Recently I ran into a problem after moving from a single NetScaler running firmware 13.1.51.15 with LDAP/Duo authentication using iFrame to an HA Pair running firmware 13.1.37.176 FIPS with Duo SSO using SAML. Everything worked fine when using a browser to access Citrix Apps and Desktops but Workspace App for Windows and Android would not work.
The Issues:
Windows displayed the error: “Your account cannot be added using this server address. Make sure you entered it correctly. You may need to enter your email address instead.”
Android gave the error: “An error occurred while connecting. Check your server address and data connection. Error Code 548.”
Both were prompting for the Duo Password and MFA twice before failing.
Troubleshooting Steps:
- Authentication with Duo was completing successfully so I didn’t focus on that.
- Looking at the event log on the StoreFront server there were no events. The sessions were not getting that far.
- On the NetScaler I ran a “tail -f ns.log | grep -v CMD_EXEC” for a live view of the log and then reproduced the issue.
- In the log I could see “SeamlessSSO-EPA-Done or WebView-Done-forms-resumed, continuing to session policy eval for user” followed by these errors: “Ica mode status is not okay” and “Cannot complete login for user: <me@domainnaem>sessionid <1f2>, session state <15>, reason: <unknown>”
- This pointed me to the Session Profile for Citrix Receiver. There are a lot of KB articles out there for this. I was already using an Advanced Policy with the correct syntax and the same Session Profile settings that were working in the 13.1.51.15 environment.
  - ICA Proxy: ON
  - Web Interface Address: Pointing to the storefront/Citrix/storenameweb
  - Single Sign-on Domain: blank since users were supplying this during Duo SSO authentication
  - Account Services Address: StoreFront base URL
The Fix:
I tried messing around with a bunch of stuff but in the end this is what worked:
1. In the Receiver Session Profile blank out the Account Services Address and just use the Web Interface Address. This goes against what the Citrix documentation and all the other documentation I read says:
https://docs.netscaler.com/en-us/netscaler-gateway/current-release/integrate-citrix-gateway-with-citrix-products/integrate-citrix-gateway-with-storefront.html#2-create-a-session-policy-for-citrix-workspace-app-based-access
2. As soon as I did the above the behavior changed to a Duo Login Loop, which was fixed by going to the Client Experience tab and checking the Override Global box next to the Session Time-out field and leaving it at 30 minutes per this article: https://www.ferroquesystems.com/resource/issue-citrix-gateway-authentication-loop-after-adc-13-1-firmware-update/
I’m not sure I needed this but my NetScaler config showed it was missing the Pattern Sets so I did run the commands to add them: https://support.citrix.com/article/CTX554245/ios-cwa-add-url-failed-error-could-not-verify-server-address
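
Added example (not part of the original post): a small triage script that applies the same `grep -v CMD_EXEC` filter to a saved copy of ns.log and counts the two error messages quoted above per user. The sample log lines, user names and the function names `sample_nslog` and `scan_nslog` are constructed for illustration; only the quoted message text comes from the post.

```shell
#!/bin/sh
# Constructed, simplified ns.log lines (real entries carry more fields).
sample_nslog() {
cat <<'EOF'
Jan 10 09:15:01 ns1 : AAA Message : "SeamlessSSO-EPA-Done or WebView-Done-forms-resumed, continuing to session policy eval for user"
Jan 10 09:15:01 ns1 : AAA Message : "Ica mode status is not okay"
Jan 10 09:15:01 ns1 : AAA Message : "Cannot complete login for user: <alice@example.test>sessionid <1f2>, session state <15>, reason: <unknown>"
Jan 10 09:15:02 ns1 : GUI CMD_EXECUTED : show vpn sessionAction
Jan 10 09:16:40 ns1 : AAA Message : "Cannot complete login for user: <bob@example.test>sessionid <2a0>, session state <15>, reason: <unknown>"
EOF
}

# Reads ns.log from the files given as arguments, or from stdin if none.
scan_nslog() {
    # Drop command-audit noise first, as in the live tail used in the post.
    grep -v CMD_EXEC "$@" | awk '
        /Ica mode status is not okay/ { ica++ }
        /Cannot complete login for user:/ {
            fail++
            # Extract the user name between "<" and ">" after "user:".
            u = $0
            sub(/.*Cannot complete login for user: </, "", u)
            sub(/>.*/, "", u)
            users[u]++
        }
        END {
            printf "ica_mode_not_okay=%d\n", ica
            printf "cannot_complete_login=%d\n", fail
            for (u in users) printf "user=%s failures=%d\n", u, users[u]
        }'
}

# Stand-alone run against the constructed sample.
sample_nslog | scan_nslog
```

On an appliance, pass a copy of the log file as the argument instead of piping the sample, for example `scan_nslog ns.log`.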