[Citrix ADC] DYNAMIC Type VRID

ADC (NetScaler) learned a DYNAMIC type VRID without any VRID configuration.

> show vrid
VRID    Type      Priority   State   Ifaces
----    ----      --------   -----   ------
1)  2   DYNAMIC   255        INIT
 Done

• As seen in the output above, this VRID is not associated with any interface, so it plays no part in the VMAC configuration of the NetScaler.

• Since the type of this VRID is DYNAMIC, the NetScaler learned it from the local LAN rather than from its own configuration.

• So it appears that a network device on the same LAN is running in a VRRP setup and is advertising its configured VRID.

• That is why it shows up on the NetScaler; since a dynamically learnt VRID cannot be associated with any interface on the NS, it has practically no significance.


SAML SLO with Multiple SP and Citrix ADC and IDP

Scenario: AAA Vserver on Citrix ADC as SAML IDP used by Multiple SPs

Login:

The user logs in to SP1 and is redirected to the AAA Vserver for authentication; after successful authentication the user is redirected back to SP1 with a SAML assertion.

The user logs in to SP2 and is redirected to the AAA Vserver for authentication; the user already has session cookies from the AAA Vserver, so authentication is seamless and the user is redirected back to SP2 with a SAML assertion.

Logout:

At this point, if the user logs out from SP1, SP1 redirects the user to the AAA Vserver with a SAML Logout Request; the ADC logs the user out and redirects the user back to SP1 with a Logout Response.

The ADC then looks for other SPs the user is logged in to and sends back-channel logout requests to each of them directly. This communication is initiated from the SNIP to the SLO endpoint of the SP as configured in the IdP profile. In this example SP2 receives the back-channel SLO request from the ADC.

Dependencies for the back-channel SLO to work:

  1. The ADC must be able to resolve the SLO endpoint FQDN to an IP address.
  2. There must be reachability from the SNIP to the resolved IP address of the SLO FQDN on port 443 or 80, depending on the SLO URL.
  3. The SP must support back-channel logout.
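The logout fan-out described above, as an added example in Python (this is not NetScaler code; the SP entity IDs, SLO URLs, SessionIndex values and the IdP entity ID are constructed for the demo). The IdP records which SPs each session was asserted to; when one SP sends a LogoutRequest, the IdP answers it with a LogoutResponse through the browser and prepares a direct back-channel LogoutRequest for every other SP, after the pre-flight checks from the dependency list (URL scheme and FQDN resolution; TCP reachability from the SNIP is left to the transport layer):

```python
# Added example (not NetScaler code): IdP-side bookkeeping for Single Logout
# across several SPs. Entity IDs, SLO URLs and session data are constructed.
import socket
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class ServiceProvider:
    entity_id: str
    slo_url: str  # SLO endpoint configured for this SP in the IdP profile


@dataclass
class IdpSession:
    name_id: str
    # entity_id -> SessionIndex issued to that SP; every SP that received an
    # assertion for this IdP session is recorded here.
    sps: dict = field(default_factory=dict)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    return "_" + uuid.uuid4().hex


def logout_request_xml(issuer, destination, name_id, session_index):
    """Back-channel LogoutRequest the IdP sends directly to an SP's SLO endpoint."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{_new_id()}" Version="2.0" IssueInstant="{_now()}" Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">{name_id}</saml:NameID>'
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def logout_response_xml(issuer, destination, in_response_to):
    """LogoutResponse returned to the initiating SP through the browser."""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{_new_id()}" Version="2.0" IssueInstant="{_now()}" '
        f'Destination="{destination}" InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )


def check_slo_dependencies(sp, resolver=socket.gethostbyname):
    """Pre-flight for the back-channel call: the SLO URL must be http(s) and its
    FQDN must resolve. Returns a list of problems; empty means OK. TCP
    reachability from the SNIP on 80/443 is a separate check not done here."""
    problems = []
    url = urlparse(sp.slo_url)
    if url.scheme not in ("http", "https"):
        problems.append(f"{sp.entity_id}: SLO URL scheme must be http or https")
    try:
        resolver(url.hostname)
    except (OSError, TypeError):  # socket.gaierror is an OSError subclass
        problems.append(f"{sp.entity_id}: cannot resolve {url.hostname}")
    return problems


def handle_sp_logout(session, initiating_sp_id, sps, idp_entity_id, request_id,
                     resolver=socket.gethostbyname):
    """Process a LogoutRequest from one SP. Returns (front_channel_response,
    back_channel_requests, skipped); back_channel_requests is a list of
    (slo_url, xml) the IdP would POST from its SNIP to every other SP."""
    back, skipped = [], []
    for sp_id, session_index in session.sps.items():
        if sp_id == initiating_sp_id:
            continue
        sp = sps[sp_id]
        problems = check_slo_dependencies(sp, resolver)
        if problems:
            skipped.append((sp_id, problems))  # a real IdP logs these
            continue
        back.append((sp.slo_url, logout_request_xml(idp_entity_id, sp.slo_url,
                                                     session.name_id, session_index)))
    session.sps.clear()  # the IdP session itself is terminated
    front = logout_response_xml(idp_entity_id, sps[initiating_sp_id].slo_url, request_id)
    return front, back, skipped


def demo():
    """Scenario from the text: SP1 initiates logout, SP2 gets the back-channel request."""
    sps = {
        "https://sp1.example.test": ServiceProvider("https://sp1.example.test", "https://sp1.example.test/slo"),
        "https://sp2.example.test": ServiceProvider("https://sp2.example.test", "https://sp2.example.test/slo"),
    }
    session = IdpSession("admin1", {"https://sp1.example.test": "idx-sp1",
                                    "https://sp2.example.test": "idx-sp2"})
    # Offline resolver so the demo runs without DNS; constructed address.
    return handle_sp_logout(session, "https://sp1.example.test", sps,
                            "https://idp.example.test", "_req1", resolver=lambda host: "10.0.0.1")


if __name__ == "__main__":
    front, back, skipped = demo()
    print(front)
    for url, xml in back:
        print("POST", url, xml)
```

The resolver is injectable so the dependency check can be exercised against a fixed answer; in production it is the appliance's DNS, which is exactly dependency 1 above.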

Packet trace from the test environment showing the expected SLO flow:

Client IP: 10.101.255.87

AAA Vserver IP: 10.110.201.88

SNIP: 10.110.201.62

SP1: 10.110.201.87

SP2: 10.110.202.8

Incoming Logout Request from the client (after being redirected from SP1)

Debug logs generated in the ADC after receiving the above logout request. Note that the ADC has identified another SP, SP2, for which it needs to send a back-channel logout request, and sends it directly from the SNIP.

Logout Response sent to the client by redirecting to SP1 (the initiating SP)

Back-channel Logout Request sent from the SNIP to SP2

Logout Response received from SP2


SUPPORT WIKI : SAML Integration with NetScaler


What is SAML ?

Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee.

Why SAML ?

The SAML authentication mechanism provides an alternative approach to authenticating a user who belongs to a company for one or more services hosted at a service provider that hosts a number of applications for the company.

Consider a scenario in which a service provider (LargeProvider) hosts a number of applications for a customer (BigCompany). BigCompany has users that must seamlessly access these applications. In a traditional setup, LargeProvider would need to maintain a database of users of BigCompany.

This raises some concerns for each of the following stakeholders:

  • LargeProvider must ensure security of user data.
  • BigCompany must validate the users and keep the user data up-to-date, not just in its own database, but also in the user database maintained by LargeProvider. For example, a user removed from the BigCompany database must also be removed from the LargeProvider database.
  • A user has to log on individually to each of the hosted applications.


The concerns raised by traditional authentication mechanisms are resolved as follows:

  • LargeProvider does not have to maintain a database for BigCompany users. Freed from identity management, LargeProvider can concentrate on providing better services.
  • BigCompany does not bear the burden of making sure the LargeProvider user database is kept in sync with its own user database.
  • A user can log on once, to one application hosted on LargeProvider, and be automatically logged on to the other applications that are hosted there.

In addition, SAML supports:

  • Cross-Domain Single Sign-On (SSO)
    • A user authenticates to one web site (domain) and then is able to access resources at some other web sites (domains)
    • In simple words user “Alice” is authenticated at DomainA.com and can access resources at both DomainA.com and DomainB.com
  • Federated Identity
  • Attribute based authorization

SAML Terminologies :

SAML SP / Relying party : Requester Role

SAML IDP / Asserting party : Responder Role

Assertion : Requests and responses

Metadata : Configuration data

SAML Service Provider(SP) :

The SAML Service Provider (SP) is a SAML entity that is deployed by the service provider. When a user tries to access a protected application, the SP evaluates the client request. If the client is unauthenticated (does not have a valid NSC_TMAA or NSC_TMAS cookie), the SP redirects the request to the SAML Identity Provider (IdP).

The SP also validates SAML assertions that are received from the IdP.

SAML Identity Provider(IdP) :

The SAML IdP (Identity Provider) is a SAML entity that is deployed on the customer network. The IdP receives requests from the SAML SP and redirects users to a logon page, where they must enter their credentials. The IdP authenticates these credentials with the user directory (external authentication server, such as LDAP) and then generates a SAML assertion that is sent to the SP.

The SP validates the token, and the user is then granted access to the requested protected application.

SAML Assertion:

An assertion is a claim, statement, or declaration of fact made by the SAML authority. It is the information collected by the SAML authority.

Types of Assertions :

Authentication – the user is authenticated by a particular means at a particular time

Authorization – the user was granted or denied access to a specified resource

Attributes – the user is associated with the supplied attributes

Metadata:

Metadata is the configuration data held by the SP and the IdP that tells each how to communicate with the other; it is expressed in XML.

Required root Element:

<md:EntityDescriptor> </md:EntityDescriptor>

Required Role Element:

SP: <md:SPSSODescriptor> </md:SPSSODescriptor>

IDP: <md:IDPSSODescriptor> </md:IDPSSODescriptor>

SP: <md:SPSSODescriptor>

1. <md:KeyDescriptor>

2. <md:AssertionConsumerService>

3. <md:AttributeConsumingService>

4. <md:NameIDFormat>

Types of Services :

Assertion Consumer Service : Request URL

Single Logout Service: Logout URL

As Service Provider(SP):

Assertion Consumer path: /cgi/samlauth

Single Logout path: /cgi/tmlogout

As Identity Provider(IdP):

Assertion Consumer Service Path: /saml/login

Single Logout Service: /saml/login

SAML Bindings :

  1. HTTP Redirect Binding
  2. HTTP Post Binding
  3. HTTP Artifact Binding


Web SSO Profiles :

The Web Browser SSO profile supports a variety of options, based on whether the message flows are IdP-initiated or SP-initiated and whether the IdP pushes SAML assertions to the SP or the SP pulls them from the IdP.

The push approach involves using either HTTP redirects or HTTP POST messages to deliver a SAML message.

The pull approach involves sending an artifact to the receiver, which then uses the artifact to dereference and obtain the related SAML message.

A combination of message flow and binding techniques gives rise to eight different combinations as listed below.

  1. SP Initiated with SAML(Request and Response) Binding as POST
  2. SP Initiated with SAML (Request and Response) Binding as Redirect
  3. SP Initiated with SAML Request as POST and SAML Response as Redirect
  4. SP Initiated with SAML Request as Redirect and SAML Response as POST
  5. IDP Initiated with SAML(Request and Response) Binding as POST
  6. IDP Initiated with SAML (Request and Response) Binding as Redirect
  7. IDP Initiated with SAML Request as POST and SAML Response as Redirect
  8. IDP Initiated with SAML Request as Redirect and SAML Response as POST


SP-Initiated SSO—Request and Response as POST (Refer 1 above) :

In this scenario a user attempts to access a protected resource directly on an SP Web site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IdP. The SP sends an authentication request to the IdP. Both the request and the returned SAML assertion are sent through the user’s browser via HTTP POST.

Processing Steps :

1. The user requests access to a protected SP resource. The request is redirected to the federation server to handle authentication.

2. The federation server sends an HTML form back to the browser with a SAML request for authentication from the IdP. The HTML form is automatically posted to the IdP’s SSO service.

3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.

4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

5. If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.

SP-Initiated SSO—request as Redirect- Response as POST (Refer 4 above) :

In this scenario, the SP sends an HTTP redirect message to the IdP containing an authentication request. The IdP returns a SAML response with an assertion to the SP via HTTP POST.

Processing Steps :

1. A user requests access to a protected SP resource. The user is not logged on to the site. The request is redirected to the federation server to handle authentication.

2. The SP returns an HTTP redirect (code 302 or 303) containing a SAML request for authentication through the user’s browser to the IdP’s SSO service.

3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.

4. Additional information about the user (attributes) may be retrieved from the user data store for inclusion in the SAML response.

5. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

6. If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.
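How the two bindings named in this flow actually carry the message, as an added Python example (not NetScaler code, and not taken from the SAML specification text): the HTTP-Redirect binding DEFLATE-compresses the AuthnRequest, base64-encodes it and places it in the SAMLRequest query parameter, while the HTTP-POST binding base64-encodes it without compression into a hidden form field. The AUTHN_REQUEST constant is a constructed, abbreviated copy of the request shown later on this page with its signature removed; a signed Redirect request carries SigAlg and Signature as further query parameters, which are not shown.

```python
# Added example (not NetScaler code): encoding and decoding a SAML request for
# the HTTP-Redirect and HTTP-POST bindings. AUTHN_REQUEST is a constructed,
# abbreviated copy of the page's AuthnRequest without its ds:Signature.
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://saml-sp.repro.lab/cgi/samlauth" '
    'Destination="https://saml-redirect.repro.lab/saml/login" ForceAuthn="false" '
    'ID="_59d52136c277a2ae101124b8e40142bf" IssueInstant="2018-01-25T08:55:22Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://netscaler.repro.lab</saml:Issuer>'
    "</samlp:AuthnRequest>"
)


def redirect_binding_url(sso_url, request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL query parameter.
    wbits=-15 produces a raw DEFLATE stream (no zlib header or checksum),
    which is what the binding specifies."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def decode_redirect_binding(url):
    """What the IdP's SSO service does on receipt of a redirected request."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def post_binding_fields(request_xml, relay_state=None):
    """HTTP-POST binding: plain base64 (no compression) in hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(request_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def post_binding_form(sso_url, request_xml, relay_state=None):
    """The auto-submitting HTML form the SP returns to the browser in step 2 of
    the POST flow; values are HTML-escaped so RelayState cannot break out of
    the attribute."""
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in post_binding_fields(request_xml, relay_state).items()
    )
    return (
        f'<form method="post" action="{html.escape(sso_url, quote=True)}">{inputs}</form>'
        "<script>document.forms[0].submit();</script>"
    )


def decode_post_binding(saml_request_field):
    """What the IdP does with the posted SAMLRequest field."""
    return base64.b64decode(saml_request_field).decode("utf-8")


if __name__ == "__main__":
    url = redirect_binding_url("https://saml-redirect.repro.lab/saml/login", AUTHN_REQUEST, "/app")
    print(url)
    print(decode_redirect_binding(url) == AUTHN_REQUEST)
    print(post_binding_form("https://saml-redirect.repro.lab/saml/login", AUTHN_REQUEST))
```

The same helpers apply to the SAML Response travelling back to the SP: in the POST flow above it is the base64 form field named SAMLResponse rather than SAMLRequest.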

IDP-Initiated SSO—Request and response as POST (refer 5 above) :

In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. The SAML assertion is transported to the SP via HTTP POST.


Processing Steps :

1. A user has logged on to the IdP.

2. The user requests access to a protected SP resource. The user is not logged on to the SP site.

3. Optionally, the IdP retrieves attributes from the user data store.

4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

5. If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.

Netscaler Deployment :

The NetScaler appliance can be deployed as a SAML Service Provider (SP) and a SAML Identity Provider (IdP).

When the NetScaler appliance is configured as an SP, all user requests are received by a traffic management virtual server (load balancing or content switching) that is associated with the relevant SAML action.

When the NetScaler appliance is configured as an IdP, all requests are received by an authentication virtual server that is associated with the relevant SAML IdP profile.

Note :

  • A NetScaler appliance can be used as a SAML SP in a deployment where the SAML IdP is configured either on the appliance or on any external SAML IdP.
  • A NetScaler appliance can be used as an IdP in a deployment where the SAML SP is configured either on the appliance or on any external SAML SP.

Refer to the Docs pages below for detailed steps on configuring NetScaler as a SAML IdP or SP.

http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-idp.html

http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-sp.html

Troubleshooting:

NetScaler as SP and IDP:

SP IP: 10.107.165.147

SP FQDN: saml-sp.repro.lab

IDP IP: 10.107.165.150 (AAA VIP)

IDP FQDN: saml-redirect.repro.lab

DNS:

Saml-sp.repro.lab: 10.107.165.147

Saml-redirect.repro.lab: 10.107.165.150

SAML Request and Response in XML format

<samlp:AuthnRequest AssertionConsumerServiceURL="https://saml-sp.repro.lab/cgi/samlauth"
    Destination="https://saml-redirect.repro.lab/saml/login" ForceAuthn="false"
    ID="_59d52136c277a2ae101124b8e40142bf" IssueInstant="2018-01-25T08:55:22Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://netscaler.repro.lab</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#_59d52136c277a2ae101124b8e40142bf">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Cz16jWx1fAurnpoPIbcPNstp9m1sbluIZ2EZFr0X3BOSS8HW3HhVwy7ctc/MTqN33mAWyDJQXqjgrLQYXi/yPPV3KEn9KJ5pJZFGVUSIybolMjQW7zsSeqeCrD/OIoPGY6m1Vi5Gdy4922QQ+k2r1OBXrYX3IqykuRrIYaTg5iPanE0k9Eugv7N/jcmMzGC8tuwYvU/b++F6Cu+A8TEsIebB5quKa+Kj3EFox4WOhQ7uIZV9vmw03hz8797SF5+1fVmRWUfaaWu0yJCu38jNWTNqCxXzU3PzwkgGIJcRqZJ+jCgOb695A4KUpdwuCt8LFNkfTnrYjm+l3P3THJj4Cg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+kQAAAAAABDANBgkqhkiG9w0BAQsFADBAMRMwEQYKCZImiZPyLGQBGRYDbGFiMRUwEwYKCZImiZPyLGQBGRYFcmVwcm8xEjAQBgNVBAMTCUFEMS1SZXBybzAeFw0xNzA1MjgxODEwMDRaFw0xOTA1MjgxODEwMDRaMG0xCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExETAPBgNVBAcTCEJhbmdsb3JlMQ8wDQYDVQQKEwZDaXRyaXgxEDAOBgNVBAsTB1N1cHBvcnQxFDASBgNVBAMUCyoucmVwcm8ubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsQVtghT53h1Dsw+4utksprnnD12SnkcsgStfGs5NNgC0zKgxbBGyMHnte7shGYZjNqG/BbE4L/AvjGE5LIjrjrVtnpXrrXkTGuF4zqr1CInO4UVHRVNBYSQg0o47SavGO+BVpXf2hsJhf9RoPybzbVuiqOokbh8b7FDQ7qb3N2LybzoEQtXhauPqaaOR8FTv8EvtawVLcNeFrmXkM7uMAKie6VNSI67gYzW/TF4beJklqp9CrA1lLCVxFYuM5gE7I8egJb5Yj0oruGJlMPME018IkMJMz38bdl1uVarrCR0OGzG67Ba3h22+Mw1+SGFU6xJZlFRjt6qIEo1GxXpSfQIDAQABo4ICDDCCAggwHQYDVR0OBBYEFDm8ULXQIl9eQnVDR2sh5pcKJb/TMB8GA1UdIwQYMBaAFD8lH99VTE9/LCuTwcMaVWuk/Rv1MIHBBgNVHR8EgbkwgbYwgbOggbCgga2GgapsZGFwOi8vL0NOPUFEMS1SZXBybyxDTj1BRDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9cmVwcm8sREM9bGFiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBuQYIKwYBBQUHAQEEgawwgakwgaYGCCsGAQUFBzAChoGZbGRhcDovLy9DTj1BRDEtUmVwcm8sQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9cmVwcm8sREM9bGFiP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQB9TkENUTV6UPUdbi6Xn0ama5ccd1iJdTV4GPaBsyoC/SrrvJCJei7o0ItgpMaEMyCGjqDsKNWtsABSr4Qea8TCIod8QJH2y8SOPVGHkN8kQJumb0Q7dRASaRb53uWs8ci1ajX6LPw/9C1RaR2FW5HdzoCoih1pn7n+GsQ3UcmZJSBHdsA2OE5ftGguhoplpnQmJug5gTubDwTkBZ83CBXF6qQ1f1dPeT4S0PkyB1bzwfPyUudcr8sMWHqbCDIdXGGmi/vVH9reBlC3rp4fOHC2nrlBtx14igheaaeXoaqvo+YFxT0dT5kXYDpXiC3g1X51ZlZ+HSp/Q+sxqKTkiwOn</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>


<samlp:Response Destination="https://saml-sp.repro.lab/cgi/samlauth"
    ID="_e2e1e5204f9131fa8e65f8312b3ba8c8" InResponseTo="_59d52136c277a2ae101124b8e40142bf"
    IssueInstant="2018-01-25T08:55:26Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://netscaler.repro.lab</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion ID="_19f8b84b58eab7edd2c317a3baf3955" IssueInstant="2018-01-25T08:55:26Z"
      Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://netscaler.repro.lab</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
        <ds:Reference URI="#_19f8b84b58eab7edd2c317a3baf3955">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
          <ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>XauLGQnxsSkLMm5SsyRPX0LAHu0ocmFPL21Jolz2MiM3MTlFfJ+1dmflonXJR1TWpXwMz5KNNCe5IQ7X1q/DoyTndBCK2Kmiky5cxb50ctb5fen5c76c0ht6yJAe9hxr2qZbfqpngba2aR4a1YPShRoeBBaTYiEXoLa7E7ADZt6Nh7piJtdS322Dtbknsj0Ef7LazTPMdr5h2aYPjHtChRoYBvtSPLjf+gSr6ICSHL1O0nxgwqmrRIFct6RLDAwSrSnyVQ/4bjLfxC6rOSp7AD/eVx/Prg+533cElnfRuZHE1IUI60ncCuNnipmoZe3CHT9uMM9ZeOJJOzEmCqSrfA==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><!-- certificate omitted --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">admin1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_59d52136c277a2ae101124b8e40142bf"
            NotOnOrAfter="2018-01-25T09:00:26Z" Recipient="https://saml-sp.repro.lab/cgi/samlauth"></saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-01-25T08:50:26Z" NotOnOrAfter="2018-01-25T09:00:26Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml-sp.repro.lab</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-01-25T08:55:26Z"
        SessionIndex="NSC_TMAAbf20316539bb57cf3c1ee224821b4f4e">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
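The checks an SP must make on a Response like the one above before it creates a session (the "if the signature and assertion are valid" step of the processing flows), as an added Python example that is not NetScaler code. SAMPLE_RESPONSE is a reduced copy of the page's Response with the same IDs, timestamps, audience and recipient but with the ds:Signature elements removed: verifying an enveloped XML-DSig needs exclusive canonicalization and belongs to a dedicated library (xmlsec or similar), so it is deliberately left out here and must be performed in addition to these checks. The reference time is passed in so the validity window can be evaluated deterministically.

```python
# Added example (not NetScaler code): SP-side validation of a SAML Response.
# SAMPLE_RESPONSE is a reduced copy of the page's Response without ds:Signature;
# cryptographic signature verification is out of scope and must be done separately.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://saml-sp.repro.lab/cgi/samlauth" ID="_e2e1e5204f9131fa8e65f8312b3ba8c8"
  InResponseTo="_59d52136c277a2ae101124b8e40142bf" IssueInstant="2018-01-25T08:55:26Z" Version="2.0">
  <saml:Issuer>https://netscaler.repro.lab</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_19f8b84b58eab7edd2c317a3baf3955" IssueInstant="2018-01-25T08:55:26Z" Version="2.0">
    <saml:Issuer>https://netscaler.repro.lab</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">admin1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_59d52136c277a2ae101124b8e40142bf"
          NotOnOrAfter="2018-01-25T09:00:26Z" Recipient="https://saml-sp.repro.lab/cgi/samlauth"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-01-25T08:50:26Z" NotOnOrAfter="2018-01-25T09:00:26Z">
      <saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-01-25T08:55:26Z" SessionIndex="NSC_TMAAbf20316539bb57cf3c1ee224821b4f4e"/>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC 'Z' timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, acs_url, sp_entity_id, idp_entity_id,
                      outstanding_request_ids, now, skew_seconds=0):
    """Return (ok, problems, name_id). Every failed check is listed so an
    operator can see why an assertion was rejected, not only that it was."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, ["root element is not samlp:Response"], None
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our AssertionConsumerService URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        problems.append("InResponseTo does not match an outstanding AuthnRequest ID")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return False, problems, None
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("Assertion Issuer is not the configured IdP")
    skew = timedelta(seconds=skew_seconds)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Conditions element missing")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + skew < _ts(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now - skew >= _ts(not_on_or_after):
            problems.append("assertion expired (Conditions NotOnOrAfter)")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction does not name this SP")
    confirmation = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if confirmation is None:
        problems.append("SubjectConfirmationData missing")
    else:
        if confirmation.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient mismatch")
        if confirmation.get("InResponseTo") != in_response_to:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        expiry = confirmation.get("NotOnOrAfter")
        if expiry and now - skew >= _ts(expiry):
            problems.append("bearer confirmation expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    return not problems, problems, name_id


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, acs_url="https://saml-sp.repro.lab/cgi/samlauth",
                            sp_entity_id="https://saml-sp.repro.lab",
                            idp_entity_id="https://netscaler.repro.lab",
                            outstanding_request_ids={"_59d52136c277a2ae101124b8e40142bf"},
                            now=_ts("2018-01-25T08:55:30Z")))
```

Run at 08:55:30Z, four seconds after the IssueInstant on the page, the sample passes and yields the NameID admin1; run at the NotOnOrAfter instant (09:00:26Z) it is rejected as expired, and a Response whose InResponseTo is not in the SP's list of outstanding request IDs is rejected as unsolicited.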

Packet capture :

Req 1 to the LB VIP :

The NetScaler resets the cookies, and in the form action we see the redirect URL, which is the IdP URL carrying the SAML request.

Req 2 to AAA VIP:

Once the SAML request is validated against the configured parameters, the NetScaler redirects to /tmindex.html if it is configured on the AAA VIP.

Req 3 to SP LB VIP:

The user posts the SAML response after being validated against LDAP. After the assertion is validated, the NetScaler redirects back to the original request received on the LB, along with the Set-Cookie value that was set during authentication.


Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643589 0 : “AAATM Login: created session for <admin1> with cookie: <c4dc31027d74b30718142fa0691e4dc9>”

Counters during the success response:

root@NetScaler# nsconmsg -g saml -d current

Displaying performance information

NetScaler V20 Performance Data

NetScaler NS12.0: Build 53.13.nc, Date: Sep 22 2017, 08:43:05

reltime:mili second between two records Thu Jan 25 14:25:22 2018

Index rtime totalcount-val delta rate/sec symbol-name&device-no

0 21006 5 1 0 aaa_samlidp_tot_authnreq_succ

1 7000 3 1 0 aaa_samlidp_tot_post_assertion


Ns.log:

Jan 25 14:25:03 <local0.info> 10.107.165.140 01/25/2018:08:55:03 GMT NetScaler 0-PPE-0 : default CLI CMD_EXECUTED 14643310 0 : User nsroot – Remote_ip 10.100.6.80 – Command “stop nstrace” – Status “Success”

Jan 25 14:25:04 <local0.info> 10.107.165.140 01/25/2018:08:55:04 GMT NetScaler 0-PPE-0 : default SNMP TRAP_SENT 14643314 0 : netScalerConfigChange (nsUserName = “nsroot”, configurationCmd = “stop nstrace”, authorizationStatus = authorized, commandExecutionStatus = successful, nsClientIPAddr = 10.100.6.80, nsPartitionName = default)

Jan 25 14:25:05 <local0.warn> NetScaler nstraceaggregator: removing old directory : [/var/nstrace/28Dec2017_19_34_40]

Jan 25 14:25:06 <local0.info> 10.107.165.140 01/25/2018:08:55:06 GMT NetScaler 0-PPE-0 : default CLI CMD_EXECUTED 14643324 0 : User nsroot – Remote_ip 10.100.6.80 – Command “start nstrace -nf 24 -time 3600 -size 0 -mode TXB NEW_RX -perNIC DISABLED -link DISABLED -filesize 1024 -doruntimecleanup ENABLED -traceBuffers 5000 -skipRPC DISABLED -skipLocalSSH DISABLED -capsslkeys ENABLED -capdroppkt ENABLED -inMemoryTrace DISABLED” – Status “Success”

Jan 25 14:25:06 <local0.info> 10.107.165.140 01/25/2018:08:55:06 GMT NetScaler 0-PPE-0 : default SNMP TRAP_SENT 14643325 0 : netScalerConfigChange (nsUserName = “nsroot”, configurationCmd = “start nstrace -nf 24 -time 3600 -size 0 -mode …”, authorizationStatus = authorized, commandExecutionStatus = successful, nsClientIPAddr = 10.100.6.80, nsPartitionName = default)

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643408 0 : SPCBId 21868 – ClientIP 10.100.6.80 – ClientPort 2815 – VserverServiceIP 10.107.165.147 – VserverServicePort 443 – ClientVersion TLSv1.1 – CipherSuite “AES-256-CBC-SHA TLSv1.1 Non-Export 256-bit” – Session New – HandshakeTime 5 ms

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643409 0 : “SAML: AuthnReq POST, Algorithm SHA1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:CanonicalizationMethod Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#rsa-sha1“></ds:SignatureMethod><ds:Reference URI=”#_59d52136c277a2ae101124b8e40142bf”><ds:Transforms><ds:Transform Algorithm=”http://www.w3.org/2000/09/xmldsig#enveloped-signature“></ds:Transform><ds:Transform Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue></ds:Reference></ds:SignedInfo>”

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643410 0 : “SAML: AuthnReq POST, Signature Element computed 3063 <ds:Signature xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:SignedInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:CanonicalizationMethod Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#rsa-sha1“></ds:SignatureMethod><ds:Reference URI=”#_59d52136c277a2ae101124b8e40142bf”><ds:Transforms><ds:Transform Algorithm=”http://www.w3.org/2000/09/xmldsig#enveloped-signature“></ds:Transform><ds:Transform Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Cz16jWx1fAurnpoPIbcPNstp9m1sbluIZ2EZFr0X3BOSS8HW3HhVwy7ctc/MTqN33mAWyDJQXqjgrLQYXi/yPPV3KEn9KJ5pJZF

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643412 0 : SPCBId 21874 – ClientIP 10.100.6.80 – ClientPort 2816 – VserverServiceIP 10.107.165.150 – VserverServicePort 443 – ClientVersion TLSv1.2 – CipherSuite “AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit” – Session New – HandshakeTime 4 ms

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643413 0 : “ns_aaa_saml_parse_authn_request: AuthnReq start tag seen, following data xmlns:samlp=”urn:oasis:names:tc:SAML:2.0:protocol” AssertionConsumerServiceURL=”https://saml-sp.rep

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643414 0 : “ns_aaa_saml_parse_authn_request: Issuer tag seen, remaining data /saml:Issuer><ds:Signature xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:SignedInfo><ds:Canonica “

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643415 0 : “SAMLIDP: ParseAuthnReq: signature method seen is 4”

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643416 0 : “SAMLIDP: ParseAuthnReq: digest method seen is SHA1”

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643417 0 : “ns_aaa_saml_parse_authn_request: Digestmethod tag seen, remaining data Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wEl “

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643418 0 : “ns_aaa_saml_parse_authn_request: SignedInfo tag end seen, remaining data <ds:SignatureValue>Cz16jWx1fAurnpoPIbcPNstp9m1sbluIZ2EZFr0X3BOSS8HW3HhVwy7ctc/MTqN33mAWyDJQXqjgrLQYXi/yPPV3KEn9KJ5pJZFGVUSIybolMjQW7zsSeqeCrD/OIoPGY6m1Vi5Gdy4922QQ+k2r1OBXrYX3IqykuRrIYaTg5iPanE0k9Eugv7N/jcmMzGC8tuwYvU/b++F6Cu+A8TEsIebB5quKa+Kj3EFox4WOhQ7uIZV9vmw03hz8797SF5+1fVmRWUfaaWu0yJCu38jNWTNqCxXzU3PzwkgGIJcRqZJ+jCgOb695A4KUpdwuCt8LFNkfTnrYjm+l3P3THJj4Cg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+kQAAAAAABDANBgkqhkiG9w0BAQsFADBAMRMwEQYKCZImiZPyLGQBGRYDbGFiMRUwEwYKCZImiZPyLGQBGRYFcmVwcm8xEjAQBgNVBAMTCUFEMS1SZXBybzAeFw0xNzA1MjgxODEwMDRaFw0xOTA1MjgxODEwMDRaMG0xCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExETAPBgNVBAcTCEJhbmdsb3JlMQ8wDQYDVQQKEwZDaXRyaXgxEDAOBgNVBAsTB1N1cHBvcnQxFDASBgNVBAMUCyoucmVwcm8ubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsQVtghT53h1Dsw+4utksprnnD12SnkcsgStfGs5NNgC0zK

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643419 0 : “ns_aaa_saml_parse_authn_request: SignatureValue tag seen, remaining data /ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+ “

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643420 0 : “ns_aaa_saml_parse_authn_request: Signature tag end seen, remaining data </samlp:AuthnRequest> “

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643421 0 : “ns_aaa_saml_parse_authn_request: AuthnReq end tag seen “

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643422 0 : “SAML verify digest: digest algorithm SHA1, input for digest: <samlp:AuthnRequest xmlns:samlp=”urn:oasis:names:tc:SAML:2.0:protocol” AssertionConsumerServiceURL=”https://saml-sp.repro.lab/cgi/samlauth” Destination=”https://saml-redirect.repro.lab/saml/login” ForceAuthn=”false” ID=”_59d52136c277a2ae101124b8e40142bf” IssueInstant=”2018-01-25T08:55:22Z” ProtocolBinding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” Version=”2.0″><saml:Issuer xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion”>https://netscaler.repro.lab</saml:Issuer></samlp:AuthnRequest>”

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643423 0 : “SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:CanonicalizationMethod Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#rsa-sha1“></ds:SignatureMethod><ds:Reference URI=”#_59d52136c277a2ae101124b8e40142bf”><ds:Transforms><ds:Transform Algorithm=”http://www.w3.org/2000/09/xmldsig#enveloped-signature“></ds:Transform><ds:Transform Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue></ds:Reference></ds:SignedInfo>”

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643425 0 : SPCBId 21873 – ClientIP 10.100.6.80 – ClientPort 2817 – VserverServiceIP 10.107.165.150 – VserverServicePort 443 – ClientVersion TLSv1.2 – CipherSuite “AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit” – Session New – HandshakeTime 3 ms

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643434 0 : SPCBId 21875 – ClientIP 10.100.6.80 – ClientPort 2818 – VserverServiceIP 10.107.165.150 – VserverServicePort 443 – ClientVersion TLSv1.2 – CipherSuite “AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit” – Session New – HandshakeTime 5 ms

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643437 0 : SPCBId 21872 – ClientIP 10.100.6.80 – ClientPort 2819 – VserverServiceIP 10.107.165.150 – VserverServicePort 443 – ClientVersion TLSv1.2 – CipherSuite “AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit” – Session New – HandshakeTime 6 ms

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643439 0 : SPCBId 21871 – ClientIP 10.100.6.80 – ClientPort 2820 – VserverServiceIP 10.107.165.150 – VserverServicePort 443 – ClientVersion TLSv1.2 – CipherSuite “AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit” – Session New – HandshakeTime 7 ms

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643472 0 : SPCBId 21870 – ClientIP 10.100.6.80 – ClientPort 2821 – VserverServiceIP 10.107.165.150 – VserverServicePort 443 – ClientVersion TLSv1.2 – CipherSuite “AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit” – Session New – HandshakeTime 5 ms

Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643474 0 : SPCBId 21869 – ClientIP 10.100.6.80 – ClientPort 2822 – VserverServiceIP 10.107.165.150 – VserverServicePort 443 – ClientVersion TLSv1.2 – CipherSuite “AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit” – Session New – HandshakeTime 6 ms

Jan 25 14:25:23 <local0.debug> 10.107.165.140 01/25/2018:08:55:23 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643546 0 : “ns_aaa_advance_authn_policyeval: copying policylabel name Saml-IDP-Vserver to aaa info, type 33 for auth “

Jan 25 14:25:23 <local0.debug> 10.107.165.140 01/25/2018:08:55:23 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643547 0 : “aaad_advance_authnpolicy_handler: epa_action_head = 0x2a53da80 “

Jan 25 14:25:23 <local0.debug> 10.107.165.140 01/25/2018:08:55:23 GMT NetScaler 0-PPE-0 : default AAATM Message 14643548 0 : “LoginSchema policyeval did not return an active policy”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643577 0 : “core 0: ns_get_username_password: loginschema gleaned is default “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643578 0 : “ns_aaa_advance_authn_policyeval: copying policylabel name Saml-IDP-Vserver to aaa info, type 33 for auth “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643579 0 : “aaad_advance_authnpolicy_handler: epa_action_head = 0x2a53da80 “

Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAA Message 14643580 0 : “(0-594) send_authenticate_pdu: Sending Preamble”

Jan 25 14:25:26 <local0.notice> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAA Message 14643581 0 : “(0-594): Reply Received”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643582 0 : “(0-594) Authentication succeeded, current factor: Saml-IDP-Vserver, for user: admin1 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643583 0 : “SAMLIDP: Checking whether current flow is SAML IdP flow, input U2FtbF9JRFBfUHJvZmlsZQBJRD1fNTlkNTIxMzZjMjc3YTJhZTEwMTEyNGI4ZTQwMTQyYmYmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTmhiV3d0VTFBQVlVaFNNR05JVFRaTWVUbDZXVmN4YzB4WVRuZE1ia3BzWTBoS2RreHRlR2haYVRodFdUTk9lVnBxTURCTk1sa3dUMVJuZWxwRVNURlpWRUp0VFZSRk5BPT0=”

Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643584 0 : “SAMLIDP: LOGIN SUCCESS; Core <0>, Logout url is not configured in action <Saml_IDP_Profile> not enabling single logout for user <admin1>”

Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM LOGIN 14643585 0 : Context admin1@10.100.6.80 – SessionId: 238- User admin1 – Client_ip 10.100.6.80 – Nat_ip “Mapped Ip” – Vserver 10.107.165.150:443 – Browser_type “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36” – Group(s) “N/A”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643586 0 : “In tmsession_adv_policyeval : pcount = 2”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643587 0 : “In tmsession_adv_policyeval : Calling action-trigger for policy = Dummy_Domain”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643588 0 : “In tmsession_adv_policyeval : Calling action-trigger for policy = SETTMSESSPARAMS_ADV_POL”

Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643589 0 : “AAATM Login: created session for <admin1> with cookie: <c4dc31027d74b30718142fa0691e4dc9>”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643590 0 : “nFactor: SAMLIDP: Auth complete; sending autopost for reload user: admin1”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643592 0 : “SAMLIDP: Checking whether current flow is SAML IdP flow, input U2FtbF9JRFBfUHJvZmlsZQBJRD1fNTlkNTIxMzZjMjc3YTJhZTEwMTEyNGI4ZTQwMTQyYmYmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTmhiV3d0VTFBQVlVaFNNR05JVFRaTWVUbDZXVmN4YzB4WVRuZE1ia3BzWTBoS2RreHRlR2haYVRodFdUTk9lVnBxTURCTk1sa3dUMVJuZWxwRVNURlpWRUp0VFZSRk5BPT0=”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643593 0 : “SAML: SendAssertion: Response tag is <samlp:Response xmlns:samlp=”urn:oasis:names:tc:SAML:2.0:protocol” Destination=”https://saml-sp.repro.lab/cgi/samlauth” ID=”_e2e1e5204f9131fa8e65f8312b3ba8c8″ InResponseTo=”_59d52136c277a2ae101124b8e40142bf” IssueInstant=”2018-01-25T08:55:26Z” Version=”2.0″><saml:Issuer xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion” Format=”urn:oasis:names:tc:SAML:2.0:nameid-format:entity”>https://netscaler.repro.lab</saml:Issuer><samlp:Status><samlp:StatusCode Value=”urn:oasis:names:tc:SAML:2.0:status:Success”></samlp:StatusCode></samlp:Status>”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643594 0 : “SAML: SendAssertion: Assertion tag is <saml:Assertion xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion” ID=”_19f8b84b58eab7edd2c317a3baf3955″ IssueInstant=”2018-01-25T08:55:26Z” Version=”2.0″><saml:Issuer Format=”urn:oasis:names:tc:SAML:2.0:nameid-format:entity”>https://netscaler.repro.lab</saml:Issuer><saml:Subject><saml:NameID Format=”urn:oasis:names:tc:SAML:2.0:nameid-format:transient”>admin1</saml:NameID><saml:SubjectConfirmation Method=”urn:oasis:names:tc:SAML:2.0:cm:bearer”><saml:SubjectConfirmationData InResponseTo=”_59d52136c277a2ae101124b8e40142bf” NotOnOrAfter=”2018-01-25T09:00:26Z” Recipient=”https://saml-sp.repro.lab/cgi/samlauth“></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=”2018-01-25T08:50:26Z” NotOnOrAfter=”2018-01-25T09:00:26Z”><saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceRestriction></saml:Conditio

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643595 0 : “SAML: SendAssertion, Digest Method SHA1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:CanonicalizationMethod Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#rsa-sha1“></ds:SignatureMethod><ds:Reference URI=”#_19f8b84b58eab7edd2c317a3baf3955″><ds:Transforms><ds:Transform Algorithm=”http://www.w3.org/2000/09/xmldsig#enveloped-signature“></ds:Transform><ds:Transform Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue></ds:Reference></ds:SignedInfo>”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643596 0 : “SAML: SendAssertion, Signature element is <ds:Signature xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:SignedInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:CanonicalizationMethod Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#rsa-sha1“></ds:SignatureMethod><ds:Reference URI=”#_19f8b84b58eab7edd2c317a3baf3955″><ds:Transforms><ds:Transform Algorithm=”http://www.w3.org/2000/09/xmldsig#enveloped-signature“></ds:Transform><ds:Transform Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>XauLGQnxsSkLMm5SsyRPX0LAHu0ocmFPL21Jolz2MiM3MTlFfJ+1dmflonXJR1TWpXwMz5KNNCe5IQ7X1q/DoyTndBCK2Kmiky5cxb50ctb5fen

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643598 0 : SPCBId 21867 – ClientIP 10.100.6.80 – ClientPort 2831 – VserverServiceIP 10.107.165.147 – VserverServicePort 443 – ClientVersion TLSv1.1 – CipherSuite “AES-256-CBC-SHA TLSv1.1 Non-Export 256-bit” – Session New – HandshakeTime 4 ms

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643600 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Assertion xmlns:saml=”urn:oasi “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643601 0 : “ns_aaa_saml_parse_assertion: Parsed Assertion/Response tag remaining data: ” IssueInstant=”2018-01-25T08:55:26Z” Version=”2.0″><saml:Issuer Format=”urn:oasis:names:tc:SAML:2.0 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643602 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Issuer Format=”urn:oasis:names “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643603 0 : “ns_aaa_saml_parse_assertion: Ignoring unknown/irrelevant tag seen at data: ssuer Format=”urn:oasis:names:tc:SAML:2.0:nameid-format:entity”>https://netscaler.repro.lab</saml:Is

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643604 0 : “parsing end of tag /saml:Issuer><ds:Signature xml “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643605 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Signature xmlns:ds=”http://www

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643606 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: SignedInfo><ds:Canonicalizatio “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643607 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: CanonicalizationMethod Algorit “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643608 0 : “ns_aaa_saml_parse_assertion: Parsed CanonicalizationMethod tag remaining data: http://www.w3.org/2001/10/xml-exc-c14n#”></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=” “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643609 0 : “parsing end of tag /ds:CanonicalizationMethod><ds “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643610 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: SignatureMethod Algorithm=”htt “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643611 0 : “ns_aaa_saml_parse_assertion: Parsed SignatureMethod tag remaining data: http://www.w3.org/2000/09/xmldsig#rsa-sha1″></ds:SignatureMethod><ds:Reference URI=”#_19f8b84b58eab7 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643612 0 : “parsing end of tag /ds:SignatureMethod><ds:Refere “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643613 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Reference URI=”#_19f8b84b58eab “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643614 0 : “ns_aaa_saml_parse_assertion: Ignoring unknown/irrelevant tag seen at data: eference URI=”#_19f8b84b58eab7edd2c317a3baf3955″><ds:Transforms><ds:Transform Algorithm=”http://www.

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643615 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Transforms><ds:Transform Algor “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643616 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Transform Algorithm=”http://ww

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643617 0 : “ns_aaa_saml_parse_assertion: Parsed Transforms tag remaining data: Algorithm=”http://www.w3.org/2000/09/xmldsig#enveloped-signature“></ds:Transform><ds:Transform Algo “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643618 0 : “parsing end of tag /ds:Transform><ds:Transform Al “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643619 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Transform Algorithm=”http://ww

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643620 0 : “ns_aaa_saml_parse_assertion: Parsed Transforms tag remaining data: Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:Transform></ds:Transforms><ds:DigestMethod “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643621 0 : “parsing end of tag /ds:Transform></ds:Transforms> “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643622 0 : “parsing end of tag /ds:Transforms><ds:DigestMetho “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643623 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: DigestMethod Algorithm=”http:/ “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643624 0 : “ns_aaa_saml_parse_assertion: Parsed DigestMethod tag remaining data: Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643625 0 : “parsing end of tag /ds:DigestMethod><ds:DigestVal “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643626 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: DigestValue>w9lrTkLx6kB1a3qAJa “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643627 0 : “ns_aaa_saml_parse_assertion: Parsed DigestValue tag remaining data: /ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>XauLGQnxsSkLMm5SsyRPX0LAHu0ocmFPL2 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643628 0 : “parsing end of tag /ds:Reference></ds:SignedInfo> “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643629 0 : “parsing end of tag /ds:SignedInfo><ds:SignatureVa “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643630 0 : “signedInfo end tag seen, remaining data: SignedInfo><ds:SignatureValue> “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643631 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: SignatureValue>XauLGQnxsSkLMm5 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643632 0 : “ns_aaa_saml_parse_assertion: Parsed SignatureValue tag remaining data: /ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+ “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643633 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: KeyInfo><ds:X509Data><ds:X509C “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643634 0 : “ns_aaa_saml_parse_assertion: Ignoring unknown/irrelevant tag seen at data: eyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+kQAAAAAABDANBgkqhkiG9w0B “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643635 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: X509Data><ds:X509Certificate>M “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643636 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: X509Certificate>MIIFSDCCBDCgAw “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643637 0 : “ns_aaa_saml_parse_assertion: Parsed X509Certificate tag remaining data: /ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format=”urn “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643638 0 : “parsing end of tag /ds:X509Data></ds:KeyInfo></ds “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643639 0 : “parsing end of tag /ds:KeyInfo></ds:Signature><sa “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643640 0 : “parsing end of tag /ds:Signature><saml:Subject><s “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643641 0 : “signature end tag seen, remaining data: Signature><saml:Subject><saml: “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643642 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Subject><saml:NameID Format=”u “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643643 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: NameID Format=”urn:oasis:names “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643644 0 : “ns_aaa_saml_parse_assertion: Parsed NameID tag remaining data: /saml:NameID><saml:SubjectConfirmation Method=”urn:oasis:names:tc:SAML:2.0:cm:bearer”><saml:SubjectC “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643645 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: SubjectConfirmation Method=”ur “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643646 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: SubjectConfirmationData InResp “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643647 0 : “ns_aaa_saml_parse_assertion: Parsed SubjectConfirmationData tag remaining data: SubjectConfirmationData InResponseTo=”_59d52136c277a2ae101124b8e40142bf” NotOnOrAfter=”2018-01-25T09 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643648 0 : “parsing end of tag /saml:SubjectConfirmationData> “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643649 0 : “subjectConfData end tag seen, remaining data: ></saml:SubjectConfirmation></ “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643650 0 : “parsing end of tag /saml:SubjectConfirmation></sa “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643651 0 : “parsing end of tag /saml:Subject><saml:Conditions “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643652 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Conditions NotBefore=”2018-01- “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643653 0 : “ns_aaa_saml_parse_assertion: Parsed Conditions tag remaining data: “><saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceR

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643654 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: AudienceRestriction><saml:Audi “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643655 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: Audience>https://saml-sp.repro

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643656 0 : “SAML: ParseAssertion: Audience parsed is https://saml-sp.repro.lab

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643657 0 : “parsing end of tag /saml:AudienceRestriction></sa “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643658 0 : “parsing end of tag /saml:Conditions><saml:AuthnSt “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643659 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: AuthnStatement AuthnInstant=”2 “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643660 0 : “ns_aaa_saml_parse_assertion: Parsed AuthnStatement tag remaining data: “><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProte “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643661 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: AuthnContext><saml:AuthnContex “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643662 0 : “ns_aaa_saml_parse_assertion: parsing the begg tag: AuthnContextClassRef>urn:oasis “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643663 0 : “parsing end of tag /saml:AuthnContextClassRef></s “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643664 0 : “parsing end of tag /saml:AuthnContext></saml:Auth “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643665 0 : “parsing end of tag /saml:AuthnStatement></saml:As “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643666 0 : “parsing end of tag /saml:Assertion> “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643667 0 : “assertion end tag seen, remaining data: “

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643668 0 : “SAML: Assertion is signed, trying to verify”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643669 0 : “SAML verify digest: digest algorithm SHA1, input for digest: <saml:Assertion xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion” ID=”_19f8b84b58eab7edd2c317a3baf3955″ IssueInstant=”2018-01-25T08:55:26Z” Version=”2.0″><saml:Issuer Format=”urn:oasis:names:tc:SAML:2.0:nameid-format:entity”>https://netscaler.repro.lab</saml:Issuer><saml:Subject><saml:NameID Format=”urn:oasis:names:tc:SAML:2.0:nameid-format:transient”>admin1</saml:NameID><saml:SubjectConfirmation Method=”urn:oasis:names:tc:SAML:2.0:cm:bearer”><saml:SubjectConfirmationData InResponseTo=”_59d52136c277a2ae101124b8e40142bf” NotOnOrAfter=”2018-01-25T09:00:26Z” Recipient=”https://saml-sp.repro.lab/cgi/samlauth“></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=”2018-01-25T08:50:26Z” NotOnOrAfter=”2018-01-25T09:00:26Z”><saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceRest

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643670 0 : “SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#“><ds:CanonicalizationMethod Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#rsa-sha1“></ds:SignatureMethod><ds:Reference URI=”#_19f8b84b58eab7edd2c317a3baf3955″><ds:Transforms><ds:Transform Algorithm=”http://www.w3.org/2000/09/xmldsig#enveloped-signature“></ds:Transform><ds:Transform Algorithm=”http://www.w3.org/2001/10/xml-exc-c14n#“></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=”http://www.w3.org/2000/09/xmldsig#sha1“></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue></ds:Reference></ds:SignedInfo>”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643671 0 : “SAML SP: Trying to check if SAMLIDP is also on the same unit”

Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643672 0 : “SAML SP: IDP session found on the same instance, reusing the session for admin1”

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM HTTPREQUEST 14643673 0 : Context admin1@10.100.6.80 – SessionId: 238- saml-sp.repro.lab User admin1 : Group(s) N/A : Vserver 10.107.165.147:443 – 01/25/2018:08:55:26 GMT : SSO is OFF : GET / – –

Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643674 0 : “cookie idx is 15, tmaaa cookie 9, temp cookie -1”

Jan 25 14:25:31 <local0.info> 10.107.165.140 01/25/2018:08:55:31 GMT NetScaler 0-PPE-0 : default CLI CMD_EXECUTED 14643705 0 : User nsroot – Remote_ip 10.100.6.80 – Command “stop nstrace” – Status “Success”

Jan 25 14:25:32 <local0.info> 10.107.165.140 01/25/2018:08:55:32 GMT NetScaler 0-PPE-0 : default SNMP TRAP_SENT 14643707 0 : netScalerConfigChange (nsUserName = “nsroot”, configurationCmd = “stop nstrace”, authorizationStatus = authorized, commandExecutionStatus = successful, nsClientIPAddr = 10.100.6.80, nsPartitionName = default)
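The trace above shows an IdP-side login followed, on the same appliance, by the SP side reusing that IdP session. The script below is an added example (not Citrix code and not part of the original article) that pulls out of such a trace the facts a reviewer would check: the "Logout url is not configured in action <Saml_IDP_Profile>" message, which means no back-channel single logout will be sent for this session; the assertion's Issuer, NameID, Audience, Recipient, InResponseTo and validity window; and the signature and digest algorithms, which here are RSA-SHA1 and SHA1. Its sample lines are constructed, shortened copies of the page's entries, and the consistency checks in cross_check() are the script's own, not ADC's validation.

```python
"""Pull the security-relevant facts out of a Citrix ADC SAML IdP trace in ns.log.

Added example, not Citrix code. Message formats are taken from the trace on
this page; SAMPLE_LOG is a constructed, shortened copy of those entries and
the checks in cross_check() are this script's own, not ADC's validation.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample: shortened copies of the page's ns.log entries.
SAMPLE_LOG = r'''
Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643584 0 : "SAMLIDP: LOGIN SUCCESS; Core <0>, Logout url is not configured in action <Saml_IDP_Profile> not enabling single logout for user <admin1>"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643593 0 : "SAML: SendAssertion: Response tag is <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://saml-sp.repro.lab/cgi/samlauth" ID="_e2e1e5204f9131fa8e65f8312b3ba8c8" InResponseTo="_59d52136c277a2ae101124b8e40142bf" IssueInstant="2018-01-25T08:55:26Z" Version="2.0">"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643594 0 : "SAML: SendAssertion: Assertion tag is <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_19f8b84b58eab7edd2c317a3baf3955" IssueInstant="2018-01-25T08:55:26Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://netscaler.repro.lab</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">admin1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_59d52136c277a2ae101124b8e40142bf" NotOnOrAfter="2018-01-25T09:00:26Z" Recipient="https://saml-sp.repro.lab/cgi/samlauth"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-01-25T08:50:26Z" NotOnOrAfter="2018-01-25T09:00:26Z"><saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643595 0 : "SAML: SendAssertion, Digest Method SHA1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod></ds:SignedInfo>"
Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643672 0 : "SAML SP: IDP session found on the same instance, reusing the session for admin1"
'''

# SHA-1 based XML-DSig algorithm URIs; the trace on this page uses both.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

NO_SLO_RE = re.compile(r"Logout url is not configured in action <([^>]+)> "
                       r"not enabling single logout for user <([^>]+)>")
RESPONSE_RE = re.compile(r"SAML: SendAssertion: Response tag is (.*)$")
ASSERTION_RE = re.compile(r"SAML: SendAssertion: Assertion tag is (.*)$")
SIGNEDINFO_RE = re.compile(r"SignedInfo used for digest is (.*)$")
REUSE_RE = re.compile(r"SAML SP: IDP session found on the same instance")


def attr(xml, name):
    """Value of the first occurrence of attribute `name` in `xml`, or None."""
    m = re.search(r'\b%s="([^"]*)"' % re.escape(name), xml)
    return m.group(1) if m else None


def utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def origin(url):
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def parse_assertion(xml):
    """Extract issuer, subject, bearer and audience data from the Assertion tag."""
    a = {"assertion_id": attr(xml, "ID")}  # first ID="..." belongs to the Assertion itself
    m = re.search(r"<saml:Issuer[^>]*>([^<]+)</saml:Issuer>", xml)
    a["issuer"] = m.group(1) if m else None
    m = re.search(r'<saml:NameID Format="([^"]+)">([^<]+)</saml:NameID>', xml)
    a["name_id_format"], a["name_id"] = (m.group(1), m.group(2)) if m else (None, None)
    m = re.search(r"<saml:SubjectConfirmationData([^>]*)>", xml)
    scd = m.group(1) if m else ""
    a["recipient"] = attr(scd, "Recipient")
    a["in_response_to"] = attr(scd, "InResponseTo")
    a["bearer_not_on_or_after"] = attr(scd, "NotOnOrAfter")
    m = re.search(r"<saml:Conditions([^>]*)>", xml)
    cond = m.group(1) if m else ""
    a["not_before"], a["not_on_or_after"] = attr(cond, "NotBefore"), attr(cond, "NotOnOrAfter")
    m = re.search(r"<saml:Audience>([^<]+)</saml:Audience>", xml)
    a["audience"] = m.group(1) if m else None
    return a


def cross_check(findings):
    """Consistency checks a relying party must make; here applied to what the IdP emitted."""
    a, resp = findings["assertion"], findings["response"]
    if not a:
        return
    if a["not_before"] and a["not_on_or_after"]:
        delta = utc(a["not_on_or_after"]) - utc(a["not_before"])
        a["conditions_window_seconds"] = int(delta.total_seconds())
    a["recipient_matches_audience"] = bool(a["recipient"]) and \
        origin(a["recipient"]) == (a["audience"] or "").rstrip("/")
    a["in_response_to_consistent"] = bool(a["in_response_to"]) and \
        a["in_response_to"] == resp.get("in_response_to")
    a["destination_matches_recipient"] = resp.get("destination") == a["recipient"]


def audit_saml_log(text):
    """Walk ns.log lines and return the SAML facts a reviewer cares about."""
    f = {"user": None, "idp_profile": None, "slo_enabled": None, "response": {},
         "assertion": {}, "weak_algorithms": [], "sp_reused_idp_session": False}
    for line in text.splitlines():
        if m := NO_SLO_RE.search(line):
            # ADC logs only this negative case in the trace; absence means "unknown", not "enabled".
            f["idp_profile"], f["user"], f["slo_enabled"] = m.group(1), m.group(2), False
        elif m := RESPONSE_RE.search(line):
            f["response"] = {"destination": attr(m.group(1), "Destination"),
                             "in_response_to": attr(m.group(1), "InResponseTo")}
        elif m := ASSERTION_RE.search(line):
            f["assertion"] = parse_assertion(m.group(1))
        elif m := SIGNEDINFO_RE.search(line):
            algs = re.findall(r'Algorithm="([^"]+)"', m.group(1))
            f["weak_algorithms"] = sorted(x for x in algs if x in WEAK_ALGORITHMS)
        elif REUSE_RE.search(line):
            f["sp_reused_idp_session"] = True
    cross_check(f)
    return f


if __name__ == "__main__":
    print(json.dumps(audit_saml_log(SAMPLE_LOG), indent=2))
```

Run it against a real ns.log by passing the file's text to audit_saml_log(). Three results from this trace are worth acting on: slo_enabled is False, so the IdP will not send back-channel logout requests for this user until a logout URL is configured in the IdP profile; the assertion is signed with RSA-SHA1 over a SHA1 digest, and the signatureAlg and digestMethod parameters of the samlIdPProfile can be set to RSA-SHA256 and SHA256 where the SP supports them; and the Conditions window is 600 seconds, which is the period during which a captured assertion could be replayed against an SP that does not track assertion IDs.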

SAML Counters:

The SAML counters listed below can be used to debug SAML issues on NetScaler. They can be displayed on the appliance shell with nsconmsg -d current -g saml, which prints the current value and delta of every counter whose name matches the pattern. A rising saml_signature_verify_fail, saml_digest_verify_fail, saml_reject_unsigned_assertion or saml_tot_replay_detected means assertions are failing a security check rather than a configuration step and is worth alerting on; saml_assertion_stale usually points at a clock difference between the IdP and the ADC.

Counter                          Description
saml_assertion_verify_success    Number of successful assertion verifications; each one corresponds to a session that must then be established.
saml_assertion_parse_fail        Number of times assertion parsing failed.
saml_assertion_stale             Number of stale assertions: assertions that passed verification but were found to be stale.
saml_signature_verify_fail       Number of times signature verification failed after digest verification had passed.
saml_canonicalize_fail           Number of times canonicalization (done in aaad) failed.
saml_digest_verify_fail          Number of times digest verification, the first step of signature verification, failed.
saml_malformed_data              Number of malformed assertions or responses received from the IdP.
saml_no_policy                   Total number of times no matching policy was found during verification.
saml_parse_logout_fail           Total number of times parsing of a logout request (from the IdP) failed.
saml_tot_sp_init_logout          Total number of SP-initiated logout requests.
saml_tot_idp_init_logout         Total number of IdP-initiated logout requests.
saml_large_session_index         Total number of times the session index was larger than 64 bytes.
saml_session_bcast_fail          Total number of times session broadcast failed.
saml_reject_unsigned_assertion   Total number of times an unsigned assertion was rejected.
saml_large_post                  Number of times the POST body was larger than the permitted size.
saml_base64_decode_fail          Number of times base64 decoding of SAML data failed.
saml_tot_dht_put_success         Total number of successful DHT puts.
saml_tot_dht_put_fail            Total number of unsuccessful DHT puts.
saml_tot_dht_get_success         Total number of successful DHT gets.
saml_tot_dht_get_notfound        Total number of times a DHT entry was not found, including false positives.
saml_tot_dht_free                Total number of times DHT entries were freed.
saml_tot_dht_deserialize_fail    Total number of times DHT deserialization failed.
saml_tot_replay_detected         Total number of times a replayed assertion was detected.

How to Link a New and Existing Citrix Content Collaboration account to Citrix Cloud

Requirements

  • You must have Administrator permissions in both Citrix Cloud and Content Collaboration (ShareFile).
  • The Administrator email address used to sign in to Citrix Cloud must match the email address on record listed in Content Collaboration.
  • Important: Customer linking process must be performed within 30 days of initial Order Date.

If any of these requirements aren’t met, Citrix Cloud might not be able to locate your Citrix Content Collaboration (ShareFile) account for assignment. If you need help with these requirements, contact Citrix Support and open a customer service case for “Content Collaboration (ShareFile) linking verification”.

To link your Content Collaboration account to Citrix Cloud (no new entitlements)

Use the following steps if you’ve previously purchased Citrix Content Collaboration entitlements and want to create a new account and link the entitlements to that account.

  1. Sign in to Citrix Cloud using your Citrix credentials.
  2. From the Citrix Cloud console, under Available Services, locate the Content Collaboration tile.
  3. In Add Service, select Link Account. The Add Content Collaboration Account page appears with the Link Account tab selected.
Add Service menu with Link Account selected
  1. Select the ShareFile account you want to link and then click Link Account.

Important: If no accounts are displayed, verify that you are an administrator for ShareFile and that your email address for Citrix Cloud matches your email address for Content Collaboration (ShareFile). For additional assistance, contact Citrix Support and open a customer service case for “Content Collaboration (ShareFile) linking verification”

Customer bought new entitlements and want to assign them to an EXISTING Content Collaboration account

Use the following steps if you’ve purchased new Content Collaboration (ShareFile) or Workspace entitlements and want to assign(link/connect) and manage your entitlements in Citrix Cloud.

  1. Sign in to Citrix Cloud using your Citrix credentials.
  2. From the Citrix Cloud console, under My Services, locate the Content Collaboration tile and click Manage. The Assign Content Collaboration Entitlements page appears and displays the new entitlements you have purchased.
    • NOTE: If you are logged into Citrix Cloud, just bought a new entitlement, and you do not see the Content Collaboration tile under ‘My Services’ but instead; you see it under ‘Available Services’, chances are you are logged into the wrong Citrix Cloud account. In order to see your entitlements (and for the tile to show up in the ‘Manage’ state) you have to log into the Citrix Cloud account associated to the Org ID on your Purchasing Order.
  3. Click Assign to Existing Account, the Content Collaboration (ShareFile) Accounts page appears.
User-added image
  • If you have never linked an account to Citrix Cloud, you will NOT be able to assign the entitlement and you will receive the screenshot below. To link an account that has never connected to Citrix Cloud, click Link another account. Citrix Cloud displays the available accounts you can link. Otherwise, if already linked, proceed to step 4.
  • Select the Content Collaboration (ShareFile) account you want to assign (link) the entitlement to and then click Link Account.


Important: If no accounts are displayed, verify that you are an administrator for Content Collaboration and that your email address for Citrix Cloud matches your email address for ShareFile. For additional assistance, contact Citrix Support and open a customer service case for “Content Collaboration (ShareFile) linking verification”.

  4. Select the account displayed under Available ShareFile accounts that you want to assign the entitlement to.
  5. Select I understand that entitlements assigned to an account cannot be reversed.

Dialog showing acknowledgement selected

  6. Click Assign. The Assign Content Collaboration Entitlements page displays the account assigned to the entitlement.


  7. Click Manage to continue to the Content Collaboration Admin Overview.


Recommended Hotfixes for Citrix Hypervisor (Formerly XenServer)

Citrix Hypervisor, formerly XenServer, is powered by the Xen Project hypervisor.

This article contains the complete set of recommended updates/hotfixes for XenServer 7.x.

For the list of XenServer Tools/Management Agent/Windows driver updates, refer to CTX235403 – Updates to Management Agent – For XenServer 7.0 and later.

For XenServer 6.x hotfixes, refer to CTX138115 – Recommended Hotfixes for XenServer 6.x

Versions covered: Citrix Hypervisor 8.0, XenServer 7.6, XenServer 7.1 CU2, XenServer 7.0.

For more information, refer to the following Knowledge Center articles.

Note: Citrix recommends updating the XenServer Console before applying any new hotfixes. All XenServer hotfixes can be applied at the same time; the order in which hotfixes are listed in this article is not an installation order.

Hotfix XS80E001 – For Citrix Hypervisor 8.0

All customers who are affected by the issues described in CTX251995 – Citrix Hypervisor Multiple Security Updates should install this hotfix.

This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.

Content live patchable: No

Hotfix XS76E006 – For XenServer 7.6

All customers who are affected by the issues described in CTX251995 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable: No

XenServer 7.1 Cumulative Update 2 (XS71ECU2) must be installed by all customers running XenServer 7.1 CU1 because, as of March 12, 2019, no further hotfixes will be produced for XenServer 7.1 CU1.

XenServer 7.1 Cumulative Update 2 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

For more information about XenServer 7.1 CU2, see the Citrix XenServer 7.1 Cumulative Update 2 Release Notes.

XenCenter 7.1.3

This release of XenCenter is for customers who use XenCenter as the management console for XenServer 7.1 LTSR. XenCenter 7.1 CU2 is released as part of XenServer 7.1 Cumulative Update 2 and is available only to customers on the Customer Success Services program.

We recommend that you install this version of XenCenter before using XenCenter to update XenServer 7.1 CU1 hosts to XenServer 7.1 CU2.

XS71ECU2

XenServer 7.1 Cumulative Update 2 (XS71ECU2) must be installed by customers running XenServer 7.1 LTSR CU1. It includes all previously released XenServer 7.1 CU1 hotfixes. Installation of XS71ECU2 is required for all future functional hotfixes for XenServer 7.1 LTSR.

XenServer 7.1 Cumulative Update 2 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

Citrix will continue to provide security updates to the base XenServer 7.1 CU1 product for a period of three months from the release date of the XenServer 7.1 Cumulative Update 2 (until March 12, 2019). After this three month period elapses, any new hotfixes released will only support XenServer 7.1 with CU2 applied.

For more information about XenServer 7.1 CU2, see the Citrix XenServer 7.1 Cumulative Update 2 Release Notes.

Content live patchable: No

Hotfix XS71ECU2001 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issue:

  • The XenServer host can experience a memory leak in dom0. This memory leak is triggered by invalid responses to FLOGI messages from connected FCoE equipment.
Content live patchable: Yes

Hotfix XS71ECU2003 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • Depending on the guest OS and device, devices passed through to a guest might not function correctly due to missed interrupts.
Content live patchable: No

Hotfix XS71ECU2004 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • If you attempt to reboot a Windows VM from XenServer at the same time as you attempt to reboot the Windows VM from within the VM, the reboot can fail with the following error: “You attempted an operation on a VM that needed to be in state ‘Running’ but was in state ‘Halted’.”
  • Scheduled metadata backups can fail intermittently when the pool backup metadata VDI gets full. The default size of the pool backup metadata VDI has been increased to 500MiB.
  • A VM taking more than 30 seconds to shut down no longer leads to “Domain stuck in dying state after 30s.”
  • While applying a hotfix to a pool, if XAPI restarts on a pool member, it detaches the hotfix update from all hosts in the pool as part of clean-up operations. This can cause the hotfix to fail to apply to other pool members.
Content live patchable: No

Hotfix XS71ECU2007 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • Improvements to VM performance and stability.
  • A race condition in XenBus can cause pauses in Windows VM operation, which lead to Timeout Detection and Recovery (TDR) events. The TDR can cause the VM to crash.
  • Under low resource situations, Xennet can consume all of the RAM on a Windows VM. This causes the VM to crash.
  • Windows VMs with the XenVBD driver installed can experience a high number of system interrupts when performing storage operations, especially if you are using fast storage and transferring large amounts of data.

This hotfix also includes the drivers required to support Windows Server 2019 VMs on XenServer 7.1 CU2.

Content live patchable: No

Hotfix XS71ECU2008 – For XenServer 7.1 Cumulative Update 2

All customers who are affected by the issues described in CTX251995 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable: No

Apply the following hotfixes for XenServer 7.0 and restart XenServer when the hotfix installation is complete.

Hotfix XS70E001 – For XenServer 7.0

This is a XenCenter update (a .exe file) and not a host-side hotfix. This package needs to be installed on the Windows machine running XenCenter.

Hotfix XS70E002 – For XenServer 7.0

All customers who are affected by the CVE-2016-2107 issue described in CTX212736: Citrix XenServer Multiple Security Updates should install this hotfix.

Hotfix XS70E004 – For XenServer 7.0

Important: This is a critical hotfix for customers running XenServer 7.0. All XenServer 7.0 customers must apply this hotfix.
Hotfix XS70E009 – For XenServer 7.0

This hotfix resolves the following issue:

  • In rare circumstances when a XenServer host is enabling HA, or during a host reboot with HA enabled, the host can fail to establish HA communication with the other hosts. This is due to another process on the host using the listening port required by the HA software.
Update XS70EU001 – Management Agent for XenServer 7.0

The Management Agent update resolves the following issues:

  • Installation of Management Agent can fail after installing newer I/O drivers through Windows Update.
  • Failure to reboot a Windows VM after installing XenServer Tools can result in excessive log entries being written to xensource.log and xenstored-access.log until the VM is rebooted. If customers do not reboot the VM, or delay the reboot, excess logs can fill up the XenServer host log partition.
  • The Management Agent can crash and respawn on systems without a terminal services Windows Management Instrumentation (WMI) object causing high CPU usage and excessive logging in /var/log/daemon.
  • If the Management Agent auto update is enabled after installing XenServer Tools, and a new update is available, the initial auto-update can fail due to a race condition that can cause multiple update attempts to occur simultaneously.
Update XS70EU002 – Management Agent for XenServer 7.0

New versions of the I/O drivers, compatible with Microsoft Windows Server 2016, have been released.
Update XS70EU003 – Management Agent for XenServer 7.0
  • The default behavior of the Management Agent has been improved to enable customers to configure whether any I/O driver updates included in the Management Agent should be applied automatically. For more information, see section 4.3.1 Installing XenServer Tools in the XenServer 7.0 Virtual Machine User’s Guide.
  • This version (v7.1.844) of the Management Agent includes new versions of the I/O drivers that are compatible with Microsoft Windows Server 2016. These drivers have been released previously through the Microsoft Windows Server Update Service. For more information, see Update XS70EU002 – Windows I/O Drivers for XenServer 7.0.
Hotfix XS70E018 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX220112: Citrix XenServer Multiple Security Updates should install this hotfix.
  • This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX219378: Citrix XenServer Multiple Security Updates should install this hotfix.
  • This hotfix supports the improvements to XenServer’s Direct Inspect APIs.
Hotfix XS70E024 – For XenServer 7.0
  • When booting a vGPU provisioned Virtual Machine (VM) from network, an interaction between VGA BIOS and VGA emulation code in the vGPU device model can result in the corruption of the VM console in XenCenter.
Hotfix XS70E027 – For XenServer 7.0
  • When Installing XenServer or upgrading XenServer to a newer version, PBIS services get enabled (even when Role-based access control (RBAC) is not used) and display a lot of error messages. Also, this issue consumes a lot of control domain (dom0) resources.
Hotfix XS70E028 – For XenServer 7.0

This hotfix supports the following new guest operating systems.

  • Oracle Linux 6.8
  • Red Hat Enterprise Linux 6.8
  • CentOS 6.8
  • NeoKylin Linux Advanced Server 6.5 (64-bit only)
  • NeoKylin Linux Advanced Server 7.2 (64-bit only)
  • SUSE Linux Enterprise Server 11 SP4
Hotfix XS70E037 – For XenServer 7.0

This hotfix addresses the following issue:

  • When attempting to use the XenServer Conversion Manager (XCM) Console to connect to an XCM Virtual Appliance that runs on a slave host, the connection fails and the console displays the following message: “There was a failure communicating with the plugin.” This hotfix ensures that the XCM Console can connect to an XCM Virtual Appliance that runs on any XenServer host.
Hotfix XS70E041 – For XenServer 7.0

This hotfix resolves the following issue:

  • When using SSH to connect to XenServer, a user might experience a memory leak in systemd on XenServer.
Hotfix XS70E048 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX230138 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E052 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX232655 – Citrix XenServer Multiple Security Updates should install this hotfix. This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.
Hotfix XS70E061 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0.

All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Hotfix XS70E062 – For XenServer 7.0

This hotfix resolves the following issues:

  • Virtual machines (VMs) configured with in-guest software RAID may fail to cleanly shut down or restart.
  • After taking a disk-only snapshot for a VM running in the pool, users randomly fail to access the Virtual Hard Disk (VHD) when trying to unpause the VM, and the VM stops responding. This is caused by time racing in Linux Logical Volume Manager (LVM).
  • After rebooting, a XenServer host can fail to connect to iSCSI targets on Compellent arrays.
  • When Intellicache mirroring fails due to ENOSPC on shared storage, the VBD image list gets truncated to point to itself. This causes an infinite loop and can lead to the I/O datapath stopping and subsequently VMs freezing.
  • When a pool master node executes multi-step plugins on the pool member nodes after important events such as coalesce, the plugin continues to execute through all its steps even if one of the previous steps has failed. This can lead to complications such that other VDI operations are permanently blocked with OTHER_OPERATION_IN_PROGRESS.
  • After deleting a snapshot on a pool member that is not the pool master, a coalesce operation may not succeed. In such cases, the coalesce process can constantly retry to complete the operation, resulting in the creation of multiple RefCounts that can consume a lot of space on the pool member.
  • The storage cleanup process initiated after a VDI destroy can conflict with ongoing VDI copy processes (including Storage XenMotion), causing subsequent operations on the SR to fail.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E063 – For XenServer 7.0

This hotfix resolves the following issues:

  • High Availability (HA) enabled VMs can take longer to restart after a HA failover.
  • In rare cases, when a XenServer host in a pool is restarted, it may not be able to rejoin the pool.
  • In rare cases, attempts to shut down a XenServer host in a pool may not succeed.
  • On HA-enabled pools, when a task is initiated after a XenServer host has failed, VMs running on the host can take longer (about 10 minutes) to restart. This issue occurs when a task is assigned to the host after it has failed, but before XAPI is aware of the host failure. In such cases, the task doesn’t get cancelled even when XAPI is notified about the failure, causing delays in restarting the VMs.
  • When migrating VMs that have Dynamic Memory Control (DMC) enabled, the VM’s shutdown operation can unexpectedly fail. This is caused by the memory allocation being reduced before shutdown and that operation taking longer than expected.
  • On Nutanix hosts, the host’s memory-overhead is miscalculated after first boot. This is because XAPI calculates the available host RAM on startup assuming no domains other than the XenServer Control Domain are running. On first boot this is true but on subsequent boots, the Nutanix Controller VM (CVM) is started before XAPI.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E065 – For XenServer 7.0

This hotfix resolves the following issues:

  • A race condition caused Windows VMs to hang repeatedly and give an error with Event ID 129: “StorPort detected a SRB timeout, and issued a reset”.
  • XenVBD can consume 100% of a vCPU and can block other processes from using that vCPU.
  • If a restart is performed without clicking on the Yes or No buttons of the restart to complete installation dialog box, the dialog box continues to appear even after restarting the VM.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E068 – For XenServer 7.0

All customers who are affected by the issues described in CTX251995 – Citrix XenServer Multiple Security Updates should install this hotfix.

This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.

This hotfix also includes the following previously released hotfixes:
