFront. At least for us, this has worked great! Hope that helps!
Imran Syed1709152750 Posted March 3, 2020

Thanks for your response. Appreciate it. For us the fix was to update the LDAP action and set "SSO Name Attribute" to sAMAccountName.
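The following is an added illustration for this thread, not Citrix or NetScaler code. It models only what the posts above establish: sAMAccountName carries no domain, so with that SSO Name Attribute the domain StoreFront sees can only come from the session policy's single sign-on domain (Carl's point), whereas msDS-PrincipalName is generated by AD as NETBIOS\sAMAccountName and so carries each user's own domain (Patrick's fix). The directory entries, domain names and the `audit` helper are constructed for the example; the thread does not establish how a userPrincipalName value is handled, so it is deliberately not modelled. The audit also flags the case where one session policy's single sign-on domain is applied to users authenticated by the other domain's LDAP policy, which produces a domain-qualified but wrong credential rather than the empty `domain:` seen in the original log line.

```python
"""Which user/domain pair a NetScaler Gateway LDAP action would hand to
StoreFront for CitrixAGBasic SSO, for each candidate SSO Name Attribute.

Added example for the forum thread; not Citrix/NetScaler code. Entries below
are constructed: two users, one per domain, with the attributes the thread
discusses. msDS-PrincipalName is computed by AD as NETBIOS\\sAMAccountName.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed AD entries. "authenticatedAgainst" records the NetBIOS domain of
# the LDAP action that actually verified the password (assumed for the model).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "TestUser1": {
        "authenticatedAgainst": "CORP",
        "sAMAccountName": "TestUser1",
        "msDS-PrincipalName": "CORP\\TestUser1",
    },
    "TestUser2": {
        "authenticatedAgainst": "PARTNER",
        "sAMAccountName": "TestUser2",
        "msDS-PrincipalName": "PARTNER\\TestUser2",
    },
}


@dataclass(frozen=True)
class SsoCredential:
    user: str
    domain: str  # "" reproduces the empty "domain:" in the StoreFront log


def sso_credential(entry: Dict[str, str], sso_name_attribute: str,
                   session_policy_domain: str = "") -> SsoCredential:
    """Derive the credential handed to StoreFront.

    A DOMAIN\\user value (msDS-PrincipalName) is split into its two parts.
    Any other value is treated as a bare logon name (sAMAccountName), which
    only the session policy's single sign-on domain, if set, can qualify.
    """
    value = entry[sso_name_attribute]
    if "\\" in value:
        domain, user = value.split("\\", 1)
        return SsoCredential(user=user, domain=domain)
    return SsoCredential(user=value, domain=session_policy_domain)


def storefront_log_line(cred: SsoCredential) -> str:
    """The 'credentials supplied' fragment of the StoreFront log entry."""
    return f"user: {cred.user} domain: {cred.domain}"


def audit(sso_name_attribute: str, session_policy_domain: str = "") -> List[str]:
    """One finding per user whose credential would not verify: either no
    domain at all, or a domain other than the one that authenticated them."""
    findings: List[str] = []
    for name, entry in DIRECTORY.items():
        cred = sso_credential(entry, sso_name_attribute, session_policy_domain)
        if not cred.domain:
            findings.append(f"{name}: no domain ({storefront_log_line(cred)})")
        elif cred.domain != entry["authenticatedAgainst"]:
            findings.append(
                f"{name}: domain {cred.domain} but authenticated against "
                f"{entry['authenticatedAgainst']}")
    return findings


if __name__ == "__main__":
    print("sAMAccountName, no SSO domain:   ", audit("sAMAccountName"))
    print("sAMAccountName, SSO domain CORP: ", audit("sAMAccountName", "CORP"))
    print("msDS-PrincipalName:              ", audit("msDS-PrincipalName"))
```

Running the script shows the three configurations side by side: sAMAccountName with no session policy domain yields the empty `domain:` from the first post for every user; a single session policy domain fixes one domain's users but mislabels the other's; msDS-PrincipalName needs no session policy domain at all because the attribute value already names the right domain for each account.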