CloudPortal Services Manager 11.5.5

SAML Authentication Support in ShareFile Service 11.5.5

© 2016 Citrix Systems, Inc. All rights reserved.



Version: 1.0

Last Updated: April 12, 2016


Contents

Copyright and Trademarks
Welcome to ShareFile Service 11.5.5
  What’s new in this release
  Documentation and support for CloudPortal Services Manager
ShareFile SAML authentication topology
How to deploy and manage ShareFile Service 11.5.5
Install and configure Microsoft ADFS service
Configure ShareFile service with SAML authentication
  SAML authentication settings in customer plan
    SAML Authentication Context
Provision the ShareFile service with SAML authentication
  Deprovisioning the service
  To provision the ShareFile service to resellers
  To provision the ShareFile service to customers
    Relying Party Trust used by ShareFile service
  To provision the ShareFile service to users
  About ShareFile Client Id and Client Secret
  How to customize ShareFile login page
  How to configure properties when ADFS proxy is used
View authentication method configured in ShareFile service for each customer
View Relying Party Trust used by ShareFile service
View token-signing certificates status used by ShareFile service
  Expiration of token-signing certificate
View ADFS certificates status managed by Microsoft ADFS service
Common configuration problems and trouble shooting
Known Issues


Copyright and Trademarks

Use of the product documented herein is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included with your installation media.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 2016 Citrix Systems, Inc. All rights reserved.

The following are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries:

Citrix®, Citrix Access Gateway™, Citrix App Orchestration™, Citrix Receiver™, Citrix XenApp™, CloudPlatform™, CloudPortal™, ICA®, NetScaler®, NetScaler App Delivery Controller™, NetScaler Gateway™, XenApp®, XenDesktop™, XenServer™

All other trademarks and registered trademarks are the property of their respective owners.


Welcome to ShareFile Service 11.5.5

Thank you for choosing App Orchestration. This document includes information and instructions to help you learn more about planning your App Orchestration deployment, prepare core components, and perform tasks such as creating offerings and subscribing tenants to those offerings.

What’s new in this release

• Support for ADFS SAML authentication: In this version, the ShareFile service supports enabling and disabling ADFS-based SAML authentication, so end users can use their CPSM domain account to authenticate against ShareFile. The various SAML authentication configuration settings can be configured via CPSM.

• Support for self-managed SAML authentication: Besides ADFS as Identity Provider (IdP), other IdPs are supported and can work with the ShareFile service as well.

• Default customer plans for different authentication methods: To serve different requirements, the ShareFile service in this version creates several default customer plans for different authentication methods, to facilitate SAML configuration in different scenarios.

• View and monitor certificate status: To help administrators monitor and maintain ADFS-based SAML authentication for ShareFile, this version supports viewing and monitoring the status of the certificates used by SAML authentication, so that administrators get early warning and can take appropriate action.

• View the authentication configuration of all customers in a summary: Quickly view the authentication summary of all individual customers, including the ADFS server, the selected authentication method and the related authentication settings. This information is useful for maintenance and troubleshooting.

Documentation and support for CloudPortal Services Manager

• ShareFile Service in CloudPortal Services Manager 11.5 in Citrix eDocs: This section of eDocs is your primary source for all resources that support ShareFile 11.5.x: configuration guides, admin manuals and other materials to help you progress smoothly through each stage of deployment and management.

• CloudPortal Services Manager Discussion Forum: Use this Citrix Discussions site to ask questions and contribute your knowledge about CloudPortal Services Manager.


ShareFile SAML authentication topology

In this version, the ShareFile service supports configuring ADFS-based SAML authentication for ShareFile. The system topology is as follows:

[Figure: topology diagram showing Terminal, CPSM, ShareFile Online, ADFS and AD Domain Controller]

To configure SAML authentication on the ShareFile web app, at least one additional ADFS server needs to be deployed. The ADFS server acts as IdP (Identity Provider) and the ShareFile web app acts as SP (Service Provider). CPSM configures both the ADFS server and the ShareFile web app to activate or deactivate SAML authentication.

In this version, CPSM ONLY supports configuring SAML with ADFS as IdP. If you want to use another IdP, you need to configure it manually.

The Microsoft ADFS solution has two components: the ADFS server and the ADFS proxy server. The ADFS server has to be installed on a machine within the domain. Only the ADFS server can be configured by CPSM. If you want to work with an ADFS proxy server, refer to How to configure properties when ADFS proxy is used.


How to deploy and manage ShareFile Service 11.5.5

Before you deploy or upgrade the ShareFile service, follow the eDocs guide to review the deployment requirements and the common steps to deploy the ShareFile service without SAML authentication support. To support SAML authentication, the following extra steps are required:

• Install and configure Microsoft ADFS service.

• Configure ShareFile service with SAML authentication.

• Provision the ShareFile service with SAML authentication.

After deploying the ShareFile service with SAML authentication support, use the following topics to manage the ADFS servers, Relying Party Trusts and token-signing certificates:

• View authentication method configured in ShareFile service for each customer.

• View Relying Party Trust used by ShareFile service.

• View token-signing certificates status used by ShareFile service.

• View ADFS certificates status managed by Microsoft ADFS service.

Note: To authenticate against ShareFile with SAML, a special logon URL is required. It is displayed on the Services > ShareFile > SSO management > Authentication Method page; refer to View authentication method configured in ShareFile service for each customer for more details.


Install and configure Microsoft ADFS service

Refer to the Microsoft ADFS service manual for detailed steps to install and configure the Microsoft ADFS service.

The ShareFile service uses ADFS as its Identity Provider (IdP) and will create a Relying Party Trust in ADFS for each customer with ADFS-based SAML authentication enabled. If you plan to enable this feature, make sure the ADFS server and the Microsoft ADFS service work before continuing with the following steps.

Configure ShareFile service with SAML authentication

The general configuration steps for ShareFile service 11.5.5 are the same as in the previous version. Refer to Configure the ShareFile service for detailed steps.

The only difference during service package import is to choose the “Add” action for the three new customer plans shown below.

Customer Plan / Configuration

ShareFile - SAML Auth: Only SAML authentication is enabled. Users can only use their CPSM domain account to log on to ShareFile.

ShareFile – Standard & SAML Auth: Both ShareFile and SAML authentication are enabled. Users can use either their ShareFile account or their CPSM domain account to log on to ShareFile.

ShareFile – Standard Auth: Only ShareFile authentication is enabled. Users can only use their ShareFile account to log on to ShareFile.

You might choose to enable some or all of these plans at location level, or choose to create new customer plans, depending on your requirements. The following section gives more details about the SAML authentication properties in a customer plan.

Note: If you upgrade from a previous version of the ShareFile service, by default CPSM will not manage the SAML authentication settings for these customer plans: the property “SSO is managed by CPSM” will not be enabled.

SAML authentication settings in customer plan

This table lists all SAML authentication properties in a customer plan, giving for each the property in CPSM, the corresponding property in the ShareFile web app, and what happens.

SSO is managed by CPSM (ShareFile web app: NA): If disabled, CPSM leaves the SAML authentication settings in the ShareFile web app unchanged. It will be disabled in all self-created customer plans if ShareFile is upgraded from a previous version.

Enable SAML Authentication (ShareFile web app: Enable SAML): Users can access ShareFile by SAML authentication after the property is enabled. If the property is disabled, SAML authentication is disabled.

Only allow SAML Authentication access (ShareFile web app: Require SSO Login): The behaviour depends on whether “Enable SAML Authentication” is enabled; refer to the table below.

ShareFile SP-Initial Auth Context (ShareFile web app: SP-Initiated Auth Context): ShareFile uses the authentication method selected here to authenticate the user against the ADFS server. Refer to SAML Authentication Context for more details.

The following table shows, for each authentication method, the required values of “Enable SAML Authentication” and “Only allow SAML Authentication access”:

SAML authentication only: Enable SAML Authentication = Y; Only allow SAML Authentication access = Y

ShareFile authentication only: Enable SAML Authentication = N; Only allow SAML Authentication access = NA

SAML + ShareFile authentication: Enable SAML Authentication = Y; Only allow SAML Authentication access = N

Note: In the following cases, the end user might need to use their ShareFile account:

• Only ShareFile authentication is enabled

• The authentication method is switched from SAML authentication only to ShareFile authentication only or to SAML and ShareFile authentication

• The SAML authentication setting is not managed by CPSM

To get the password, each user must click the “Forget password?” link on the login page of the ShareFile web app.

SAML Authentication Context

ShareFile supports the following authentication types provided by SAML providers, from least secure to most secure:

• Unspecified (accepts any authentication type ADFS provides)

• User Name and Password

• Password Protected Transport

• Transport Layer Security

• X.509 Certificate

• Integrated Windows Authentication

• Kerberos

You may choose the minimum or the exact authentication type ShareFile will request from ADFS. For instance, if a minimum of User Name and Password is chosen, ShareFile negotiates with ADFS to find the most secure authentication type, starting with Kerberos and working backwards (bottom up) until a supported auth type is found in ADFS. If Forms Based Authentication (FBA) is the only auth type enabled on the ADFS server, ShareFile will try Kerberos, then Integrated Windows Authentication, and so on until User Name and Password is met.

If Integrated Windows Authentication (IWA) is set as the minimum, ShareFile will only allow the Kerberos and IWA methods. If the second pull-down menu is set to exact, ShareFile will only attempt to negotiate authentication over the chosen type. If, for instance, you only want to authenticate via Integrated Windows Authentication, select exact and ShareFile will not negotiate any other authentication type.

Note: By default, “Unspecified + Exact” is selected for SAML Authentication Context in CPSM.

Provision the ShareFile service with SAML authentication

Before enabling SAML authentication, the Microsoft ADFS service should be enabled and the Microsoft ADFS server connection should be created before provisioning the ShareFile service to any reseller, customer or user. Refer to Microsoft ADFS service on how to install and configure the Microsoft ADFS service.

The configuration of SAML authentication on the ShareFile web app is done by ShareFile customer service provisioning and deprovisioning.

Deprovisioning the service

When deprovisioning the service for a customer, the customer's users must be deprovisioned, including the ShareFile customer administrator. Upon deprovisioning, the service status changes to “deprovisioned” immediately for the customer in Services Manager. Additionally, you must cancel the customer's account through the ShareFile.com web site.

When a user is deprovisioned, the Employee user account associated with the Services Manager user is deleted immediately. The user receives no notification from ShareFile.

If you want to reprovision the ShareFile service to a customer whose account has been cancelled, the customer must first contact ShareFile to re-establish the former account or create a new one. Afterward, you can provision the ShareFile service to the customer through Services Manager.


Most of the deprovisioning of the ShareFile customer service is the same as in the previous version. The differences are in the SAML configuration. There are two cases.

If “SSO is managed by CPSM” (in the customer plan) is enabled, which means the SAML authentication configuration is managed by CPSM, CPSM will:

1. Remove the Relying Party Trust on the ADFS server if it exists.

2. Disable SAML authentication on the ShareFile web app.

3. Remove the Login URL setting on the ShareFile web app.

If “SSO is managed by CPSM” is disabled, which means CPSM will not touch the SAML authentication configuration on ShareFile, ShareFile customer service deprovisioning is the same as before.

To provision the ShareFile service to resellers

When provisioning a customer with the ShareFile service, Services Manager suggests a subdomain based on the customer's primary domain name (for example, mycompany.sharefile.com). However, Services Manager does not validate the subdomain prior to account creation. If the subdomain is invalid or in use by another customer, Services Manager displays an error message.

1. From the Services Manager menu bar, click Customers and select the customer for whom you want to provision the service.

2. Click Services and then click Reseller.

3. From the services list, click ShareFile.

4. Choose user plans and customer plans.

5. Click Provision to enable the reseller to offer the ShareFile service to customers.

To provision the ShareFile service to customers

By enabling ADFS-based SAML authentication, the service uses ADFS as its Identity Provider (IdP) and will create a Relying Party Trust in ADFS for each customer. If you plan to enable this feature, make sure the ADFS server and the Microsoft ADFS service work before continuing with the following steps.

For customers who do not choose CPSM to manage SSO settings, the ShareFile service will not do the related configuration in either the ShareFile web app or the ADFS server.

Note: In each location, only one ADFS server is used by the ShareFile service and shared with all customers in that location. If multiple ADFS servers exist in a location, only the first one is used.

1. From the Services Manager menu bar, click Customers and select the customer for whom you want to provision the service.

2. Click Services and then click ShareFile.

3. Select the proper customer plan from Customer Plan drop down list.

4. (Optional) Click Edit to change the authentication properties in selected customer plan.


5. Under Account Information, enter the following information:

• ShareFile Domain: The default top-level domain. For example, sharefile.com.

• ShareFile Sub-domain: The customer's ShareFile subdomain. For example, mycompany.sharefile.com.

• Administrator Username: The customer administrator's ShareFile account username. The username must be a valid email address.

• Administrator Password: The customer administrator's ShareFile account password.

• Employee Licenses: The number of Employee users associated with the customer's ShareFile account.

6. Click Provision.

Through ShareFile customer service provisioning, CPSM can activate or deactivate SAML authentication on ShareFile. If you wish to use CPSM to manage SAML authentication for ShareFile, “SSO is managed by CPSM” has to be enabled.

If SAML Authentication is enabled within the customer plan, during customer service provisioning CPSM will:

1. Add the Relying Party Trust on ADFS.

2. Configure the SSO settings on the ShareFile web app to activate SAML authentication.

Besides ShareFile customer service deprovisioning, SAML authentication can be deactivated by ShareFile customer service provisioning as well. If SAML authentication is disabled within the customer plan, during customer service provisioning CPSM will:

1. Remove the Relying Party Trust on ADFS if there is one.

2. Disable SAML authentication on ShareFile Online.

3. Remove the login URL setting on ShareFile Online.

Note: If the token-signing certificate has expired on ADFS, activation of SAML authentication will fail.

Relying Party Trust used by ShareFile service

When ADFS-based SAML authentication is enabled, during customer service provisioning CPSM creates a Relying Party Trust for the customer with the following settings:

1. Set the display name to the customer's ShareFile subdomain name and add the FQDN of the subdomain to the identifiers property.

2. Add the SAML Assertion Consumer Endpoints of the customer’s ShareFile subdomain to the Endpoints property of the Relying Party Trust.

3. Create two claim rules, which are identical for all customers using ADFS-based SAML authentication:

a. AD to SAML Email: convert User Principal Name to Email format

b. mail to NameID: convert from UPN claim type to NameID claim type


Note: sharefile.com requires a Name ID in Email format. CPSM uses the Active Directory User Principal Name (UPN) as the attribute source and converts it into the Name ID and Email attributes. If the UPN does not match your company email address, you can use the Active Directory Email attribute instead and manually modify these two claim rules. Refer to Configure ShareFile Single Sign-On with ADFS for more details.
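The following PowerShell script is an added example (not part of the Citrix document or CPSM) that audits the Relying Party Trust CPSM created for one customer against the settings listed above: display name equal to the subdomain, subdomain FQDN among the identifiers, an assertion consumer endpoint for that subdomain, the two claim rules, and a NameID claim. It assumes it runs on the ADFS server with the ADFS PowerShell module, that the rule names appear literally as @RuleName in the issuance rules, and uses "mycompany.sharefile.com" as a constructed sample subdomain.

```powershell
# Added example, not part of the Citrix document: audit a customer's Relying Party Trust.
# Assumptions: ADFS PowerShell module available on the ADFS server; the claim rule names
# "AD to SAML Email" and "mail to NameID" from the text appear as @RuleName in the rule set;
# "mycompany.sharefile.com" is a constructed sample value.

param(
    [string]$SubDomainFqdn = "mycompany.sharefile.com"   # constructed sample value
)

Import-Module ADFS -ErrorAction Stop

function Test-ShareFileRelyingPartyTrust {
    param([Parameter(Mandatory)][string]$Fqdn)

    # The document states the display name is set to the customer's ShareFile subdomain,
    # so looking the trust up by name already checks setting 1 (display name).
    $rpt = Get-AdfsRelyingPartyTrust -Name $Fqdn
    if (-not $rpt) {
        return [pscustomobject]@{ Check = 'Relying Party Trust exists'; Pass = $false; Detail = "No trust named '$Fqdn'" }
    }

    $results = @()

    # Trust is enabled (shown as "Enabled" on the ADFS Relying Party Trusts page in CPSM).
    $results += [pscustomobject]@{ Check = 'Trust enabled'; Pass = [bool]$rpt.Enabled; Detail = $rpt.Enabled }

    # Setting 1: the subdomain FQDN appears in the identifiers. The document does not fix the
    # exact URI form, so match on the FQDN as a substring.
    $idMatch = @($rpt.Identifier | Where-Object { $_ -like "*$Fqdn*" })
    $results += [pscustomobject]@{ Check = 'FQDN in identifiers'; Pass = ($idMatch.Count -gt 0); Detail = ($rpt.Identifier -join ', ') }

    # Setting 2: a SAML Assertion Consumer endpoint pointing at the customer's subdomain.
    $acs = @($rpt.SamlEndpoints | Where-Object {
        $_.Protocol -eq 'SAMLAssertionConsumer' -and $_.Location.ToString() -like "*$Fqdn*" })
    $acsList = ($acs | ForEach-Object { $_.Location.ToString() }) -join ', '
    $results += [pscustomobject]@{ Check = 'ACS endpoint for subdomain'; Pass = ($acs.Count -gt 0); Detail = $acsList }

    # Setting 3: the two claim rules named in the document, and a NameID claim in the rule set.
    $rules = [string]$rpt.IssuanceTransformRules
    foreach ($ruleName in 'AD to SAML Email', 'mail to NameID') {
        $results += [pscustomobject]@{ Check = "Claim rule '$ruleName'"; Pass = ($rules -like "*$ruleName*"); Detail = '' }
    }
    $results += [pscustomobject]@{
        Check  = 'NameID claim issued'
        Pass   = ($rules -like '*schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier*')
        Detail = ''
    }
    return $results
}

$report = Test-ShareFileRelyingPartyTrust -Fqdn $SubDomainFqdn
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning "One or more checks failed; compare with 'Relying Party Trust used by ShareFile service' before re-provisioning the customer."
}
```

A failed claim-rule check is the expected result after an administrator has replaced the UPN-based rules with Email-attribute rules, as the note above describes; in that case compare the rule text rather than the names.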

To provision the ShareFile service to users

There is no change in user service provisioning compared to the previous version. Refer to the user provisioning steps in Provision the ShareFile service for more details.

The only difference in the backend is that if “Only allow SAML Authentication access” is enabled in the customer plan, after provisioning the user service the user is not redirected to the “change password” page during their first login.

About ShareFile Client Id and Client Secret

The Client Id and Client Secret are used to access ShareFile API v3. It is not recommended to change the default values.

If there is an issue with these two parameters, it is highly recommended to contact Citrix to obtain a new Client Id and Client Secret, although they can also be obtained by visiting https://api.sharefile.com/rest/oauth2-request.aspx. If required, these two properties can be set via the “ShareFile ClientID” and “ShareFile ClientSecret” properties within Service Settings.

Note: Only Service Provider and Reseller have permission to configure these properties.

How to customize ShareFile login page

After configuring single sign-on, you can adjust your default ShareFile login page. Refer to Custom Login Screen for more details.

How to configure properties when ADFS proxy is used

To work with an ADFS proxy while ADFS-based SAML authentication is enabled, ensure the DNS record used by the ADFS proxy server for SAML authentication is the same as that of the ADFS server.

For example, if the service name of the ADFS server is “adfs” and it serves at “adfs.contoso.com”, then the DNS record used by the ADFS proxy server should be “adfs.contoso.com” as well.

For more details about ADFS proxy configuration, refer to https://msdn.microsoft.com/en-us/library/azure/dn528859.aspx.

View authentication method configured in ShareFile service for each customer

When a customer has been provisioned with the ShareFile service, the service provider or reseller can view the authentication method configured in ShareFile for that customer. If the SAML authentication settings in the ShareFile web app are not configured and managed by CPSM, the authentication page will not show the customer’s authentication method.

1. From Services > ShareFile, click Authentication Configuration.

2. Click the Location drop-down list to select the location to be displayed, or keep the default “All” to show ADFS Token Signing Certificates of all locations.

3. Alternatively, enter the customer name in the Search Customers box to filter for a specific customer.

On this page, the following information can be found:

Customer: The name of the customer.

Location: The location the ShareFile customer service serves.

ShareFile Login URL: Users can access this URL to log in to ShareFile with ShareFile authentication. If the property is empty, ShareFile authentication is disabled.

SAML Login URL: Users can access this URL to log in to ShareFile with SAML authentication. If the property is empty, SAML authentication is disabled.

View Relying Party Trust used by ShareFile service

CPSM supports viewing the details of the Relying Party Trusts used by customers. This is helpful if service providers or resellers need to know how a Relying Party Trust is configured by CPSM.

1. From Services > ShareFile, click ADFS Relying Party Trusts.

2. Click the Location drop-down list to select the location to be displayed, or keep the default “All” to show ADFS Token Signing Certificates of all locations.

3. Alternatively, enter the display name in the Search Display Name box to filter for a specific relying party trust.

On this page, the following information can be found:

Display Name: The display name of the relying party trust.

Location: The location the relying party trust serves.

Identifier: The identifier of the relying party trust.

Enabled: The status of the relying party trust.

Customer: If the relying party trust was created by provisioning the ShareFile service, this property lists the name of the customer who uses the relying party trust. Otherwise, it shows that the relying party trust was not created by the ShareFile service.

Refer to Relying Party Trust used by ShareFile service for more details.

View token-signing certificates status used by ShareFile service

When ADFS-based SAML authentication is enabled, the token-signing certificate imported into the ShareFile web app is used by ShareFile to validate that the claims sent by the ADFS server have not been tampered with. Normally the token-signing certificate is updated regularly for security and to avoid expiration. It is a routine maintenance task for the administrator to monitor the token-signing certificate status to ensure SAML authentication is available for all ShareFile users:

1. From Services > ShareFile > SSO Management, click ADFS Token-Signing Certificates.

2. Click the Location drop-down list to select the location to be displayed, or keep the default “All” to show ADFS token-signing certificates of all locations.

3. Alternatively, enter the customer name in the Search Customers box to filter for a specific customer.

On this page, the following information can be found:

Status: The status of the token-signing certificate. It can be:

• Invalid: an invalid certificate is imported in the ShareFile web app

• Expired in 30 days: the certificate expires within the next 30 days

• OK: the certificate is valid

Customer Name: The name of the customer.

Location: The location the ShareFile customer service serves.

Certificate Subject: The subject field of the token-signing certificate, which can be used to identify the certificate.

Action: Whether or not the service provider needs to take action, such as reviewing the token-signing certificate and re-provisioning the ShareFile customer service.


Expiration of token-signing certificate ADFS server requires token-signing certificate to ensure the Claims sent to SAML aware applications have not been tampered. It support both automatically created token-signing certificate or imported manually. By default, ADFS server will automatically create token-signing certificate with one year expiration since ADFS server was setup.

If the token-signing certificate has expired:

• ADFS-based SAML authentication for ShareFile fails, because the signature over the claims in the SAML response no longer validates.

• Provisioning the ShareFile service for a customer who uses that certificate also fails with an error.

In this case the token-signing certificate must be renewed so that ADFS works normally again. Renewing it on the ADFS server is not enough on its own: the ShareFile web app keeps the certificate it received at provisioning time, so the ShareFile customer service must be re-provisioned for every customer that is still configured with the old certificate.

ADFS 2.0 and ADFS 3.0 provide an "auto rollover" function that renews the certificate automatically. If auto rollover is enabled, ADFS generates a new certificate X days before the current token-signing certificate expires and adds it as the secondary token-signing certificate. Y days after it is generated, the new certificate is promoted to primary, and from that moment ADFS signs with it. Microsoft provides PowerShell cmdlets that show whether ADFS renews the certificate automatically and what X and Y are. You can read the properties with the following commands:

# ADFS 2.0 only: load the snap-in. On ADFS 3.0 (Windows Server 2012 R2) the ADFS module loads automatically and this line is not needed.
Add-PSSnapin "microsoft.adfs.powershell"

Get-ADFSProperties

Some useful properties are listed below:

• AutoCertificateRollover – whether AD FS is configured to renew the token-signing and token-decrypting certificates automatically.

• CertificateGenerationThreshold – how many days before the certificate's Not After date a new certificate is generated (X above).

• CertificatePromotionThreshold – how many days after the new certificate is generated it is promoted to primary (Y above).

• CertificateRolloverInterval – the interval, in minutes, at which AD FS checks whether a new certificate needs to be generated.

The recommended practice is to enable automatic certificate renewal when you set up ADFS, using the following PowerShell command:

Set-ADFSProperties -AutoCertificateRollover $true

Note that auto rollover only manages certificates that ADFS generates itself: ADFS turns it off when you configure a certificate of your own, and enabling it again causes ADFS to replace that certificate with a self-signed one at the next rollover. Auto rollover also does not update ShareFile, so plan to re-provision the affected customers before the new certificate is promoted to primary.

If you want to generate a new token-signing certificate manually, refer to the Microsoft documentation: https://technet.microsoft.com/en-us/library/dn781426.aspx.
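The following script is an added example for this section and is not part of the Citrix document. It audits the ADFS token-signing certificates with the same three states as the CPSM status page, reads the rollover properties listed above, warns when auto rollover is off and the primary certificate is inside the generation threshold, warns when a secondary certificate is waiting for promotion (the moment ShareFile customers must be re-provisioned by), and optionally compares the ADFS primary with the certificate ShareFile currently trusts. The -ShareFileCertPath parameter is an assumption: a .cer export of the certificate that was imported into the ShareFile web app. Run it on the ADFS server (on ADFS 2.0 load the snap-in first).

```powershell
# Added example, not part of the Citrix document: audit ADFS token-signing certificates
# and rollover settings, and detect a stale certificate import in ShareFile.
# Assumptions: -ShareFileCertPath is a .cer export of the certificate imported into the
# ShareFile web app; -WarnDays mirrors the 30-day warning of the CPSM status page.
param(
    [string]$ShareFileCertPath,
    [int]$WarnDays = 30
)

function Get-TokenSigningCertStatus {
    # Same three states as the CPSM "ADFS Token-Signing Certificates" page.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays
    )
    $now = Get-Date
    if ($Cert.NotAfter -le $now -or $Cert.NotBefore -gt $now) { return 'Invalid' }
    if ($Cert.NotAfter -le $now.AddDays($WarnDays)) { return "Expired in $WarnDays days" }
    return 'OK'
}

$props = Get-AdfsProperties
"AutoCertificateRollover        : $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold : $($props.CertificateGenerationThreshold) days before Not After (X)"
"CertificatePromotionThreshold  : $($props.CertificatePromotionThreshold) days after generation (Y)"
"CertificateRolloverInterval    : $($props.CertificateRolloverInterval) minutes"

$tokenSigning = @(Get-AdfsCertificate -CertificateType Token-Signing)
$tokenSigning | ForEach-Object {
    $cert = $_.Certificate
    [pscustomobject]@{
        Primary    = $_.IsPrimary
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        Status     = Get-TokenSigningCertStatus -Cert $cert -WarnDays $WarnDays
    }
} | Format-Table -AutoSize | Out-Host

$primary = ($tokenSigning | Where-Object { $_.IsPrimary } | Select-Object -First 1).Certificate
$daysToExpiry = ($primary.NotAfter - (Get-Date)).TotalDays

# Without auto rollover nothing renews the certificate: the administrator has to act
# before the Not After date, and then re-provision the ShareFile customers.
if (-not $props.AutoCertificateRollover -and $daysToExpiry -le $props.CertificateGenerationThreshold) {
    Write-Warning "Auto rollover is off and the primary token-signing certificate expires in $([math]::Floor($daysToExpiry)) days; renew it manually and re-provision the affected ShareFile customers."
}

# With auto rollover, ADFS adds the new certificate as secondary and promotes it Y days
# after generation. ShareFile trusts only the certificate imported at provisioning time,
# so the affected customers must be re-provisioned before that promotion.
foreach ($entry in ($tokenSigning | Where-Object { -not $_.IsPrimary })) {
    $promoteOn = $entry.Certificate.NotBefore.AddDays($props.CertificatePromotionThreshold)
    Write-Warning "Secondary token-signing certificate $($entry.Certificate.Thumbprint) is due for promotion around $promoteOn; re-provision ShareFile customers before then."
}

if ($ShareFileCertPath) {
    $imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ShareFileCertPath
    if ($imported.Thumbprint -eq $primary.Thumbprint) {
        "The certificate imported into ShareFile matches the ADFS primary token-signing certificate."
    } else {
        Write-Warning "ShareFile trusts $($imported.Thumbprint) but the ADFS primary is $($primary.Thumbprint); re-provision the ShareFile customer service."
    }
}
```

Save it as a .ps1 file and run it from an elevated PowerShell on the ADFS server, for example with -ShareFileCertPath pointing at the certificate exported from the ShareFile SSO settings; the thumbprint comparison is the quickest way to tell whether a customer still needs re-provisioning after a rollover.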


View ADFS certificate status managed by the Microsoft ADFS service

For more information about the ADFS token-signing certificates used by ShareFile SAML authentication, use the Services > Microsoft ADFS > Certificate Management page. For details, refer to the Microsoft ADFS service documentation.


Common configuration problems and troubleshooting

1. The user does not have the role: AdminSSO.

Symptom: Provisioning or deprovisioning a customer's ShareFile service, which configures SSO in ShareFile, fails with the error message: The user does not have the role admin:SSO.

Root cause: The ShareFile account used by CPSM does not have the AdminSSO role.

Check steps:

• Log in to the ShareFile web app with that account and check whether it has the administrator privilege to configure single sign-on settings.

2. The ADFS certificate is expired.

Symptom: Provisioning a customer's ShareFile service with SAML authentication enabled fails with the error message: The ADFS certificate is expired.

Root cause: The primary ADFS token-signing certificate has expired.

Check steps:

• Log on to the ADFS server, open the AD FS Management console and go to AD FS->Service->Certificates.

• Double-click the primary token-signing certificate, view the certificate details and check whether it has expired. If it has, renew it (see "Expiration of the token-signing certificate" above) and re-provision the affected customers.

3. The provision request failed with HTTP status 401: Unauthorized.

Symptom: Provisioning or deprovisioning a customer's ShareFile service fails with the error message: The request failed with HTTP status 401: Unauthorized. Or the ADFS Token-Signing Certificates page, the ADFS Relying Party Trusts page or the Certificate Management page reports an error while loading service data: In ** location, The request failed with HTTP status 401: Unauthorized.

Root cause: There is no valid Microsoft ADFS server connection for the current location, or its credential is not accepted by the ADFS web service.

Check steps:

• From the Services Manager menu bar, click Configuration->System Manager->Server Connections.

• Select the current location from the Location Filter and make sure a "Microsoft ADFS" server connection exists.

• If a "Microsoft ADFS" server connection already exists, check its credential and URL Base, then click the "Test" button and check that it returns a successful status.

4. Unable to connect to the ADFS server.

Symptom: Provisioning or deprovisioning a customer's ShareFile service fails with the error message: Unable to connect to the remote server. Or the ADFS Token-Signing Certificates page, the ADFS Relying Party Trusts page or the Certificate Management page reports an error while loading service data: In ** location: Unable to connect to the remote server.

Root cause: The ADFS server is shut down, or the port of the Microsoft ADFS server connection for this location is incorrect.

Check steps:

• Make sure the ADFS server is running and reachable from the CPSM server.

• In Services Manager, go to Configuration->System Manager->Server Connections and make sure the port of the ADFS connection is correct.

5. The underlying connection was closed: An unexpected error occurred on a send.

Symptom: Provisioning or deprovisioning a customer's ShareFile service fails with the error message: The underlying connection was closed: An unexpected error occurred on a send. Or the ADFS Token-Signing Certificates page, the ADFS Relying Party Trusts page or the Certificate Management page reports an error while loading service data: In ** location, The underlying connection was closed: An unexpected error occurred on a receive.

Root cause: The ADFS web service is not installed on the ADFS server, or the protocol (HTTP or HTTPS) of the Microsoft ADFS server connection for this location is incorrect. This message is what .NET reports when the TLS handshake fails, for example when HTTPS is selected against a port that only speaks HTTP, or when the CPSM server and the ADFS web service have no TLS version or cipher suite in common.

Check steps:

• From the Services Manager menu bar, click Configuration->System Manager->Server Connections and check that the protocol of the server connection is correct.

• Log on to the ADFS server and check that the ADFS web service is installed and configured correctly.

6. Specified cast is not valid.

Symptom: Provisioning a customer's ShareFile service fails with the error message: Specified cast is not valid.

Root cause: The ADFS service is not installed or is not configured correctly.

Check steps:

• Log on to the ADFS server and check that the ADFS web service is installed and configured correctly.


7. client_id or client_secret is invalid.

Symptom: Provisioning a customer's ShareFile service fails with the error message: client_id or client_secret is invalid.

Root cause: The client_id or client_secret configured for the ShareFile API is invalid.

Remediation:

• Log on to api.sharefile.com with your account, obtain a valid client_id and client_secret, update the configured values, then provision the customer's ShareFile service again. Treat the client_secret as a credential: store it only in the CPSM configuration, and request a new one if it may have been exposed.

8. Testing the "Microsoft ADFS" server connection fails.

Symptom: Testing the "Microsoft ADFS" server connection returns a red status.

Root cause: The "Microsoft ADFS" server connection information is wrong, or the ADFS server cannot be contacted.

Check steps:

• Go to Configuration->System Manager->Server Connections and check that the server, credential, URL Base, protocol and port of the server connection are correct.

• Check that the CPSM server can connect to the ADFS server.

• Log on to the ADFS server and check that the ADFS web service is installed and configured correctly.
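Problems 3, 4, 5 and 8 above are all symptoms of one thing: the CPSM server cannot complete a request to the "Microsoft ADFS" server connection. The following function is an added example (not part of the Citrix document) that reproduces those checks from the CPSM server, one layer at a time: TCP reachability of the host and port (problem 4), a raw TLS handshake when the connection uses HTTPS (problem 5, which is the .NET message for a failed handshake), and an authenticated request to the URL base, where a 401 isolates the stored credential (problem 3). The parameters mirror the fields of the Server Connections page; the exact URL base of the ADFS web service and the host name in the usage line are assumptions.

```powershell
# Added example, not part of the Citrix document: diagnose a "Microsoft ADFS" server
# connection from the CPSM server. Parameters mirror the Server Connections fields;
# the URL base and the host name used in the usage line are assumptions.
function Test-CpsmAdfsConnection {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443,
        [switch]$UseHttps,
        [string]$UrlBase = '/',
        [pscredential]$Credential
    )
    $r = [ordered]@{
        Server = $Server; Port = $Port; TcpOk = $false; TlsOk = $null
        TlsProtocol = $null; ServerCert = $null; HttpStatus = $null; Diagnosis = 'OK'
    }

    # Problem 4: "Unable to connect to the remote server" = nothing answered on host:port.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $r.TcpOk = $true
    } catch {
        $r.Diagnosis = "TCP connect failed ($($_.Exception.Message)): is the ADFS server running and is the port right?"
        return [pscustomobject]$r
    }

    if ($UseHttps) {
        # Problem 5: "The underlying connection was closed: An unexpected error occurred on a
        # send" is .NET's message for a failed TLS handshake (HTTPS against an HTTP-only port,
        # or no TLS version in common). The callback accepts any server certificate so that the
        # result reflects the handshake itself; the certificate subject is reported separately.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        try {
            $ssl.AuthenticateAsClient($Server)
            $r.TlsOk = $true
            $r.TlsProtocol = $ssl.SslProtocol
            $r.ServerCert = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate).Subject
        } catch {
            $r.TlsOk = $false
            $r.Diagnosis = "TLS handshake failed ($($_.Exception.Message)): check the protocol of the server connection and the TLS settings of the ADFS web service."
            return [pscustomobject]$r
        } finally {
            $ssl.Dispose(); $tcp.Close()
        }
    } else {
        $tcp.Close()
    }

    # Problem 3: a 401 from the URL base means the connection works but the stored
    # credential is not accepted for this location.
    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    $uri = '{0}://{1}:{2}{3}' -f $scheme, $Server, $Port, $UrlBase
    $req = @{ Uri = $uri; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($Credential) { $req.Credential = $Credential } else { $req.UseDefaultCredentials = $true }
    try {
        $r.HttpStatus = (Invoke-WebRequest @req).StatusCode
    } catch {
        $resp = $_.Exception.Response
        if ($resp) { $r.HttpStatus = [int]$resp.StatusCode }
        $r.Diagnosis = if ($r.HttpStatus -eq 401) {
            'HTTP 401: the credential of the Microsoft ADFS server connection for this location is not accepted.'
        } else {
            "HTTP request failed: $($_.Exception.Message)"
        }
    }
    return [pscustomobject]$r
}

# Usage (placeholder values):
# Test-CpsmAdfsConnection -Server adfs.csp3.local -Port 443 -UseHttps -UrlBase '/' -Credential (Get-Credential)
```

Run it from the CPSM server with the same server, port, protocol, URL base and credential that the server connection uses. If the TLS handshake succeeds but the final request fails with a certificate trust error, the ADFS web service presents a certificate the CPSM server does not trust; fix the trust (install the issuing CA) rather than disabling validation in the product.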


Known Issues

1. If you are using IE 11.x and have set "IE Enhanced Security Configuration" to Off, make sure that in IE->Tools->Compatibility View Settings both "Display intranet sites in Compatibility View" and "Use Microsoft compatibility lists" are unchecked, or you may encounter display errors.

2. When configuring the ADFS service, the service account must have permission to read object properties under the CustomersOU that is specified in CPSM. Otherwise, users cannot log in to ShareFile with their domain accounts. If the ADFS service runs as the service account that Windows created automatically, that account does not have the permissions needed to read the CustomersOU. The solution is to run the ADFS service as an account that does have that permission; a dedicated account such as "csm_microadfs_svc" is preferable to a domain administrator, which grants the service far more privilege than it needs. Use the following command to change the account (the service account of the ADFS service can only be changed from the command line; note the space after "obj=" and "password=", which sc.exe requires):

sc.exe config adfssrv obj= <account_name> password= <account_password>

For example:

sc.exe config adfssrv obj= "csp3.local\administrator" password= "Citrix#123"

Restart the ADFS service afterwards and confirm that it starts and that a federated sign-in to ShareFile succeeds. The password is passed in plain text on the command line, so run this from an interactive console rather than a logged script, and do not reuse the example password.

3. Password encryption of the ShareFile administrator account in CPSM has been implemented via a hotfix. If the version of CPSM you use does not support it yet, contact the support team to obtain the hotfix; until it is applied, restrict access to the CPSM configuration where that password is stored.
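For known issue 2 above, the following script is an added example (not part of the Citrix document) that checks, before anything is changed, whether the account the ADFS service runs as, or the account you intend to switch to, holds an Allow ACE with read rights on the CustomersOU, and then applies the service-account change with sc.exe while prompting for the password instead of typing it on the command line. It needs the ActiveDirectory module (RSAT) and, for the change itself, local administrator rights on the ADFS server. The CustomersOU distinguished name is a placeholder (use the one configured in CPSM), "csm_microadfs_svc" is the account name the document suggests, and the membership check expands only direct group membership plus the well-known Everyone and Authenticated Users identities.

```powershell
# Added example, not part of the Citrix document: verify read access to the CustomersOU
# for the ADFS service account and switch the account without putting the password on the
# command line. Assumptions: the CustomersOU DN below is a placeholder (use the DN from
# CPSM); 'csm_microadfs_svc' is the account name suggested in the document.
param(
    [string]$CustomersOU = 'OU=Customers,DC=csp3,DC=local',
    [string]$NewServiceAccount      # e.g. 'csp3.local\csm_microadfs_svc'; empty = report only
)
Import-Module ActiveDirectory

function Get-PrincipalSids {
    # SIDs the account carries in its token: itself, its direct groups, and the well-known
    # Everyone (S-1-1-0) and Authenticated Users (S-1-5-11). Nested groups beyond one
    # level are not expanded. LocalSystem / NT AUTHORITY accounts authenticate to AD as
    # the computer account, which is the case for the account Windows creates by itself.
    param([string]$Account)
    $sam = if ($Account -eq 'LocalSystem' -or $Account -like 'NT AUTHORITY\*') { "$env:COMPUTERNAME`$" }
           else { ($Account -split '\\')[-1] }
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectSid
    if (-not $obj) { throw "Account '$Account' was not found in Active Directory." }
    $sids = @([string]$obj.objectSid)
    $sids += @(Get-ADPrincipalGroupMembership -Identity $obj.DistinguishedName | ForEach-Object { [string]$_.SID })
    $sids += 'S-1-1-0', 'S-1-5-11'
    return $sids
}

function Test-OuReadAccess {
    # True if an Allow ACE on the OU grants read rights to one of the account's SIDs.
    param([string]$OU, [string]$Account)
    $readRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty, ListChildren'
    $sids = Get-PrincipalSids -Account $Account
    $acl = Get-Acl -Path "AD:\$OU"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $(try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                    catch { $ace.IdentityReference.Value })
        if ($sids -contains $aceSid -and ($ace.ActiveDirectoryRights -band $readRights) -ne 0) { return $true }
    }
    return $false
}

$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
"adfssrv currently runs as '$($svc.StartName)' (state: $($svc.State))."
"Read access to $CustomersOU for '$($svc.StartName)': $(Test-OuReadAccess -OU $CustomersOU -Account $svc.StartName)"

if ($NewServiceAccount) {
    if (-not (Test-OuReadAccess -OU $CustomersOU -Account $NewServiceAccount)) {
        Write-Warning "'$NewServiceAccount' has no read access to $CustomersOU; grant it before switching the service."
        return
    }
    # sc.exe requires the space after "obj=" and "password=". The password is prompted for,
    # so it does not land in shell history; it still travels as a process argument.
    $cred = Get-Credential -UserName $NewServiceAccount -Message 'Password of the new ADFS service account'
    & sc.exe config adfssrv obj= $NewServiceAccount password= $cred.GetNetworkCredential().Password
    Restart-Service adfssrv
    "adfssrv now runs as '$((Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName)'."
}
```

Run it once without -NewServiceAccount to see what the service runs as today and whether that identity can read the OU, then with -NewServiceAccount to switch. Changing the account with sc.exe does not re-grant the other permissions ADFS set up for its original account (such as access to the token-signing private key), so after the restart confirm that the service is running and that a federated sign-in to ShareFile succeeds.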