Add a registry key “EnableCssTestMode” with a value of 1:
New-ItemProperty -Path HKLM:SOFTWARECitrixDesktopServerLHC -Name EnableCssTestMode -PropertyType DWORD -Value 1
Set the SDK auth to “OnPrem” so that the SDK proxy does not try to redirect the cmdlet calls:
At this point you will be able to use the Broker snap-in to make Get commands to the Secondary Broker provided you point it to the correct port.
For example on a controller you would specify the Secondary Broker as below:
Get-BrokerMachine -AdminAddress localhost:89 | Select MachineName, ContollerDNSName, DesktopGroupName, RegistrationState
Only GET calls should be used when quering against the secondary broker.
PowerShell queries against the secondary broker should only be run when in outage mode.
If using Receiver for Windows 4.7 / 4.8 / 4.9 / 4.9 CU1 / 4.9 CU2 / 4.9 CU3:
There is a legacy issue in these Receivers for Windows where OutbufLength, when passed in an ICA file, is ignored.
Even if the registry value is modified to “*”, meaning accept everything from the ICA file, the ICA file setting is still ignored.
For this to work, in addition to creating the “UDPStackParameters” key as mentioned above, it is also necessary to modify the OutbufLength value in the registry and set it to the desired value determined above (1480 in the example):
1. Obtain the root certificate in PEM format.
Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.
2. As the user who installed the package (usually root):
- Copy the file to $ICAROOT/keystore/cacerts.
- Run the following command: $ICAROOT/util/ctx_rehash
1. Logon to the machine with a local administrator account.
2. Obtain the tool netdom.exe from Windows Server 2008 or Windows Server 2008 R2 CD to enable the Active Directory Domain Services role.
3. Note: For Windows Vista and Windows 7, utilize the Remote Server Administration Tools (RSAT) to enable the Active Directory Domain Services role.
4. Run netdom.exe to change the password.
5. Open command prompt with administrator rights.
6. Execute the command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
7. Restart the machine
Provisioning Services Target Device
Make sure that you have configured the PVS environment properly.
Reference the following article: https://support.citrix.com/article/CTX132289
Once that is confirmed. Shut the target device down and reset the machine account password for the affected target device in the PVS console.
Versions of Citrix Receiver for Windows 4.10 and higher are now “DPI scaling aware”, and provide improved support for handling higher DPI resolution in a session. To learn more about high DPI scaling, please visit the following links –
This article provides information on Citrix Client SSL Error Codes.
To assist with troubleshooting, Citrix Technical Support has compiled a list of generic SSL error codes that the Citrix client might present the user or write in the Event log when an error occurs.
Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.
Note: This list contains general information and might not fully explain the reason for your error. This information is provided “as is” and is not meant to be an official rendering of the SSL error code definitions. Refer to the Disclaimer for more information.
|* 0 Everything is fine *|
|* 1 Redo handshake before other things *|
|* 2 Handshake loop is complete *|
|* 3 An error occurred that cannot be further defined *|
|* 4 An error occurred while reading *|
|* 5 An error occurred in the provider. No further information is available *|
|* 6 A required library is missing *|
|* 7 A required library has no entry point? *|
|* 8 Initialization (of whatever was being initialized, library) failed *|
|* 9 There is no memory left for the application to use *|
|* 10 Can’t locate your certificate. *|
|* 11 Your certificate isn’t in a format readable by the provider *|
|* 12 You do not have permission to access the specified certificate *|
|* 13 The SSL package isn’t there (SChannel specific) *|
|* 14 Can’t work to the cipher strength required *|
|* 15 The context has expired or isn’t properly initialized *|
|* 16 The buffer read isn’t a valid SSL packet *|
|* 17 The buffer read isn’t a valid socks 5 packet *|
|* 18 Your SSL packet has been modified illegally *|
|* 19 Your SSL packet is out of sequence *|
|* 20 The data received is not a complete packet *|
