With the release of Citrix ADC 13.0 build 64.35, Citrix have made some change to the “Single Sign-on to Web Application” in the Session Profiles:

This is new and can affect the SSO to Citrix Storefront. In my test environment after upgrading to 13.0 build 64.35 I got this error when logging in to the Access Gateway:

 There were no errors in the event viewer of the Storefront Server to help me.

In the release note for ADC 13.0 build 64.35 Citrix state, the flowing:

Title: Support to disable the weak Basic, Digest, and NTLM authentication globally

The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.

– Basic authentication

– Digest Access Authentication

– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

[ NSAUTH-7747 ]

I got my test environment to work with a simple traffic profile and traffic policy.

Traffic profile:

Traffic policy:

Just bind the policy to the Access Gateway, and you will not get the Storefront error, 😊

CLI commands:

add vpn trafficAction traf_prof_sf_sso http -SSO ON

add vpn trafficPolicy traf_pol_sf_sso true traf_prof_sf_sso

bind vpn vserver <NAME> -policy traf_pol_sf_sso -priority 100 -gotoPriorityExpression END -type REQUEST