Citrix “Cannot complete your request”: what to do

Citrix StoreFront “Cannot complete your request”

Encountered an error on Citrix StoreFront 3.0 today regarding authentication.

All users received the well known error “Cannot complete your request” upon login.

Event Log on StoreFront-server showed errors with ID 10:
“A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.0.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()”

and ID 2:
“Access is denied. Contact your system administrator.
System.ServiceModel.EndpointNotFoundException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
There was no endpoint listening at net.pipe://localhost/Citrix/Authentication/Win32 that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.”

Turns out the service called “Citrix Default Domain Services” had actually stopped. Next time I will definitely check the running services before starting troubleshooting on IIS and Citrix Netscaler.

Published by torivar

2 Replies to “Citrix StoreFront “Cannot complete your request””

Thank you, labored a lot before I found this post. Installation had configured the Citrix Default Domain Services as Automatic Delay so service was never started, changed it to automatic and started the service on the Store Front server and it works.


Terence Luk

Tackling the daily challenges of technology. one project at a time.


Monday, April 21, 2014

Launching Citrix XenDesktop 7.x StoreFront Receiver Web website throws the error: “Cannot complete your request.”

Problem

You attempt to access the Citrix XenDesktop 7.x StoreFront Receiver Web website directly but receive the following error:

Cannot complete your request

Log On


Solution

One reason you would receive this error is a mismatch between your Citrix StoreFront’s Base URL and the URL you are using to access the website in your browser:


Note that the Base URL configured in the StoreFront is http://zencont01srv/ while the browser URL used to access the website was http://zenstore01.srv. To correct the problem, change the base URL to match the URL you are using to access the website in the browser.

4 comments:

nice blog dear friend
wishes for long time blogging

I’m new to citrix
please can u upload posts about citrix cloud platform & cloud portal/bridge


Thanks a lot. Although I know that incorrect base url can cause this issue, but at the time of my issue, I did not check carefully. After reading your post, I decided to recheck my base url and found that two characters are swapped and changing this fixed my issue.

Nice one. Thanks Mate for the useful blog.


I would also like you all to know that this issue can also come up when SQL database connection has exceeded its limits.


Issue: “Cannot Complete Your Request” Error after Citrix ADC 13.0 b64.35 Upgrade


Issue and Background

Yesterday, Citrix released a security bulletin, CTX281474, covering several “Low” and “Medium” risk vulnerabilities and listing the firmware versions available for download which mitigate those vulnerabilities.

The Citrix ADC 13.0 build 64.35 release also includes security enhancements that block weaker authentication methods for SSO by default. The supporting documentation located here outlines basic authentication, digest authentication, and NTLM without the Negotiate NTLM2 key or negotiate sign as the affected “weaker” methods, whilst other methods such as SAML, Kerberos, OAuth and form-based authentication are supposedly unaffected. As of September 18th, 2020 at least, those documented statements may not be entirely accurate.


Testing reveals that SSO functionality is broken when attempting to access Citrix StoreFront through Citrix Gateway and an error of “Cannot complete your request” appears when using SAML. The Citrix Gateway configuration tested against is purely SAML so this came as a surprise, albeit it is possibly an interaction issue with IIS. Citrix has noted this behaviour in CTX281592 and points back to the Citrix Docs on the subject of SSO enhancements. This doc does cover how to override the default security measures in the new firmware build using traffic policies bound to the Citrix Gateway vServer.

It is possible that this security enhancement may make its way into other builds such as 12.x so this guidance may become valid for more than 13.0 in the future.

In this article, we’ll walk through how to quickly fix the issue and restore a Citrix Gateway to service.

Resolution

Step 1

SSH into the ADC appliance and enter into shell mode.

The syslog message we are looking for is “SSO FAIL forwarding to client because of weak SSO user user@email.com”. To speed this up, grep through the cleartext ns.log with:

If this does not produce any hits, the logs might have been rotated, in which case you can use the zgrep command

The output shows the filename : line_number : content of the line.

We have 3 matches from my failed attempts so to investigate further, we’ll follow line number 72, 2054 and 2074 of the file ns.log.11. The cat command will be used or alternatively the zcat for gzip compressed logs. Vi can also be used as an alternative.

(type q to quit after investigating)
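The log search described in this step, as an added example that is not from the original article: it scans ns.log and its rotated copies (plain or gzip-compressed) for the weak-SSO message, prints file:line_number:content, and counts hits per user. The sample log lines are constructed, and /var/log as the log directory on the appliance is an assumption.

```shell
#!/bin/sh
# Added example: locate weak-SSO failures in ns.log and its rotated copies.
# The message text is the one quoted in the article; the log lines are constructed.
SSO_FAIL_PATTERN='SSO FAIL forwarding to client because of weak SSO user'

# find_weak_sso_failures DIR
# Prints file:line_number:content for every match in DIR/ns.log and DIR/ns.log.*
# (gzip-compressed rotations are decompressed on the fly, as zgrep would).
find_weak_sso_failures() {
    log_dir=$1
    for f in "$log_dir"/ns.log "$log_dir"/ns.log.*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac | awk -v file="$f" -v pat="$SSO_FAIL_PATTERN" \
            'index($0, pat) { print file ":" NR ":" $0 }'
    done
}

# count_weak_sso_users DIR
# Prints "count user" per affected user, most frequent first.
count_weak_sso_users() {
    find_weak_sso_failures "$1" |
        awk -v pat="$SSO_FAIL_PATTERN" '{
            i = index($0, pat)
            if (!i) next
            n = split(substr($0, i + length(pat)), a, " ")
            if (n) { sub(/"$/, "", a[1]); print a[1] }
        }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# make_sample_logs DIR
# Writes a constructed ns.log and one gzip-compressed rotation for the demo.
make_sample_logs() {
    cat > "$1/ns.log" <<'EOF'
Sep 18 10:14:58 adc01 0-PPE-0 : default SSLVPN LOGIN 101 0 : "constructed login line"
Sep 18 10:15:02 adc01 0-PPE-0 : default SSLVPN Message 102 0 : "SSO FAIL forwarding to client because of weak SSO user alice@example.com"
Sep 18 10:15:09 adc01 0-PPE-0 : default SSLVPN LOGOUT 103 0 : "constructed logout line"
EOF
    gzip -c > "$1/ns.log.0.gz" <<'EOF'
Sep 17 09:00:01 adc01 0-PPE-0 : default SSLVPN LOGIN 11 0 : "constructed login line"
Sep 17 09:00:05 adc01 0-PPE-0 : default SSLVPN Message 12 0 : "SSO FAIL forwarding to client because of weak SSO user bob@example.com"
Sep 17 09:02:40 adc01 0-PPE-0 : default SSLVPN Message 13 0 : "SSO FAIL forwarding to client because of weak SSO user alice@example.com"
EOF
}

# Demo on constructed data; on an appliance the call would be
# find_weak_sso_failures /var/log (assumed log directory).
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
find_weak_sso_failures "$demo_dir"
count_weak_sso_users "$demo_dir"
rm -rf "$demo_dir"
```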


Step 2

Now that we have confirmation SSO is the cause of this issue, type exit to enter the ADC command line interface. A new vpn policy will need to be attached so let’s find out the name of the currently added vpn vservers.


Step 3

A new traffic action and policy will need to be added. Copy and paste the following 3 commands, substituting the vserver name found with the command above.

Step 4

At this point, re-test authentication to Citrix Gateway and confirm SSO passthrough works. Be sure to save your config!


Error: “Cannot Complete Your Request” When Connecting to StoreFront

Where to Start Troubleshooting

In order to identify what steps need to be followed when troubleshooting the error, you will have to identify where the issue is occurring by performing the following 3 tests:

Do you get the error when connecting directly to the StoreFront server? If yes, start troubleshooting from step 1.

Perform this test by adding the StoreFront base URL and the StoreFront server local IP address to the Hosts file of the internal machine you will be testing with. For more information about editing the Hosts file refer to the following article – How to use a Hosts file to test a site that uses host headers on an Intranet.

Do you get the error connecting through a load balancer? If yes, start troubleshooting from step 13.

From the testing machine open the command prompt and ping the StoreFront base URL FQDN. The FQDN should resolve to the IP address of your load balancer. If it does not then verify your DNS settings or the Hosts file on the local machine.

Do you get the error only when connecting through your NetScaler Gateway? If yes, start troubleshooting from step 19.

From the testing machine open the command prompt and ping the NetScaler Gateway FQDN. The FQDN should resolve to the IP address of your NetScaler Gateway. If it does not then verify your DNS settings or the Hosts file on the local machine.

Troubleshooting Steps

Troubleshooting the Storefront Server Connection

Note: StoreFront 3.x has the loopback feature, for configuration guidance refer to Citrix Blog – What’s New in StoreFront 3.0.

Make sure that the certificate on the StoreFront server is not expired.

Make sure the “Certificate Issued To” name matches the StoreFront base URL. The certificate should also contain a private key. If using a SAN certificate, make sure the StoreFront Base URL is listed under the subject alternative names. Wildcard certificates are also supported.

View the Certification Path tab on the certificate and confirm that all the Intermediate and Root certificates are properly installed in order to complete an SSL Handshake. For more information regarding certificates see article – Server Certificates.

Troubleshooting the Load Balancer

Troubleshooting NetScaler Gateway

Open the StoreFront MMC > NetScaler Gateway > Select the Gateway you configured > Change General Settings > NetScaler Gateway URL and confirm external users are using the same URL for external access on the browser and Citrix Receiver.

On the StoreFront server open the Command Prompt > Ping NetScaler Gateway FQDN and confirm it resolves to the correct gateway IP address.

On the StoreFront server open a browser and navigate to the NetScaler Gateway URL to confirm there are no certificate errors. For more information refer to article CTX128539 – How to Link an Intermediate Certificate to the Server Certificate on NetScaler/NetScaler Gateway.

Open the StoreFront MMC and go to NetScaler Gateway > select the gateway you are configuring > Change General Settings > Subnet IP address and remove it. The subnet IP address is only needed if you are using a NetScaler 9.x firmware or under certain use cases concerning GSLB as mentioned here. Specifying the VIP of a NetScaler Gateway (not SNIP) may be required if the StoreFront implementation supports multiple NetScaler Gateways with the same URL (such as the same URL being used internally and externally, but resolving to different NetScaler Gateways) along with unique callback URLs. That being said, only certain use cases and the use of NetScaler 9.x firmware necessitate populating the Subnet IP address field which should otherwise be left blank.

On the same Change General Settings window from step 22, confirm the Logon Type is set to Domain if using LDAP authentication on the NetScaler Gateway. For more information refer to Citrix Documentation – Configure NetScaler Gateway connection settings.

On the same Change General Settings window from step 22, confirm the Callback URL FQDN listed resolves to the NetScaler Gateway VIP by using the ping command on the Command Prompt from the StoreFront server. Once you verify it resolves to the correct gateway IP address, open a browser on the StoreFront server and navigate to it and confirm there are no certificate errors.

On the NetScaler Gateway VIP go to Authentication > LDAP Policy > Edit Server and confirm the following settings:

For more information refer to – User authentication.

Go to the Session Policy bound to the NetScaler Gateway VIP > Edit Profile > Client Experience > Single Sign-on to Web Applications and confirm that it is checked. Then go to the Published Applications tab > Single Sign-on Domain and confirm the correct domain is specified.

Note: For domain users in a multi-domain environment, add the SSO Name Attribute field as UserPrincipalName under LDAP Policy configuration and uncheck the Single Sign-on Domain for the authentication on the session profile.

Check the NetScaler Gateway VIP > SSL Parameters > TLSv1 and confirm that it is enabled. StoreFront 3.0.1 or prior does not support TLS 1.1 and TLS 1.2. Make sure the Callback VIP has TLS 1.0 enabled.

On the NetScaler Gateway VIP verify the “No Rewrite Clientless” policy on the NetScaler Gateway VIP is configured to use the expression TRUE.

On the NetScaler go to Security > Application Firewall and confirm the feature is disabled. If it is enabled, bypass the policies during testing. If successful, re-enable the Application Firewall in learning mode, so it can Learn and Allow the necessary StoreFront traffic. For more information refer to article CTX117003 – How to Configure Learning Parameters on the Application Firewall.

Other Scenarios

If you only get the error when accessing the server for first time after an idle time or running an antivirus scan then disable the File Change Notification feature on the IIS server where StoreFront is running.

Find the application's bitness in the application pool's advanced settings.

64 bit: To enable this hotfix, you must add the following DWORD value of 1 at the following registry key:

32 bit: If you are running a 32-bit process on an x64-based system, add the following DWORD value of 1 at the following registry key:

For more information refer to the following blogs:

Is there an error in the Event Viewer for “An unexpected error occurred storing the credentials” (Event ID 8) or “An error occurred during authentication” (Event ID 3)?

If so, run the following PowerShell command:

cd 'C:\Program Files\Citrix\Receiver StoreFront\Scripts'

$certlist = @(Get-DSCertificate)[0] | where

And then restart the Citrix Credential Wallet Service.

If any timeout settings have been modified manually through the web.config file located under C:\inetpub\wwwroot\Citrix\Authentication\web.config then make sure the SessionState timeout field is set to the default value of 5.

If using Microsoft NLB as a load balancer: it has been reported that using Microsoft “NLB” type load balancing with unicast mode might trigger this issue. Switching to multicast mode helps resolve this issue.

When a single FQDN configuration is used, a skipped or misconfigured step can cause the “Cannot complete your request” error. Refer to the following Citrix Documentation to verify the configuration – Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally.

If you were configuring Optimal Gateway for launching applications, make sure the configuration on the web.config file has a proper closing HTML tag. For more information regarding Optimal Gateway configuration refer to Citrix Documentation – Configure optimal NetScaler Gateway routing for a store.

If you experience the error after publishing a new application or customizing an application’s icon, check the event viewer on the StoreFront server and look for the following errors:

Event 1 = There was an error during a resources List request. System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

The remote server returned an error: (500) Internal Server Error.

Event 7 = Unhandled exception thrown for route “DazzleResources/List” System.ArgumentException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.

The workaround is to go to Studio > Delivery Groups > Applications > view the properties of the application recently added > Delivery > Application Icon > Change and choose from any of the Citrix default icons.

If you received this error during implementation of ADFS, Azure and FAS then consider the following – SAML authentication does not use a password and only uses the user name. Also, SAML authentication only informs users when authentication succeeds. If SAML authentication fails, users are not notified. Since a failure response is not sent, SAML has to be either the last policy in the cascade or the only policy.

So when you configure SAML authentication along with LDAP authentication on NetScaler, use the following guidelines – if SAML is the primary authentication type, then disable authentication in the LDAP policy and configure it for group extraction. Now, bind the LDAP policy as the secondary authentication type.

If this error occurs after an upgrade, then go to IIS > Default Site > StorenameWeb > Default Files > delete default.html and recreate default.html file manually.

Disable self-recycling for the following application pools:

Citrix delivery services authentication

Citrix delivery services resources

Citrix receiver for web

Verify that all required networks are reachable from NetScaler Gateway. The routing table should also be complete.

Examine the logs on NetScaler Gateway to verify if it is blocking any cookies, in case expression for cookie header is used in the session policy.

If the issue occurs specifically after an HA failover of NetScaler Gateway, then verify the time on both the nodes. The time on the nodes should be in sync. Examine the ntpd process and sync the time if the nodes are not in sync.

Citrix ADC 13.0-64-35 “Cannot complete your request”

Do you get “Cannot complete your request” after upgrading your ADC appliance? If you updated to Citrix ADC version 13.0-64.35 in the course of CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247 (https://support.citrix.com/article/CTX281474), it is possible that despite a successful firmware update and correct configuration, the login is not forwarded to StoreFront.

One of the versions that fixes CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247 is Citrix ADC and Citrix Gateway 13.0-64.35 or later. However, it is important to know that Citrix has made some adjustments with this version, which can also be found in the release notes. The main reason is to further harden the application and to better protect the systems.

Support to disable the weak Basic, Digest, and NTLM authentication globally
The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.

– Basic authentication
– Digest Access Authentication
– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.
[ NSAUTH-7747 ]

Cannot complete your request

After the update it is possible that the login sent from the Citrix ADC Gateway to Citrix StoreFront suddenly does not work anymore. Single sign-on therefore no longer works. Citrix StoreFront only returns: “Cannot Complete your Request”.

How to fix the Problem on Citrix ADC 13.0-64.35 (installed with 13.x)?

If you installed your appliance with version 13.x, you can easily fix the problem by creating the following policies. You can do that with the following commands:

How to fix the Problem on Citrix ADC 13.0-64.35 (upgraded from 12.x)?

But if you did not install your appliance with version 13.x, but upgraded from 11.x or 12.x, you have to take a slightly different approach here. First check the policy type on your gateway. You cannot mix Classic with Advanced Policies.

This is a good example of such an upgrade path. Fortunately the flash files are available.


You can easily find out by typing the following command.

If you see in the output that Classic Policies are in use, you cannot apply the workaround above.

In this case the following command will help you to solve the problem.
