Educational ICT Virtualisation Specialist

Twitter LinkedIn E-mail
Precedence Technologies Ltd
Technology House, 36a Union Lane
Cambridge, CB4 1QB, United Kingdom
T: +44 (0)8456 446 800 / +44 (0)1223 359900
F: +44 (0)8456 446 899 / +44 (0)1223 359459
E: enquiries@precedence.co.uk
NetScaler-SSOBreak

Jump To: Support > KB > Citrix > NetScaler > SSOBreak

Cannot complete your request with Gateway after upgrading to 13.0-64.35. Also, SSL VPN does not work properly

N.B. The StoreFront problem only applies to 13.0-64.35 as the release notes state the following (SSL VPN users, please continue reading):

StoreFront SSO configuration is impacted (disabled) only for 13.0 build 64.35 The configuration will not be impacted in the future 13.0 builds.

The Could not complete your request error can also be caused by the same problem that leads to Internal Server Error 43531. If you are not running 13.0 build 64.35 (and why would you now that there are newer versions?), check to see whether that is the cause.

From ADC version 13.0-64.35 and above some single sign on (SSO) type are disabled globally. When SSO fails, you will see a Cannot complete your request error from StoreFront after successfully authenticating to NetScaler. Internal requests that go directly to StoreFront will continue to work successfully. A clue to the problem is hidden in the release notes for 64.35:

https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/enable-sso-for-auth-pol.html

N.B. there are many other ways to break SSO leading to the same symptoms (such as STAs not matching between the Gateway configuration in Storefront and the Gateway virtual server on NetScaler or invalid callback address specified for the Gateway in StoreFront). This article specifically relates to a system that was working on an earlier Netscaler release that failed immediately after upgrading to 13.0-64.35.

The fix is to define a VPN policy that enables SSO that you apply specifically to your Gateway virtual servers. From the NetScaler CLI (on the primary if a HA pair), run the following to define a policy called vpn_tf_pol:

add vpn trafficaction vpn_tf_act http  -SSO ON
add vpn trafficpolicy vpn_tf_pol true vpn_tf_act

Then for each of your Gateway virtual servers apply the policy. Replace VSERVER_NAME with the name of the vServer:

bind vpn vserver VSERVER_NAME -policy vpn_tf_pol -priority 65345

Remember to save your configuration:

save ns config

As mentioned above, if you upgrade to a later ADC version, as recommended to keep on top of security advisories (e.g. 13.0-71.44), you can remove this setting.

SSL VPN

The above traffic policy is for HTTP only and this has an impact on SSL VPN users. The connection will be made, but you will not be able to connect to any services except for HTTP and HTTPS (e.g. RDP will not work). N.B. This is still true for all new 13.0 releases

To workaround this, run the following to define and apply a policy called vpn_tcp_pol:

add vpn trafficaction vpn_tcp_act tcp  -SSO ON
add vpn trafficpolicy vpn_tcp_pol true vpn_tcp_act

Then for each of your Gateway virtual servers apply the policy. Replace VSERVER_NAME with the name of the vServer:

bind vpn vserver VSERVER_NAME -policy vpn_tcp_pol -priority 65344

References

© Copyright Precedence Technologies 1999-2021
Page last modified on August 04, 2021, at 10:24 AM by sborrill