During the installation and configuration of the SAML functionality introduced with StoreFront 3.9, there are several items to be aware of. Although you might encounter other issues, this document provides direction for resolving some of the basic ones.
Symptom 1
Verify Integration with Federated Authentication Service
For this feature to function properly, you need to deploy the Federated Authentication Service (FAS). After completing the initial configuration, it is a good idea to confirm that the configuration is correct.
To confirm the configuration is correct:
- Make sure the StoreFront store is configured for User Name and Password authentication.
- Launch a browser and log in to the StoreFront Receiver for Web site.
Once you have logged in, go to the FAS server, open the Event Viewer, expand Windows Logs and select Application.
Review the event log and look for Event ID 105. You should see an event similar to:
[S105] Server [REMOTE\SITE2-XD1$] issued identity assertion [upn: administrator@remote.lab, role default, Security Context: []].
You should see other related events. Make sure none of them have any errors.
Solution
- Confirm you enabled the Federated Authentication Service plug-in on the StoreFront server.
- Enable XML Trust on the Delivery Controller.
- Configure the FAS Group Policy.
Additional Resources
For information on how to perform these configurations, click HERE.
Symptom 2
Configuring StoreFront SAML using metadata support:
To configure StoreFront SAML authentication using metadata, the StoreFront server needs to be able to contact the ADFS service configured on the Domain Controller. This service location is not necessarily the FQDN of the server. To find the name of the ADFS service:
Open the AD FS console, select Service and click Edit Federation Service.
Solution
The correct Federation Service Name is shown here
Symptom 3
What URL do I need to use to contact the Federation Metadata and what if the command fails?
When running the following PowerShell command on the StoreFront server, the URL needs to be accessible:
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -Url "https://<adfs-dns-host-entry>/FederationMetadata/2007-06/FederationMetadata.xml"
Error
If the command fails:
- Verify DNS. Remember that the ADFS Service Name might not be in DNS. You can add it to DNS or to the local hosts file on the StoreFront server.
- Verify the certificate trust. The connection to the site is made over SSL, and if the certificate chain is not installed correctly the command will fail.
Solution
How to check the URL
- Try to ping the ADFS service name and make sure it resolves to the correct IP address.
- Open a browser and enter the federation metadata URL. The XML page should be displayed without any certificate errors.
Federation metadata URL: https://adfs_service_name/FederationMetadata/2007-06/FederationMetadata.xml
Missing root certificate
With correct certificate chain installed
Where do I find the federation Metadata file location?
Open the AD FS management console, expand Service and select Endpoints. Scroll the list to the Metadata section.
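The DNS and certificate-chain checks above, written out as a single PowerShell diagnostic to run on the StoreFront server. This is an added example, not part of the article or of Citrix's own tooling; $AdfsServiceName is a placeholder for your Federation Service Name, and the script only reads the metadata document.

```powershell
# Added diagnostic (not from the article or Citrix). Run on the StoreFront server.
param(
    [string]$AdfsServiceName = 'adfs.example.com'   # placeholder: your Federation Service Name
)
$metadataUrl = "https://$AdfsServiceName/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Name resolution through the OS resolver, which consults both DNS and the local hosts file
#    (Resolve-DnsName would bypass the hosts file, so it is not used here).
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($AdfsServiceName) | ForEach-Object { $_.IPAddressToString }
    Write-Host "Resolved $AdfsServiceName -> $($addresses -join ', ')"
} catch {
    Write-Host "FAIL: $AdfsServiceName does not resolve; add it to DNS or the hosts file. $_"
    return
}

# 2. TLS handshake with chain validation; record exactly which chain element is untrusted.
$script:chainErrors = @()
$tcp = New-Object System.Net.Sockets.TcpClient($AdfsServiceName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, {
    param($sender, $cert, $chain, $policyErrors)
    if ($policyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        $script:chainErrors += "Policy errors: $policyErrors"
        foreach ($el in $chain.ChainElements) {
            foreach ($s in $el.ChainElementStatus) {
                $script:chainErrors += "  $($el.Certificate.Subject): $($s.Status) ($($s.StatusInformation.Trim()))"
            }
        }
    }
    return $true   # accept here only so the failure can be reported; no credentials are sent
})
$ssl.AuthenticateAsClient($AdfsServiceName)
Write-Host "Server certificate: $($ssl.RemoteCertificate.Subject)"
$ssl.Dispose(); $tcp.Dispose()
if ($script:chainErrors) {
    $script:chainErrors | ForEach-Object { Write-Host "FAIL: $_" }
    Write-Host "Install the missing root/intermediate certificate on the StoreFront server."
    return
}
Write-Host "Certificate chain trusted."

# 3. Fetch the metadata and show its entityID, which should match the Federation Service identifier.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
Write-Host "Metadata entityID: $($metadata.EntityDescriptor.entityID)"
```

A chain status of UntrustedRoot or PartialChain on the last element points at the missing root or intermediate certificate described above.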
Symptom 4
You are able to log in and view the apps, but receive the error "Cannot Start App" when trying to launch
In addition to logging in to StoreFront, you need to be able to launch apps. One issue you might encounter is being able to authenticate to StoreFront but receiving an error when trying to launch apps.
Solution 1
Open the Event Viewer on the StoreFront server, expand Applications and Services Logs and select Citrix Delivery Services.
Error: Failed to launch the resource 'Controller.Notepad' using the Citrix XML Service at address '??'. The user principal name could not be found.
Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.Diagnostics.FasException, Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider, Version=3.9.0.0, Culture=neutral, PublicKeyToken=null
The user principal name could not be found.
at Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.FasLogonDataProvider.GetVdaLogonData(IClaimsPrincipal claimsPrincipal, HttpContextBase httpContext)
Problem Cause
To launch an application, the User properties in AD must contain the User Principal Name (UPN).
Example:
administrator@domain.com
Resolution
Add the UPN to the user account.
Solution 2
Error: The Citrix servers do not trust the server. This message was reported from the XML Service at address http://xxx.xxx.xxx.xxxx/scripts/wpnbr.dll [NFuseProtocol.TRequestDisconnectUserSessions].
Description:
The Citrix servers do not trust the server. This message was reported from the XML Service at address http://192.168.20.20/scripts/wpnbr.dll [NFuseProtocol.TRequestDisconnectUserSessions].
Problem Cause
The XML Trust must be enabled on the Delivery Controller to trust the XML requests from the StoreFront server.
Resolution
Run the following PowerShell commands on the Delivery Controller to enable XML Trust:
Add-PSSnapin Citrix.Broker.Admin.V2
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
