Certain users receive a "Cannot Complete Your Request" error when accessing the site via the ADC URL. The error appears after the user enters their Azure MFA credentials and is redirected to the StoreFront URL.
On the StoreFront server, the following events are logged:
Log Name: Citrix Delivery Services
Source: Citrix Domain Services
Date:
Event ID: 1
Task Category: (1501)
Level: Information
Keywords: Classic
User: N/A
Computer:
Description:
An authentication attempt was made for user: username@domain.com with realm context that resulted in: Failed (Windows Error code: -1073741715)
CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed. The credentials supplied were; user: username@domain.com domain:

Log Name: Citrix Delivery Services
Source: Citrix Authentication Service
Date:
Event ID: 7
Task Category: (1005)
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed. The credentials supplied were; user: username@domain.com domain:

Log Name: Citrix Delivery Services
Source: Citrix Receiver for Web
Date:
Event ID: 10
Task Category: (3001)
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()
System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: http://127.0.0.1/Citrix/StoreAuth/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

Authentication Attempt for user: username@domain.com .... Attempting Kerberos authentication with a UPN, and client realm: <null> ... Kerberos authentication: Failed. Authentication Status: C000006D Sub-status: 0000 [The attempted logon is invalid. This is either due to a bad username or authentication information.] ... Authentication Result was: Failed
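
The Windows Error code in Event ID 1 (-1073741715) is the signed decimal form of the status C000006D shown in the authentication trace. The following PowerShell is an added example, not Citrix code: it extracts the user and error code from Event ID 1 records, converts the code to hex, and counts failures per user so the affected accounts can be identified. The function names and the sample events are assumptions made for illustration.

```powershell
# Added example (not Citrix code): list the users hitting the CitrixAGBasic
# failure and show the Event ID 1 error code in the hex form used by the trace.

function ConvertTo-NtStatusHex {
    param([Parameter(Mandatory)][int]$Code)
    # Hex formatting of a negative Int32 yields its two's-complement bit pattern.
    '{0:X8}' -f $Code
}

function Get-AgBasicFailure {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        # Event ID 1 (Citrix Domain Services) carries both the user and the code.
        $pattern = '(?s)for user:\s*(?<user>\S+).*?Windows Error code:\s*(?<code>-?\d+)'
        if ($Record.Id -eq 1 -and $Record.Message -match $pattern) {
            [pscustomobject]@{
                TimeCreated = $Record.TimeCreated
                User        = $Matches['user']
                ErrorCode   = [int]$Matches['code']
                NtStatus    = ConvertTo-NtStatusHex -Code ([int]$Matches['code'])
            }
        }
    }
}

# Constructed sample events; the message text follows the descriptions above,
# with placeholder user names and timestamps.
$sample = @(
    [pscustomobject]@{ Id = 1; TimeCreated = [datetime]'2024-01-01T09:00:00'
        Message = 'An authentication attempt was made for user: user1@domain.com with realm context that resulted in: Failed (Windows Error code: -1073741715)' }
    [pscustomobject]@{ Id = 7; TimeCreated = [datetime]'2024-01-01T09:00:00'
        Message = 'CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.' }
    [pscustomobject]@{ Id = 1; TimeCreated = [datetime]'2024-01-01T09:05:00'
        Message = 'An authentication attempt was made for user: user1@domain.com with realm context that resulted in: Failed (Windows Error code: -1073741715)' }
    [pscustomobject]@{ Id = 1; TimeCreated = [datetime]'2024-01-01T09:07:00'
        Message = 'An authentication attempt was made for user: user2@domain.com with realm context that resulted in: Failed (Windows Error code: -1073741715)' }
)

# On the StoreFront server, feed live records instead of $sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Citrix Delivery Services'; Id = 1 }
$sample |
    Get-AgBasicFailure |
    Group-Object -Property User, NtStatus |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```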