Issue: Citrix Gateway Authentication Loop After ADC 13.1 Firmware Update


Issue and Background

For the last few months, starting around Citrix ADC firmware 13.1 b17.42 or higher, we’ve fielded inquiries from customers experiencing authentication issues at Citrix Gateway post-upgrade. Generally, the user authenticates to Citrix Gateway successfully (and aaad.debug shows as much), but is immediately dropped back onto the login page and prompted to log in again.

Strangely, in some instances, failing over to a secondary node seems to stop the issue (but failing back inexplicably seems to cause it to return), and from the user’s end, clearing the cookies for the Citrix Gateway webpage at login seems to work consistently. The issue does not appear consistently across deployments on affected firmware, even if the root cause is present.

Within the 13.1 b24.38 release notes there were fixed issues that appeared to rectify the matter; however, we’ve seen this issue occur in the subsequent firmware release of 27.59. We have also read reports of this happening on more current 13.0 firmware (builds 8x.xx +).

Root Cause and Resolution

In our experience so far, this has been a fairly easy fix. In the instances we’ve seen, the problem came down to the Session Profile in use on the Citrix Gateway defaulting to a global setting. There has been some conflicting documentation over the years from Citrix on whether to override the global setting for the session time-out parameter in the Client Experience tab, but current documentation indicates no need to override it, even if relying on the default 30-minute setting.


Switching this to “Override Global” seems to make the issue disappear. It seems the session time-out setting at the global level is not being honoured or taking effect, so the user is dropped back on the login page as soon as they hit the session policy. Note that some admins have reported needing to set the parameter to 720 minutes, but for security reasons, we’d recommend starting with the default.
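To find which session profiles are still on the global value, a saved configuration can be audited offline. The following is an added example, not part of the original article or Citrix tooling; it assumes that a profile left on the global setting has no `-sessTimeout` argument on its `add vpn sessionAction` line, and the sample configuration and profile names are constructed.

```python
import shlex

# Constructed ns.conf excerpt (profile names and URL are made up for this example).
SAMPLE_NS_CONF = """\
set vpn parameter -sessTimeout 30 -defaultAuthorizationAction ALLOW
add vpn sessionAction AC_OS_Receiver -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://sf.example.test/Citrix/Store"
add vpn sessionAction AC_WB_Web -sessTimeout 30 -SSO ON -icaProxy ON
add vpn sessionAction "AC Long" -sessTimeout 720 -icaProxy ON
"""

def parse_options(tokens):
    """Turn ['-key', 'value', ...] into a dict; options without a value map to ''."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return opts

def audit_session_timeouts(conf_text, max_minutes=30):
    """Classify each session profile by how its session time-out is set.

    'inherits-global' : no -sessTimeout on the profile (assumed to mean it is
                        not overriding global, the state the article ties to the loop)
    'override-long'   : overridden, but above max_minutes (article's default is 30)
    'override-ok'     : overridden at or below max_minutes
    """
    findings = {}
    for line in conf_text.splitlines():
        try:
            tokens = shlex.split(line)  # handles quoted profile names
        except ValueError:
            continue  # skip lines with unbalanced quotes
        if len(tokens) < 4 or [t.lower() for t in tokens[:3]] != ["add", "vpn", "sessionaction"]:
            continue
        timeout = parse_options(tokens[4:]).get("-sesstimeout")
        if timeout is None:
            findings[tokens[3]] = "inherits-global"
        elif timeout.isdigit() and int(timeout) > max_minutes:
            findings[tokens[3]] = "override-long"
        else:
            findings[tokens[3]] = "override-ok"
    return findings

if __name__ == "__main__":
    for name, status in audit_session_timeouts(SAMPLE_NS_CONF).items():
        print(f"{status:16} {name}")
```

Profiles reported as `override-long` are worth a second look, since a long session time-out keeps authenticated sessions alive well past the default.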


Hopefully, this resolution sorts someone out in a pinch should they encounter this issue.

 

Update October 15th, 2022

Per a thread on Citrix Discussions, it appears the development team has narrowed the issue down to problems within two JavaScript files, and support has been able to provide corrected files to customers without the need to modify the session time-out in the session policy. It is claimed this issue will be rectified in a later firmware build.

3 Comments
Lance Baumgartner
1 year ago

We have this issue on VPX 13.1 17.42 and have the timeout set to default. One thing that I see that was not mentioned is that we see, for a moment, a “loading apps” message before it goes back to the login page. Have you noticed that?

Anders Wittendorff
1 year ago

Think it’s related to this one: https://support.citrix.com/article/CTX459672/going-back-to-the-login-page-after-putting-in-the-login-credentials-with-oauth-nfactor-in-130-8515

Found that if you override global, no matter what value, even the same as set in global, it will work.
Originally the CTX only described issues with OAuth, but was updated with SAML as well.
And in my case only an issue with login from Workspace App.
