Error: "401 - Unauthorized: Access is denied due to invalid credentials" - NetScaler Gateway or CAG

Hello everyone.

In this post I am going to share a solution for the dreaded error "401 - Unauthorized: Access is denied due to invalid credentials" that appears when you access Citrix Web Interface 5.4 or StoreFront through Citrix Access Gateway or NetScaler Gateway.

There are numerous posts out there, and Citrix also has a good article on investigating and fixing this issue if you come across it.

I came across this issue with NetScaler 10.5 (Access Gateway) and Web Interface 5.4.


Config and setup info

1 NetScaler with 2 NICs sitting in a DMZ: access to the backend internal servers via the SNIP address, management via the NSIP address, and front-end user access via a VIP reachable from the Internet.

1 Web Interface server in Gateway Direct mode, with authentication at the NetScaler, configured for the default Citrix/XenApp website.

Troubleshooting

I started by looking at the Windows 2008 R2 Web Interface event logs (Application and Security). No events were logged for the error, and nothing related to an access error.

Enabled AAA debug (aaad.debug) on the NetScaler to check whether authentication was okay. Citrix documents the steps to enable AAA debug on NetScaler.

All user authentication was successful, and group membership was being enumerated via the LDAP policy.

Enabled and captured a network trace on the NetScaler to check the packet flow. Citrix documents the steps to enable a network trace on NetScaler.

I could see in the network trace that the Web Interface was rejecting the NetScaler with a reset packet, and in the data an HTTP 401 invalid credentials error was captured. But I still did not have a clue as to why this was failing.

I looked into Microsoft IIS to see whether any recent Microsoft patches might have locked down the access methods, including Windows Authentication with Kerberos and NTLM; changes to these made no difference.

Reconfigured the LDAP policy just to make sure the policy was correctly applied, and reconfigured the session policy on the NetScaler.

Another way to test the callback is to browse to the FQDN of the gateway VIP from the Web Interface server. If this succeeds without errors, there is no issue with the network config. If you get a certificate error or "page cannot be displayed", you will have to import the root certificate and intermediate certificate into the computer's Trusted Root and Intermediate certificate stores.

If the CAG VIP FQDN does not resolve, create a DNS entry, or a hosts file entry on the Web Interface or StoreFront servers, pointing to the "internal" facing CAG VIP.

I added a hosts file entry on the Web Interface server and even created a DNS entry to eliminate name resolution as a cause, but still got the same error. It was evident the issue was on the NetScaler, as every flow from the Web Interface side was fine.

Resolution

I looked into the session policy on the NetScaler and then into the Gateway session profile. Under the Web Interface address, I noticed the IP address of the Web Interface server instead of its FQDN. As soon as I changed this to the FQDN of the Web Interface server followed by the path to the site, i.e. http://servername.domainFQDN/Citrix/Xenapp, I was able to access my Citrix farm and launch applications.
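Two of the checks above are easy to mechanise: scanning the session profiles for a Web Interface address that is an IP literal or lacks the site path, and confirming that the gateway FQDN on the Web Interface server resolves to the internal-facing VIP. The script below is an added example, not code from the post or from Citrix. It assumes the Web Interface address is stored as the `-wihome` parameter of `add vpn sessionAction` lines in ns.conf; the profile names, host names and addresses are constructed for the example.

```python
"""Lint NetScaler Gateway session profiles for the Web Interface address
mistake described in this post, and check callback name resolution from a
hosts file. All sample data is constructed; nothing is contacted."""
import ipaddress
import shlex
from urllib.parse import urlsplit

# Constructed 'add vpn sessionAction' lines in ns.conf form (assumption:
# the Web Interface address is the -wihome parameter). Made-up names/hosts.
SAMPLE_NS_CONF = """\
add vpn sessionAction AG_WI_PROFILE -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://10.20.30.40/Citrix/XenApp" -ntDomain EXAMPLE
add vpn sessionAction AG_SF_PROFILE -SSO ON -icaProxy ON -wihome "https://storefront01.example.local/Citrix/StoreWeb"
add vpn sessionAction AG_SHORT_PROFILE -icaProxy ON -wihome "http://wi01/Citrix/XenApp"
add vpn sessionAction AG_NOPATH_PROFILE -icaProxy ON -wihome "http://wi01.example.local"
"""


def parse_session_actions(conf_text):
    """Return {profile_name: wihome} for every 'add vpn sessionAction' line;
    a profile without -wihome maps to None."""
    profiles = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line)  # honours the quoted URL value
        if tokens[:3] != ["add", "vpn", "sessionAction"]:
            continue
        name = tokens[3]
        wihome = None
        if "-wihome" in tokens:
            i = tokens.index("-wihome")
            wihome = tokens[i + 1] if i + 1 < len(tokens) else None
        profiles[name] = wihome
    return profiles


def check_wihome(value):
    """Return findings for one Web Interface address. An empty list means it
    has the working shape from the post: scheme://server.fqdn/<site path>."""
    if value is None:
        return ["no -wihome set on this profile"]
    findings = []
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        findings.append("missing http:// or https:// scheme")
    host = parts.hostname or ""
    if host:
        try:
            ipaddress.ip_address(host)
            findings.append("host is an IP literal; use the Web Interface server FQDN")
        except ValueError:
            if "." not in host:
                findings.append("host is not fully qualified")
    if parts.path in ("", "/"):
        findings.append("no site path (for example /Citrix/XenApp)")
    return findings


def lint_config(conf_text):
    """Map each profile name to its findings so the bad profile stands out."""
    return {name: check_wihome(v) for name, v in parse_session_actions(conf_text).items()}


# Constructed Windows hosts file content: the gateway FQDN pinned to the
# internal-facing gateway VIP, as the post describes. Addresses are made up.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
192.168.100.10  gateway.example.com   # internal-facing CAG VIP
"""


def hosts_lookup(hosts_text, fqdn):
    """Return the address the hosts file maps fqdn to (case-insensitive,
    comments ignored), or None if the name is not pinned there."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if fqdn.lower() in (n.lower() for n in names):
            return addr
    return None


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_NS_CONF).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print("gateway.example.com ->", hosts_lookup(SAMPLE_HOSTS, "gateway.example.com"))
```

Run it against a copy of ns.conf (`show ns runningConfig` output works too) and against `C:\Windows\System32\drivers\etc\hosts` from the Web Interface server; a profile with an IP-literal host or no site path is the one to fix in the Gateway session profile.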

More details on NetScaler session policies are in the Citrix article on the subject.

Points to consider when investigating this type of incident: check the logs on both the NetScaler and the Web Interface server.

Hope this helps.

