After configuring a remote portal with StoreFront servers load balanced with NetScaler, a user authenticates and they get the error "Cannot complete your request".

From the event Viewer logs of the StoreFront (SF) server:

"An error occurred while using SSL configuration for endpoint 0.0.0.443. The error status code is contained within the returned data "
 

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

The certificate hash shown did not match the one binding to the SSL port 443 in IIS (correct cert hash starts with 89BA19BD4...)

 

Delete the legacy certificate causing errors via CLI command

Netsh http delete sslcert ipport=0.0.0.0:443

Note: The legacy certificate was associated with another set of StoreFront servers (3 SF servers)  instead of the new certificate created for this new set of 2 SF servers.

 

Validation

When issuing the CLI command:

"netsh http show sslcert" - we now see that the certificate is gone

When testing logging on to the NetScaler, we were able to SSON to SF server using the 2 factor authentication in place and keeping the setting "Enable Loopback Communication" set to  ON (Under SF - Edit Receiver for Web Site - Advanced Settings)

---

Problem Cause

A legacy certificate hash was being cached and used by the new StoreFront servers.

Also, there could be multiple reasons behind "cannot complete request" error message,

• Callback failure on SF server.
• Remote access not enabled.
• Domain name not configured properly.
• Domain name not trusted.

Getting "Cannot complete request" when logging on via Netscaler using dual factor authentication and SSON to StoreFront Server 3.14 Event Viewer logs event id 15021 source: HttpEvent; logname :system; level Error

CTX207162 - Common Resolutions to “Cannot Complete Your Request” Error