000034395 - RBA logon through RSA Authentication Agent for Citrix StoreFront 1.0 fails with "Cannot complete request"

Document created by RSA Customer Support Employee on Nov 24, 2017
Version 1

Article Content

Article Number
000034395
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Citrix StoreFront
RSA Version/Condition: 1.0
Issue
After entering Risk Based Authentication (RBA) information such as user ID, password and optionally Security Question answers, the browser displays the following error message:

Cannot complete your request.
Cause
Delegated Forms Authentication (DFA) has not been configured correctly on the Citrix StoreFront and NetScaler devices.
KB article 000033532 (How to increase your chances of successfully configuring Citrix Delegated Forms Authentication (DFA)) outlines that DFA should be configured and working successfully for password logons before attempting to add either SecurID passcode or RBA authentication. The article provides some details on how to do that on the Citrix StoreFront server through PowerShell. For full details, review the DFA Configuration document on the Citrix website.
Resolution
  1. Configure the Citrix StoreFront back to standard DFA, without RSA SecurID or RBA, in PowerShell with the command:

Set-DSDFAProperty -ConversationFactory ExplicitAuthentication

  1. Test a Citrix logon through DFA with the default LDAP or AD password. If it still fails, look at the Windows Event Log on the Citrix StoreFront server at the time of the authentication failure, such as "Cannot complete your request." In one particular case we saw the following error:
The decryption of the delegated form body failed. Is there an encryption key mismatch? 
System.Security.Cryptography.CryptographicException, mscorlib, Version=4.0.0.0

This error indicated that the passphrase was not the same on the NetScaler as on the StoreFront, even though it was verified. It turned out that there was a special character in the passphrase, which caused the discrepancy, so we simplified the passphrase to avoid special characters.

  1. On the StoreFront server, launch PowerShell and issue the following command to use a different, simpler passphrase:

Update-DSCitrixPSKTrustedClient -clientID <access_Web_agent> -passphrase <passphrase>

If you want to display the passphrase of an <access_Web_agent>, run Get-DSCitrixPSKTrustedClient first, before Update-DSCitrixPSKTrustedClient.
  1. Use the same less complex passphrase on the NetScaler.

  1. Once you successfully logon to Citrix with an LDAP or AD password through DFA, you can change DFA to use SecurID in PowerShell.

Set-DSDFAProperty -ConversationFactory SecurIDAuthentication

  1. Test SecurID with a fixed passcode.
  2. If the test is successful, test again using RBA. Troubleshoot any script problems or RBA helper problems.
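
An added example, not from the RSA article or from Citrix: one way to produce the simpler passphrase for the two passphrase steps above, using only ASCII letters and digits but enough length that it stays hard to guess. The function names and the 32-character default are assumptions of this example; only the commented Update-DSCitrixPSKTrustedClient line is taken from the article.

```powershell
# Added example (hypothetical helper names, not Citrix or RSA cmdlets).
# Builds a pre-shared passphrase from ASCII letters and digits only, so the
# same string can be entered on StoreFront and on the NetScaler without any
# character being escaped or re-encoded differently on one side.

function New-AlphanumericPassphrase {
    param([ValidateRange(24, 128)][int]$Length = 32)

    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    # 256 % 62 = 8, so bytes 248..255 are rejected; every remaining byte maps
    # to each of the 62 characters equally often (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    }
    finally { $rng.Dispose() }
    $sb.ToString()
}

function Test-PassphraseIsPortable {
    param([Parameter(Mandatory)][string]$Passphrase)
    # -cmatch is case-sensitive and the class is ASCII only, so punctuation,
    # whitespace and accented letters all make the check fail.
    $Passphrase -cmatch '^[A-Za-z0-9]+$'
}

# Check a passphrase you already have before blaming DFA itself.
# 'Pa$$w0rd!example' is a constructed sample value.
Test-PassphraseIsPortable 'Pa$$w0rd!example'    # False: contains $ and !

# Generate a replacement and confirm it passes the same check.
$candidate = New-AlphanumericPassphrase -Length 32
if (-not (Test-PassphraseIsPortable $candidate)) { throw 'Unexpected character in passphrase' }
$candidate

# Apply it with the article's command, then enter the same value on the NetScaler:
# Update-DSCitrixPSKTrustedClient -clientID <access_Web_agent> -passphrase <passphrase>
```

At 32 characters from a 62-character alphabet the passphrase carries about 190 bits of entropy, so leaving out special characters does not weaken the shared key in practice.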
Workaround
 
Notes
See also 000033186 | How to increase chances for successfully implementing Risk Based Authentication on the RSA Authentication Manager Citrix StoreFront agent.
