In the last couple of months, I came across some NetScaler redeployments regarding the latest CVE and on the other hand moving over from basic policies to advanced policies.
For this to work we are depending on the AAA setup with authentication profiles to combine it all with a Citrix Gateway deployment.
For RADIUS there is a nice article containing a how to: Deployment Guide: Learn how to configure Citrix Gateway to use nFactor to authenticate against a RADIUS server for MFA
And down the article we have https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/gateway-mfa.html#apply-a-login-schema-that-presents-the-user-with-a-user-name-password-and-passcode-field that presents a username/password/token code field which was specific for this customer.
One would think this would all work instantly, it did to a point that after the challenge/response and token input we would logon and be presented a nice “cannot complete your request” which gives the invalid SSO logon entries in StoreFront. This was strange because the entire setup works with the older 12.1 / basic policy configuration, the 13.0/13.1 doesn’t do anything that different. This is all correct up to the point we are using a login schema which takes the whole process in a bit different direction.
Turns out the SSO got garbled because of a missing SSO entry field on the login schema. (the one being mentioned as “lschema_dual_factor_builtin”)
Long story short the solution for this particular problem is to edit the login schema and the profile in question and select “Enable Single Sign On Credentials”.
This was one of the issues you can get when switching from basic to advanced profiles regarding authentication, my colleague Brian Timp also encountered a strange issue which came to light when switching from basic to advanced.
This was regarding users who would logon via RADIUS via sAMAccountName and userPrincipalName. The latter would error out also with the “cannot complete your request” message, this in turn was the cause of the SSO value being present in the session policy of the gateway regarding NETBIOS, FAS is also one of those things which error out on this. Solution is to remove the NETBIOS value in the session policy and afterwards both logon flows would work.
Hope it helps!