
Citrix Gateway with 'Advanced Authentication Policies', 'Two Factor nFlow' and 'Store Front' ends in 'Cannot complete your request'.


HP Groh


Hi Guys!

On Citrix Netscaler 'Gateway' I try to switch from 'Classic Authentication Policies' to 'Advanced Authentication Policies'.

So I started configuring Multi-Factor (LDAP + RADIUS for OTP) via nFlow as described here...

https://www.citrix.com/blogs/2021/08/04/citrix-tips-moving-off-deprecated-citrix-adc-features-for-citrix-gateway

The problem is that after adding the 2nd factor (RADIUS), after successful authentication and while forwarding to StoreFront I get back 'Cannot complete your request'.

If only the first factor (LDAP) is configured it works well.

I figured out that it is an SSO issue and I would have to check the 'Enable Single Sign On Credentials' checkbox in the loginschema of the 1st factor. With 'Enable Single Sign On Credentials' checked, SSO to StoreFront works without issue.

But to get this checkbox checked, I must use an ADC Advanced/Premium license, but I only have a Citrix Gateway License for production use.

Is there a workaround to solve this issue and to get Two-Factor Auth working with 'Citrix Gateway License', 'Advanced Authentication Policies' and 'Store Front'?

Please let me know.

Best Regards,

HP


  • 3 weeks later...
  • 5 months later...

Hello @Hemang Raval

I just stumbled upon an issue that to me appears to be just the same as that of HP Groh.

The difference is that I have a Standard license in my Netscaler and am trying to use Azure MFA (SAML) as the second factor, with on-prem LDAP being the first factor.

I cannot check the 'Enable Single Sign On Credentials' checkbox in the loginschema of the 1st factor and I keep getting the 'Cannot complete your request' no matter what I try to do.

Is this bug still not fixed? We are on 13.1 build 49.13.

Regards

Mika


Hello Hemang and thanks for responding!

I had not noticed that this builtin loginschema existed with SSO option enabled. That is certainly a nice addition for customers with Standard license.

But as you also pointed out, the DualAuth.xml will not work in scenarios such as the one I have. It would be great if you could also add a builtin loginschema with SSO enabled for SingleAuth.xml as well!

I would be very happy if you could get back with some input regarding this request.

Regards

Mika
