Article Content
Article Number | 000034395 |
Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Agent for Citrix StoreFront RSA Version/Condition: 1.0 |
Issue | After entering Risk Based Authentication (RBA) information such as user ID, password and optionally Security Question answers, the browser displays the following error message: Cannot complete your request. |
Cause | Delegated Forms Authentication (DFA), has not been configured correctly on the Citrix StoreFront and NetScaler devices. KB article 000033532 (How to increase your changes of successfully configuring Citirx Delegated Forms Authentication (DFA)) outlines that DFA should be configured and working successfully for password logons before attempting to add either SecurID passcode or RBA authentication. The article will provide some details on how to do that on the Citrix StoreFront server through PowerShell. For full details, review the DFA Configuration document on the Citrix website. |
Resolution |
The decryption of the delegated form body failed. Is there an encryption key mismatch? System.Security.Cryptography.CryptographicException, mscorlib, Version=4.0.0.0 This error indicated that the passphrase was not the same on the NetScaler as the StoreFront, even though it was verified. It turned out the there was a special character in the passphrase, which caused the discrepancy, so we simplified the passphrase to avoid special characters.
If you want to display the Passpharase of an <access_web)_agent> use Get-DSCitrixPSKTrustedClient first, before Update-DSCitrixPSKTrustedClient
|
Workaround | |
Notes | See also 000033186 | How to increase chances for successfully implementing Risk Based Authentication on the RSA Authenticaiton Manager Citrix StoreFront agent. |