Single Sign-On Fails in Full VPN Mode in Access Gateway

Article ID: CTX125344

Description

When accessing Web Interface through a VPN tunnel with Access Gateway Enterprise, users receive the following error:
"401 – Unauthorized"

Resolution

To resolve this issue, change the Web Interface URL address to HTTP instead of HTTPS, so that Access Gateway can read and modify the HTTP traffic (see Problem Cause). Note that the Authorization header Access Gateway adds carries the user name, domain and password in clear text, so with this setting those credentials cross the hop between Access Gateway and Web Interface unencrypted; keep that hop on a trusted network segment.

Alternatively, enable ClientlessVPN mode and set wiMode to COMPACT. With that setup StoreFront loads in the three-pane window over ClientlessVPN and Single Sign-On works, because Access Gateway terminates the SSL connection itself (see Problem Cause).

Problem Cause

This issue appears if Web Interface is being accessed using an HTTPS URL address.

Single Sign-On is performed at the HTTP layer: Access Gateway must read the 401 challenge from Web Interface and re-send the request with an Authorization header. In Full VPN mode an SSL connection is end to end, that is, the encrypted SSL session runs between the client and the destination server (the proxy in this case), so Access Gateway only forwards encrypted packets and cannot decrypt, let alone modify, the HTTP traffic inside the tunnel.

The only way to make it work is to terminate the SSL connection at the Access Gateway: the client opens an SSL connection to Access Gateway Enterprise Edition, which then opens its own connection to the proxy/server and can act on the HTTP exchange. That is what happens in clientless access and ICA proxy mode.

Issue/Introduction

This article contains the resolution to the following error when accessing Web Interface through a VPN tunnel with Access Gateway Enterprise: "401 – Unauthorized"

Additional Information

After successfully authenticating to the Access Gateway vServer, the client receives a 401 Unauthorized error.

The following behavior is observed in a network trace taken on the Access Gateway. Requests 1 and 3 originate from Access Gateway Enterprise Edition; responses 2 and 4 originate from Web Interface:

  1. GET /Citrix/XenApp2/auth/login.aspx HTTP/1.1

  2. HTTP/1.1 302 Found
    Location: /Citrix/XenApp2/auth/agesso.aspx

  3. First agesso.aspx request
    GET /Citrix/XenApp2/auth/agesso.aspx HTTP/1.1

  4. 401 Unauthorized:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: CitrixAGBasic password_required="yes";logout_url="agelogout.aspx?ticket=6BE64204FAB45F1150E390A9931C72E2"

  5. The communication stops here: Access Gateway never re-requests agesso.aspx with an Authorization header.

When SSO works correctly the following behavior is observed (note the second GET /agesso.aspx request in step 5, which carries the Authorization header). Steps 1, 3, 5, 7 and 9 originate from Access Gateway Enterprise Edition; steps 2, 4, 6 and 8 originate from Web Interface:

  1. GET /Citrix/XenApp4/auth/login.aspx HTTP/1.1

  2. HTTP/1.1 302 Found
    Location: /Citrix/XenApp4/auth/agesso.aspx

  3. First agesso.aspx request
    GET /Citrix/XenApp4/auth/agesso.aspx HTTP/1.1

  4. 401 Unauthorized:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: CitrixAGBasic password_required="yes";logout_url="agelogout.aspx?ticket=DC3ACCB0DFE4ACE7BB100B79D9F78128"

  5. Second agesso.aspx request containing Authorization header:
    GET /Citrix/XenApp4/auth/agesso.aspx HTTP/1.1
    Authorization: CitrixAGBasic username="XXXXX"; domain="XXXXX"; password="XXXX"; AGESessionId="MDRiZWY4ZWFkYmNlZTQwY2Q0ZWMyZjQ3MGZhN2JiMWY="

  6. Callback from Web Interface to the Access Gateway vServer:
    POST /CitrixAuthService/AuthService.asmx HTTP/1.1

  7. Access Gateway’s response:
    HTTP/1.1 100 Continue

  8. XML data content sent from Web Interface to the Access Gateway vServer (the AGESessionId in step 5 is the base64 encoding of this sessionId):
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <GetAccessInformation xmlns="http://citrix.com/SecureAccessManager/AuthenticationService/V3.0">
          <sessionId>04bef8eadbcee40cd4ec2f470fa7bb1f</sessionId>
          <username>XXXX</username>
          <domain>XXXX</domain>
        </GetAccessInformation>
      </soap:Body>
    </soap:Envelope>

  9. Access Gateway returns a success response (StatusCode 0) together with the farm and SmartAccess policy information for the session:
    HTTP/1.1 200 OK
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <GetAccessInformationResponse xmlns="http://citrix.com/SecureAccessManager/AuthenticationService/V3.0">
          <GetAccessInformationResult>
            <StatusCode>0</StatusCode>
            <StatusString>Success</StatusString>
            <ClientAddress>10.90.148.66</ClientAddress>
            <FarmName>Remote1Test-Simon24May</FarmName>
            <FarmId>10.90.196.49</FarmId>
            <MpsAccessMode>Direct</MpsAccessMode>
            <SmartAccessConditions>
              <string>SessPol-Remote1Test-Simon24May</string>
              <string>SETVPNPARAMS_POL</string>
            </SmartAccessConditions>
          </GetAccessInformationResult>
        </GetAccessInformationResponse>