Steps missing - Duo for NetScaler Web

Rathelm80 · ‎10-14-2024

Just an FYI for anyone else trying to secure Netscaler with the newer application protections. The guide is missing a couple of critical steps. The nFactor flow won't always send the proper password credentials to the Storefront causing an error of unable to connect. The logs will show:

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed. The credentials supplied were; user: test domain: test

To fix this, inside of the login schema that it asks you to create you need to add a couple more variables:

User Credential Index: 1

Password Credential Index: 2

Then you need to make a traffic policy and define:

SSO User Expression: HTTP.REQ.USER.ATTRIBUTE(1)

SSO Password Expression: HTTP.REQ.USER.ATTRIBUTE(2)

Apply the traffic policy to the Virtual Server and it should then properly send the correct password to the storefront.

Hope this helps someone.

DuoKristina · ‎10-21-2024

We've had some customers report they had issues with StoreFront logins after completing primary and secondary auth. We've been in touch with our technical partner contacts at NetScaler, and have put their suggestions into https://help.duo.com/s/article/9044. They indicated they are investigating why this is an issue.

Duo, not DUO.

peter-supply · ‎06-24-2025

We are still on 13.1.x. We need FIPS and there is no FIPS enabled version of the 14.1.x Netscaler as of yet.

While I can successfully get Duo integrated with the Netscaler, we still receive a "Cannot complete your request" even though we've completed the steps in this KB: https://help.duo.com/s/article/9044?language=en_US.

To clarify, we cannot use this KB: https://duo.com/docs/netscaler-web as we are not on 14.1.x.

We are using: https://duo.com/docs/sso-netscaler

Is there a way to get Duo to successfully pass the credentials on to the Storefront using https://duo.com/docs/sso-netscaler?

Thanks.