Common Resolutions to “Cannot Complete Your Request” Error when connecting through Citrix Gateway

Common Resolutions to “Cannot Complete Your Request” Error when connecting through Citrix Gateway

book

Article ID: CTX286601

calendar_today

Updated On:

Description

Symptoms or Error

The “Cannot Complete Your Request” error is displayed when connecting through Citrix Gateway.
However, this is an error could occur when connecting to StoreFront Server directly or through Load Balancer based on different deployment scenarios. To narrow down through which connection you get the issue, please refer to Steps to narrow down the issue section to perform the tests. 
You may see this error when 
  • Submitting user credentials to connect to store
  • Launching a published app or desktop

Objective

This article provides troubleshooting steps when connecting through Citrix Gateway.

Steps to troubleshoot when connecting through Citrix Gateway has error

1. Verify Citrix Gateway URL is correctly configured on the Storefront server.

  • On Citrix StoreFront management console > Manage Citrix Gateways > check Citrix Gateway URL is correct. 
  • Confirm external users are using the same URL for external store access.
     

2. Verify if there are the same STA Servers on Citrix Gateway Virtual Server as well as on the StoreFront Servers. 

  • On StoreFront Server, open Citrix StoreFront management console > Manage Citrix Gateways > Secure Ticket Authority, verify the Secure Ticket Authority URLs
  • On Citrix Gateway > Virtual Servers > Configure STA Server, verify the URL of the STA server is exactly the same as StoreFront Server
Detailed steps to verify above information on StoreFront refer to Manage Secure Ticket Authorities and on Gateway refer to To bind a STA to the virtual server .

3. Verify Callback URL is accurately configured on all StoreFront servers.

  • Open the Citrix StoreFront management console > Manage Citrix Gateways > Authentication Settings > Callback URL
  • Ensure that Callback URL is configured accurately defined.
Note: Callback URL is only needed if SmartAccess CVAD policies or password-less authentication methods (Smart Cards, SAML, and so on) are used. Or you should leave it as blank.

4. Verify DNS settings are correctly configured for Citrix Gateway, StoreFront and STA Server.

  • On the StoreFront server, open command prompt,
  • Ping Citrix Gateway FQDN, verify it resolves to the correct Citrix Gateway IP 
  • Ping FQDN of STA server, verify it is resolvable
  • Ping Callback URL FQDN, if configured, verify it resolves to the Citrix Gateway VIP. 
  • If single FQDN configuration is being used, verify configuration is complete and accurate. 

5. Verify authentication settings are correctly configured of Citrix Gateway. 

  • On Citrix StoreFront management console > Manage Citrix Gateways, verify Logon Type is set as Domain if you are using LDAP authentication.
  • On Citrix Gateway, test LDAP reachability.
  • On Citrix Gateway VIP > Authentication > LDAP Policy, confirm the configuration is correct. 
  • On Citrix Gateway, go to the Session Policy bound to the Citrix Gateway VIP, verify Single Sign-on related settings are correctly specified. 
  • If you received this error during implementation of ADFS, Azure and FAS, please refer to Configuring SAML Two-Factor Authentication

6. Verify Citrix Gateway Clientless Access policy is configured correctly.

  • On configuration utility > Configuration tab > Citrix Gateway > Policies Clientless Access, verify Expression is set as TRUE

7. Verify if the issue occurs with Application Firewall enabled. 

  • On the Citrix ADC, go to System > Settings > Configure Advanced Features, verify Citrix Web App Firewall is ticked.
  • If it is enabled, bypass the policies by modifying the policy expression to exclude traffic intended for Citrix Gateway. Then test again.
  • If test succeeds, re-enable the Application Firewall in learning mode by checking the checkbox for “Learn” for the security check where block is enabled. So that it can Learn and Allow the necessary StoreFront traffic. 
For more information refer to 

8. If you were configuring Optimal Gateway for launching applications by editing web.config file, make sure the configuration in the web.config file has a proper closing HTML tag. 
For more information regarding Optimal Gateway configuration refer to Citrix Documentation - Configure optimal HDX routing for a store .

9. Verify if Routing settings is complete if it is configured on Citrix Gateway and we are able to reach all configured Storefront servers, STA servers and DNS servers (or any other involved component)
For more information on Routing configuration, refer to Configuring Routing on Citrix Gateway

10. Verify for the presence of customized theme under VPN Parameters or VPN Virtual Server. 

  • In Citrix Gateway configuration utility > Configuration tab > Citrix Gateway > Portal Themes
  • Verify if there is Login Page specific customization on the Customized portal Theme 
  • Remove the Page specific customization from the Customized portal Theme or test by using Default Theme.
Note: Defining the username and password field clashes with the login schemas which are also used to define the layout of the fields on the page.
For more information, refer to Customizing the User Portal

11. Examine the ns.log on Citrix Gateway to verify if it is blocking any cookies, in case expression for cookie header is used in the session policy. To verify the ns.log, 

  • grep with the cookie name that’s mentioned in the expression or 
  • look for errors 
12. Verify if the time is synced if the issue occurs specially after an HA failover of Citrix Gateway. The time on both nodes should be in sync. Examine the ntpd process and sync the time if the nodes are not in sync. 
For more information on clock synchronization refer to Citrix Docs Clock synchronization .

13. For StoreFront version older than 3.6 only, verify if Subnet IP address is set.

  • Open the Citrix StoreFront management console > Manage Citrix Gateways
  • Select the gateway you are configuring > Change General Settings > Subnet IP address and remove it. 
Note: The subnet IP address is only needed if you are using a NetScaler 9.x firmware or under certain use cases concerning GSLB as mentioned here , or it should be left blank.
For more information, refer to CTX235996 - Error: "Cannot Complete Your Request" Due to Incorrect SNIP Usage on NetScaler Gateway

Steps to narrow down the issue

Please identify through which connection the issue is occurring by performing the following tests:

1. Test the connection to your Citrix Gateway. 

  • On a test machine, open command prompt.
  • Ping the Citrix Gateway FQDN. The FQDN should resolve to the IP address of your Citrix Gateway.
  • If no, please refer to this article; if yes, continue with step 2 or step 3.

2. Test if you get the error when connecting directly to the StoreFront server. 

  • On an internal machine, open %SystemRoot%\system32\drivers\etc\hosts file.
  • Add the FQDN shown in the StoreFront Base URL and the StoreFront server local IP address to the hosts file, and save. For example: Storefront.example.lab 10.10.10.10
  • Connect to the store using StoreFront Base URL from Citrix Workspace app, submit user credentials or launch published app/desktop, verify if the error “Cannot complete your request” is reproduced.
  •  If not able to reproduce, continue with step 3. If able to reproduce, please refer to CTX207162 - Common Resolutions to “Cannot Complete Your Request” Error

3. Test connection to the load balancer.

Additional Information

CTX207162 - Common Resolutions to “Cannot Complete Your Request” Error
CTX286594 - Common Resolutions to “Cannot Complete Your Request” Error when connecting through Load Balancer
Powered by Wolken Software