After the upgrade of your ADC appliance you get “cannot complete your request”? If you updated to Citrix ADC version 13.0-64.35 in the course of CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247 (https://support.citrix.com/article/CTX281474), it is possible that, despite a successful firmware update and a correct configuration, the login is not forwarded to StoreFront.
One of the versions that fixes CVE-2020-8245, CVE-2020-8246 and CVE-2020-8247 is Citrix ADC and Citrix Gateway 13.0-64.35 or later. However, it is important to know that Citrix made some adjustments in this version, which are also documented in the release notes. The main reason is to further harden the appliance and to better protect the systems.
Support to disable the weak Basic, Digest, and NTLM authentication globally
The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.
– Basic authentication
– Digest Access Authentication
– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.
[ NSAUTH-7747 ]
Cannot complete your request
After the update it is possible that the login forwarded from Citrix ADC Gateway to Citrix StoreFront suddenly no longer works, so Single Sign-on is broken. Citrix StoreFront only returns: “Cannot Complete your Request”.
How to fix the Problem on Citrix ADC 13.0-64.35 (installed with 13.x)?
If you installed your appliance with version 13.x, the fix is easy: you have to create the following policies, which you can do with the following commands:
add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO true traf_act_SSO
bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
How to fix the Problem on Citrix ADC 13.0-64.35 (upgraded from 12.x)?
If you did not install your appliance with version 13.x but upgraded from 11.x or 12.x, you have to take a slightly different approach. First check the policy type on your gateway, because you cannot mix Classic with Advanced policies.
This is a good example of such an upgrade path. Fortunately the flash files are available.
You can easily find that out by typing the following command.
show VPN TrafficPolicy
If you see in the output that Classic policies are in use, you cannot apply the workaround above.
In this case the following commands will help you solve the problem.
add VPN TrafficAction traf_act_SSO HTTP -SSO ON
add VPN TrafficPolicy traf_pol_SSO ns_true traf_act_SSO
bind VPN vServer *YOUR Gateway vServer* -policy traf_pol_SSO -priority 100
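The two command sets above differ only in the rule expression (advanced `true` vs classic `ns_true`) and in the bind options, and the post's warning is that you must not mix the two policy types. The following helper is an added example, not code from the original post or from Citrix: it reads `show VPN TrafficPolicy` output (the sample is constructed, and the `Rule:` field layout is an assumption), classifies the rules with a syntax heuristic, refuses mixed or absent policies, and emits the matching command set for a gateway vServer name you supply.

```python
import re

# Constructed sample of "show VPN TrafficPolicy" output. Assumption: every
# policy prints a "Rule:" field; real output may differ in spacing/columns.
SAMPLE_SHOW_OUTPUT = """\
1)      Name: pol_classic_sso      Rule: ns_true
        Action: act_sso            Hits: 12
2)      Name: pol_classic_ua       Rule: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
        Action: act_sso            Hits: 3
"""

RULE_RE = re.compile(r"Rule:\s*(.+?)\s*$", re.MULTILINE)

def policy_type(rule: str) -> str:
    """Heuristic: classic rules are ns_* named expressions or REQ./RES.
    prefixed; advanced rules are true/false or HTTP./CLIENT./SYS./AAA. prefixed."""
    r = rule.strip()
    if r.startswith(("ns_", "REQ.", "RES.")):
        return "classic"
    if r in ("true", "false") or r.startswith(("HTTP.", "CLIENT.", "SYS.", "AAA.")):
        return "advanced"
    return "unknown"

def detect_policy_type(show_output: str) -> str:
    """'classic' or 'advanced' if all rules agree, 'none' if no policies are
    listed, otherwise 'mixed' (which the post says must never be configured)."""
    types = {policy_type(m.group(1)) for m in RULE_RE.finditer(show_output)}
    if not types:
        return "none"
    if len(types) == 1 and "unknown" not in types:
        return types.pop()
    return "mixed"

def sso_fix_commands(vserver: str, ptype: str) -> list:
    """Return the exact three commands from the post for the detected type."""
    cmds = ["add VPN TrafficAction traf_act_SSO HTTP -SSO ON"]
    if ptype == "advanced":
        cmds.append("add VPN TrafficPolicy traf_pol_SSO true traf_act_SSO")
        cmds.append(f"bind VPN vServer {vserver} -policy traf_pol_SSO -priority 100 "
                    "-gotoPriorityExpression END -type REQUEST")
    elif ptype == "classic":
        cmds.append("add VPN TrafficPolicy traf_pol_SSO ns_true traf_act_SSO")
        cmds.append(f"bind VPN vServer {vserver} -policy traf_pol_SSO -priority 100")
    else:
        raise ValueError(f"cannot apply fix for policy type '{ptype}'; "
                         "check the policies bound to the vServer manually")
    return cmds

if __name__ == "__main__":
    kind = detect_policy_type(SAMPLE_SHOW_OUTPUT)          # hypothetical vServer name below
    print("\n".join(sso_fix_commands("vs_gateway", kind)))
```

If the output mixes expression styles, the helper deliberately stops instead of guessing, since binding an advanced policy next to classic ones is exactly the mistake the post warns about.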
Now the login should work normally again and SSO should be restored. The error “Cannot complete your Request” should no longer occur. You can follow me on Twitter or check out my other blog posts.