Netscaler (Access) Gateway – /cgi/login – HTTP 500 Internal Server Error – HTTP 403 forbidden


Problems with Netscaler (Access) Gateway?

You can login successful, but after logging in you get an HTTP error? /cgi/login page would display a HTTP 500 Internal Server Error 500 Pressing F5 for a refresh would result in an HTTP 403 forbidden: The website declined to show this page

  • Open the ‘Global Netscaler Gateway Settings’ page
  • navigate to ‘Network Configuration’
  • Under ‘Name Server’ add attleast one DNS server (two is a best practice)

Note: in my experience, adding a DNS Virtual Servers caused the error.
Only utilizing DNS Virtual Servers in this tab didn’t seem to work. It should have worked
because their up and runnining, tested. But it would not work.

Resolution: Just insert two DNS Server under the ‘Name Server’ tab

Other causes:

navigate to ‘Published Applications’
Double check the Web Interface Address URL for example: http(s)://storefront-or-webinterface-url.fqdn/ReceiverForWebSite
Check the IPv type


These HTTP errors are quite generic and can have multiple causes.
Hope this wil solve you HTTP 500 or 403.


Goodluck bug hunting,







Citrix XenMobile MDM – SAML authentication limitations


For everyone trying to integrate Citrix XenMobile MDM with (ADFS)/SAML

Some limitations:

– When using SAML for authentication there is no ‘Two Factor’  auth. for enrollment possible anymore

– When using SAML – SAML is only used for device enrollment.. one time. (their is no re-authentication in a specific period)

  • (continuing authentication is based on certificates and SCEP)
  • updated to the AD based user or group account will not propagate. For that to happen, the user has to authenticate again to SAML/ADFS
  • This will not be the case, since the device is already registered. (this is a one-time process)

– It is not possible to use a ‘SAML’ generated user account to log in to the Admin Console
So: Administrators should be basic accounts in the tooling (local) database itself

– It is not possible to use the Self Help Portal
An end-user cannot login to the Self Help Portal – when his/her account is generated by means of SAML

– The Claim rules for MDM are a B*tch, there not well documented.

Using LDAP is the recommended approach if one of above is mandatory

TIP: You can use a ‘Send Group Membership as Claim Rule’ to populate Groups in the MDM database