Greenfield Citrix deployment with Citrix Gateway fronted by Azure MFA SAML with a custom theme.
- Citrix Virtual Apps & Desktops 1811
- Citrix ADC MPX 14080 FW 12.1 b50.31
- Azure MFA
We had moved our ADCs to the new 12.1 build 50.31 firmware to address the CBC cipher vulnerability documented in CTX240139, without any issues. As I went down the path of uplifting our config from basic SAML authentication at Gateway to one capable of authenticating Workspace app at Gateway with SAML (which requires advanced nFactor policies), I came across a strange and sporadic behaviour: frequent “Cannot complete your request” errors thrown by Gateway. Although harmless (clicking OK continued on to the redirect to the Azure MFA authentication page), it was a little unnerving. This came up both in Workspace app and in the browser.
At first it seemed the message was coming from StoreFront, which seemed impossible as we hadn’t even authenticated yet. After inspecting the page in Chrome, however, it was clear it was coming from the ADC.
If I unbound the custom theme and reverted to a default theme, the problem went away (ours was X1-based, but a customized RfWebUI theme produced the same error). Even cloning a theme and not customizing it would yield the error. Again, this did not occur when we were not using nFactor.
Sample of the error below:
Root Cause & Resolution:
After trying everything else, I finally downgraded the firmware back to 12.1 build 50.28, and the issue has not come back. Since that build predates the CTX240139 fix, I removed the CBC ciphers from any Internet-facing TLS VIPs on the appliance to compensate. My assumption right now is a bug in the 50.31 build that throws this inconsequential but confusing error when a custom theme is combined with advanced authentication policies.
Feb 27 update: per the update further down this post, staying on 50.31 and disabling AAA static page caching fixes the issue in the interim: set aaa parameter -enableStaticPageCaching NO (this is a global AAA parameter, so it applies to every AAA and Gateway vserver on the appliance).
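The two changes above, written out as NetScaler CLI, as an added example that is not from the original post. The vserver name gw_vs_azure and the cipher group name gw_no_cbc are assumptions; the cipher suite names are the usual 12.1 names for the ECDHE-GCM suites, but confirm them against show ssl cipher on your own build, since available suites differ by platform and firmware. The # lines are annotations, strip them before pasting into the CLI.

```nscli
# Added example, not from the original post. gw_no_cbc and gw_vs_azure are assumed names.
# 1) A cipher group containing only AEAD (GCM) suites. With no CBC suite offered on the VIP,
#    the CBC issue in CTX240139 cannot be exercised there even on a build without the fix.
add ssl cipher gw_no_cbc
bind ssl cipher gw_no_cbc -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher gw_no_cbc -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
# 2) Move the Internet-facing Gateway VIP off the DEFAULT group (which includes CBC suites).
unbind ssl vserver gw_vs_azure -cipherName DEFAULT
bind ssl vserver gw_vs_azure -cipherName gw_no_cbc
# 3) Check the binding: only the two GCM suites should be listed for the vserver.
show ssl vserver gw_vs_azure
# 4) Interim fix for the "Cannot complete your request" error on 50.31 with a custom theme
#    and nFactor. Global parameter: affects every AAA and Gateway vserver on the appliance.
show aaa parameter
set aaa parameter -enableStaticPageCaching NO
save ns config
```

To confirm the cipher change from outside, a client forced to a CBC suite, for example openssl s_client -connect gateway-fqdn:443 -cipher AES256-SHA, should now fail the handshake, while a normal connection still negotiates one of the GCM suites. Test the change against Workspace app and older browsers before rolling it out: clients that cannot negotiate an ECDHE-GCM suite will be locked out, which is the intended effect, but it needs to be a deliberate one.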
Update Feb 16:
We have a case open with support, as this was encountered within a week at an altogether different customer. Examining the page loads on successes and failures, we can see it chokes on a jQuery configuration element with an HTTP 412 error (Precondition Failed, the response to a conditional request the server refused). Of note, this error consistently occurs after other site elements load. On working load attempts that do not throw the error, the same configuration element loads earlier and is larger.
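The comparison described above (a working load against a failing one, looking for the element that came back 412 and where in the load order it sat), written as a script over HAR exports from Chrome DevTools. This is an added example, not from the original post or from Citrix; the two HAR documents are constructed to mirror what the post describes, and the hostname, paths and sizes in them are assumptions, not data from a real gateway.

```python
"""Added example (not from the original post): compare a working and a failing Gateway
page load exported from Chrome DevTools as HAR, list any request the ADC answered with
HTTP 412, and report how the load position, timing and response size of each resource
changed between the two captures."""
import json
from datetime import datetime


def _parse_ts(s):
    # HAR timestamps are ISO-8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def summarize_har(har_text):
    """Entries sorted by start time: load order, ms since the first request, status, size, URL."""
    har = json.loads(har_text)
    entries = sorted(har["log"]["entries"], key=lambda e: _parse_ts(e["startedDateTime"]))
    t0 = _parse_ts(entries[0]["startedDateTime"])
    return [
        {
            "order": i,
            "offset_ms": round((_parse_ts(e["startedDateTime"]) - t0).total_seconds() * 1000),
            "status": e["response"]["status"],
            "size": e["response"]["content"].get("size", -1),
            "url": e["request"]["url"],
        }
        for i, e in enumerate(entries)
    ]


def failed_requests(summary, statuses=(412,)):
    """Requests whose status is in `statuses` (412 by default, matching what the post saw)."""
    return [e for e in summary if e["status"] in statuses]


def compare_loads(good_text, bad_text):
    """For every URL present in both captures: change in load order and start offset, the
    status and size in each capture, and a flag when the URL failed only in the bad load."""
    good = {e["url"]: e for e in summarize_har(good_text)}
    bad = {e["url"]: e for e in summarize_har(bad_text)}
    report = {}
    for url in good.keys() & bad.keys():
        g, b = good[url], bad[url]
        report[url] = {
            "order_delta": b["order"] - g["order"],
            "offset_delta_ms": b["offset_ms"] - g["offset_ms"],
            "status": (g["status"], b["status"]),
            "size": (g["size"], b["size"]),
            "flag": b["status"] >= 400 and g["status"] < 400,
        }
    return report


def _har(entries):
    """Build a minimal HAR 1.2 document from (url, startedDateTime, status, size) tuples."""
    return json.dumps({"log": {"version": "1.2", "entries": [
        {"startedDateTime": start, "request": {"url": url},
         "response": {"status": status, "content": {"size": size}}}
        for url, start, status, size in entries]}})


# Constructed sample captures. Hostname, paths and sizes are assumptions for illustration.
GW = "https://gw.example.com"
CONFIG_JS = GW + "/logon/LogonPoint/custom/config.js"
GOOD_HAR = _har([
    (GW + "/logon/LogonPoint/index.html", "2019-02-16T10:00:00.000Z", 200, 1875),
    (CONFIG_JS, "2019-02-16T10:00:00.060Z", 200, 4096),
    (GW + "/logon/themes/custom/theme.css", "2019-02-16T10:00:00.090Z", 200, 22000),
    (GW + "/logon/LogonPoint/receiver/js/ctxs.core.min.js", "2019-02-16T10:00:00.120Z", 200, 310000),
])
BAD_HAR = _har([
    (GW + "/logon/LogonPoint/index.html", "2019-02-16T10:05:00.000Z", 200, 1875),
    (GW + "/logon/themes/custom/theme.css", "2019-02-16T10:05:00.050Z", 200, 22000),
    (GW + "/logon/LogonPoint/receiver/js/ctxs.core.min.js", "2019-02-16T10:05:00.080Z", 200, 310000),
    (CONFIG_JS, "2019-02-16T10:05:00.310Z", 412, 0),  # loads last, and empty
])

if __name__ == "__main__":
    for e in failed_requests(summarize_har(BAD_HAR)):
        print(f"failing load: HTTP {e['status']} at +{e['offset_ms']}ms for {e['url']}")
    for url, d in compare_loads(GOOD_HAR, BAD_HAR).items():
        mark = "  <-- failed only in the bad capture" if d["flag"] else ""
        print(f"{d['status'][0]}->{d['status'][1]} order{d['order_delta']:+d} "
              f"{d['offset_delta_ms']:+d}ms size {d['size'][0]}->{d['size'][1]} {url}{mark}")
```

Export one HAR from a load that showed the error and one from a load that did not, and pass their contents to compare_loads. Against the constructed data the script reports the config element moving from second to last in the load order, starting 250 ms later, and coming back as a 412 with an empty body, which is the pattern the support case describes.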
Update February 27:
A current workaround is outlined in the Citrix article below. A future ADC firmware release is projected to remediate this issue.
Michael Shuster is Ferroque Systems’ Chief Architect and noted Citrix authority. A passionate virtualization and digital workspaces advocate, he has designed, engineered, or otherwise advised clients on Citrix, VMware, and Microsoft technology platforms across the globe.