
Citrix ShareFile – SAML Authentication Error after upgrading to NetScaler v11 and Unified Gateway – http/1.1 Service Unavailable

After upgrading my existing and fully functional NetScaler v10.5 Build 57.7 to the latest v11.0 Build 55.23 and implementing Unified Gateway for XenMobile and XenDesktop, my users were no longer able to authenticate to ShareFile via SAML, i.e.

  • when using their MDX-wrapped ShareFile app on iOS devices, which got stuck in an endless authentication loop without showing any error:

[Screenshot: Photo_20150714_081802]

  • when using their ShareFile Outlook Plugin to send Download and/or Upload links: they received an error stating Authentication Error - http/1.1 Service Unavailable while trying to use the Browser Login included in the ShareFile Outlook Plugin Configuration Wizard:

[Screenshot: sharefile_saml_6]

  • when authenticating to our company's custom ShareFile SAML Login page via browser:

[Screenshot: sharefile_saml_11]

We've implemented a Custom Login Page for ShareFile as described in this article:

[Screenshot: sharefile_saml_0]

The Login button redirects to https://mysubdomain.sharefile.com/saml/login, which in turn redirects to my AppController's ShareFile SAML authentication Web/SaaS ... and the NetScaler Login page should be displayed, but instead I got an error:

[Screenshot: sharefile_saml_10]

Authentication Flow:

"The following diagram represents the flow of events for user authentication when XenMobile is used as a SAML identity provider:

[Diagram: rtaImage]

  1. A user navigates to https://subdomain.sharefile.com/saml/login
  2. ShareFile redirects to https://NSGatewayFQDN/cginfra/https/AppController/samlsp/webssp.do?action ...
  3. NetScaler Gateway displays a log on form to the user, who supplies ShareFile log on information.
  4. The authenticated user is logged on to AppController through single sign-on. AppController silently returns a SAML assertion to the user.
  5. The SAML assertion is passed to subdomain.sharefile.com to complete the authentication. The user is then presented with their ShareFile folders at subdomain.sharefile.com.

All ShareFile clients can leverage XenMobile for user authentication using this deployment."

Obviously something was wrong with my ShareFile SAML authentication configuration, so I took a closer look at all components involved, in the following order (see the Further Reading section at the end of this post for all things ShareFile and SAML):

  • ShareFile Control Plane (WebUI)
  • AppController v9.0.0.97000
  • NetScaler v11 Build 55.23

1. ShareFile Control Plane (WebUI)

AppController can be configured as a SAML IdP for ShareFile. Verify your ShareFile Single Sign-On Login URL by going to https://<MySubdomain>.sharefile.com, logging in with administrative privileges, and navigating to Admin => Configure Single Sign-On => Login URL:

[Screenshot: sharefile_saml_7]

https://vpx.mydomain.de/cginfra/https/appController2.mydomain.de/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1&nssso=true


2. AppController v9.0.0.97000

In AppController you have to configure SAML SSO for ShareFile MDX apps. AppController works together with Worx Home to provide SSO to MDX-wrapped ShareFile applications, i.e. Worx Home obtains a SAML token for the ShareFile login using AppController as the IdP.

Verify that

  • a corresponding SAML authentication server certificate has been installed, is valid, and is trusted by both NetScaler and ShareFile:

[Screenshot: ac_configuration_1]

  • your AppController has been successfully added to ShareFile as a SAML authentication entity:

[Screenshot: ac_configuration_2]

  • a ShareFile SAML Login Web/SaaS application has been added and configured:

[Screenshot: ac_configuration_3]


3. NetScaler v11 Build 55.23

The following configuration is required on NetScaler to support the use of AppController as a SAML Identity Provider (IDP):

  • disable the default behavior for requests that come through the /cginfra path
  • create a ShareFile Session Policy and Request Profile
  • configure policies on the NetScaler Gateway vServer

Verify Other Settings:

[Screenshot: sharefile_saml_8]

Verify ShareFile Session Policy and Profile bound to the NetScaler Gateway vServer:

[Screenshot: ns_settings_2]

Session Policy Expression:

REQ.HTTP.HEADER Cookie CONTAINS NSC_FSRD

Request Profile Settings:

Tab                     Option                              Override Global   Value
Client Experience       Home Page                           Y                 None
Client Experience       Session Time Out (mins)             Y                 1
Client Experience       Single Sign On to Web Applications  Y                 n/a
Client Experience       Credential Index                    Y                 PRIMARY
Published Applications  ICA Proxy                           Y                 ON
Published Applications  Web Interface Address               Y
Published Applications  Single Sign-on Domain               Y

Everything seemed to be configured as expected, yet it still didn't work. After some more research I found out that the content switching policy expression of the newly added Unified Gateway Content Switching vServer was missing the path of my ShareFile Single Sign-On Login URL, i.e. the URL that had been configured when adding AppController as a valid SAML authentication entity:

prior:

is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Citrix/Demo")

afterwards:

is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Citrix/Demo") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cginfra/https/<FQDN of my internal AC>")

You have to add the path component that directly follows your NetScaler Gateway's public URL, e.g.

  • Public NetScaler URL: https://vpx.mydomain.com
  • ShareFile SSO Login URL: https://vpx.mydomain.com/cginfra/https/appController2.mydomain.com/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1&nssso=true
  • simply add /cginfra/https/appController2.mydomain.com as an additional STARTSWITH term to the expression shown above
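To make this fix checkable rather than eyeballed, here is an added Python example (it is not from the original post, nor Citrix code) that derives the /cginfra/https/<FQDN> prefix from the ShareFile SSO Login URL and tests whether a content switching expression's STARTSWITH terms cover the request path. The URLs are the sample values from the post; is_vpn_url is a NetScaler pattern set and is assumed here not to cover /cginfra, so it is not evaluated, and the expression handling is a simplified reading of the OR-ed STARTSWITH terms only. It also flags a prefix that stops at /cginfra/https/ without a backend FQDN, which would expose every proxied backend instead of just the AppController.

```python
"""Check that a Unified Gateway CS expression covers the ShareFile SSO login path.

Added example, not the post's or Citrix's code. Sample values are taken from
the post (mydomain.com is the author's placeholder domain).
"""
import re
from urllib.parse import urlsplit

# Constructed sample values (from the post).
GATEWAY_URL = "https://vpx.mydomain.com"
SSO_LOGIN_URL = (
    "https://vpx.mydomain.com/cginfra/https/appController2.mydomain.com"
    "/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP"
    "&reqtype=1&nssso=true"
)
CS_EXPR_BEFORE = (
    'is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE)'
    '.STARTSWITH("/Citrix/Demo")'
)
CS_EXPR_AFTER = (
    CS_EXPR_BEFORE
    + ' || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE)'
    '.STARTSWITH("/cginfra/https/appController2.mydomain.com")'
)

# Matches HTTP.REQ.URL.PATH[.SET_TEXT_MODE(MODE)].STARTSWITH("prefix") terms.
_STARTSWITH = re.compile(
    r'HTTP\.REQ\.URL\.PATH(?:\.SET_TEXT_MODE\((\w+)\))?\.STARTSWITH\("([^"]*)"\)'
)


def cginfra_prefix(sso_login_url: str, gateway_url: str) -> str:
    """Return '/cginfra/<scheme>/<backend FQDN>' from the SSO Login URL.

    Raises ValueError if the URL is not fronted by the gateway host or is
    not a /cginfra URL at all.
    """
    sso, gw = urlsplit(sso_login_url), urlsplit(gateway_url)
    if (sso.scheme, sso.netloc.lower()) != (gw.scheme, gw.netloc.lower()):
        raise ValueError("SSO Login URL is not served via the gateway host")
    parts = sso.path.split("/")  # ['', 'cginfra', 'https', '<fqdn>', ...]
    if len(parts) < 4 or parts[1] != "cginfra" or parts[2] not in ("http", "https"):
        raise ValueError("not a /cginfra/<scheme>/<fqdn>/... path")
    return "/".join(parts[:4])


def startswith_terms(expr: str):
    """Extract (prefix, ignorecase) pairs from the expression's STARTSWITH terms."""
    return [(m.group(2), m.group(1) == "IGNORECASE") for m in _STARTSWITH.finditer(expr)]


def path_matches(expr: str, path: str) -> bool:
    """True if any STARTSWITH term covers the request path (is_vpn_url ignored)."""
    for prefix, ignorecase in startswith_terms(expr):
        if ignorecase and path.lower().startswith(prefix.lower()):
            return True
        if not ignorecase and path.startswith(prefix):
            return True
    return False


def check_expression(expr: str, sso_login_url: str) -> bool:
    """Does the CS expression route the ShareFile SSO login request?"""
    return path_matches(expr, urlsplit(sso_login_url).path)


def is_backend_specific(prefix: str) -> bool:
    """A safe prefix names one backend FQDN, not the whole /cginfra/https/ tree."""
    parts = prefix.split("/")
    return (len(parts) >= 4 and parts[1] == "cginfra"
            and parts[2] in ("http", "https") and bool(parts[3]))


if __name__ == "__main__":
    prefix = cginfra_prefix(SSO_LOGIN_URL, GATEWAY_URL)
    print("required prefix:", prefix, "| backend-specific:", is_backend_specific(prefix))
    for label, expr in (("before", CS_EXPR_BEFORE), ("after", CS_EXPR_AFTER)):
        print(f"{label}: covers SSO path = {check_expression(expr, SSO_LOGIN_URL)}")
```

Run it as-is and the "before" expression reports False (the /cginfra request falls through to the default Gateway vServer and fails), while the "after" expression reports True; swap in your own Gateway URL and the Login URL copied from the ShareFile admin page to verify a real configuration.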

Then I tried to access my ShareFile SAML Login page via browser once more. I successfully got redirected to my NetScaler Login, entered my credentials, and was then authenticated and redirected to ShareFile.

My ShareFile Outlook Plugin worked as well again:

[Screenshot: sharefile_saml_9]

Further reading:
