Article ID: CTX235888
Description
The following error is displayed due to authentication misconfiguration on Citrix Gateway:
Cannot Complete Your Request
Resolution
Complete the following steps to troubleshoot this issue:
- Test LDAP reachability and validate end-to-end LDAP authentication to verify the cause of the issue. For more information refer to Citrix Documentation - Support for validating end-to-end LDAP authentication.
- Open the StoreFront MMC and go to Manage Citrix Gateway > select the gateway you are configuring > Authentication Settings, and confirm the Logon Type is set to Domain if using LDAP authentication on the Citrix Gateway. For more information refer to Citrix Documentation - Configure NetScaler Gateway connection settings.
- On the Citrix Gateway VIP go to Authentication > LDAP Policy > Edit Server and confirm the following settings:
  - Server Logon Name Attribute: sAMAccountName
  - Group Attribute: MemberOf
  - Sub Attribute Name: CN
  - Security Type: SSL
  - Keep SSO Name attribute: blank (having an attribute set as the SSO Name Attribute can sometimes cause SSO failure if this is not a multi-domain environment)
  For more information refer to Citrix Documentation - User authentication and CTX114999 - Troubleshooting Authentication Issues Through NetScaler or NetScaler Gateway.
- Go to the Session Policy bound to the Citrix Gateway VIP > Edit Profile > Client Experience > Single Sign-on to Web Applications and confirm that it is checked. Then go to the Published Applications tab > Single Sign-on Domain and confirm the correct domain is specified.
Note: For domain users in a multi-domain environment, set the SSO Name Attribute field to UserPrincipalName under the LDAP Policy configuration and uncheck the Single Sign-on Domain for the authentication on the session profile.
- If you received this error during implementation of ADFS, Azure and FAS, consider the following: SAML authentication does not use a password and only uses the user name. Also, SAML authentication only informs users when authentication succeeds. If SAML authentication fails, users are not notified. Since a failure response is not sent, SAML has to be either the last policy in the cascade or the only policy. When you configure SAML authentication along with LDAP authentication on NetScaler, use the following guideline: if SAML is the primary authentication type, disable authentication in the LDAP policy and configure it for group extraction, then bind the LDAP policy as the secondary authentication type.
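The LDAP server settings listed in the steps above can also be checked offline against a saved copy of ns.conf. The script below is an added example, not Citrix code: the function names are hypothetical, the sample configuration is constructed, and it assumes the ns.conf parameters -ldapLoginName, -groupAttrName, -subAttributeName, -secType and -ssoNameAttribute correspond to the GUI fields named in this article.

```python
import shlex

# Expected values from the Resolution steps, keyed by the ns.conf parameter
# assumed to correspond to each GUI field.
EXPECTED = {
    "-ldapLoginName": "sAMAccountName",  # Server Logon Name Attribute
    "-groupAttrName": "MemberOf",        # Group Attribute
    "-subAttributeName": "CN",           # Sub Attribute Name
    "-secType": "SSL",                   # Security Type
}

# Constructed sample configuration (addresses and names are placeholders).
SAMPLE_CONF = '''
add authentication ldapAction ldap_good -serverIP 192.0.2.10 -serverPort 636 -ldapBase "dc=example,dc=test" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication ldapAction ldap_bad -serverIP 192.0.2.11 -ldapBase "dc=example,dc=test" -ldapLoginName cn -groupAttrName memberOf -subAttributeName cn -secType PLAINTEXT -ssoNameAttribute mail
'''

def parse_ldap_actions(conf_text):
    """Return {action_name: {parameter: value}} for every ldapAction line."""
    actions = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[:3] != ["add", "authentication", "ldapAction"]:
            continue
        params, rest, i = {}, tokens[4:], 0
        while i < len(rest):
            # A parameter followed by another "-name" is a bare flag with no value.
            has_value = i + 1 < len(rest) and not rest[i + 1].startswith("-")
            params[rest[i]] = rest[i + 1] if has_value else ""
            i += 2 if has_value else 1
        actions[tokens[3]] = params
    return actions

def audit(conf_text, multi_domain=False):
    """Return (action, parameter, found, expected) for each deviation."""
    findings = []
    # Per the Note: UserPrincipalName for multi-domain, otherwise left blank.
    want_sso = "UserPrincipalName" if multi_domain else None
    for name, params in parse_ldap_actions(conf_text).items():
        for key, want in EXPECTED.items():
            got = params.get(key)
            # LDAP attribute names are case-insensitive, so compare that way.
            if got is None or got.lower() != want.lower():
                findings.append((name, key, got, want))
        sso = params.get("-ssoNameAttribute")
        if (sso or "").lower() != (want_sso or "").lower():
            findings.append((name, "-ssoNameAttribute", sso, want_sso))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A parameter that is absent from the ldapAction line is reported with a found value of None, so settings that were never configured show up alongside settings that were configured differently.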
Problem Cause
This issue is caused by authentication misconfiguration on Citrix Gateway.
Issue/Introduction
The following error is displayed due to authentication misconfiguration on NetScaler Gateway: Cannot Complete Your Request