RICHARD INNES1709151451, posted January 29, 2020

I am configuring SSPR functionality for a customer using the latest ADC build of 13.0 (47.24). Everything was working using the registration schema that was created using system defined questions and alternate email. The customer then requested that they didn't want the questions and preferred to only have the email registration. I believe this was possible from version 12. build 51.x going by the information in Citrix docs.

When I change over the authentication schema to AltEmailRegister.xml and then try to do the registration as a user, the initial authentication works and then I get a 'Cannot complete request' message after entering the e-mail address for the registration. The ns.log shows an error saying 'unable to contact external authentication server'.

Does anyone have this working with only using the e-mail registration?

Thanks

RICHARD INNES1709151451 (Author), posted February 24, 2020

Any ideas, does anyone have the e-mail registration working without the questions? I see the following in the log when this fails. This has been tested on a few different builds and always get the same issue.

"default AAA LOGIN_FAILED 1374 0 : User joe.bloggs@365-domain.co.uk - Client_ip 192.168.119.188 - Failure_reason "Unable to contact external authentication server" - Browser Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36

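To see how often this particular failure reason occurs and for which users, the ns.log entries can be filtered by the `Failure_reason` field. The following is an added example, not part of the original post; the regular expression is modelled only on the fragment quoted above, and the sample lines, users and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Shape of the AAA LOGIN_FAILED fragment quoted in the thread. Anything that
# precedes "AAA LOGIN_FAILED" on a line (timestamp, host, ...) is ignored.
LOGIN_FAILED = re.compile(
    r'AAA LOGIN_FAILED \d+ \d+ :\s+User (?P<user>\S+)'
    r' - Client_ip (?P<ip>\S+)'
    r' - Failure_reason "(?P<reason>[^"]*)"'
)

# Failure reason reported in the thread for the e-mail-only registration.
BACKEND_REASON = "Unable to contact external authentication server"


def parse_failures(lines):
    """Yield (user, client_ip, reason) for every LOGIN_FAILED line."""
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("reason")


def backend_failures(lines):
    """Map user -> {"count": n, "ips": sorted client IPs} for BACKEND_REASON."""
    hits = defaultdict(lambda: {"count": 0, "ips": set()})
    for user, ip, reason in parse_failures(lines):
        if reason == BACKEND_REASON:
            hits[user]["count"] += 1
            hits[user]["ips"].add(ip)
    return {u: {"count": v["count"], "ips": sorted(v["ips"])}
            for u, v in hits.items()}


# Constructed sample lines (not real log data), same shape as the fragment.
_FMT = ('default AAA LOGIN_FAILED {n} 0 : User {u} - Client_ip {ip}'
        ' - Failure_reason "{r}" - Browser Mozilla/5.0')
SAMPLE = [
    _FMT.format(n=1374, u="alice@example.com", ip="192.0.2.10", r=BACKEND_REASON),
    _FMT.format(n=1380, u="alice@example.com", ip="192.0.2.11", r=BACKEND_REASON),
    _FMT.format(n=1391, u="bob@example.com", ip="192.0.2.22",
                r="constructed other reason"),
    'default AAA Message 1392 0 : "constructed line, not a login failure"',
]

if __name__ == "__main__":
    for user, info in backend_failures(SAMPLE).items():
        print(user, info["count"], ", ".join(info["ips"]))
```
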
Dominik Schikora1709154095, posted April 24, 2020

Hello richard.inn3s,

did you find a solution for your problem? I have the same problem.

Best regards
Dominik

RICHARD INNES1709151451 (Author), posted April 24, 2020

Hi Dominik,

I did not, unfortunately. I eventually asked the customer to raise a support ticket with Citrix support and they couldn't provide a resolution either. At this point the customer has agreed to continue with both questions and e-mail validation. I am hoping this will be resolved in a later build and documented, as I spent a few days trying to get this functioning properly.

Thanks,
Richard

Javier Vazquez, posted June 2, 2020

Hi,

Have you set a user with rights in AD Parameter (Alternate Email) configured in LDAP Server?

In addition, you need to bind a wildcard cert in the CLI. This is necessary to encrypt parameter settings: bind vpn global -userDataEncryptionKey YourWildCardCert.

Regards,
Javier

Gowrishankar Natesan, posted June 21, 2020

On 6/2/2020 at 3:35 PM, Javier Vazquez said:

> Hi,
>
> Have you set a user with rights in AD Parameter (Alternate Email) configured in LDAP Server?
>
> In addition, you need to bind a wildcard cert in the CLI. This is necessary to encrypt parameter settings: bind vpn global -userDataEncryptionKey YourWildCardCert.
>
> Regards,
> Javier

Dominik Schikora1709154095, posted June 22, 2020

Hello Systemsu4,

Yes, I did all you mentioned. The alternative e-mail in combination with KBA is working, but not alone. I opened a case with Citrix and they are working on a solution.

Best regards
Dominik

RICHARD INNES1709151451 (Author), posted June 22, 2020

Sounds like the same as I'm seeing Dominik, could never get it working with only the e-mail registration. Would be interested to hear what Citrix support say.

Regards,
Richard

Javier Vazquez, posted June 22, 2020

2 minutes ago, RICHARD INNES1709151451 said:

> Sounds like the same as I'm seeing Dominik, could never get it working with only the e-mail registration. Would be interested to hear what Citrix support say.
>
> Regards,
> Richard

Yes, if you look at DA Attribute, you can see {"KBA":"ENCRYPTEDDATA......"}

Change this to {"AlterEmail":ENCRYPTEDDATA......."} and it runs....

I think this is a bug...

Dominik Schikora1709154095, posted June 22, 2020

Hello Richard,

the status of the case is: "Status: Code fix done, testing and validation in progress", so I am positive for a fix in the near future. I will keep you posted.

Best regards
Dominik

RICHARD INNES1709151451 (Author), posted June 22, 2020

2 hours ago, Javier Vazquez said:

> Yes, if you look at DA Attribute, you can see {"KBA":"ENCRYPTEDDATA......"}
>
> Change this to {"AlterEmail":ENCRYPTEDDATA......."} and it runs....
>
> I think this is a bug...

Thanks, will try changing that in lab to see if it fixes.

2 hours ago, Dominik Schikora1709154095 said:

> Hello Richard,
>
> the status of the case is: "Status: Code fix done, testing and validation in progress", so I am positive for a fix in the near future. I will keep you posted.
>
> Best regards
> Dominik

Thanks for that Dominik

Regards,
Richard

Dominik Schikora1709154095, posted July 1, 2020

Hello,

the case status changed to "Status - Code fix done and deployed in 13.0, expect to have this fix in 13.0.63.x and above, will update on 12.1 version details once confirmed".

Best regards
Dominik

Simon Kaeppeli, posted July 24, 2020

Hi Dominik,

On 7/1/2020 at 7:44 AM, Dominik Schikora1709154095 said:

> Status - Code fix done and deployed in 13.0, expect to have this fix in 13.0.63.x and above, will

The newest 13.0 build is far away from 63.x, did you mean or did they mean 12.0.63.x?

I have a customer who wants to implement the solution, but also just with e-mail. Or did you already get an update on your case?

Thanks,
Simon

RICHARD INNES1709151451 (Author), posted August 11, 2020

Release notes for latest version of 13.0. Looks promising, haven't had the chance to test yet.

Quote:

> The issues that are addressed in Build 13.0-61.48.
>
> Authentication, authorization, and auditing
>
> The _AltEmailRegister.xml_ login schema used for alternate email ID registration does not work as intended. [ NSHELP-22912 ]

nlffel439, posted March 16, 2022

I am stuck on the same problem.

Normal login with password and specifying the answers works. Forgot password, click on mail address and answer questions works, but then the same error as at the beginning of the post and the same error message in the log.

Does anyone have a solution to this?

Version 13.0 84.11