NetScaler Form SSO Fails After Upgrading to 11.1 Build 56.19


Article ID: CTX231063


Description

  • SSO breaks after upgrading to 11.1 Build 56.19.
  • The backend server sends 400 Bad Request (or some other error code) in response to NetScaler's POST request.
  • Downgrading to older versions or upgrading to 12.0 fixes the issue.

Resolution

Citrix has identified this as an issue with this version. We are working on identifying the cause of the corruption.

As a workaround, upgrading to NetScaler 11.1 build 57.11 or 12.0 Build 53.22 is recommended.


Problem Cause

SSO fails because NetScaler corrupts the POST request while sending it to the backend server. As soon as the backend server receives the corrupted POST, it responds with 400 Bad Request.

Trace Snippet:

In the POST below, the POST request is constructed a second time inside the body, and with garbled characters.
Since this POST is not a standard HTTP request, the server responds with 400 Bad Request.

POST /url/url.jsp HTTP/1.1
Host: example.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://example.com/abc/xyz
POST /url/url.jsp HTTP/1.1
Host: example.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://example.com/abc/xyz
n;q=0.8
Accept-Encoding: identity
Content-TAccept-Encoding: identity
ype: application/x-www-form-urlencoded
Content-Length: 21
Cookie: JSESSIONID=5970E79722E4C79E44467517FA220BT7
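
To check a captured trace for this corruption pattern, the following added example (not Citrix code) audits a request head for a repeated request line, lines that are not `name: value` headers, duplicated single-instance headers, and a Content-Length with no Content-Type. The function name and the sample, abridged from the trace above, are assumptions made for illustration.

```python
import re

# Header field-name characters allowed by RFC 7230 ("token")
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
SINGLETON = {"host", "content-length", "content-type"}  # must appear once

# Sample abridged from the trace on this page (some headers omitted)
SAMPLE = """POST /url/url.jsp HTTP/1.1
Host: example.com
Connection: keep-alive
Referer: https://example.com/abc/xyz
POST /url/url.jsp HTTP/1.1
Host: example.com
Connection: keep-alive
Referer: https://example.com/abc/xyz
n;q=0.8
Accept-Encoding: identity
Content-TAccept-Encoding: identity
ype: application/x-www-form-urlencoded
Content-Length: 21
"""

def audit_request_head(raw: str) -> list[str]:
    """Return findings for one request head (request line plus headers)."""
    head = raw.replace("\r\n", "\n").strip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    findings, seen = [], {}
    if not REQUEST_LINE.match(lines[0]):
        findings.append("line 1: not a valid request line")
    for num, line in enumerate(lines[1:], start=2):
        if REQUEST_LINE.match(line):
            findings.append(f"line {num}: repeated request line")
            continue
        name, sep, _ = line.partition(":")
        if not sep or not TOKEN.match(name):
            findings.append(f"line {num}: not a 'name: value' header: {line!r}")
            continue
        key = name.lower()
        if key in SINGLETON and key in seen:
            findings.append(f"line {num}: duplicate {name} (first at line {seen[key]})")
        seen.setdefault(key, num)
    # Heuristic for form SSO: a form POST with a body should declare its type
    if "content-length" in seen and "content-type" not in seen:
        findings.append("Content-Length present but no Content-Type header")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_request_head(SAMPLE)))
```

The split `Content-TAccept-Encoding` / `ype:` lines are syntactically valid header names, so they surface only through the missing Content-Type finding.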

Issue/Introduction

After upgrading the NetScaler version to 11.1 Build 56.19, SSO fails.