A CitrixAGBasic Login request has failed
Strange thing today. Got my NetScaler VPX working perfectly, and suddenly it stopped working and gave me a ‘Cannot complete the request’ after logging in.
The complete error:
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null
AuthenticateInternal encountered an exception.
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase request)
at Citrix.Web.AuthControllers.Controllers.AuthenticationController.DoAGSSOLogin()
System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: https://if1.domain.local/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
at System.Net.HttpWebRequest.GetResponse()
at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
at Citrix.DeliveryServicesClients.Authentication.ProtocolEnumerator.TokenRequestClient.SendTokenRequest(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptHeaders, IDictionary`2 additionalHeaders)
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)
Solution
It looked like something was wrong with the callback URL I configured in StoreFront. The strange thing is: I just used the external URL of my NetScaler Gateway. My StoreFront has internet access and it did work, up until now. I solved this by adding a new NetScaler Gateway vServer on the NetScaler. I named it _local and configured the vServer with an internal IP and added my public certificate. Nothing else (no authentication or session policies etc.).
After that, on the StoreFront server, I added an entry in my hosts file linking the callback URL to the IP of my _local vServer. This ‘trick’ can be used for DMZ scenarios as well.
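A quick check to run on the StoreFront server after adding the hosts entry, as an added example that is not part of the original post. It confirms that the callback name resolves to the _local vServer and that the certificate on that vServer passes the machine's default TLS validation for that name. The host name gateway.example.com and the IP 10.0.0.50 are constructed placeholders, Get-HostsEntry is a helper written for this example, and the vServer is assumed to listen on port 443.

```powershell
# Constructed placeholders: replace with your callback FQDN and the _local vServer IP.
$CallbackHost = 'gateway.example.com'
$ExpectedIp   = '10.0.0.50'

# Hypothetical helper: return the IP of the first hosts-file entry that names $Name.
function Get-HostsEntry {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $text = ($line -split '#')[0].Trim()          # strip comments and whitespace
        if (-not $text) { continue }
        $fields = $text -split '\s+'                  # IP followed by one or more names
        if ($fields.Count -ge 2 -and ($fields[1..($fields.Count - 1)] -contains $Name)) {
            return $fields[0]
        }
    }
    return $null
}

# 1. Is there a hosts entry, and does it point at the internal vServer?
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsIp   = Get-HostsEntry -Lines (Get-Content $hostsPath) -Name $CallbackHost
"hosts entry : $hostsIp"

# 2. What does the resolver actually return (hosts file wins over DNS)?
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($CallbackHost) |
        ForEach-Object { $_.IPAddressToString }
} catch {
    $resolved = @()
}
"resolves to : $($resolved -join ', ')"
if ($resolved -notcontains $ExpectedIp) {
    Write-Warning "$CallbackHost does not resolve to $ExpectedIp on this server."
}

# 3. TLS handshake against the vServer using the callback name.
#    AuthenticateAsClient throws if the chain is untrusted or the name does not match.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ExpectedIp, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($CallbackHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "certificate : $($cert.Subject), valid until $($cert.NotAfter)"
} catch {
    Write-Warning "TLS check failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```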