Citrix ADC 13.0-64-35 “Cannot complete your request”

After Upgrade of your ADC Applaince you get “cannot complete your request”? If you updated to Citrix ADC version 13.0-64.35 in the course of CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247 (https://support.citrix.com/article/CTX281474), it is possible that despite a successful firmware update and correct configuration, the login is not forwarded to the storefront.

One of the versions that fixes CVE-2020-8245, CVE-2020-8246 or CVE-2020-824 is Citrix ADC and Citrix Gateway 13.0-64.35 or later. However, it is important to know that Citrix has made some adjustments with this version, which can also be found in the ReleaseNodes. The main reason is to further harden the application and to better protect the systems.

https://docs.citrix.com/en-us/citrix-adc/downloads/release-notes-13-0-64-35.html

Support to disable the weak Basic, Digest, and NTLM authentication globally
The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.

– Basic authentication
– Digest Access Authentication
– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.
[ NSAUTH-7747 ]

Cannot complete your request

After the update it is possible that suddenly the login sent from the Citrix ADC Gateway to the Citrix Storefront does not work anymore. Single Signon therefore no longer works. The Citrix Storefront only returns : “Cannot Complete your Request”.

How to fix the Problem on Citrix ADC 13.0-64.35 (installed with 13.x)?

If you have installed your appliance with version 13.x, you can easily fix the problem. You have to create the following policies. you can do that with the following commands:

add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO true traf_act_SSO

bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST

How to fix the Problem on Citrix ADC 13.0-64.35 (upgraded from 12.x)?

But if you did not install your appliance with ersion 13.x, but upgraded from 11.x or 12.x, you have to take a slightly different approach here. First check the policy type on your gateway. You cannot mix Classic with Advanced Policies.

This is a good example of such an upgrade path. Fortunately the flash files are available.

You can easily find out by typing the following command.

show VPN TrafficPolicy


If you see in the output that Classic Policies are in use, you cannot apply the Workarround as above.

In this case the following command will help you to solve the problem.

add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO ns_true traf_act_SSO

bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 

Now the login should work normally again and the SSO should work again.The error “Cannot complete your Request” should no longer occur. You can follow me on twitter or check out my other blog posts.

26 thoughts on “Citrix ADC 13.0-64-35 “Cannot complete your request””

  1. Thanks for this!! I’ve been fighting this for a week.

    I tried the commands but the first one did not work. I added a space between HTTP and -SSO and the policy created.

    “add VPN TrafficAction traf_act_SSO HTTP -SSO ON”

    I bound the policy to Global. Worked like a charm!!!

      1. The Problem is, if you bind the Workarount to an SSL VPN Server, RDP SSO will probably break. The Fix ist only for Citrix Storefront and Web SSO. You don´t need to bind it to SSL VPN.

    1. Hi! I’ve upgraded from 13.0-61.48 ( previous from 12.x, etc etc ), but I don’t have traffic policy, so I tried to create
      the traffic policy:

      add VPN TrafficAction traf_act_SSO HTTP -SSO ON
      add VPN TrafficPolicy traf_pol_SSO true traf_act_SSO

      bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
      ( I need to use true and not ns_true because when I bind the traffic policy to a virtual server I receive an error. Using true let me to bind correctly the policy ).
      But I still have the same problem: cannot complete your request…
      This when I try to connect to netscaler portal using both Clientless Access or Virtual App and Desktop Access.
      I’ve three vserver. I need to create three different policy for every vserver?
      Thanks in advance. Fabio.

  2. Thank you very much, although there are 2 small errors in your instructions: (for cut and paste lovers)

    the first line is missing a space between “HTTP” and “-SSO”
    In the third line you refer to traf_pol but previously you had called the policy traf_pol_SSO so the correct commands are:

    add VPN TrafficAction traf_act_SSO HTTP -SSO ON
    add VPN TrafficPolicy traf_pol_SSO ns_true traf_act_SSO

    bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST

  3. Missing “_SSO” on line 4 @ policy traf_pol_SSO,
    Should be:
    bind VPN vServer Citrix_Hillsboro_Production -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST

  4. Thank you very much! Not easy to find, but exactly the solution we needed. This prevented our production update for several days. Citrix should make such announcements more clear.

  5. Hello,
    here some notes from the field…..
    you can easily set the traffic policy b4 updating the appliance. Don´t forget to “savec” and synch the config if you happen to have a cluster. Disconnected sessions reconnect immediately if you implement the policy on the command line. If you have a XenMobile vServer on your box above commands will work with them like a charm. Yes… 13.0.64.35 breaks XM vServer backend communication as well…
    Best regards and thank you very much for taking the time blogging and helping us guys out.

  6. Pete Le Maistre

    I got an error running line 4 with classic policies.

    ERROR: Invalid arguments for classic policy binding

    Removed “-gotopriorityExpression END” from the command to get it to bind correctly.

    Citrix Gateway is now working correctly.

  7. Thanks a lot for your description!
    I have the same problem and get the following error when entering the 3rd command:

    > bind VPN vServer _XD_10.29.5.52_443 -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
    ERROR: Invalid arguments for classic policy binding

    Do you have an additional tip for me?
    Thanks! Roland

  8. Frank Hedegaard

    Hi

    What would a more precise setting be, instead of TRUE ?
    In conjunction with NS OTP, we have 2 traffic polices bound to the same Gateway, both have TRUE as value, so only the first is processed….

Leave a Comment

Your email address will not be published. Required fields are marked *