This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

RBA logon through RSA Authentication Agent for Citrix StoreFront 1.0 fails with "Cannot complete request"

Article Number

000034395

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Citrix StoreFront
RSA Version/Condition:  1.0

Issue

After entering Risk Based Authentication (RBA) information  such as user ID, password and optionally Security Question answers, the browser displays the following error message:

Cannot complete your request.
 
Image descriptionImage description

Cause

Delegated Forms Authentication (DFA), has not been configured correctly on the Citrix StoreFront and NetScaler devices.

KB article 000033532 (How to increase your changes of successfully configuring Citirx Delegated Forms Authentication (DFA)) outlines that DFA should be configured and working successfully for password logons before attempting to add either SecurID passcode or RBA authentication.  The article will provide some details on how to do that on the Citrix StoreFront server through PowerShell. For full details, review the DFA Configuration document on the Citrix website.

Resolution

  1. Configure the Citrix StoreFront back to standard DFA, without RSA SecurID or RBA, in PowerShell with the command:
Set-DSDFAProperty -ConversationFactory ExplicitAuthentication
 
Image descriptionImage description
  1. Test a Citrix logon through DFA with the default LDAP or AD password.  If it still fails, look at the Windows Event Log on the Citrix StoreFront server when you get the authentication failure such as "Cannot complete your request."  In one particular case we saw the following error:
The decryption of the delegated form body failed. Is there an encryption key mismatch? 
System.Security.Cryptography.CryptographicException, mscorlib, Version=4.0.0.0
 
Image descriptionImage description
This error indicated that the passphrase was not the same on the NetScaler as the StoreFront, even though it was verified.  It turned out the there was a special character in the passphrase, which caused the discrepancy, so we simplified the passphrase to avoid special characters.
  1. On the StoreFront server, launch PowerShell and issue the following command to use a different, simpler passpharase:
Update-DSCitrixPSKTrustedClient -clientID <access_Web_agent> -passphrase <passphrase>

Image descriptionImage description
If you want to display the Passpharase of an <access_web)_agent> use Get-DSCitrixPSKTrustedClient first, before Update-DSCitrixPSKTrustedClient
  1. se the same less complex passphrase on the NetScaler:
Image descriptionImage description
  1. Once you successfully logon to Citrix with an LDAP or AD password through DFA, you can change DFA to use SecurID in PowerShell.
Set-DSDFAProperty -ConversationFactory SecurIDAuthentication
  1. Test SecurID with a fixed passcode.
  2. If the test is successful, test again using RBA. Troubleshoot any script problems or RBA helper problems

Workaround



 

Notes

See also 000033186 | How to increase chances for successfully implementing Risk Based Authentication on the RSA Authenticaiton Manager Citrix StoreFront agent.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 10:21 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.