Authentication Issues with StoreFront & Netscaler

[Pearson VUE ATS]

We need to get this working as it's the first step in moving to the Netscaler/Storefront configuration and then we can complete our migration to XenApp 7.15 on Win16 (which is in progress).

 

Configuration:  Netscaler MPX 9700’s pointing to StoreFront 3.15 VM’s (Windows 2012), pointing to XenApp 6.5.

Issue:  Authentication failure when trying to login thru both Netscaler and Storefront.  Narrowed down via troubleshooting, seems the StoreFront is not passing traffic to domain for authentication.

What is logged in Event Logs on StoreFront Server:

Security Log:  

Event ID 4625            Unknown user name or bad password.

 

Citrix Delivery Services Log:       

An authentication attempt was made for user: testuser that resulted in: Failed (Windows Error Code: 1326)  Password expiry information was requested but none was returned.

 

StoreFront Splash error when accessing URL:  "Incorrect Username or Password"

DebugView log:  

• An authentication attempt was made for user: testuser resulting in: Failed (Windows Error: 1326)      
• Citrix.DeliveryServices.Explicit Warning: 0 :    
• Expiry information was requested, but none was returned  
• Citrix.DeliveryServices.Localisation Verbose: 0 :  
• ResXNamespacedResourceManager found value 'Incorrect user name or password' for key 'ExplicitCore:Failed'

 
    
Verified: 

• I can telnet the Domain Controller's/Active Directory from StoreFront over port 389, success.
• Loopback to onUsingHttp is set in StoreFront.
• None of these attempts are logged on the Domain Controller itself.

Any additional thoughts on how to troubleshoot this?

Thanks in advance.

[CarlStalhood]

In your Session Policy/Profile, is the Single Sign-on Domain configured on the Published Applications tab?

[Pearson VUE ATS]

Thank you for your reply.  We have multiple domains.  I've verified on the Netscaler's that I do not have Single-Sign on enabled.  I have also verified in the Manage Receiver for Web Sites configuration that I do not have Domain pass-through enabled.

 

The issue is if I bypass the NetScaler for troubleshooting, I end up with the same situation.  So it seems to be an issue on the StoreFront system.

 

 

[Daniel O Onyando]

Did we ever get a solution to this challenge, am experiencing the same.

[Pearson VUE ATS]

Hello.  Seems for me the issue was though at the authentication level in "Manage Authentication Methods" in Storefront, under the option for the Pass-through from NetScaler Gateway, under Configure Password Validation, I had not selected Delivery Controllers and do the 'configure' step to include Delivery Controllers.  Seems redundant, but I'm assuming these may be different systems in some environments.

 

Hope that helps.

[vadiraj joshi]

is thiere any update on the above issue

 

[Pearson VUE ATS]

Hello.  I understand a couple of you have run into the same issue.  Here is what I did to fix it.

 

Hello.  Seems for me the issue was though at the authentication level in "Manage Authentication Methods" in Storefront, under the option for the Pass-through from NetScaler Gateway, under Configure Password Validation, I had not selected Delivery Controllers and do the 'configure' step to include Delivery Controllers.  Seems redundant, but I'm assuming these may be different systems in some environments.

 

Hope that helps.

Thanks

[vadiraj joshi]

noop but this error is on user name and password page window, when my external users are coming via netscaler then tehy are facing this issue

 

[vadiraj joshi]

please check

[Pearson VUE ATS]

I suspect there is more than one reason for this, I know that I encountered a similar issue with my 6.5 environment.  I had a mismatch at the IIS level on the StoreFront system with the port being used, as I had 80 (default) instead of changing to 8080.  As this needs to match up to the loopback port set in StoreFront.  Once these matched, that was working.  Though I have the same problem with my XenApp 7.15 farm as it is using the same Storefront/NetScaler systems, but haven't solved it there. 

 

Maybe a place to start.

[vadiraj joshi]

Thanks appreciate your reply on the same..would like to tell you some information...when the new store is created it works fine  it gets opened. but once i configure trusted domain in authentication option  its starts giving error.

 

Although if i revert it back by removing the domain address from the trusted domain..then too it dosent work. it only work on the fresh store when i create.

 

[Pearson VUE ATS]

That is odd, what version of StoreFront are you using?  Are you setting single-sign on?  I didn't enable that since we have multiple domains.

[vadiraj joshi]

storefront 3.12.4000

 

yes sso is enabled.

[Pearson VUE ATS]

I'm using version 3.15.0.18019.  Perhaps something to do with the version?  Possible bug?  Does it work if you don't enable SSO?