Netscaler passthrough (SSO) to Storefront does not authenticate multiple domain users


Gregory Moore

Hi everyone:

 

I'm running into an authentication issue with multiple domains and StoreFront 3.12.

 

If a user logs in with their North America account, they can get to their Citrix resources in storefront without issue. However, if a user has multiple domains and he/she tries to access the environment with anything OTHER than the NA account, they get an error as below from Citrix Authentication on the storefront server:

 

 

Here is what the event log says on the storefront server:

Citrix Receiver for Web error:

* A CitrixAGBasic Login request has failed.
* Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null
* Authenticate encountered an exception. at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)  at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()
* System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
* The remote server returned an error: (403) Forbidden.
* Url: https://storefront-b.domain.com/Citrix/INT_STORE_NAAuth/CitrixAGBasic/Authenticate
* ExceptionStatus: ProtocolError
* ResponseStatus: Forbidden
* at System.Net.HttpWebRequest.GetResponse()
* at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
* at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders) at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

Citrix Authentication Service error:

* CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.
* The credentials supplied were; user: GMOORE1SEC
* domain: multi.domain.com - removed the real domain name for security reasons here.

From the storefront page, the user gets "Cannot Complete your Request" due to the error.

 

On the NetScaler, the users authenticate just fine. There are two policies, one for each domain, and the NA policy is first. The non-NA account passes through that policy and hits the domain policy it is a member of, and the NetScaler passes creds.

 

On the storefront server, I have the authentication method set to ANY DOMAINS so that there is no restriction.

 

Anyone have any ideas or know of a way to resolve this? I'm thinking maybe there's a configuration I need to make in the config file for the store.

 

Please advise and thank you.

All, after working with my Load Balancing team, we were able to figure this out for OUR ENVIRONMENT.

 

What I ended up having to do was the following:

 

On the storefront server - for authentication I went ahead and added the necessary domains that were in the environment. At the configure store settings window, I unchecked the Require token consistency box. Make sure you apply the settings, make the same changes on any other stores, and then propagate to your other servers if you have more than one storefront server.

 

On the NetScaler appliance, the following settings were made:

* At the LDAP server setting for the second domain, under server settings change the sAMAccountName entry under the SSO name attribute to userPrincipalName

* On the virtual gateway server, edit the session policies by going into the Published Applications tab of the session profile and UNCHECK the Single Sign-on Domain.

* Save the configuration and test

 

Once this was applied, I could sign in with any domain\user that has authorization.

 

Remember, your environment may be different than what this solution solves.
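The two NetScaler changes from the post above, written out as NetScaler CLI commands so they can be scripted or checked after the fact. This is an added example, not from the original post; `LDAP_DOMAIN_B` and `SESS_STOREFRONT` are placeholder names for the second domain's LDAP action and the Gateway session profile, and the StoreFront-side steps (adding the domains, clearing Require token consistency) are still done in the StoreFront console as described.

```nscli
# Added example, not part of the original post. Object names are placeholders.

# 1. LDAP server for the second domain: change the SSO Name Attribute from
#    sAMAccountName to userPrincipalName, so the user name handed to StoreFront
#    carries its domain suffix (user@domain) rather than the bare account name.
set authentication ldapAction LDAP_DOMAIN_B -ssoNameAttribute userPrincipalName

# 2. Session profile bound to the Gateway vserver: clear the fixed
#    Single Sign-on Domain (Published Applications tab in the GUI) so the
#    domain from the user's own credentials is passed through instead.
unset vpn sessionAction SESS_STOREFRONT -ntDomain

# 3. Confirm both objects now show the new values, then persist the config.
show authentication ldapAction LDAP_DOMAIN_B
show vpn sessionAction SESS_STOREFRONT
save ns config
```

Check the `show` output for `ssoNameAttribute: userPrincipalName` and for no `ntDomain` value on the session action before testing a non-NA login.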

On 3/18/2019 at 11:02 PM, Gregory Moore said:

On the NetScaler appliance, the following settings were made:

* At the LDAP server setting for the second domain, under server settings change the sAMAccountName entry under the SSO name attribute to userPrincipalName

* On the virtual gateway server, edit the session policies by going into the Published Applications tab of the session profile and UNCHECK the Single Sign-on Domain.

* Save the configuration and test

 

Once this was applied, I could sign in with any domain\user that has authorization.

 

Remember, your environment may be different than what this solution solves.

 

Thanks for sharing! That made it work after upgrade from 1912 LTSR CU5 to 2203 CU0.
