Case Study – Web Browser Displays “401 – Unauthorized: Access is denied due to invalid credentials”

Problem Definition

A customer was attempting to configure ICA Proxy mode on Citrix Access Gateway Enterprise Edition with XenApp 5.0 and Web Interface. The customer reported that, after a successful authentication on the Citrix Access Gateway Enterprise Edition login page, the Web browser displayed the error message "401 – Unauthorized: Access is denied due to invalid credentials", as shown in the following screenshot:


Environment

The customer had installed the following hardware and software components on the network:

  • Windows Server 2008
  • Internet Information Server 7
  • NetScaler appliance
  • Web Interface 5.0
  • XenApp 5.0

Troubleshooting Methodology

To troubleshoot this issue, the Technical Support Engineers investigated the Windows event logs of the XenApp Server and observed an error message in the Citrix Web Interface event log, as shown in the following screenshot:


This prompted the engineers to shift the focus of the investigation to the XenApp Server. They recorded network packet traces on the XenApp server during a login attempt, killing the Access Gateway Enterprise Edition session before each attempt to ensure that a new session started. The Web Interface makes an outbound HTTPS request to the Access Gateway Enterprise appliance to retrieve the SmartAccess settings, such as the VServer and Session Policy Name.

When analyzing the packet traces, the engineers observed that when the XenApp Server communicates with the URL in the preceding screenshot, /CitrixAuthService/AuthService.asmx, the XenApp Server sends a FIN-ACK packet during the Secure Sockets Layer (SSL) handshake negotiation, as shown in the following screenshot:


When attempting to open the /Citrix/XenApp1/auth/agesso.aspx URL, the Web Interface sends the 401 response code because the XenApp server could not complete the SSL handshake.

After further investigating the event logs, the engineers noticed that there was an issue with the SSL certificates.


Proxy Chaining with Cisco IronPort & DLP


Hi,

One of my clients wants to do proxy chaining with a Cisco proxy.

He will create one reflect IP on the Cisco and then divert all HTTPS traffic to the Symantec Proxy; the Symantec Proxy will decrypt the SSL traffic and send it to DLP Web Prevent by HTTPS over ICAP.

So I need to know what changes need to be done apart from the below:

1) SSL interception on the proxy

2) SSL certificate on the proxy

3) Integration with DLP

Do we need to import the SSL certificate on the end user?

Since the Cisco proxy will send the traffic from the reflect IP, will the proxy be able to see the end-user IP or only the reflect IP?


Getting "ERROR: Operation not permitted. To do this Enable default ssl profile by setting 'set ssl parameter -defaultProfile E'"

– To enable custom ciphers, the enhanced SSL profile must be configured by enabling the Enhanced Default SSL profile with the command 'set ssl parameter -defaultProfile E'.

– Before enabling the Enhanced Default SSL profile with this command, save the current configuration and take a backup of ns.conf, as described in the Citrix document https://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-profiles1.html.

NOTE: When 'set ssl parameter -defaultProfile E' is executed, the enhanced SSL profile settings override the existing SSL profile settings bound on the Vserver as well as on the Vservice. Therefore, take a backup of the existing configuration before executing the command, so that the customer can check the saved ns.conf and manually re-apply the required SSL profile settings to specific Vservers.


ProxySG | If access first page https website cannot access internet


Dear All

My customer connects through the proxy in transparent mode without SSL interception, with IWA BCAAA authentication.

I have an issue: if the client's first page on the internet is HTTPS, it cannot access the internet because it cannot authenticate, but if the client's first page is HTTP, internet access works normally.

I know this issue happens because SSL is not intercepted.

If SSL cannot be intercepted, does anyone have a workaround for this issue? Please recommend.

Thank you so much for your help.

Best Regards,

Chakuttha R.


SSL configuration on VDA

Install SSL server certificates on Controllers

For HTTPS, the XML Service supports SSL features through the use of server certificates, not client certificates. To obtain, install, and register a certificate on a Controller, and to configure a port with the SSL certificate:

Change HTTP or HTTPS ports

By default, the XML Service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks. Deploying a standalone StoreFront server is preferable to changing the defaults.

To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio:

BrokerService.exe -WIPORT <http-port> -WISSLPORT <https-port>

where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.

Note: After changing a port, Studio might display a message about license compatibility and upgrading. To resolve the issue, re-register service instances using the following PowerShell cmdlet sequence:

Get-ConfigRegisteredServiceInstance -ServiceType Broker -Binding XML_HTTPS | Unregister-ConfigRegisteredServiceInstance

Get-BrokerServiceInstance | where Binding -eq "XML_HTTPS" | Register-ConfigServiceInstance


Enforce HTTPS traffic only

If you want the XML Service to ignore HTTP traffic, set the following registry value in HKLM\Software\Citrix\DesktopServer on the Controller and then restart the Broker Service.

To ignore HTTP traffic, set XmlServicesEnableNonSsl to 0.

There is a corresponding registry value to ignore HTTPS traffic: XmlServicesEnableSsl. Ensure that this is not set to 0.

About SSL settings on VDAs

When you configure SSL on VDAs, it changes permissions on the installed SSL certificate, giving the ICA Service read access to the certificate’s private key, and informing the ICA Service of the following:

A Delivery Group cannot have a mixture of some VDAs with SSL configured and some VDAs without SSL configured. When you configure SSL for a Delivery Group, you should have already configured SSL for all of the VDAs in that Delivery Group.

Configure SSL on a VDA using the PowerShell script

The Enable-VdaSSL.ps1 script enables or disables the SSL listener on a VDA. This script is available in the Support > Tools > SslSupport folder on the installation media.

When you enable SSL, the script disables all existing Windows Firewall rules for the specified TCP port before adding a new rule that allows the ICA Service to accept incoming connections only on the SSL TCP port. It also disables the Windows Firewall rules for:

  • Citrix ICA (default: 1494)
  • Citrix CGP (default: 2598)
  • Citrix WebSocket (default: 8008)

The result is that users can connect only over SSL; they cannot use raw ICA, CGP, or WebSocket to connect.

The script contains the following syntax descriptions, plus additional examples; you can use a tool such as Notepad++ to review this information.

You must specify either the -Enable or -Disable parameter; all other parameters are optional.

Syntax

Enable-VdaSSL {-Enable | -Disable} [-SSLPort <port>] [-SSLMinVersion "<min-ssl-version>"] [-SSLCipherSuite "<suite>"] [-CertificateThumbPrint "<thumbprint>"]

Parameters

  • -Enable: Installs and enables the SSL listener on the VDA. Either this parameter or the -Disable parameter is required.
  • -Disable: Disables the SSL listener on the VDA. Either this parameter or the -Enable parameter is required. If you specify this parameter, no other parameters are valid.
  • -SSLPort <port>: SSL port. Default: 443
  • -SSLMinVersion "<min-ssl-version>": Minimum SSL protocol version, enclosed in quotation marks. Valid values: "SSL_3.0", "TLS_1.0", "TLS_1.1", and "TLS_1.2". Default: "TLS_1.0"
  • -SSLCipherSuite "<suite>": SSL cipher suite, enclosed in quotation marks. Valid values: "GOV", "COM", and "ALL". Default: "ALL"
  • -CertificateThumbPrint "<thumbprint>": Thumbprint of the SSL certificate in the certificate store, enclosed in quotation marks. This parameter is generally used when the certificate store has multiple certificates; the script uses the thumbprint to select the certificate you want to use. Default: the first available certificate found in the Local Computer > Personal > Certificates area of the certificate store.

Examples

The following script installs and enables the SSL listener, using default values for all optional parameters.

Enable-VdaSSL -Enable

The following script installs and enables the SSL listener, and specifies SSL port 400, the GOV cipher suite, and a minimum TLS 1.2 SSL protocol value.

Enable-VdaSSL -Enable -SSLPort 400 -SSLMinVersion "TLS_1.2" -SSLCipherSuite "GOV"

The following command installs and enables the SSL listener on a non-persistent machine (MCS catalog), selecting the server VDA's certificate by the thumbprint of the certificate that matches the machine name, with a minimum TLS 1.2 protocol value.

Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint (((Get-ChildItem -Path Cert:\LocalMachine\My -DnsName ([System.Net.Dns]::GetHostByName($env:ComputerName)).HostName -SSLServerAuthentication) | Where-Object HasPrivateKey -eq $true).Thumbprint) -Confirm:$false -SSLMinVersion TLS_1.2

The following script disables the SSL listener on the VDA. Alternatively, set the SSLEnabled registry value to 0 (as in the manual procedure below, 1 enables SSL and 0 disables it).

Enable-VdaSSL -Disable

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\Wds\icawd" -Name "SSLEnabled" -Value 0 -Type DWORD

Manually configure SSL on a VDA

When configuring SSL on a VDA manually, you grant generic read access to the SSL certificate's private key for the appropriate service on each VDA: NT SERVICE\PorticaService for a VDA for Windows Desktop OS, or NT SERVICE\TermService for a VDA for Windows Server OS. On the machine where the VDA is installed:

  1. Launch the Microsoft Management Console (MMC): Start > Run > mmc.exe.
  2. Add the Certificates snap-in to the MMC:
    1. Select File > Add/Remove Snap-in.
    2. Select Certificates and then click Add.
    3. When prompted with "This snap-in will always manage certificates for:" choose "Computer account" and then click Next.
    4. When prompted with “Select the computer you want this snap-in to manage” choose “Local computer” and then click Finish.
  3. Under Certificates (Local Computer) > Personal > Certificates, right-click the certificate and then select All Tasks > Manage Private Keys.
  4. The Access Control List Editor displays “Permissions for (FriendlyName) private keys” where (FriendlyName) is the name of your SSL certificate. Add one of the following services and give it Read access:
    • For a VDA for Windows Desktop OS, “PORTICASERVICE”
    • For a VDA for Windows Server OS, “TERMSERVICE”
  5. Double-click the installed SSL certificate. In the certificate dialog, select the Details tab and then scroll to the bottom. Click Thumbprint.
  6. Run regedit and go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd.
    1. Edit the SSL Thumbprint key and copy the value of the SSL certificate’s thumbprint into this binary value. You can safely ignore unknown items in the Edit Binary Value dialog box (such as ‘0000’ and special characters).
    2. Edit the SSLEnabled key and change the DWORD value to 1. (To disable SSL later, change the DWORD value to 0.)
    3. If you want to change the default settings (optional), use the following in the same registry path:
      • SSLPort DWORD – SSL port number. Default: 443.
      • SSLMinVersion DWORD – 1 = SSL 3.0, 2 = TLS 1.0, 3 = TLS 1.1, 4 = TLS 1.2. Default: 2 (TLS 1.0).
      • SSLCipherSuite DWORD – 1 = GOV, 2 = COM, 3 = ALL. Default: 3 (ALL).
  7. Ensure the SSL TCP port is open in the Windows Firewall if it is not the default 443. (When you create the inbound rule in Windows Firewall, make sure its properties have the “Allow the connection” and “Enabled” entries selected.)
  8. Ensure that no other applications or services (such as IIS) are using the SSL TCP port.
  9. For VDAs for Windows Server OS, restart the machine for the changes to take effect. (You do not need to restart machines containing VDAs for Windows Desktop OS.)
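As an added check, not part of the Citrix documentation: the following PowerShell reads the icawd values set in the manual procedure above, decodes the DWORD code tables, and confirms that the referenced certificate is present in the machine store with a private key and has not expired. It assumes the binary thumbprint value is named SSLThumbprint (the page calls it the SSL Thumbprint key) and that the remaining value names are exactly as listed in step 6.

```powershell
# Added audit example (not from the Citrix documentation). Reads the icawd values
# documented in the manual procedure and cross-checks them against the local
# certificate store. Assumes the binary thumbprint value is named SSLThumbprint.
$IcaWdKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd'

function Get-VdaSslStatus {
    param([string]$Path = $IcaWdKey)
    $reg = Get-ItemProperty -Path $Path -ErrorAction Stop
    # DWORD code tables from the manual procedure, with the documented defaults.
    $minVersions  = @{ 1 = 'SSL 3.0'; 2 = 'TLS 1.0'; 3 = 'TLS 1.1'; 4 = 'TLS 1.2' }
    $cipherSuites = @{ 1 = 'GOV'; 2 = 'COM'; 3 = 'ALL' }
    $minVer = if ($null -ne $reg.SSLMinVersion)  { [int]$reg.SSLMinVersion }  else { 2 }
    $suite  = if ($null -ne $reg.SSLCipherSuite) { [int]$reg.SSLCipherSuite } else { 3 }
    $port   = if ($null -ne $reg.SSLPort)        { [int]$reg.SSLPort }        else { 443 }
    # The thumbprint is stored as raw bytes; rebuild the hex string that the
    # certificate store exposes as the Thumbprint property.
    $thumb = if ($reg.SSLThumbprint) {
        ($reg.SSLThumbprint | ForEach-Object { $_.ToString('X2') }) -join ''
    } else { '' }
    $cert = if ($thumb) {
        Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    } else { $null }
    $findings = @()
    if ([int]$reg.SSLEnabled -ne 1) { $findings += 'SSLEnabled is not 1: the SSL listener is off' }
    if (-not $thumb) { $findings += 'SSLThumbprint is empty' }
    elseif (-not $cert) { $findings += "No certificate with thumbprint $thumb in LocalMachine\My" }
    elseif (-not $cert.HasPrivateKey) { $findings += 'Certificate has no private key for the ICA Service to read' }
    elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)" }
    if ($minVer -lt 4) { $findings += "Minimum protocol is $($minVersions[$minVer]); 4 (TLS 1.2) is stronger" }
    # Step 8 of the procedure: report which process already listens on the SSL port (for example IIS).
    $owner = $null
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $conn = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($conn) { $owner = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName }
    }
    [pscustomobject]@{
        SslEnabled  = [int]$reg.SSLEnabled
        Port        = $port
        MinVersion  = $minVersions[$minVer]
        CipherSuite = $cipherSuites[$suite]
        Thumbprint  = $thumb
        CertSubject = if ($cert) { $cert.Subject } else { $null }
        PortOwner   = $owner
        Findings    = $findings
    }
}

Get-VdaSslStatus | Format-List
```

Run it in an elevated PowerShell session on the VDA; an empty Findings list means the registry, certificate store and port state agree with the procedure above.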

Configure SSL on Delivery Groups

Complete this procedure for each Delivery Group that contains VDAs you have configured for SSL connections.

  1. From Studio, open the PowerShell console.
  2. Run asnp Citrix.* to load the Citrix product cmdlets.
  3. Run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true.

    where <delivery-group-name> is the name of the Delivery Group containing VDAs.

  4. Run Set-BrokerSite -DnsResolutionEnabled $true.

Troubleshooting

If a connection error occurs, check the VDA’s system event log.

When using Receiver for Windows, if you receive a connection error (such as 1030) that indicates an SSL error, disable Desktop Viewer and then try connecting again; although the connection will still fail, an explanation of the underlying SSL issue might be provided (for example, you specified an incorrect template when requesting a certificate from the certificate authority).


Re: Re: Change Password for Access Key by Object User

If you have configured the AD authentication provider correctly in ECS, any AD user within the search base should be able to authenticate into the management API and obtain a X-SDS-AUTH-TOKEN token.

curl -L --location-trusted -k https://10.247.100.247:4443/login -u "my_ad_user@domain.com:ChangeMe" -v

The curl command above will work without my_ad_user@domain.com existing as a local object user in ECS. This will at least confirm if you have AD configured correctly in ECS. If you can’t get the X-SDS-AUTH-TOKEN, you likely have something configured incorrectly in the AD Auth Provider within ECS.

Once you have a token, you can attempt to generate a secret key. However, you first need to configure the domain portion of a namespace so that when my_ad_user@domain.com generates a secret key, ECS can map them to your desired namespace and insert them as a local object user.

Have a look here at example of what the curl commands would look like using an AD user and obtaining a secret key: https://130820690509421904.public.ecstestdrive.com/share/BagOfTricks-CurlWithLDAPUsers.docx


SEPM certificate replacement


Hello,

Long story short, despite my previous post and thoughts about traffic over HTTP/HTTPS: is it possible to replace the SEPM certificate with only one port (443 in this case) open from the client servers to SEPM? Theoretically it should be possible, as Apache accepts custom ports, but has anyone here tried that?

Best regards
