After the upgrade of your ADC appliance you get “cannot complete your request”? If you updated to Citrix ADC version 13.0-64.35 to address CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247 (https://support.citrix.com/article/CTX281474), it is possible that despite a successful firmware update and a correct configuration, the login is no longer forwarded to the StoreFront.
One of the versions that fixes CVE-2020-8245, CVE-2020-8246 and CVE-2020-8247 is Citrix ADC and Citrix Gateway 13.0-64.35 or later. However, it is important to know that Citrix has made some adjustments in this version, which are also documented in the release notes. The main reason is to further harden the appliance and to better protect the systems.
https://docs.citrix.com/en-us/citrix-adc/downloads/release-notes-13-0-64-35.html
Support to disable the weak Basic, Digest, and NTLM authentication globally
The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally:
– Basic authentication
– Digest Access Authentication
– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.
[ NSAUTH-7747 ]
Cannot complete your request
After the update it is possible that the login forwarded from the Citrix ADC Gateway to the Citrix StoreFront suddenly no longer works, so Single Sign-on is broken. The Citrix StoreFront only returns: “Cannot Complete your Request”.
How to fix the Problem on Citrix ADC 13.0-64.35 (installed with 13.x)?
If you installed your appliance with version 13.x, the problem is easy to fix: you have to create the following traffic action and traffic policy and bind the policy to your Gateway vServer. You can do that with the following commands:
add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO true traf_act_SSO
bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
How to fix the Problem on Citrix ADC 13.0-64.35 (upgraded from 12.x)?
If, however, you did not install your appliance with version 13.x but upgraded from 11.x or 12.x, you have to take a slightly different approach. First check the policy type on your gateway: you cannot mix Classic with Advanced policies.
This is a good example of such an upgrade path. Fortunately the flash files are available.

You can easily find out by typing the following command.
show VPN TrafficPolicy
If the output shows that Classic policies are in use, you cannot apply the workaround as above.

In this case the following commands will help you to solve the problem.
add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO ns_true traf_act_SSO
bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100
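The check-then-apply procedure above (inspect the existing traffic policies, then use the Classic or the Advanced command set) as a small POSIX shell helper. This is an added example, not from the blog post or from Citrix: the `show VPN TrafficPolicy` output is constructed sample text and the Classic/Advanced detection is a heuristic on the rule expression (`ns_true` vs `true`), which is the difference the two command sets in this post rely on.

```shell
#!/bin/sh
# Added example (not from the post). Classifies the rule expressions found in
# "show VPN TrafficPolicy" output and prints the matching workaround commands,
# one bind per Gateway vServer. Samples below are CONSTRUCTED; only the
# "Rule:" lines are parsed, so the real output layout may differ elsewhere.

# Constructed sample: leftover Classic policy on a box upgraded from 12.x.
SAMPLE_CLASSIC='1)      Name: pol_old_sso
        Rule: ns_true
        Action: act_old_sso'

# Constructed sample: Advanced policy on a box installed fresh with 13.x.
SAMPLE_ADVANCED='1)      Name: pol_new_sso
        Rule: true
        Action: act_new_sso'

# Heuristic (assumption): Classic rules are named expressions such as ns_true
# or start with REQ./RES.; anything else (true, HTTP.REQ...) is Advanced.
# Prints classic, advanced, or none (no traffic policies in the output).
policy_mode() {
    rules=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Rule:[[:space:]]*//p')
    [ -n "$rules" ] || { echo none; return; }
    printf '%s\n' "$rules" | grep -Eq '^(ns_|REQ\.|RES\.)' && { echo classic; return; }
    echo advanced
}

# workaround_commands MODE VSERVER... : prints the commands from the post.
# Bind to the Gateway vServers only (not globally, not to SSL VPN vServers,
# where the post notes RDP SSO may break). With no existing policies the
# Advanced set is printed, matching the fresh-13.x instructions.
workaround_commands() {
    mode=$1; shift
    echo 'add VPN TrafficAction traf_act_SSO HTTP -SSO ON'
    case $mode in
        classic)
            echo 'add VPN TrafficPolicy traf_pol_SSO ns_true traf_act_SSO'
            for vs in "$@"; do
                echo "bind VPN vServer $vs -policy traf_pol_SSO -priority 100"
            done ;;
        *)
            echo 'add VPN TrafficPolicy traf_pol_SSO true traf_act_SSO'
            for vs in "$@"; do
                echo "bind VPN vServer $vs -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST"
            done ;;
    esac
}

# Example run against the constructed Classic sample for two gateways.
workaround_commands "$(policy_mode "$SAMPLE_CLASSIC")" gw_vs_1 gw_vs_2
```

Paste the printed lines into the ADC CLI after checking them; the helper only prints, it never executes anything.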
Now the login and the SSO should work normally again, and the error “Cannot complete your Request” should no longer occur. You can follow me on Twitter or check out my other blog posts.
Thanks for this!! I’ve been fighting this for a week.
I tried the commands but the first one did not work. I added a space between HTTP and -SSO and the policy created.
“add VPN TrafficAction traf_act_SSO HTTP -SSO ON”
I bound the policy to Global. Worked like a charm!!!
I think by binding it to global you have negated the fix for the vulnerability, it should be bound to your vservers.
The problem is, if you bind the workaround to an SSL VPN server, RDP SSO will probably break. The fix is only for Citrix StoreFront and Web SSO. You don't need to bind it to SSL VPN.
Hi! I’ve upgraded from 13.0-61.48 ( previous from 12.x, etc etc ), but I don’t have traffic policy, so I tried to create the traffic policy:
add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO true traf_act_SSO
bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
( I need to use true and not ns_true because when I bind the traffic policy to a virtual server I receive an error. Using true lets me bind the policy correctly ).
But I still have the same problem: cannot complete your request…
This when I try to connect to netscaler portal using both Clientless Access or Virtual App and Desktop Access.
I’ve three vserver. I need to create three different policy for every vserver?
Thanks in advance. Fabio.
Hey Fabio,
You only have to bind the policy to the 3 vservers. You don't have to create three different policies.
Thank you very much, although there are 2 small errors in your instructions: (for cut and paste lovers)
the first line is missing a space between “HTTP” and “-SSO”
In the third line you refer to traf_pol but previously you had called the policy traf_pol_SSO so the correct commands are:
add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO ns_true traf_act_SSO
bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
Thank you. Syntax is corrected. Time and no copy and Paste = 🙁
Thanks! Worked well and thanks to STAN for correcting the syntax (i.e. space between “HTTP -SSO”)
Thanks, already corrected
Thank you so much for this.
Thank you very much! I spent a lot of time to find a problem in my StoreFront, but it was ok! 😊
Thank you very much! Not easy to find, but exactly the solution we needed. This prevented our production update for several days. Citrix should make such announcements more clear.
Great! Thx
Thanks for this. Could not find this anywhere on Citrix site!
Hello,
here some notes from the field…..
you can easily set the traffic policy before updating the appliance. Don't forget to “savec” and sync the config if you happen to have a cluster. Disconnected sessions reconnect immediately if you implement the policy on the command line. If you have a XenMobile vServer on your box, the above commands will work with them like a charm. Yes… 13.0.64.35 breaks XM vServer backend communication as well…
Best regards and thank you very much for taking the time blogging and helping us guys out.
Thank you Martin. Thanks for sharing your experience.
I got an error running line 4 with classic policies.
ERROR: Invalid arguments for classic policy binding
Removed “-gotopriorityExpression END” from the command to get it to bind correctly.
Citrix Gateway is now working correctly.
That was already updated in the post. I think there was a problem with the cache of my website.
Thanks for your reply
Thanks a lot for your description!
I have the same problem and get the following error when entering the 3rd command:
> bind VPN vServer _XD_10.29.5.52_443 -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
ERROR: Invalid arguments for classic policy binding
Do you have an additional tip for me?
Thanks! Roland
Hi Roland,
you have to remove “-gotoPriorityExpression END -type REQUEST” from the Bind command.
Saved my bacon, thanks!
Hi
What would a more precise setting be, instead of TRUE ?
In conjunction with NS OTP, we have 2 traffic polices bound to the same Gateway, both have TRUE as value, so only the first is processed….
Hi Frank, what is the goal or usecase for your policies?
Feel free to send me an email to help you
I upgraded my NetScalers from 58.32 to 64.35. Now my (dns) name server effective state is down. I downgraded and it came back up. We have multiple NetScalers and the problem only exists on the NetScalers that run access gateways.
It’s very consistent and I can’t seem to get them up.
Hello, Thank you for the solution, it works
unfortunately, this solution breaks our VPN connection through a unified gateway, so I might have to wait for Citrix for a fix on this.