SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront
Single Sign-On from Access Gateway to StoreFront not working in CVPN mode
There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!
It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!
After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!
So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…
The following picture tries to give a VERY rough picture of how it could look like, clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the little newer CVPN mode. And YES; I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…
The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy have been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).
But SSO still doesn’t work!! If you login through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly but then when it tries to passthrough the authentication to StoreFront it fails.
This picture just shows the login to the NetScaler ADC Access Gateway vServer:
You enter your credentials and then you’ll see that the NetScaler is trying to open a cvpn connection to StoreFront by the looking at the URL (contains /cvpn/ and then in this case we do have Obscure on for the URL):
But this is as far you may get…. then after a while you’ll see this message:
Cannot complete your request. Could not log off from Access Gateway. Please close your browser to log off.
And of course you’ll start looking at whether you had the right SNIP configured at the StoreFront gateway settings, and whether you can contact the callback URL from your StoreFront server…
You then also try the old ICA proxy session profiles and find out that they work like a charm! You get your credentials passed through to StoreFront and wonder what you’re doing wrong! And this is where we got stuck after a while…..
Then the Citrix support came up with an idea, the IP-address that we had on the StoreFront server was an IP-address that according to RFC 1918 is to be considered to be a PUBLIC IP. For more info read about it here;
http://en.wikipedia.org/wiki/Private_network
I at first didn’t believe them but then they asked me to configure Split Tunnel to On in our CVPN Session Profile:
We did and tried to log in again.. and YES!!! IT WAS WORKING!!! This is unbelievable!!! Thanks a lot Citrix!! (but I must admit that it took them pretty long time to find this as well..)
So the reason behind this design is that it’s a security measure. Citrix don’t want to unwillingly post user credentials to a PUBLIC site. So the problem is that we in this case used “real IPv4” addresses that are considered to be public!!
So how do you solve it without adding the Split Tunnel setting to On?
The best workaround is to put the StoreFront server(s) in a service group behind a Load Balancing vServer that is using a PRIVATE IP in front of it with a private IP and then point AGEE to that VIP!!
Or you could of course change your internal IP-plan… But I guess that won’t happen! 😉
More info can also be found here in a good Citrix article that actually highlights this issue and the solution but of course it’s rare for people to know about it I guess though we had this issue for quite some time in this specific environment!
I hope that this at least helps someone out there with Single Sign On issues to StoreFront from Access Gateway.
Cheers!
//Richard
Leave a Reply
The IT Melting Pot! 
good post, saved my issue! been searching for some time about this matter. Did you get any promises about a solution without changing IP schemes via loadbalancing service group as suggested this blog?
Hi,
Great that the blog post helped someone! 😉
Well the info that we received is that this is a “by design” functionality, so I don’t think that this will change. But perhaps if more customers sends enhancement requests to Citrix to change this then it may be something that they could look at I guess. My wish you be that you as a customer would have the option to configure this through a global settings or so. But for now we have to do the workaround.
Cheers!
//Richard
Thanks a Lot. I have been stuck for a while on this issue…
Guess I will have to change my IP address plan someday