Error: “pluginlist.xml file is tampered, or NetScaler version is older” on NetScaler Gateway Configured with EPA

Software Solution Disclaimer

This package contains a software solution that has been replaced by a more recent version available for download from the Citrix support website (support.citrix.com). It is provided merely for your convenience. Citrix recommends applying the most up-to-date version of the software, which addresses the fix or enhancement being targeted. Later versions of the release may include multiple changes that address different areas including security vulnerabilities, code fixes, and enhancements. Installation of this software should only be performed on test or developmental environments. This software is not supported and is provided “AS IS.” You are solely responsible for your selection and use of the software. Any reported issues will require the most current revision of the software (http://www.citrix.com/English/SS/supportThird.asp?slID=5107&tlID=1861652). Please visit our security site for additional security notices and information (support.citrix.com/securitybulletins ).

CITRIX MAKES NO REPRESENTATIONS OR WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO THE PROVIDED SOFTWARE SOLUTION. THE SOFTWARE SOLUTIONS ARE DELIVERED ON AN “AS IS” BASIS WITH NO SUPPORT. YOU SHALL HAVE THE SOLE RESPONSIBILITY FOR ADEQUATE PROTECTION AND BACK-UP OF ANY DATA USED IN CONNECTION WITH THE SOFTWARE SOLUTION. IN NO EVENT SHALL CITRIX BE LIABLE FOR (i) SPECIAL, INDIRECT, DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR (ii) ANY OTHER CLAIM, DEMAND OR DAMAGES WHATSOEVER RESULTING FROM OR ARISING OUT OF OR IN CONNECTION WITH THE SOFTWARE SOLUTION, WHETHER AN ACTION IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, OR OTHERWISE.


Error: “Your logon has expired. Please log on again to continue.” When Users Logon to StoreFront 1.2

After IT administrators set the ‘requireTokenConsistency’ parameter to ‘true’ in the StoreFront ‘store’ configuration file (C:\inetpub\wwwroot\Citrix\<StoreName>\Web.config), users might not be able to access their resources.


This feature is used to allow SmartAccess conditions to be passed from the StoreFront server to the XML servers for either XenApp or XenDesktop farms. Users who log on through Access Gateway to the Receiver for Web site might receive the following error message:

“Your logon has expired. Please log on again to continue.”


The error might also be seen when the users try to subscribe to an application from the application catalog (under All Apps).

Checking the Citrix StoreFront server Event Viewer > Citrix Delivery Services, the following error message can be observed:

Log Name: Citrix Delivery Services

Source: WebApplication

Date: 9/13/2012 12:49:58 PM

Event ID: 23

Task Category: (2001)

Level: Warning

Keywords: Classic

User: N/A

Computer: example.amc.ctx

Description: Gateway data from the request and the authentication token are not matching. Request was made to store <StoreName>

Request data:

Remote Address:

X-Citrix-Via:

X-Citrix-Gateway:

X-Forwarded-For:

Token data:

Remote Address:

X-Citrix-Via: ag5.user.ctx

X-Citrix-Gateway:

X-Forwarded-For: 10.10.10.10

Gateway configuration: System.String[]

In addition, the issue might be seen on Access Gateway 5.0.4 (Access Controller mode), 9.3 or 10.x connecting to Citrix StoreFront 1.2.

Note: The issue has not been witnessed when Citrix Receiver is used to connect to a ‘store’.
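
The Event ID 23 description above lists the gateway data seen in the request next to the gateway data stored in the authentication token. The following Python sketch is an added example, not Citrix code: it parses that description and reports which fields differ. The function names are assumptions, and the sample text is the event from this article laid out one field per line.

```python
import re

# Field names as they appear in the Event ID 23 description on this page.
FIELDS = ("Remote Address", "X-Citrix-Via", "X-Citrix-Gateway", "X-Forwarded-For")

# The two blocks sit between fixed labels, so the labels are used as
# delimiters. This works whether the text has one field per line (Event
# Viewer) or is run together on one line (copied out of a ticket or web page).
_SECTIONS = re.compile(
    r"Request data:(?P<request>.*?)Token data:(?P<token>.*?)Gateway configuration:",
    re.DOTALL,
)
_FIELD = re.compile("(" + "|".join(map(re.escape, FIELDS)) + "):")

# Sample input: the event shown in this article, one field per line.
SAMPLE_EVENT = """\
Description: Gateway data from the request and the authentication token are not matching. Request was made to store <StoreName>
Request data:
Remote Address:
X-Citrix-Via:
X-Citrix-Gateway:
X-Forwarded-For:
Token data:
Remote Address:
X-Citrix-Via: ag5.user.ctx
X-Citrix-Gateway:
X-Forwarded-For: 10.10.10.10
Gateway configuration: System.String[]
"""


def _parse_block(text):
    """Return {field: value} for one block; absent or empty fields map to ''."""
    values = dict.fromkeys(FIELDS, "")
    parts = _FIELD.split(text)  # ['', name, value, name, value, ...]
    for name, value in zip(parts[1::2], parts[2::2]):
        values[name] = value.strip()
    return values


def parse_gateway_event(description):
    """Split an Event ID 23 description into its request and token data."""
    match = _SECTIONS.search(description)
    if match is None:
        raise ValueError("not a gateway-data mismatch event")
    return {
        "request": _parse_block(match.group("request")),
        "token": _parse_block(match.group("token")),
    }


def mismatched_fields(parsed):
    """List (field, request_value, token_value) for every field that differs."""
    return [
        (name, parsed["request"][name], parsed["token"][name])
        for name in FIELDS
        if parsed["request"][name] != parsed["token"][name]
    ]


if __name__ == "__main__":
    for name, req, tok in mismatched_fields(parse_gateway_event(SAMPLE_EVENT)):
        print(f"{name}: request={req or '<empty>'} token={tok or '<empty>'}")
```

In the sample, the token carries X-Citrix-Via and X-Forwarded-For values while the request carries none, which is the mismatch the warning reports.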


Error: “This version of Citrix Receiver does not support selected encryption” When Launching XenApp Application

This issue has been resolved. The fix was first introduced with a special release of Receiver 3.4 CU2. This update had also been included with the 4.x version release of Receiver for Windows on June 26, 2013.

There is also a fix for this issue in HDX RealTime Optimization Pack 1.4.200. This update has also been included with 1.5 and all later versions of HDX RealTime Optimization Pack.

Solution 1

Note: If you are still experiencing this error, you may have a corrupt Receiver installation. Try the following steps, if a fresh installation is required:

  1. Download and Run – CTX137494 – Receiver Clean-Up Utility
  2. Check Control Panel > Programs and Features (or Add/Remove Programs) to confirm that the Citrix Receiver software is no longer present.
  3. Restart your computer.
  4. Download and install the latest Citrix Receiver.

Note: If the issue persists, restart your computer and try again.

Solution 2

If solution 1 did not resolve the issue and you are using Receiver 4.2 or newer, then try increasing the timeout by adding the following key:

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

On 32-bit Windows:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client

Name: VdLoadUnLoadTimeOut

Type: REG_DWORD

Data: Any value in seconds (Decimal)

On 64-bit Windows:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Citrix\ICA Client

Name: VdLoadUnLoadTimeOut

Type: REG_DWORD

Data: Any value in seconds (Decimal)

Note: Registry key values are typically listed in decimal format, unless specified otherwise.

The same VdLoadUnloadTimeout registry setting is used in two places, with two different default values:

  • By WfcRun32.exe, when it has seen an error from the engine, and needs to kill the WfIca32.exe process. It waits for this registry setting with a default of 1 second before terminating the process.
  • By WfIca32.exe, when it is loading virtual drivers. It waits for this registry setting with a default of 5 seconds for the Virtual driver to load.


If you set the registry setting, then both processes will use the value that you set (in seconds). There is no upper limit.

Lower limits are forced. If the value is less than 1 for WfcRun32.exe, it will be forced to 1. If the value is less than 5 for WfIca32.exe, it will be forced to 5.


Solution 3

Check whether the following registry value is present and misconfigured:

Location: HKLM\SOFTWARE\Wow6432Node\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials

Name: LegacyLocalUserNameAndPassword

Data: (Default)=true

Note: When uninstalling Receiver, check that all Citrix-related keys under HKLM\SOFTWARE\Wow6432Node are removed properly.


Error: “SSL Error 61: You have not chosen to trust ‘Certificate Authority’…” on Receiver for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA-2 certificates, note that older versions of Receiver do not support them. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions that support SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the root or intermediate certificate required to establish trust with the certificate authority that issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

  1. Open Keychain Access in the Applications > Utilities folder.

  2. Highlight the X509 Anchors Keychain in the menu (you might have to authenticate to do this).

  3. Browse through the Certificate Authorities to find the company that issued the certificate used by the Secure Gateway/NetScaler Gateway (in this example, Thawte Premium Server CA).

  4. Highlight the certificate and select File > Export from the menu bar.

  5. The default File Format should be Certificate (.cer).

    Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

  6. Save the certificate to the Applications/Citrix ICA Client/keystore/cacerts folder (create this folder if it does not exist).


Error: “Unable to launch your application. SSL Error 38” When Launching an Application Through NetScaler Gateway

Issue with Installation or Imaging of XenApp Server

You receive the following error when trying to start the published applications:

“Error could not connect to Application.”

Disabling Session Reliability results in the following error:

“SSL Error 38: This proxy denied access to STAXXXXXXXXXXXXXX port 1494”

When you examine the Published Applications, under the NetScaler Gateway Virtual Server, you see identical identifiers.

Complete one of the following methods to resolve the issue:

This issue can be caused by a problem in the installation or imaging of the XenApp Server.

XML Broker Waiting for Shutdown Reason

One of the XML brokers had been shut down and was waiting for input as to the reason for the shutdown. After the reason for restarting the server was entered, applications were able to be launched.

Verify if NetScaler Gateway has Insufficient User Licenses

If this error occurs while attempting to open a published application, verify the following:

  • The appliance has sufficient NetScaler Gateway Users licenses.

  • The maximum number of users is adjusted to match the number of licenses.

To troubleshoot further, complete the following steps:

  1. After SSL Error 38 appears, log on to the appliance using a secure shell (SSH).
  2. Run the following command, then launch an application until you receive an SSL Error 38 again:

    nsconmsg -d stats | grep ica_license_failure

  3. When the error appears, run the following command again:

    nsconmsg -d stats | grep ica_license_failure

  4. If the counter increased, then the error is indeed caused by license allocation.

STA Servers Configured Do Not Match on NetScaler Gateway and StoreFront

The STA servers defined on NetScaler Gateway should match those configured on the Web Interface/StoreFront. This includes matching a machine name versus the Fully Qualified Domain Name (FQDN).

Issues with Domain Name System (DNS) Name Resolution

This issue can occur because of problems with Domain Name System (DNS) name resolution. When launching an application, the NetScaler Gateway appliance uses the method specified in the WebInterface.conf file for name resolution. The Web Interface generates the ICA file. If the WebInterface.conf file is set to dns-port and DNS resolution is not possible, either because no DNS server is specified in the NetScaler Gateway configuration or because the appliance is in a DMZ where no DNS server is reachable, then the launch of the application fails with the preceding error message.

Complete the following steps to resolve this issue:

  1. The first option to resolve this issue is to specify a DNS server on the NetScaler Gateway appliance in the Name Servers pane.

  2. The second option is to edit the WebInterface.conf file on the Web Interface server for that site so that it resolves through ipv4-port rather than dns-port. The default location of the WebInterface.conf file is C:\inetpub\wwwroot\Citrix\sitename\conf. Replace sitename with the name of your site; the default sitename for a Web site on Web Interface is /Citrix/Xenapp.

    Restart the IIS Web Server after saving the WebInterface.conf file.

Double Hop Configuration Issue

The SSL error 38 appears while launching published applications through a double hop configuration of the NetScaler Gateway appliance.


To resolve the preceding issue, create static host records on the DMZ1. On the XenApp farm Properties dialog box, complete the following tasks:

  1. Navigate to the XenApp Server node and click the General node.
  2. In the Citrix XML Service section clear the XML Service DNS address resolution option.

    This option enables remote connections to work as normal.


This issue occurs because the client is not receiving the FQDN supplied by the XML Service on the XenApp Server. In other words, the NetScaler appliance in DMZ1 was not able to perform a DNS look-up for the FQDN generated by the XML Service, which is behind DMZ2.

Appropriate Ports Not Open

  1. Create services on the NetScaler > Traffic Management using TCP port 1494 to verify communication between XenApp servers and SNIP.
  2. If you have Session Reliability enabled, create services on port 2598 as well. Confirm this in StoreFront > Manage NetScaler Gateways > Edit > Secure Ticket Authority > Enable Session Reliability. If this is checked, then port 2598 should be open too.


Error: “No Audio Available, Could Not Open An Audio Device For Playback” In ICA Session

Complete the following steps on Win 7 and 2008 R2.

  1. First, check that audio is not disabled on the RDP-Tcp and ICA-Tcp listeners. Go to Administrative Tools > Remote Desktop Session Host Configuration > RDP-Tcp > right-click > Properties > Client Settings. The Audio option should be unchecked. Check the ICA-Tcp connection in the same way.
  2. Allow the Citrix client audio redirection policy in the Studio console.
  3. Run gpupdate /force on the VDA server.
  4. Verify that the Receiver setting for audio is enabled in Connection Center.
  5. Audio should now work in the ICA session.

Steps to be followed on Win 8 and 2012 R2 and above.

Due to changes in Server 2012 R2, there is no option to modify the RDP listener in the RDMS (Remote Desktop Management Server) GUI. To enable audio redirection on a 2012 R2 server, follow these steps:

  1. Choose Start, choose Run, enter regedit, and then choose the OK button.
  2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, then edit or create the following value and set it to 0:

Value: fDisableAudioCapture

Type: REG_DWORD

Data: 0


Unable to sign in with Apple ID after deploying the iOS Restrictions policy with the Restrict App Usage set to “Only allow some apps”

Citrix Recommendation:

iOS Restriction Policy > Restricted App usage:

If you change this setting to Only allow some apps: Before deploying this policy, advise users of devices enrolled using Apple DEP to sign in to their Apple accounts from the Setup Assistant. Otherwise, users might have to disable two-factor authentication on their devices to sign in to their Apple accounts and access allowed apps. Restrictions device policy – https://docs.citrix.com/en-us/xenmobile/server/policies/restrictions-policy.html#par_anchortitle_e0ce


Error: “Propagation failed on one or more servers” when you attempt to propagate changes to Storefront Server Group

Consider the following scenario. You have two or more Storefront servers in the Server Group. When you attempt to propagate changes to the Storefront Server Group, it might fail with the error: “Propagation failed on one or more servers” as shown in the screenshot below:

Additionally, the following events are recorded in Windows Event Viewer at the time of the issue:

Log Name: Citrix Delivery Services

Source: Citrix Configuration Replication Service

Event ID: 31

Description:

An error has occurred during the all server configuration update process.

Citrix.DeliveryServices.ConfigurationReplication.Exceptions.ServerUpdateConfigurationException, Citrix.DeliveryServices.ConfigurationReplication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856

Could not connect to net.tcp://mt-storefront2/Citrix/ConfigurationReplication. The connection attempt lasted for a time span of 00:00:01.0312588. TCP error code 10061: No connection could be made because the target machine actively refused it 10.107.226.9:808.

RemoteEndpoint: net.tcp://mt-storefront2/Citrix/ConfigurationReplication


Log Name: Citrix Delivery Services

Source: Citrix Delivery Services Admin

Event ID: 1

Description:

An error occurred running the command: ‘Get-DSClusterConfigurationUpdateState’

Could not connect to net.tcp://mt-storefront2/Citrix/ConfigurationReplication. The connection attempt lasted for a time span of 00:00:01.0309845. TCP error code 10061: No connection could be made because the target machine actively refused it 10.107.226.9:808.

At C:\Program Files\Citrix\Receiver StoreFront\Management\Cmdlets\ConfigurationReplicationModule.psm1:114 char:14

+ $state = Get-DSConfigurationReplicationState -Hostname $clusterMemberHostnam …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Could not connect to net.tcp://mt-storefront2/Citrix/ConfigurationReplication. The connection attempt lasted for a time span of 00:00:01.0309845. TCP error code 10061: No connection could be made because the target machine actively refused it 10.107.226.9:808.

Citrix.DeliveryServices.PowerShell.Command.RunnerInterfaces.Exceptions.PowerShellExecutionException, Citrix.DeliveryServices.PowerShell.Command.RunnerInterfaces, Version=3.12.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856

An error occurred running the command: ‘Get-DSClusterConfigurationUpdateState’

Could not connect to net.tcp://mt-storefront2/Citrix/ConfigurationReplication. The connection attempt lasted for a time span of 00:00:01.0309845. TCP error code 10061: No connection could be made because the target machine actively refused it 10.107.226.9:808.

At C:\Program Files\Citrix\Receiver StoreFront\Management\Cmdlets\ConfigurationReplicationModule.psm1:114 char:14

+ $state = Get-DSConfigurationReplicationState -Hostname $clusterMemberHostnam …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


XenApp 7.x: When Accessing Anonymous/Unauthenticated Store, apps fail to enumerate. “There are no apps or desktops available for you..”

To fix this ensure that the following 3 settings are in place:

1) The ‘Give Access to unauthenticated users’ option is selected when editing the Delivery Group.

2) On the StoreFront server, while creating the Store, ensure that the Unauthenticated option is checked.

3) In the StoreFront console, click ‘Manage Delivery Controller’, then select each controller and click Edit. Set the transport type to HTTP.

If the issue is still not fixed, call the Citrix Support number for immediate assistance.


Microsoft Releases More Spectre/Meltdown Patches

It’s shaping up to be a relatively light patch load for administrators this month, with just 15 critical vulnerabilities to fix out of a total of 75.

The update round covered a pretty wide range of products as usual, including Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, Exchange and ASP.NET Core.

Two have been publicly disclosed, meaning that hackers may be exploiting them in the wild, although the bugs themselves are only rated “Important”. They are: CVE-2018-0940, affecting Microsoft Exchange Server 2010-2016 and CVE-2018-0808, which hit ASP.NET Core 2.0 systems.

“The Windows Kernel received a lot of attention this month, likely due to the ongoing attention on Meltdown and Spectre vulnerabilities. I stopped counting the CVEs after a dozen,” said Ivanti director of product management, security, Chris Goettl. “The good news is I did not see anything higher than an Important rating, but those are a lot of changes in the Kernel. Test the OS updates well this month.”

As regards Spectre and Meltdown, Microsoft has released patches for 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012.

All the critical updates fix problems in the browser, or browser-related technologies and should be dealt with first, claimed Qualys director of product management, Jimmy Graham.

He highlighted another “Important” vulnerability for special attention. CVE-2018-0886 affects the security support protocol CredSSP, which is used to process authentication requests, and could allow an attacker with man-in-the-middle capabilities to gain full access to a Remote Desktop Protocol (RDP) session.

“While CredSSP is used for other applications, the attack scenario mentioned by Microsoft involves Remote Desktop. The update covers both the CredSSP protocol used by the RDP server as well as the RDP clients,” he explained.

“Group Policy settings must be enabled to ensure full mitigation of the vulnerability for RDP. Microsoft has also given a tentative timeline for additional updates. In April, new versions of the RDP client will be released to add better error messages, and in May an update will be released to prevent clients from connecting using insecure versions of CredSSP.”

Adobe also released patches for seven vulnerabilities.
