Connections to the Web Interface through ICA Proxy on an Access Gateway Enterprise Edition appliance fail with the following web server error when client certificate authentication is used on the appliance and set to "Mandatory", and the Web Interface server is not set up for single sign-on (SSO) with a smart card or client certificate:
“401 - Unauthorized: Access is denied due to invalid credentials.”
This is expected behavior. When client certificate authentication is set to "Mandatory" in the SSL Parameters of the VPN virtual server, the appliance prompts every connecting client to present a client certificate from its personal store, and the Web Interface callback cannot do so.
The following are three workarounds for this issue:

1. Set up single sign-on to the Web Interface with smart card authentication, as described in CTX124603 - How to Configure Smart Card Single Sign-On with Access Gateway Enterprise Edition.

2. Set client certificate authentication to "Optional" in the SSL Parameters of the VPN virtual server.

3. Configure a second Access Gateway virtual server for the callback only, using the following procedure:
   a. Add another Access Gateway virtual server with the same IP address and certificate as the existing one, but on port 444.
   b. Configure the Web Interface to send the callback request to this virtual server on port 444.
   c. Ensure that client authentication is configured as "Optional" on this virtual server.
   d. Do not bind any policies to this virtual server, because it is used only for the HTTPS callback. This prevents the Web Interface from being prompted for a client certificate during the callback.
   e. On the Web Interface server, under the Authentication Settings section, change the URL to https://AGVIP:444/CitrixAuthService/AuthService.asmx.

Note: Refer to Configuring a Web Interface Site for LAN Users Using HTTPS.
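The third workaround can be checked against a saved configuration. The following audit script is an added example and not part of this article or of any Citrix tool; it parses a constructed ns.conf excerpt (names, addresses and policy names are made up) and flags a VPN virtual server with client certificates set to Mandatory that has no Optional callback virtual server on port 444, or whose callback virtual server has policies bound.

```python
import re

# Constructed ns.conf excerpt (not from the article). AG_VIP is the user-facing
# vserver with client certificates set to Mandatory; AG_VIP_CALLBACK is the
# callback-only vserver on port 444 with client certificates set to Optional.
SAMPLE_CONF = """\
add vpn vserver AG_VIP SSL 10.0.0.10 443
add vpn vserver AG_VIP_CALLBACK SSL 10.0.0.10 444
set ssl vserver AG_VIP -clientAuth ENABLED -clientCert Mandatory
set ssl vserver AG_VIP_CALLBACK -clientAuth ENABLED -clientCert Optional
bind vpn vserver AG_VIP -policy cert_auth_pol -priority 100
bind vpn vserver AG_VIP -policy ldap_pol -priority 110
"""


def parse_vservers(conf):
    """Collect each VPN vserver's IP, port, -clientCert setting and bound policies."""
    vs = {}
    for line in conf.splitlines():
        m = re.match(r"add vpn vserver (\S+) SSL (\S+) (\d+)", line)
        if m:
            vs[m[1]] = {"ip": m[2], "port": int(m[3]), "clientCert": None, "policies": []}
            continue
        m = re.match(r"set ssl vserver (\S+) .*-clientCert (\w+)", line)
        if m and m[1] in vs:
            vs[m[1]]["clientCert"] = m[2]
            continue
        m = re.match(r"bind vpn vserver (\S+) -policy (\S+)", line)
        if m and m[1] in vs:
            vs[m[1]]["policies"].append(m[2])
    return vs


def audit(conf, callback_port=444):
    """Return findings for Mandatory vservers whose Web Interface callback would be
    prompted for a client certificate (and so end in an HTTP 401)."""
    findings = []
    vs = parse_vservers(conf)
    for name, v in vs.items():
        # Only user-facing vservers with Mandatory client certs are affected.
        if v["clientCert"] != "Mandatory" or v["port"] == callback_port:
            continue
        callbacks = {n: c for n, c in vs.items()
                     if c["ip"] == v["ip"] and c["port"] == callback_port}
        if not callbacks:
            findings.append(f"{name}: client cert Mandatory and no callback vserver on "
                            f"{v['ip']}:{callback_port}; WI callback will get HTTP 401")
        for cname, c in callbacks.items():
            if c["clientCert"] == "Mandatory":
                findings.append(f"{cname}: callback vserver must be Optional, not Mandatory")
            if c["policies"]:
                findings.append(f"{cname}: no policies should be bound to the callback "
                                f"vserver (found: {', '.join(c['policies'])})")
    return findings
```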
Client Certificates set to Mandatory in the SSL Parameters of the VPN virtual server:
When connecting to the Web Interface server through the SSL VPN with authentication set to Gateway Direct, the Web Interface server performs a callback to the VPN virtual server to confirm that the requesting user has been granted access. When the Access Gateway Enterprise Edition appliance is configured in a single-arm deployment, the Web Interface server can only perform the callback to one VPN virtual server, and that virtual server prompts it to present a client certificate. Because the Web Interface callback is not interactive, it cannot present a client certificate, so authentication through the callback fails and the Web Interface server returns the generic HTTP 401 error.
In this example, client certificate authentication is enabled and set to Mandatory. An authentication server and policy are configured for the certificate Subject CN, and a second authentication server and policy are set up for LDAP authentication. The SSO credential index is set to the primary authentication policy in the Client Experience tab of the Session Profile.
Single Sign-on is enabled in the Client Experience tab and Credential Index is set to PRIMARY, as shown in the following screen shot: