With the release of the latest Citrix ADC firmware, 13 64.35, an update to the security policies causes issues with Single Sign-On (SSO) to Citrix StoreFront, whether this is AD-based, FAS, etc. Release note-let (if you will) NSAUTH-7747 details this change; however, it doesn't really make the actual effect obvious to the casual observer.
When you authenticate through a Citrix ADC Gateway with SSO to Citrix StoreFront with this firmware applied, you will receive our old friend, the “Cannot Complete your Request” message. Head scratching may also increase, as StoreFront captures no errors during the logon process, so no hints of an issue appear in the Citrix StoreFront event logs.
However, the fix for the issue is very straightforward: all that is required is a single traffic policy, created and bound to the Gateway virtual server.
Adding the following to your Citrix ADC config (changing %vservername% to your own virtual server name) will resolve the issue, and your users will be able to sign in again.
add vpn trafficAction SSO_ACT http -SSO ON
add vpn trafficPolicy SSO_POL true SSO_ACT
bind vpn vserver %vservername% -policy SSO_POL -priority 100 -gotoPriorityExpression END -type REQUEST
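To see which Gateway virtual servers in a saved configuration still lack this fix, the following added example (not part of the original post) parses ns.conf-style text and lists every vpn vserver with no bound traffic policy whose action sets -SSO ON. The sample configuration, the vserver names and addresses, and the function names are constructed for illustration; the positional order `add vpn trafficPolicy <name> <rule> <action>` is assumed from the commands above.

```python
import shlex

# Constructed sample in ns.conf style (names and addresses are illustrative).
SAMPLE_NS_CONF = """\
add vpn vserver gw_external SSL 192.0.2.10 443
add vpn vserver "gw internal" SSL 192.0.2.11 443
add vpn trafficAction SSO_ACT http -SSO ON
add vpn trafficAction NOSSO_ACT http -SSO OFF
add vpn trafficPolicy SSO_POL true SSO_ACT
add vpn trafficPolicy NOSSO_POL true NOSSO_ACT
bind vpn vserver gw_external -policy SSO_POL -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver "gw internal" -policy NOSSO_POL -priority 100 -gotoPriorityExpression END -type REQUEST
"""


def option(tokens, name):
    """Return the value that follows option `name` (case-insensitive), or None."""
    lowered = [t.lower() for t in tokens]
    if name.lower() in lowered[:-1]:
        return tokens[lowered.index(name.lower()) + 1]
    return None


def gateways_missing_sso_policy(conf_text):
    """List vpn vservers with no bound traffic policy whose action has -SSO ON."""
    sso_actions, policy_action, vservers, bindings = set(), {}, [], []
    for line in conf_text.splitlines():
        try:
            t = shlex.split(line)  # honours quoted names such as "gw internal"
        except ValueError:
            continue  # unbalanced quotes: not a line this check understands
        head = [x.lower() for x in t[:3]]
        if head == ["add", "vpn", "vserver"] and len(t) > 3:
            vservers.append(t[3])
        elif head == ["add", "vpn", "trafficaction"] and len(t) > 3:
            if (option(t, "-SSO") or "").upper() == "ON":
                sso_actions.add(t[3])
        elif head == ["add", "vpn", "trafficpolicy"] and len(t) > 5:
            policy_action[t[3]] = t[5]  # assumed order: <name> <rule> <action>
        elif head == ["bind", "vpn", "vserver"] and len(t) > 3:
            policy = option(t, "-policy")
            if policy:
                bindings.append((t[3], policy))
    # Resolve after the full pass so line order in the file does not matter.
    covered = {vs for vs, pol in bindings if policy_action.get(pol) in sso_actions}
    return [vs for vs in vservers if vs not in covered]


if __name__ == "__main__":
    print(gateways_missing_sso_policy(SAMPLE_NS_CONF))
```

The check only confirms that an SSO-enabling traffic policy is bound; it does not evaluate the policy rule or the bind priority.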
Author: Dale Scriven