Case Study: Access Denied When Authenticating to MetaFrame Secure Access Manager

Document ID: CTX106980   /   Created On: Jun 29, 2005   /   Updated On: Nov 21, 2007

Problem Definition

An “Access Denied” error message occurs in MetaFrame Secure Access Manager when one of the following takes place:

• You have upgraded Logon Agent 2.1 to Logon Agent 2.2 to provide the Advance Gateway client for email synchronization, and the password contains non-alphanumeric characters.

• Your user account, whose password is about to expire, is locked out and you log in from the Logon Agent.

• The Authservice fails to handle authentication requests from Logon Agent.

• There are possible problems with SecurityBroker.dll.

Environment

• MetaFrame Secure Access Manager 2.x on Windows 2000 or 2003 with .NET Framework 1.x

• Secure Gateway 2.x with Logon Agent 2.x

Troubleshooting Methodology

Knowing a little about the authentication process and the authentication points of MetaFrame Secure Access Manager helps you decide which discovery process to follow to narrow down your specific problem.

Logon Agent authentications - This authentication point is mainly used when MetaFrame Secure Access Manager is on an internal network behind an external interface such as a Secure Gateway server. Logon Agent is an IIS folder containing ASP pages that forward the authentication credentials to the Authservice, a Web service running on the Access Center. The Web service performs the authentication against the Access Center by wrapping the credentials in a call to CDS.dll, which in turn calls securitybroker.dll. If the user passes the authentication checks, they are granted access to the Access Center.

Logon Agent can be installed on the same server as Secure Gateway or on a remote server. Communication between the client’s browser and the Secure Gateway server must be secured with SSL (https). Usually the path is https://secure.gateway.ctx/logonagent.

Version limitations:

• Ver 2.0 – This version does not support change of password, for password expiration in x days.

• Ver 2.1 – This version added support for change of password, for password expiration in x days, but not for password change at next logon.

• Ver 2.2 – This version added support for use of the Advance Gateway client mainly used for email synchronization. The Logon Agent and the Secure Ticket Authority (STA) were the only components that were upgraded in this release.

MetaFrame Secure Access Manager Access Center authentications - This authentication point lies entirely within the MetaFrame Secure Access Manager Web servers; requests are handled via CDS.dll and then SecurityBroker.dll. The MetaFrame Secure Access Manager Web server also hosts the Authservice Web service, which handles Logon Agent authentication requests to the Access Center.

Version limitations:

• Ver 2.0 – Change password at next logon does not work in this version. Authservice is not able to notify the Logon Agent that a user password is about to expire.

• Ver 2.1 – All known issues were resolved for internal authentications.

• Ver 2.2 – Authservice is not able to handle htmlencode requests. There is a workaround for this issue, as explained in article CTX104788 – Error: Access Denied... with the Logon Agent and Password with the plus (+) character.

To handle the problem definitions above:

1. See article CTX104788 – Error: Access Denied... with the Logon Agent and Password with the plus (+) character, which goes over the resolution to this problem scenario.

2. Check at which logon point this error is occurring against the limitations of each MetaFrame Secure Access Manager version, as listed above.

3. Review the IIS logs for the status code returned by IIS; it should always be 200. If it is anything else, look up the meaning of that “http status code” at http://msdn.microsoft.com/ before proceeding.

In a few cases, citrix.authservice.dll needed to be replaced with a version that sets the KeepAlive=false property on the HTTP request to regain authentication stability in the user’s environment. The true cause of why this worked was not determined.

4. If problems exist with SecurityBroker.dll, there will be authentication problems for both types of logon points, Logon Agent and Access Center logons. Use Process Explorer from Sysinternals to check whether SecurityBroker.dll is loaded while authentication is taking place. See http://www.sysinternals.com/ for a description of this tool.
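As an added example that is not part of the original article, the IIS log check in step 3 can be scripted: the code below parses IIS W3C extended log lines and lists every request under the Logon Agent folder whose status is not 200, together with the IIS substatus and Win32 status that help narrow down the cause. The sample log lines, page names, addresses and times are constructed for illustration.

```python
import io

# Constructed IIS W3C extended log sample (not from the article); the page
# names, IP addresses and times are invented for illustration.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-06-29 12:00:01 10.0.0.5 GET /logonagent/default.asp - 443 - 10.0.0.20 Mozilla/4.0 200 0 0
2005-06-29 12:00:03 10.0.0.5 POST /logonagent/default.asp - 443 - 10.0.0.20 Mozilla/4.0 200 0 0
2005-06-29 12:00:07 10.0.0.5 POST /logonagent/default.asp - 443 - 10.0.0.21 Mozilla/4.0 500 0 0
2005-06-29 12:00:09 10.0.0.5 GET /logonagent/default.asp - 443 - 10.0.0.22 Mozilla/4.0 401 2 5
2005-06-29 12:00:11 10.0.0.5 GET /images/logo.gif - 443 - 10.0.0.22 Mozilla/4.0 404 0 2
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            # The #Fields directive can change mid-file, so re-read it each
            # time it appears; every other directive is skipped.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")  # IIS writes spaces inside values as '+'
        if fields is None or len(values) != len(fields):
            continue  # no field list yet, or a truncated line: skip it
        records.append(dict(zip(fields, values)))
    return records


def find_failed_requests(records, uri_prefix="/logonagent"):
    """Return (time, client IP, method, status) for requests under uri_prefix
    whose sc-status is not 200; status reads 'status.substatus win32=code'."""
    hits = []
    for r in records:
        if not r["cs-uri-stem"].lower().startswith(uri_prefix):
            continue
        if r["sc-status"] == "200":
            continue
        status = f'{r["sc-status"]}.{r["sc-substatus"]} win32={r["sc-win32-status"]}'
        hits.append((r["time"], r["c-ip"], r["cs-method"], status))
    return hits


if __name__ == "__main__":
    for hit in find_failed_requests(parse_w3c(SAMPLE_IIS_LOG)):
        print(*hit)
```

Point `parse_w3c` at the contents of the Web site's log file under the IIS log directory to run it against a real server; requests outside the Logon Agent folder (such as the 404 for an image above) are ignored.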

Resolution

Determine the access point where the failure is occurring and use the information above to narrow down the issue.

Additional Information

Get Process Explorer and DbgView from http://www.sysinternals.com

Relevant Knowledge Base articles:

• CTX106626 – MetaFrame Secure Access Manager Error: "Access Denied" with Logon Agent

• CTX103225 – How to run a Debug Trace on a Server Running Secure Access Manager for MetaFrame

• CTX104788 – Error: Access Denied... with the Logon Agent and Password with the plus (+) character.

• MS186063 - INFO: Translating Automation Errors for VB/VBA (Long)

• HTTP Status Codes (see http://msdn.microsoft.com/, referenced in step 3 above)
