Case Study – Web Browser Displays “401 – Unauthorized: Access is denied due to invalid credentials”

Problem Definition

A customer was attempting to configure ICA Proxy mode on Citrix Access Gateway Enterprise Edition with XenApp 5.0 and Web Interface. The customer reported that when configuring the same, the 401 – Unauthorized Access is denied due to invalid credentials error message is displayed on the Web browser after a successful authentication to the Citrix Access Gateway Enterprise Edition Login page, as shown in the following screenshot:

User-added image

Environment

The customer had installed the following hardware and software components on the network:

  • Windows Server 2008
  • Internet Information Server 7
  • NetScaler appliance
  • Web Interface 5.0
  • XenApp 5.0

Troubleshooting Methodology

To troubleshoot this issue, the Technical Support Engineers investigated the Windows event logs of the XenApp Server and observed an error message in the Citrix Web Interface event log, as shown in the following screenshot:

User-added image

This prompted the engineers to shift the focus of the investigation towards the XenApp Server. The engineers recorded network packet traces on the XenApp server during a login attempt. Each time, the engineers killed the Access Gateway Enterprise Edition session to ensure that a new session starts. The Web Interface makes the outbound https request to the Access Gateway Enterprise appliance to retrieve the SmartAccess settings, such as VServer and Session Policy Name.

When analyzing the packet traces, the engineers observed that when the XenApp Server communicates to the URL in the preceding screenshot, /CitrixAuthService/AuthService.asmx, the XenApp Server sends a FIN-ACK packet during the Secure Socket Layer (SSL) handshake negotiation, as shown in the following screenshot:

User-added image

When attempting to open the /Citrix/XenApp1/auth/agesso.aspx URL, the Web Interface sends the 401 response code because the XenApp server could not complete the SSL handshake.

After further investigating the event logs, the engineers noticed that there was an issue with the SSL certificates.

Related:

  • No Related Posts

Unable to deploy custom receiver from Store front. Getting ” An error occurred while saving changes on the “Deploy Citrix Receiver” property dialog. Please check the log in event viewer and try again.”

While trying to add customized “receiver.exe” to deploy receiver option in Storefront, you might get following error while saving it.

“An error occurred while saving changes on the “Deploy Citrix Receiver” property dialog. Please check the log in event viewer and try again”.

It works fine with default receiver.

This was the event:

Log Name: Citrix Delivery Services

Source: Citrix Delivery Services Admin

Event ID: 1

Description:

An error occurred running the command: ‘Update-DSWebReceiverHTML5Config’

Filepath ‘C:Program FilesCitrixReceiver StoreFrontReceiver ClientsWindowsFLExternalTest.EXE’ does not contains a filename.

At C:Program FilesCitrixReceiver StoreFrontManagementCmdletsWebReceiverModule.psm1:1658 char:41

+ $SourceTypeForInstallerForWindows = GetReceiverInstallerSourceType -Installe …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Filepath ‘C:Program FilesCitrixReceiver StoreFrontReceiver ClientsWindowsFLExternalTest.EXE’ does not contains a filename.

Citrix.DeliveryServices.PowerShell.Command.RunnerInterfaces.Exceptions.PowerShellExecutionException, Citrix.DeliveryServices.PowerShell.Command.RunnerInterfaces, Version=3.12.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856

An error occurred running the command: ‘Update-DSWebReceiverHTML5Config’

Filepath ‘C:Program FilesCitrixReceiver StoreFrontReceiver ClientsWindowsFLExternalTest.EXE’ does not contains a filename.

At C:Program FilesCitrixReceiver StoreFrontManagementCmdletsWebReceiverModule.psm1:1658 char:41

+ $SourceTypeForInstallerForWindows = GetReceiverInstallerSourceType -Installe …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

System.Management.Automation.ActionPreferenceStopException, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

The running command stopped because the preference variable “ErrorActionPreference” or common parameter is set to Stop: Filepath ‘C:Program FilesCitrixReceiver StoreFrontReceiver ClientsWindowsFLExternalTest.EXE’ does not contains a filename.

