Logon to the SSL VPN virtual server fails through NetScaler Gateway.
The user is re-prompted for credentials after each logon attempt.
To resolve the issue, define Intranet Applications on the NetScaler Gateway virtual server, and make sure the Gateway is accessed using an FQDN that matches its certificate, so that no certificate error or warning is raised.
When split tunneling is enabled, Intranet Applications must be defined on the NetScaler Gateway virtual server. NetScaler Gateway uses Intranet Applications to determine which traffic is sent through the VPN tunnel; with split tunnel ON, destinations that are not covered by an Intranet Application bypass the tunnel.
Logged on to the NetScaler through SSH, ran shell, and ran cat /tmp/aaad.debug while the user attempted to log on (aaad.debug is a live stream, so it only shows output for logons made while it is being read). The output should contain an "accept to kernel for: username" message; its presence confirms that LDAP authentication succeeded, so authentication is not the cause.
Receiver logs show that the certificate is not trusted and that the Gateway is being contacted by IP address instead of by hostname.
Adding a host entry for an FQDN that matches the certificate did not by itself resolve the issue; the VPN connection still failed.
Adding Intranet Applications on the NetScaler Gateway virtual server resolved the issue.
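The following is an added example, not part of the original article or Citrix's own tooling. It is a small POSIX sh helper for the NetScaler BSD shell that carries out the two steps above: it checks a captured aaad.debug stream for the "accept to kernel for: <username>" marker to decide whether authentication is the problem, and it prints the NetScaler CLI commands that define an Intranet Application and bind it to the Gateway virtual server. The application name (ia_corp), subnet (10.0.0.0/255.255.0.0), virtual server name (vpn_vs), username (jdoe) and the sample log lines are assumed or constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article). Run in the NetScaler BSD shell
# or on any POSIX system; the CLI commands it prints are meant for the NetScaler
# CLI prompt, not the shell. All names and sample data below are assumptions.

# auth_accepted LOGFILE USER
# Returns 0 if LOGFILE contains the AAA daemon's accept marker for USER, else 1.
# /tmp/aaad.debug is a live stream, so capture it while the user logs on, e.g.:
#   shell
#   cat /tmp/aaad.debug > /var/tmp/aaad.capture
# and then pass /var/tmp/aaad.capture as LOGFILE.
auth_accepted() {
    grep -qF -- "accept to kernel for: $2" "$1"
}

# triage LOGFILE USER
# Prints AUTH_OK if authentication succeeded (so look at certificate/FQDN and
# Intranet Applications next), or AUTH_FAILED if LDAP authentication is the cause.
triage() {
    if auth_accepted "$1" "$2"; then
        echo "AUTH_OK"
    else
        echo "AUTH_FAILED"
    fi
}

# intranet_app_config NAME SUBNET NETMASK VSERVER
# Prints the NetScaler CLI that makes traffic to SUBNET go through the tunnel
# when split tunnel is ON (split tunnel itself is set on the session profile,
# e.g. "set vpn sessionAction <profile> -splitTunnel ON").
intranet_app_config() {
    printf 'add vpn intranetApplication %s ANY %s -netmask %s -interception TRANSPARENT\n' "$1" "$2" "$3"
    printf 'bind vpn vserver %s -intranetApplication %s\n' "$4" "$1"
    printf 'save ns config\n'
}

# --- stand-alone demonstration on constructed aaad.debug output ---
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
(constructed aaad.debug excerpt, not real appliance output)
process_ldap: LDAP bind for user jdoe
accept to kernel for: jdoe
EOF

echo "jdoe:   $(triage "$sample_log" jdoe)"     # AUTH_OK: auth is fine, fix tunnel/cert
echo "asmith: $(triage "$sample_log" asmith)"   # AUTH_FAILED: no accept line for asmith
echo "--- CLI to run on the NetScaler for the assumed 10.0.0.0/16 intranet ---"
intranet_app_config ia_corp 10.0.0.0 255.255.0.0 vpn_vs
rm -f "$sample_log"
```

Use triage first: if it reports AUTH_FAILED the LDAP side needs attention; if it reports AUTH_OK the re-prompt is not an authentication failure, and the next things to check are that Receiver is using the FQDN on the certificate and that an Intranet Application covering the internal subnets is bound to the Gateway virtual server.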