Error: “Cannot add account” When Connecting Through iOS Receiver 6.1.4

This article is intended for Citrix administrators and technical teams only. Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.


The following error is received when connecting through iOS Receiver 6.1.4:

“Cannot add account”

There are no issues with Receiver for Windows and Android.


Advisory: Receiver for iOS and Apple’s App Transport Security (ATS)

This article is intended for Citrix administrators and technical teams only. Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

In 2015 Apple introduced App Transport Security (ATS) to enforce best practices in security for connections between apps and backend servers. These changes in code were enabled by default with the release of iOS 9 to force iOS apps to use secure HTTPS connections. However, Apple allowed iOS app developers to disable ATS enforcement. ATS enforcement is currently disabled in Citrix Receiver for iOS.

During the WWDC 2016 event in June, Apple announced that all apps submitted to the App Store will be required to have ATS enabled by the end of year 2016. Since then, Apple has extended this deadline until further notice to give developers and customers additional time to prepare.

Citrix will continue to disable ATS enforcement in the Receiver for iOS client as long as Apple allows. However, Citrix recommends that IT administrators take proactive action to comply with Apple ATS requirements in anticipation of these future changes and to align with industry-leading practices around network security. Adopting the new recommendations for SSL certificates ahead of time will guarantee that Receiver for iOS users are not affected in the future. Customers can refer to this article for future updates.

The following list provides answers to frequently asked questions by IT administrators on the subject:

Which Citrix components are affected?

Depending on the environment configuration, the ATS mandate may impact Receiver for iOS connections to NetScaler, StoreFront, and Web Interface.

What are the requirements to comply with ATS?

Backend services including NetScaler, StoreFront, and Web Interface must be configured with SSL certificates that meet a minimum of TLS v1.2 specifications with AES-128 encryption and SHA-2 hash algorithm.

These requirements would also apply to any third-party networking products, such as gateways or load-balancers, terminating SSL connections at any point in the path of Receiver.

Additional information on ATS can be found on the Apple Developer website, under the “Requirements for Connecting Using ATS” section.

Does this change require session hosts (VDA) to be configured for secure ICA?

There is no need to configure VDA for secure ICA as part of this change. ATS will only impact connections to NetScaler, StoreFront, and Web Interface for brokering and application/desktop enumeration.


How to Enable and Collect Advanced Logs for Receiver for iOS

New Logging for 5.9.1 and Later:

Enable Access to Log Files. Receiver for iOS 5.9.1 extends the Advanced Logging feature to gather diagnostic data for authentication, store add, and connection issues.


Log options: Log Levels

Log Level               Logs hold…
Level 1 Critical        Critical notifications
Level 2 Errors          Error notifications
Level 3 Warning         Warning notifications
Level 4 Informational   Receiver information notifications
Level 5 Detailed        Information similar to verbose logs
Level 6 Debug           All information sent by Receiver

To customize Logging settings:

  1. Click the Settings icon, then go to Support > Log Options.

  2. Choose one of the Log Detail options, for example 6 Debug.

    Note: Set the log level to 6 Debug for troubleshooting Receiver for iOS issues.

  3. Go back to Log Options.

  4. Click No to any warnings.

  5. From Log Destination Options, choose File, Console, or File and console.

  6. Go back to Log Options and set the slider for the Maximum number of log files and Maximum size of a log file.

  7. Click No to any warnings.

There are two ways to collect and send the Advanced Logs from the device:

Using Send Feedback to collect and send Advanced Logs

  1. Go to Settings > Support and select Request Help from Support.


  2. Send the email with compressed Logs.zip (Advanced Logs) to the Technical Support case owner for further investigation.

Sync to iTunes to collect Advanced Logs

  1. Attach and Sync the iPad/iPhone to your authorized Mac or PC with iTunes.

  2. Within the Apps tab of iTunes, ensure that the Receiver is selected to sync. If it is not, select and re-sync.

  3. Scroll down in the Apps tab of iTunes to File Sharing.

  4. Select Receiver under Apps and the CitrixLogs folder on the right pane, under Receiver Documents.

  5. Click Save to… and save the entire Logs directory to your local computer.


    Within the Logs folder are a series of logs. Compress the logs and send them to Citrix Technical Support along with the steps performed during the reproduction.


MDX managed apps cannot open links properly so that apps which are not managed launch automatically

Solution: Use MDX app policies to configure the desired outcome. The steps listed in this article achieve this.

App URL schemes are easily misunderstood or confused. These steps can help with configuration problems.

The following details will also help you configure any such app appropriately on your server:

Secure Web MDX Configuration:

No specific configuration is needed with Secure Web. The following default settings can be used with Secure Web MDX, for the purposes of this example:

App URL schemes:

ctxmobilebrowser:,ctxmobilebrowsers:,ctxmobilebrowserappstore:

(For reference, these are the App URL schemes that Secure Web registers with iOS as being handled by the Secure Web app itself.)

Allowed URLs:

^http:,^https:,^mailto:=ctxmail:,+^ctxmailex:,+^ctxmailex2:,+^citrixreceiver:,+^telprompt:,+^tel:,+^col-g2m-2:,+^col-g2w-2:,+^col-g2t-2:,+^maps:ios_addr,+^mapitem:,+^itms-services:,+^itms-apps:,+^itms-appss:,+^ctx-sf:,+^lmi-g2m:,+^lync:

(For reference, these are the App IDs and App URL schemes that Secure Web is allowed to process. One outcome of processing may be that the URL is simply ‘allowed’; clicking a link and seeing it proceed to load is one example. For entries containing an ‘=’ symbol, the action is not only ‘allowed to process’ but is also ‘passed over to’ or ‘converted into’ whatever is on the right side of the ‘=’ symbol.)

Secure Mail MDX Configuration:


This is where our solution is used. The following default settings are found:

App URL schemes:

ctxmail:,ctxinternalmail:,ctxmailex:,ctxmailex2:,ctxmailappstore:,ctxmailoauth:,ctxevent:

Allowed URLs:

+maps.apple.com,+itunes.apple.com,+apps.apple.com,^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^lmi-g2m:,+^col-g2w-2:,+^maps:ios_addr,+^mapitem:,+^sms:,+^facetime:,+^ctxnotes:,+^ctxnotesex:,+^ctxmobilebrowser:,+^ctxmobilebrowserappstore:,+^ctxtasks:,+^facetime-audio:,+^itms-apps:,+^ctx-sf:,+^sharefile:,+^lync:,+^slack:,+^slackmdm:,+^msauth:

To achieve the desired outcome, change ‘Allowed URLs’ to the following:

+com.booking.BookingApp,+maps.apple.com,+itunes.apple.com,+apps.apple.com,^http://www.booking.com/,^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^lmi-g2m:,+^col-g2w-2:,+^maps:ios_addr,+^mapitem:,+^sms:,+^facetime:,+^ctxnotes:,+^ctxnotesex:,+^ctxmobilebrowser:,+^ctxmobilebrowserappstore:,+^ctxtasks:,+^facetime-audio:,+^itms-apps:,+^ctx-sf:,+^sharefile:,+^lync:,+^slack:,+^slackmdm:,+^msauth:
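To audit what a changed ‘Allowed URLs’ value does to an outbound link, the following added example (not Citrix code and not part of the original article) evaluates an excerpt of the list above. The names parse_policy and evaluate are hypothetical; beyond the ‘=’ behaviour the article describes, the sketch assumes that the first matching entry wins, that ‘+’ or no prefix allows and ‘-’ blocks, that ‘^’ anchors a literal pattern to the start of the URL, and that unmatched URLs are blocked.

```python
from typing import List, NamedTuple, Optional, Tuple

# Excerpt of the changed Secure Mail "Allowed URLs" value from the article.
POLICY = ("+com.booking.BookingApp,+maps.apple.com,^http://www.booking.com/,"
          "^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,"
          "^mailto:=ctxmail:,+^tel:")

class Rule(NamedTuple):
    allow: bool                 # False only for a '-' entry (assumed semantics)
    anchored: bool              # '^' = match at the start of the URL (assumed)
    pattern: str                # treated as a literal string, not a full regex
    replacement: Optional[str]  # right-hand side of '=', if present

def parse_policy(policy: str) -> List[Rule]:
    """Split the comma-separated policy into ordered rules."""
    rules = []
    for entry in (e.strip() for e in policy.split(",")):
        if not entry:
            continue
        allow = not entry.startswith("-")
        if entry[0] in "+-":
            entry = entry[1:]
        anchored = entry.startswith("^")
        if anchored:
            entry = entry[1:]
        pattern, sep, repl = entry.partition("=")
        rules.append(Rule(allow, anchored, pattern, repl if sep else None))
    return rules

def evaluate(rules: List[Rule], url: str) -> Tuple[str, str]:
    """Return (action, resulting URL); the first matching entry decides."""
    for r in rules:
        hit = url.startswith(r.pattern) if r.anchored else r.pattern in url
        if not hit:
            continue
        if not r.allow:
            return ("block", url)
        if r.replacement is not None:
            # '=' entry: hand the URL over under the scheme on the right side.
            return ("rewrite", url.replace(r.pattern, r.replacement, 1))
        return ("allow", url)
    return ("block", url)  # assumed default: no match means blocked

RULES = parse_policy(POLICY)

if __name__ == "__main__":
    for u in ("http://www.booking.com/hotel", "https://www.booking.com/hotel",
              "http://intranet.example/", "mailto:it@example.com",
              "ftp://example.com/"):  # constructed sample URLs
        print(u, "->", evaluate(RULES, u))
```

Under these assumptions the ^http://www.booking.com/ entry only takes effect because it precedes ^http:=ctxmobilebrowser:, and the https:// form of the same link is still rewritten to Secure Web. Reviewing each added entry this way shows exactly which links leave the managed apps.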


Cisco IOS XE Software Web UI Remote Code Execution Vulnerability

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code with root privileges on the underlying Linux shell.

The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by first creating a malicious file on the affected device itself and then uploading a second malicious file to the device. A successful exploit could allow the attacker to execute arbitrary code with root privileges or bypass licensing requirements on the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-rce-uk8BXcUD

This advisory is part of the June 3, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 23 Cisco Security Advisories that describe 25 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3218


Cisco IOS, IOS XE, IOS XR, and NX-OS Software One Platform Kit Remote Code Execution Vulnerability

A vulnerability in the Topology Discovery Service of Cisco One Platform Kit (onePK) in Cisco IOS Software, Cisco IOS XE Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient length restrictions when the onePK Topology Discovery Service parses Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol message to an affected device. An exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges, or to cause a process crash, which could result in a reload of the device and cause a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-nxos-onepk-rce-6Hhyt4dC

This advisory is part of the June 3, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 23 Cisco Security Advisories that describe 25 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3217


Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers Image Verification Bypass Vulnerability

A vulnerability in the image verification feature of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) could allow an authenticated, local attacker to boot a malicious software image on an affected device.

The vulnerability is due to insufficient access restrictions on the area of code that manages the image verification feature. An attacker could exploit this vulnerability by first authenticating to the targeted device and then logging in to the Virtual Device Server (VDS) of an affected device. The attacker could then, from the VDS shell, disable Cisco IOS Software integrity (image) verification.

A successful exploit could allow the attacker to boot a malicious Cisco IOS Software image on the targeted device. To exploit this vulnerability, the attacker must have valid user credentials at privilege level 15.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-ir800-img-verif-wHhLYHjK

This advisory is part of the June 3, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 23 Cisco Security Advisories that describe 25 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3208


Cisco IOS Software for Cisco Industrial Routers Virtual Device Server CLI Command Injection Vulnerability

A vulnerability in the CLI parsers of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an authenticated, local attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device. The attacker must have valid user credentials at privilege level 15.

The vulnerability is due to insufficient validation of arguments that are passed to specific VDS-related CLI commands. An attacker could exploit this vulnerability by authenticating to the targeted device and including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-iot-vds-cmd-inj-VfJtqGhE

This advisory is part of the June 3, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 23 Cisco Security Advisories that describe 25 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3210