System.Management.Automation.Interpreter.InterpretedFrameInfo: System.Management.Automation.Interpreter.InterpretedFrameInfo[]

at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input, Hashtable errorResults, Boolean enumerate)

at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, CommandRedirection[][] commandRedirections, FunctionContext funcContext)

at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)

at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

Related:

  • No Related Posts

Unable to enumerate resources with error “An error occurred while attempting to connect to the server ‘Delivery Controller’ on port 443”

Under certain conditions, when you login to Receiver or Receiver for Web you might not see any of the published resources. Additionally, following events are recorded on the StoreFront server at the time of the issue.

Source: Citrix Store Service

Event ID: 0

Description: An error occurred while attempting to connect to the server MTXenApp1 on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://MTXenApp1/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Source: Citrix Store Service

Event ID: 4003

Description: All the Citrix XML Services configured for farm Controller failed to respond to this XML Service transaction.

Source: Citrix Store Service

Event ID: 4012

Description: None of the Citrix XML Services configured for farm Controller are in the list of active services, so none were contacted.

Related:

  • No Related Posts

“Unknown Client Error 1110” error when launching Desktop using Firefox

Update: This has been fixed in Citrix Receiver for Windows 4.9 LTSR CU1 and later.

Source code fix has been implemented in DesktopViewer.dll file.

Citrix is aware of this issue and will fix it in an upcoming version of Receiver.

A workaround is to save the ICA file to the disk every time prior to launching it, or to delete the ICA files from system TEMP folders before launching the app:

  • C:Users<username>AppDataLocalTemp
  • C:Users<username>AppDataLocalMicrosoftWindowsINetCache (Windows8 / 10)
  • C:Users<username>AppDataLocalMicrosoftWindowsTemporary Internet FilesLowContent.IE5 (Windows7)

Related:

  • No Related Posts

Citrix Print Manager Service crashes intermittently with the Exception code “0xc0000417”

Follow symptoms are observed:

1) Citrix Print Manager Service crash event is logged in the System event logs with Event ID 7031 and Source “Service Control Manager” with following description:

The “Citrix Print Manager Service” service terminated unexpectedly. It has done this (1..n) time(s). The following corrective action will be taken in 0 milliseconds: Restart the service

2) Application event logs report crash of CpSvc.exe with:

Faulting application name: CpSvc.exe

Faulting module name: MSVCR120.dll

Exception code: 0xc0000417

3) If you check the following registry, you will find Illegal characters or Null entries:

HKLMSOFTWAREPOliciesCitrix<User Session ID>userPrintingPolicies

User-added image

Deleting the above entries doesn’t fixes the issue.

Related:

  • No Related Posts

Secure Mail for Android in Spanish shows “M” for Wednesday instead of “X”

Software Solution Disclaimer

This package contains a software solution that has been replaced by a more recent version available for download from the Citrix support website (support.citrix.com). It is provided merely for your convenience. Citrix recommends applying the most up-to-date version of the software, which addresses the fix or enhancement being targeted. Later versions of the release may include multiple changes that address different areas including security vulnerabilities, code fixes, and enhancements. Installation of this software should only be performed on test or developmental environments. This software is not supported and is provided “AS IS.” You are solely responsible for your selection and use of the software. Any reported issues will require the most current revision of the software (http://www.citrix.com/English/SS/supportThird.asp?slID=5107&tlID=1861652). Please visit our security site for additional security notices and information (support.citrix.com/securitybulletins ).

CITRIX MAKES NO REPRESENTATIONS OR WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO THE PROVIDED SOFTWARE SOLUTION. THE SOFTWARE SOLUTIONS ARE DELIVERED ON AN “AS IS” BASIS WITH NO SUPPORT. YOU SHALL HAVE THE SOLE RESPONSIBILITY FOR ADEQUATE PROTECTION AND BACK-UP OF ANY DATA USED IN CONNECTION WITH THE SOFTWARE SOLUTION. IN NO EVENT SHALL CITRIX BE LIABLE FOR (i) SPECIAL, INDIRECT, DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR (ii) ANY OTHER CLAIM, DEMAND OR DAMAGES WHATSOEVER RESULTING FROM OR ARISING OUT OF OR IN CONNECTION WITH THE SOFTWARE SOLUTION, WHETHER AN ACTION IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, OR OTHERWISE.

Related:

  • No Related Posts

Error: “Cannot Complete Your Request” After Publishing New App or Customizing App’s Icon on StoreFront

If you experience the error after publishing a new application or customizing an application’s icon, check the event viewer on the StoreFront server and look for the following errors:

Event 1 = There was an error during a resources List request. System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

The remote server returned an error: (500) Internal Server Error.

