With the release of Citrix ADC 13.0 build 64.35, Citrix have made some changes to the “Single Sign-on to Web Application” setting in the Session Profiles:
This is new and can affect SSO to Citrix StoreFront. In my test environment, after upgrading to 13.0 build 64.35, I got this error when logging in to the Access Gateway:
There were no errors in the event viewer of the StoreFront server to help me.
In the release notes for ADC 13.0 build 64.35, Citrix state the following:
Title: Support to disable the weak Basic, Digest, and NTLM authentication globally
The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.
– Basic authentication
– Digest Access Authentication
– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign
[ NSAUTH-7747 ]
I got my test environment to work with a simple traffic profile and traffic policy.
Traffic profile:
Traffic policy:
Just bind the policy to the Access Gateway, and you will not get the StoreFront error 😊
CLI commands:
add vpn trafficAction traf_prof_sf_sso http -SSO ON
add vpn trafficPolicy traf_pol_sf_sso true traf_prof_sf_sso
bind vpn vserver <NAME> -policy traf_pol_sf_sso -priority 100 -gotoPriorityExpression END -type REQUEST
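
To see where this workaround is in effect, the following added example (not from the original post or from Citrix) reads saved configuration lines in the form of the CLI commands above and lists every gateway binding whose traffic policy resolves to an action with -SSO ON, flagging policies whose rule is `true`, since that rule matches every request. The sample lines, gw_example and the hostname are constructed, and it assumes the saved config uses the same command syntax as shown here.

```python
import shlex

# Constructed sample in saved-config style. The traf_*_sf_sso names come from
# the commands above; the vserver, other policies and hostname are made up.
SAMPLE_CONF = r'''
add vpn trafficAction traf_prof_sf_sso http -SSO ON
add vpn trafficAction traf_prof_plain http -SSO OFF
add vpn trafficPolicy traf_pol_sf_sso true traf_prof_sf_sso
add vpn trafficPolicy traf_pol_scoped "HTTP.REQ.HOSTNAME.EQ(\"sf.example.test\")" traf_prof_sf_sso
add vpn trafficPolicy traf_pol_plain true traf_prof_plain
bind vpn vserver gw_example -policy traf_pol_sf_sso -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver gw_example -policy traf_pol_scoped -priority 110 -gotoPriorityExpression END -type REQUEST
bind vpn vserver gw_example -policy traf_pol_plain -priority 120 -gotoPriorityExpression END -type REQUEST
'''


def parse_options(tokens):
    """Return {'-name': value} for the '-name value' pairs in a command tail."""
    return {tokens[i].lower(): tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i].startswith("-")}


def audit_sso_bindings(conf_text):
    """List gateway bindings whose traffic policy resolves to an action with -SSO ON."""
    sso_actions, policies, bindings = set(), {}, []
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "vpn", "trafficaction"] and len(tok) > 4:
            if parse_options(tok[5:]).get("-sso", "").upper() == "ON":
                sso_actions.add(tok[3])
        elif head == ["add", "vpn", "trafficpolicy"] and len(tok) > 5:
            policies[tok[3]] = (tok[4], tok[5])  # policy name -> (rule, action)
        elif head == ["bind", "vpn", "vserver"] and len(tok) > 4:
            opts = parse_options(tok[4:])
            if "-policy" in opts:
                bindings.append((tok[3], opts["-policy"], opts.get("-priority")))
    findings = []
    for vserver, policy, priority in bindings:  # resolve only after all lines are read
        rule, action = policies.get(policy, (None, None))
        if action in sso_actions:
            findings.append({"vserver": vserver, "policy": policy, "priority": priority,
                             "rule": rule, "catch_all": rule.lower() == "true"})
    return findings


if __name__ == "__main__":
    for f in audit_sso_bindings(SAMPLE_CONF):
        scope = "ALL requests" if f["catch_all"] else f["rule"]
        print(f'{f["vserver"]}: {f["policy"]} (prio {f["priority"]}) applies SSO to {scope}')
```

A finding with catch_all set is a candidate for a narrower rule, such as the hostname expression used in the constructed sample.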