No active policy is found in Secondary authentication cascade Please contact your administrator.

Article ID: CTX235700

Description

With basic authentication on Citrix (NetScaler) Gateway or AAA, authentication fails for the client with the error: "No active policy is found in Secondary authentication cascade Please contact your administrator". On some firmware versions, such as 10.5, the error shown may be only "Please contact your administrator"; the entire error can still be seen in a trace. The page is stuck at the URL "/cgi/login". The error appears after the first POST request, which provides the credentials in dummy form to the NetScaler (it is returned as a NetScaler 200 OK response).

Resolution

A Citrix Gateway or AAA-TM virtual server that is configured for secondary authentication should have policies whose expressions match for all users. If the expression does not match for a user, the error is expected. To avoid the error for users who have no secondary policy, one of the following solutions can be used:
1. If basic authentication is to be used: create an LDAP authentication policy as a secondary authentication for the users (the expression should match for them). Set "authentication" in the LDAP server to OFF so that the users are unaware of this.
2. Alternatively, advanced authentication (via AAA-TM) with an authentication profile bound to the Citrix Gateway can be used. For the users who should not have a secondary policy, a noAuth profile can be configured and the policy filtered to match an expression relevant to the user. On Citrix ADC Advanced or Premium edition appliances, nFactor logic using LDAP group extraction after the initial LDAP factor can be used to determine, based on AD group membership, whether the user should receive a second factor. Advanced authentication is the preferred approach, as basic authentication policies have been deprecated in firmware 13.0 and are non-functional in firmware 13.1.
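
A sketch of workaround 1 in NetScaler CLI, added here as an illustration and not taken from the Citrix article. The object names (`ldap_secondary_noauth`, `pol_secondary_noauth`, `vs_gateway`), the server address, the LDAP base and the bind account are placeholders; substitute your own values. With `-authentication DISABLED` the action does not verify a password, so it satisfies the secondary cascade without adding any authentication strength.

```netscaler
# LDAP action with password verification switched off ("authentication" OFF)
add authentication ldapAction ldap_secondary_noauth -serverIP 192.0.2.10 -serverPort 389 -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -authentication DISABLED

# Classic (basic) policy; ns_true makes the expression match for all users
add authentication ldapPolicy pol_secondary_noauth ns_true ldap_secondary_noauth

# Bind it to the Gateway virtual server in the secondary cascade
bind vpn vserver vs_gateway -policy pol_secondary_noauth -priority 100 -secondary

# Confirm that the secondary cascade now contains an active policy
show vpn vserver vs_gateway
```

For an AAA-TM virtual server the binding is made with `bind authentication vserver` instead of `bind vpn vserver`.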

Problem Cause

A Citrix Gateway that is configured for secondary authentication via basic authentication should have policies whose expressions match for all users. Basic authentication on Citrix ADC requires secondary authentication policies for all clients (internal and external); otherwise secondary authentication should not be configured at all.

For users for whom secondary authentication is not configured or required, the appliance still required secondary authentication after a successful LDAP primary authentication. Because no such policy existed for them, the error was shown.

Issue/Introduction

With basic authentication on Citrix (NetScaler) Gateway or AAA, authentication fails for the client with the error: No active policy is found in Secondary authentication cascade Please contact your administrator.