downloadWhy can't I download this file?
You cannot access this session because you are not the brokered user.
In this scenario:
Microsoft office x for mac download.
Applicable Products
- Citrix Virtual Apps and Desktops
- CloudPlatform
- Citrix Cloud
Symptoms or Error
Users may be unable to launch session when using OKTA authentication with following error:You cannot access this session because you are not the brokered user.In this scenario:
- On-prem AD users where migrated to Azure ADDS
- Individual users are specified to allow access to application
Okta Saas
Refer section: Configure the Okta OIDC web application in this article - Step 4
https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/okta-identity.html
- Credential from Azure ADDS is used to logon at Citrix Cloud Workspace URL
Solution
Correct the SID in user's attribute at OKTA console, to match with the one which is used during Workspace URL logon.
Problem Cause
Okta Citrix Cloud Login
This could happen due to SID mis-match specified at OKTA console in individual user's SID attribute.
Additionally, you will see following error in DDC trace where DDC or Broker is unable to find or lookup the SID in Azure ADDS:
xxxxxxx,1,yyyy/mm/dd hh:mm:ss.xxxxx,xxxx,xxxx,x,BrokerDAL,1,Error,'AccountNameCache::TrySyncUniversalClaimsForAccount: ERROR SID:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX not found using Identity API Exception:Citrix.Fma.Sdk.Identity.Interface.IdentityLookupFailureException: The lookup failed as the domain 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX' could not be located ---> Citrix.Fma.Sdk.Identity.Interface.IdentityNotFoundException: [customer id] Specified domain 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX' was not found in: [Name:domainname.com NetBiosName:domainname SID:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX]
The Broker expects the user SID from Azure AADS and not the one from On-prem Active Directory
Additionally, you will see following error in DDC trace where DDC or Broker is unable to find or lookup the SID in Azure ADDS:
xxxxxxx,1,yyyy/mm/dd hh:mm:ss.xxxxx,xxxx,xxxx,x,BrokerDAL,1,Error,'AccountNameCache::TrySyncUniversalClaimsForAccount: ERROR SID:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX not found using Identity API Exception:Citrix.Fma.Sdk.Identity.Interface.IdentityLookupFailureException: The lookup failed as the domain 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX' could not be located ---> Citrix.Fma.Sdk.Identity.Interface.IdentityNotFoundException: [customer id] Specified domain 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX' was not found in: [Name:domainname.com NetBiosName:domainname SID:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX]
The Broker expects the user SID from Azure AADS and not the one from On-prem Active Directory