Event 7 = Unhandled exception thrown for route “DazzleResources/List” System.ArgumentException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.

The workaround is to go to Studio > Delivery Groups > Applications > view the properties of the application recently added > Delivery > Application Icon > Change and choose from any of the Citrix default icons.

Related:

  • No Related Posts

Reboot Schedule Doesn’t work for two Delivery Groups in XenApp

Use Case: “We have a schedule to restart the machines in the delivery group every Sunday. The problem is that a few machines don’t turn back on, others don’t even receive the command to turn off.”

Checking the Event Viewer logs in the Delivery Controller we see these errors:

Event ID 3105

Log name: Application

Source: Citrix Broker Service

Text: The Citrix Broker Service has terminated the processing of the GroupReboot for Desktop ‘[Delivery Group name]’ The reboot cycle UID = 999 ended with the final state ‘Abandoned’ Summary: ‘0’ machines successfully rebooted, ‘2’ machines failed to reboot. ‘1’ machines were not processed

Related:

  • No Related Posts

Error: “Your apps are not available at this time. Please try again” When Receiver Connects Through NetScaler Gateway

Solution 1

To resolve this issue change the beacon entries in StoreFront. Add the NetScaler Gateway addresses to external beacon.

Reference: https://docs.citrix.com/en-us/storefront/3-11/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html

External Beacon

If you want to use ICA proxy from internal and external connections (all clients should only go through NetScaler), then add a fake address in the internal beacon of StoreFront.

Note: The internal beacon should only be resolvable inside the network, if the beacon is resolvable externally then Citrix Receiver will not be able to add the account.

Solution 2

The issue relates to compatibility of Receiver 4.x and Web Interface XenApp services site. Receiver 4.x supports services sites but when connecting thru NS, users may experience issues as described in CTX136828 – Error When Using Windows Receiver PNAgent through Access Gateway Enterprise Edition Appliance.

Also note Citrix Documentation – NetScaler to Web Interface XenApp Services site is not supported.

Related:

  • No Related Posts

Access to a Citrix Knowledge Center Article is Denied

Citrix has introduced Customer Success Services that allow customers to see privileged Knowledge Center content. Contact your local Citrix Solution Advisor or call 1-800-424-8749 and listen for the option to contact the Sales department; they can help determine which program is right for you.You will continue to have access to certain content as per the matrix below.

Software Updates

Product Type Readme Visible to Download Available to
XenApp 7.X or Higher

XenDesktop 7.X or Higher

Provisioning Services 7.x or Higher

XenMobile 10.X or Higher
Public or Limited or Superseded All
  • Customer Success Services customers
  • Subscription Advantage customers
  • Partners
XenApp 6.X or Earlier

XenDesktop 5.6 or Earlier

Provisioning Services 6.x or Earlier

XenMobile 9.X or Earlier

Application Streaming (all versions)

EdgeSight (all versions)

Single Sign-On (all versions)

Secure Gateway (all versions)

Smart Auditor (all versions)

User Profile Management (all versions)

Web Interface (all versions)

CloudPortal Services (all versions)

CloudPortal Business Manager (all versions)

CloudPlatform (all versions)

VDI-in-a-Box (all versions)
Public All All logged in users
Limited or Superseded All
  • Partners
  • Customers with a TRM agreement

XenServer 7.1 LTSR Cumulative Update 1

XenServer CR release earlier to the latest CR release

XenServer 7.0 hotfixes released after 1 December 2017 (XS70E050 and later)

Public All
  • Customer Success Services customers
  • Subscription Advantage customers
  • Partners
XenServer (Other versions) Public All All logged in users

Citrix Supportability Pack

Readme Visible to Download Available to
All
  • Customer Success Services customers
  • Partners


Premium Content

  • Available to Customer Success Services Customers and Partner designated technical contacts on customer’s support entitlement.


Other Content Type

Type Readme Visible to Download Available to
Technotes All All logged in users
Tools All All logged in users
Learning All All logged in users
Security Bulletins All All


Chat

  • Available only to Customer Success Services customers.


For Application Networking Group products (such as NetScaler, CloudBridge, NetScaler (Access) Gateway, Communication Gateway, and Application Gateway), consider subscribing to the Citrix Appliance Maintenance program.

Related:

  • No Related Posts