|* 21 The server response to socks hello is bad *|
|* 22 The server response to socks connect request is bad *|
|* 23 We do not support the given address type *|
|* 24 Send the given buffer, and terminate the communication (SChannel specific) *|
|* 25 Do socks 5 server side redirection before completing handshake (SChannel specific) *|
|* 26 Unable to open the specified keystore *|
|* 27 Unable to find the specified identity cert *|
|* 28 The socket given to a function is not of the right type (SChannel specific) *|
|* 29 The socks 5 handshake broke down in an unspecified manner *|
|* 30 The buffer supplied is not big enough for all the data *|
|* 31 The SDK context supplied is not valid for the function called *|
|* 32 The clients socks 5 hello is bad *|
|* 33 The clients connect request is bad *|
|* 34 The socks 5 command requested is not supported *|
|* 35 The socks 5 server refuses to redirect to the required destination *|
|* 36 The destination network requested is inaccessible *|
|* 37 The destination host requested is unreachable *|
|* 38 Connection to the destination host requested is refused *|
|* 39 The TTL on the packet sent the destination host requested expired *|
|* 40 The hostname could not be resolved *|
|* 41 A socket could not be created *|
|* 42 Connection to the host is refused *|
|* 43 A close notify alert was received *|
|* 44 An unexpected message alert was received *|
|* 45 A bad mac alert was received *|
|* 46 A decompression failure alert was received *|
|* 47 A handshake failure alert was received *|
|* 48 A no certificate alert was received *|
|* 49 A bad certificate alert was received *|
|* 50 An unsupported certificate alert was received *|
|* 51 A certificate revoked alert was received *|
|* 52 A certificate expired alert was received *|
|* 53 A certificate unknown (untrusted) alert was received *|
|* 54 An illegal parameter alert was received *|
|* 55 An unknown alert was received (probably TLS alert) *|
|* 56 Unable to set the CA certs verify path (OpenSSL specific) *|
|* 57 Unable to set identity certificate *|
|* 58 Unable to set private key *|
|* 59 The common name on the ID certificate is not what was expected *|
|* 60 (OpenSSL specific) a zero depth self signed cert was received *|
|* 61 (OpenSSL specific) a root cert to match the identity received could not be found locally *|
|* 62 (OpenSSL specific) a root cert to match the identity received could not be found at all *|
|* 63 (OpenSSL specific) a self signed cert was in the chain received *|
|* 64 (OpenSSL specific) unable to verify the signature on the leaf cert *|
|* 65 (OpenSSL specific) unable to decode the issuers public key *|
|* 66 (OpenSSL specific) unable to verify the signature on a cert *|
|* 67 (OpenSSL specific) the before field in the cert is corrupt *|
|* 68 (OpenSSL specific) the certificate is not yet valid *|
|* 69 (OpenSSL specific) the expiry field in the cert is corrupt *|
|* 70 (OpenSSL specific) the certificate has expired *|
|* 71 A method called is unimplemented *|
|* 72 The provider could not load any of the root certs in the keystore *|
|* 73 The provider could not load some of the root certs in the keystore *|
|* 74 Client authentication failed *|
|* 75 The connection timed-out *|
|* 76 A server certificate was revoked *|
|* 77 No CRL could not be retrieved for one of the certificates *|
|* 78 Revocation support is not available *|
- CTX120608 – SSL Error 76: “The security certificate was revoked” When Launching an Application Using NetScaler Gateway
- CTX205443 – Receiver for Mac 12.1 displays Error “The remote SSL peer sent a bad MAC alert ” and sessions are disconnected
CITRIX MAKES NO REPRESENTATIONS OR WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO THE INFORMATION IN THIS ARTICLE. THIS INFORMATION IS DELIVERED ON AN “AS IS” BASIS. YOU SHALL HAVE THE SOLE RESPONSIBILITY FOR ADEQUATE PROTECTION AND BACK-UP OF ANY DATA USED IN CONNECTION WITH THIS INFORMATION. IN NO EVENT SHALL CITRIX BE LIABLE FOR (i) SPECIAL, INDIRECT, DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR (ii) ANY OTHER CLAIM, DEMAND OR DAMAGES WHATSOEVER RESULTING FROM OR ARISING OUT OF OR IN CONNECTION WITH THIS INFORMATION, WHETHER AN ACTION IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, OR OTHERWISE.
These software applications are provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.