SAML logons fail on replicated StoreFront server
Article ID: CTX205196
Description
SAML-enabled logons via StoreFront are configured and working on one StoreFront 3.0 server. When trying to set up a second one, after joining it to the server group, we get "cannot log on using smart card". If we uninstall StoreFront from that server, reinstall it and configure it manually (without adding it to the server group), it works fine.
Verbose logging on StoreFront (in the log for the store) shows the following error twice when trying to log in to the replicated server: ProtocolTransitionClientProxy.PTServiceChannelWithRetries (b__0) The following WCF fault occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
Resolution
On the replicated server on which SAML is not working, open Computer Management -> Local Users and Groups -> Groups and locate the CitrixStoreFrontPTServiceUsers group.
Add the following account as a member: IIS APPPool\Citrix Delivery Services Resources.
The fix will be included in Blade (StoreFront 3.5).
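The check and fix described above can be scripted so that each member of the server group is verified the same way. The following PowerShell is an added example, not part of the Citrix article; it assumes the group and member names exactly as given in the Resolution, that `net localgroup` lists the application pool identity under that display name, and that it is run from an elevated prompt on the affected StoreFront server.

```powershell
# Added example (not Citrix code): verify that the StoreFront application pool identity
# is a member of the local CitrixStoreFrontPTServiceUsers group, and add it if missing.
# Run in an elevated PowerShell session on the replicated server where SAML logons fail.
$GroupName = 'CitrixStoreFrontPTServiceUsers'
$Member    = 'IIS APPPOOL\Citrix Delivery Services Resources'

# A missing group means the StoreFront install itself is incomplete, which is a different problem.
$groupOutput = & net localgroup $GroupName 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "Local group '$GroupName' not found on $env:COMPUTERNAME. Check the StoreFront installation."
    exit 1
}

# net localgroup prints the members one per line after the dashed rule; strip the header/footer lines.
$members = $groupOutput |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' } |
    ForEach-Object { $_.Trim() }

if ($members -contains $Member) {   # -contains is case-insensitive in PowerShell
    Write-Host "'$Member' is already a member of '$GroupName'. No change made."
} else {
    Write-Host "'$Member' is missing from '$GroupName'. Adding it."
    & net localgroup $GroupName $Member /add
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to add '$Member' to '$GroupName'."
        exit 1
    }
    # Assumption: the new group membership is picked up when the application pool next starts,
    # so recycle the StoreFront application pools (or run iisreset) before retesting the SAML logon.
    Write-Host "Added. Recycle the StoreFront application pools, then retry the SAML logon."
}
```

Running the script a second time reports the membership as already present and makes no change, so it is safe to include in a post-join checklist for every server added to the group.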
Problem Cause
There is a Windows group name mismatch between the name used in the Protocol Transition feature package and what the group is actually called: CitrixPTServiceUsers vs CitrixStoreFrontPTServiceUsers. This name mismatch is likely the reason the accounts are not replicated to the joined server.
This is a bug documented in BUG0615101.