Citrix Web Interface Netscaler Gateway Incorrect Credentials Try Again

One of the most annoying problems in Citrix NetScaler is ICA / HDX connection issues. The reason for this is the way connection problems are reported.

There are two potential sources of trouble: Citrix StoreFront and Citrix NetScaler Gateway. So I will split my blog post into three sections: How to find the source of trouble, Troubleshooting Citrix StoreFront and Troubleshooting Citrix NetScaler Gateway.

How to find the source of trouble

It seems to be annoying and hardly possible. I am one of the moderators of a Facebook group about Citrix. Questions about connection issues come up quite often. Most of the answers don't point to the right source. They hardly ever ask: which component is guilty? Instead, people give misleading tips. I want to stay away from misleading tips and instead guide you through a well-structured troubleshooting guide.

Let's try to understand what's going on:

The stages of a Citrix NetScaler Gateway connection

I talk about using a Citrix StoreFront website; there is not much difference to a Receiver for Web site. If you still use Citrix Web Interface: not much difference there, only my screenshots won't be of any help.

  1. A user connects to the NetScaler Gateway website and is prompted with a login page.
  2. The user enters his credentials. These credentials are checked against logon providers like LDAP and RADIUS-based sources (Active Directory, RSA, Safe Word, SMS Token and many more).
  3. The user will see applications only after logging on successfully. So logon is done, and without any issue, as soon as we see applications!
    We now know: NetScaler Gateway was able to authenticate the user, it also connected to Citrix StoreFront (or Web Interface) successfully, and StoreFront successfully connected to the XML broker service.
    So no need to check here, it's already checked: logon works perfectly fine, the connection to StoreFront / Web Interface worked fine, and its connection to the XML broker service is tested (we would not see any application if any of them failed).
  4. The user clicks an application. This click is proxied via NetScaler Gateway and StoreFront (WI) to the XML broker service. The XML broker service selects a resource, a desktop or an application, connects to this resource's IP via HTTP(S) (XenDesktop) or IMA (XenApp up to version 6.5), and stores this user's credentials inside this machine. The machine returns a so-called NFuse ticket (NFuse is the old name of Citrix Web Interface). The IP address together with this NFuse ticket is returned to StoreFront (Web Interface).
  5. Getting an STA ticket: This is the first source of problems I want to go into. We have to store the target's IP address within our secure environment. The store we use is called STA, and it's usually one of the XenApp servers or XenDesktop DDCs (desktop delivery controllers). The STA returns a so-called STA ticket.
  6. We now create an ICA file. The ICA file will contain the name of the NetScaler Gateway (FQDN), the NFuse ticket and the STA ticket (don't mix these up!) together with some information about the screen resolution, clipboard mapping and so on. I attached a sample ICA file:
    [ApplicationServers]
    Notepad=
    ...
    [Notepad]
    Address=;40;STA324731891;832A84599E0B7449B8578DCB8DBA95
    ; this is STA ID and STA ticket
    AutologonAllowed=ON
    BrowserProtocol=HTTPonTCP
    CGPSecurityTicket=On
    ClearPassword=E16458A6937769
    ; This is the 1st half of the NFuse ticket
    ...
    Domain=\C48CC641E8301B33
    ; This is the 2nd half of the NFuse ticket
    ...
    InitialProgram=#Notepad
    ...
    Launcher=WI
    ...
    LogonTicket=E16458A6937769C48CC641E8301B33
    ; this is the NFuse ticket
    LogonTicketType=CTXS1
    ...
    SSLProxyHost=gateway.norz.at:443
    ; The FQDN of the NetScaler Gateway used by Receiver
    ...
    TransportDriver=TCP/IP
  7. This ICA file is returned to the client via NetScaler Gateway. We don't need to consider this connection guilty for our problems, as it is already tested: it worked fine before!
  8. The browser forwards this ICA file to the Citrix Receiver. (Beginning of second part!) Citrix Receiver will read the ICA file and
  9. connect to the NetScaler Gateway. We can see this as we will see a progress bar.
  10. The receiver will send the STA ticket to the NetScaler Gateway. NetScaler Gateway will connect to the STA and try to resolve this ticket.
  11. As soon as NetScaler Gateway was able to resolve the ticket, it will try to connect to the target device (XenApp server, VDI devices).
  12. The application/desktop launches.
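
The ICA fields from step 6, read back with a parser so that the STA ID and gateway name in a captured ICA file can be compared with what NetScaler Gateway has configured. This is an added example, not code from the original post; the function names, the default port 443 and the comparison inputs are assumptions, and the sample is constructed from the listing above.

```python
import configparser

# Constructed sample: only the keys quoted in the article's ICA listing.
SAMPLE_ICA = r"""
[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA324731891;832A84599E0B7449B8578DCB8DBA95
ClearPassword=E16458A6937769
Domain=\C48CC641E8301B33
LogonTicket=E16458A6937769C48CC641E8301B33
SSLProxyHost=gateway.norz.at:443
"""


def parse_ica(text):
    """Pull the gateway-relevant fields out of an ICA file (a Windows INI file)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the mixed-case ICA key names as written
    cp.read_string(text)
    app = next(iter(cp["ApplicationServers"]))  # first published resource
    sec = cp[app]
    address = sec.get("Address", "")
    fields = address.split(";")
    # Gateway launch: ";<number>;<STA ID>;<STA ticket>" instead of a host address.
    if len(fields) != 4 or fields[0] or not fields[2].startswith("STA"):
        raise ValueError(f"Address holds no STA ticket: {address!r}")
    host, _, port = sec.get("SSLProxyHost", "").partition(":")
    nfuse = sec.get("ClearPassword", "") + sec.get("Domain", "").lstrip("\\")
    return {
        "app": app,
        "sta_id": fields[2],
        "sta_ticket": fields[3],
        "gateway": host,
        "gateway_port": int(port or 443),  # assumption: 443 when no port is given
        "nfuse_matches": nfuse == sec.get("LogonTicket"),
    }


def check_launch(text, gateway_sta_ids, gateway_fqdn):
    """Compare an ICA file with the gateway configuration; return the mismatches."""
    info = parse_ica(text)
    findings = []
    if info["sta_id"] not in gateway_sta_ids:
        findings.append(f"ticket issued by {info['sta_id']}, which the gateway does not list")
    if info["gateway"].lower() != gateway_fqdn.lower():
        findings.append(f"Receiver is sent to {info['gateway']}, not {gateway_fqdn}")
    if not info["nfuse_matches"]:
        findings.append("LogonTicket is not ClearPassword + Domain")
    return findings
```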

It's essential to understand the connection process you want to troubleshoot!

So, where does it break into parts?

I have already mentioned: as soon as the ICA file is created and returned to the client, the second part starts. How can we find out? Easy: if the Citrix Receiver (former names: ICA client, ICA plugin, Citrix client, and approx 1.742.946 names more) is started, we successfully passed the first phase. So this is my first question: did it download the ICA file?

No,
I did not download an ICA file
so let's continue troubleshooting StoreFront!

Yes
I downloaded an ICA file
so let's continue troubleshooting NetScaler Gateway!

You are not sure if you received an ICA file or not?

  • Firefox: The ICA file goes into your download area, typically %username%\AppData\Local\Temp (or %tmp%). However, it usually gets deleted immediately.
  • Internet Explorer: There is a file created in %tmp%, but it is not accessible, and its extension is not .ICA. However, it usually gets deleted immediately.
  • Chrome: It's the same: the file goes to %TEMP%. Thanks, Hendrik Klinge for this information! It is unchanged, so more or less the same as Firefox.

As the ICA file usually gets deleted immediately, you may use Microsoft's Process Monitor to be 100% sure! You could also edit the ICA file in StoreFront (C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica). It is a Windows INI file. You may change RemoveICAFile=yes to no in the [WFClient] section, so it will stay forever (and spam the %tmp% directory).

More methods to find the phase of the connection process

Usually, you will see an error message. It's stage 1 (StoreFront alone to blame for your issue) if this error message is displayed inside your browser; it's stage 2 if it's a Windows (Mac, Linux, …) message box.


Troubleshooting Citrix StoreFront

If you got stuck within the first part of the connection process, your issue is not directly related to NetScaler, you don't even need to log on to NetScaler!

  1. Log on to your StoreFront server and check NetScaler Gateway settings:
    • Your authentication methods have to contain Pass-Through from NetScaler Gateway (right-hand side, lower section, Manage Authentication Methods)
      [Screenshot: StoreFront: Pass-Through from NetScaler Gateway]
    • You need to define a NetScaler Gateway (right-hand side, upper section, Manage NetScaler Gateways)
      [Screenshots: StoreFront: set a NetScaler Gateway; StoreFront: set a NetScaler Gateway, Detail]

      Don't check authentication settings: authentication worked fine, so there is nothing to do in here!

    • Also, check the STAs. The STAs have to be resolvable! (same dialogue as above)
      [Screenshot: STA settings in Citrix StoreFront]

      Use telnet (or putty) to connect to the desired port. So in my example, I would do a telnet XD7-DC.norz.local 80. The screen will turn black if it is able to connect. If I enter "something" I will see some HTML output. I won't see anything if I connect to an HTTPS-based server (telnet XD7-DC.norz.local 443), as I won't be able to do an SSL handshake. If you mistyped the name of the STA, or the STA is not reachable, you will see:
      telnet XD7-DC.norz.lokal 443
      connecting to XD7-DC.norz.lokal…
      .
      The connection attempt will time out. Always do these tests from your StoreFront servers!
      Reasons for an STA not being reachable may be a mistyped STA name or the (application) firewall blocking connections.

    • Enable remote access! (right-hand side, lower section, Configure Remote Access Settings).
      [Screenshot: Enable remote access in StoreFront]
  2. There should be no need to mention this, as it is a very basic Windows administration strategy; however, I see tons of people not being aware of it: Check the event log of your StoreFront servers!
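
The telnet test from the STA bullet above, scripted so that a mistyped name, a blocked port and a working STA give three different answers for every STA URL at once. This is an added example, not part of the original post; the function names and status strings are assumptions, and like the telnet test it belongs on the StoreFront server.

```python
import socket
from urllib.parse import urlsplit


def probe(host, port, timeout=5.0):
    """Classify one TCP connection attempt the way the telnet test is read by eye."""
    try:
        targets = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        # gaierror: DNS has no answer; UnicodeError: malformed name (doubled dot)
        return "name not resolvable"
    result = "timed out"
    for family, socktype, proto, _, addr in targets:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                return "reachable"  # telnet's black screen
            except socket.timeout:
                result = "timed out"  # typical for a firewall dropping the packets
            except ConnectionRefusedError:
                result = "refused"  # host is up, nothing listens on this port
            except OSError:
                result = "unreachable"  # no route to the host or network
    return result


def check_stas(sta_urls, timeout=5.0):
    """Probe every STA URL as it is entered in StoreFront; return {url: status}."""
    report = {}
    for url in sta_urls:
        parts = urlsplit(url)
        if parts.hostname is None:
            report[url] = "not a URL"  # scheme missing, e.g. a bare host name
            continue
        port = parts.port or (443 if parts.scheme == "https" else 80)
        report[url] = probe(parts.hostname, port, timeout)
    return report


if __name__ == "__main__":
    # Hypothetical STA list built from the article's host names.
    stas = ["http://XD7-DC.norz.local",
            "https://XD7-DC.norz.lokal/scripts/ctxsta.dll"]
    for url, status in check_stas(stas).items():
        print(f"{status:20} {url}")
```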

Events and their meanings

If something goes wrong in StoreFront you usually see this message:

[Screenshot: There is something wrong in StoreFront]

You will know: we never downloaded an ICA file. We are in trouble with StoreFront. Never check Citrix NetScaler Gateway, it was not involved; check the events on the StoreFront server. It may be difficult to locate an issue if you load balance your StoreFront servers, so I tend to disable all services but one.

Events pointing to STA problems:

The events can be found both in administrative events and in "Application and Service Logs" -> "Citrix Delivery Services".

There will be a set of events: Citrix Store Service, Error 0, Citrix Store Service, Error 1003, Citrix Store Service, Warning 28.

[Screenshot: Events related to STA problems: Citrix Store Service, Error 0, 1003, Warning 28]

Citrix Store Service, Error 0
[Screenshot: Citrix StoreFront: wrong STA name or STA not reachable]

Store Service Error 0: The server name <your server's name> cannot be resolved. The specified Secure Ticket Authority could not be contacted and has been temporarily removed from the list of active services.

I think the meaning of this event is more than clear: Citrix StoreFront could not connect to at least one of the STA servers you specified. There might be a chance to connect if there is more than a single STA server. Anyway: you should fix this problem!

Citrix Store Service, Error 1003: No STA server available!
[Screenshot: Citrix Store Service, Error 1003 event]

Citrix Store Service, Error 1003. All the configured Secure Ticket Authorities failed to reply to this XML transaction: https://<your server name>/scripts/ctxsta.dll.

This event will always follow one or more Citrix Store Service, Error 0 events. This is a serious issue, it means: it's absolutely impossible to launch an application or desktop, as there is no STA server available. Citrix Store Service, Error 1003 has to be fixed, it's the reason for your connection problems! No way around it: you have to fix this problem!

Citrix Store Service, Warning 28

Citrix Store Service, Warning 28: Failed to launch the resource 'Local.<your application/desktop name>', unable to obtain a ticket from the configured Secure Ticket Authorities.

This is the final result. We could not launch the application. It's just a summary: fix Citrix Store Service Error 0 above and you'll get rid of the 1003 and this one at the same time!
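
How the three events relate, as triage logic run over exported event records. This is an added example, not part of the original post: the record layout, function name and verdict texts are assumptions, and the sample records are constructed from the message texts quoted above.

```python
import re

# Constructed records (source, level, event id, message); texts follow the article.
SAMPLE_EVENTS = [
    ("Citrix Store Service", "Error", 0,
     "The server name XD7-DC.norz.lokal cannot be resolved. The specified Secure "
     "Ticket Authority could not be contacted and has been temporarily removed "
     "from the list of active services."),
    ("Citrix Store Service", "Error", 1003,
     "All the configured Secure Ticket Authorities failed to reply to this XML "
     "transaction: https://XD7-DC.norz.lokal/scripts/ctxsta.dll."),
    ("Citrix Store Service", "Warning", 28,
     "Failed to launch the resource 'Local.Notepad', unable to obtain a ticket "
     "from the configured Secure Ticket Authorities."),
]

SERVER = re.compile(r"server name (\S+) cannot be resolved")
RESOURCE = re.compile(r"launch the resource '([^']+)'")


def triage(events):
    """Reduce the Error 0 / Error 1003 / Warning 28 set to the thing to fix."""
    stas, launches, all_down = [], [], False
    for source, _level, event_id, message in events:
        if source != "Citrix Store Service":
            continue  # event ID 0 is not unique to this source
        if event_id == 0 and (m := SERVER.search(message)):
            if m.group(1) not in stas:
                stas.append(m.group(1))  # root cause: this STA name is the fix
        elif event_id == 1003:
            all_down = True  # every configured STA failed
        elif event_id == 28 and (m := RESOURCE.search(message)):
            launches.append(m.group(1))  # summary event: the launch that failed
    if all_down:
        verdict = "no STA answered: no launch is possible until an STA is reachable"
    elif stas:
        verdict = "some STAs failed: launches may still work through the others"
    elif launches:
        verdict = "launch failed without a matching Error 0: check the STA list"
    else:
        verdict = "no STA-related events"
    return {"verdict": verdict, "unresolved_stas": stas, "failed_launches": launches}
```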


Troubleshooting Citrix NetScaler Gateway

Our problem is related to NetScaler Gateway if we successfully mastered part 1. So let's troubleshoot problems here.

Citrix Receiver was unable to connect via NetScaler Gateway
Unable to launch an application. Contact your helpdesk with following information: Cannot connect to the Citrix XenApp server. …

Before we see an error like this, we will see the progress bar indicating: Citrix Receiver received an STA file. This progress bar is of some interest! Unfortunately, this message may disappear way too fast, so you will probably only see the message above.

[Screenshot: Citrix Receiver launching an application]

That's absolutely thrilling information for all of you! Click on "more information" and you'll see where we got stuck!

[Screenshot: Citrix Receiver connecting to NetScaler Gateway]

So this picture shows the receiver establishing a connection to Citrix NetScaler Gateway. To be 100% clear: we are still not connected! We are just establishing a connection to NetScaler Gateway, so a TCP SYN packet is sent, but either the TCP/IP connection is not yet established, or the SSL connection is not yet established!

Reasons for connections failing during this stage:

There may be several reasons for connections failing during this phase:

  1. The name of the gateway can't get resolved. Check the name in StoreFront.
    [Screenshots: StoreFront: set a NetScaler Gateway; StoreFront: set a NetScaler Gateway, Detail]
  2. The Citrix NetScaler Gateway server certificate is not trusted, or the certificate chain is broken. So as the first step: download NetScaler Gateway's certificate and open it at your workstation (not in a browser, just from the OS). Resolve all issues with this certificate. Don't even think of continuing without solving this problem, it doesn't make any sense at all.
  3. If you miss the intermediate CA certificate, you have to download it, import it into NetScaler and link it.
    NetScaler 11.1: Go to Traffic Management → SSL → CA Certificates. Import the certificate. Next, go to Traffic Management → SSL → Server Certificates. Click the NetScaler Gateway server certificate. Then Action and Link. It should display the certificate of the intermediate CA. Click OK.

STA Tickets

So we successfully connected to Citrix NetScaler Gateway. "Connection in progress" disappeared. The current state is connected: there is an SSL connection from client to NetScaler Gateway.

During the next phase, the Citrix Receiver will send the STA ticket to NetScaler Gateway, and it will try to resolve the STA ticket. To do so it has to connect to the configured STA.

STAs don't replicate (actually they don't even know about each other), so we need to specify exactly the same STA to NetScaler Gateway as we did in StoreFront. We will have to check StoreFront for STAs (see here). We will then check Citrix NetScaler Gateway for STA settings.

We navigate to NetScaler Gateway → Global Settings:

[Screenshot: Setting STAs in Citrix NetScaler Gateway]
[Screenshot: NetScaler Gateway: all STAs are down, so no connection possible]

As you see: the bound STA appears to be down. There are 3 reasons for this:

  1. The name is wrong, or can't get resolved. I would put the name into the clipboard, then navigate to System → Diagnostics and start the ping utility. Paste the hostname and see if it is pingable. You will see, at least, if the hostname is resolvable.
  2. The hostname is not resolvable. So the DNS server you configured for your NetScaler Gateway is unable to resolve the hostname. In both cases the outcome of this ping will look like this:
    [Screenshot: NetScaler Gateway: STA hostname not resolvable]
  3. A firewall is blocking the STA communication.

After resolving all of these issues the STA settings in NetScaler Gateway should look like this:

[Screenshot: NetScaler Gateway: All STA servers are up now]

You will find the STA IDs, indicating NetScaler Gateway could connect to this STA at least once, and the green light (it may be missing with some older versions of NetScaler) indicates actual connections.

No more issues with NetScaler Gateway and StoreFront as soon as you are fine up to here!

It takes too much time to establish connections from outside, compared to inside?

Don't blame NetScaler for this:

So NetScaler knows where to connect. NetScaler will use TCP/2598 for this connection: CGP (Citrix Gateway Protocol, old name: Common Gateway Protocol). At least as long as you did not turn off session reliability. I bet my life you did not. NetScaler Gateway will try to connect via CGP for 30 seconds, then give up and try plain HDX (formerly known as ICA) on TCP/1494. So open up TCP/2598 on your firewall, it will save you 30 valuable seconds!

Do your connections still fail?

Let's keep thinking: we successfully connected to NetScaler Gateway. We successfully resolved the ticket, so NetScaler Gateway now connects to the target device: a Citrix XenApp server or a Citrix XenDesktop VDI device.

So there are two reasons for this issue:

  1. a firewall blocks the connection
  2. NetScaler Gateway does not know a route to this IP

Just resolve these problems by opening up the firewall ports, or add the route to the desired network.


I hope this helped! Feel free to ask if you see additional issues not covered in here, I'll answer your question and add the solution here.

Unfortunately, I was unable to capture screenshots from Citrix Receiver connection stages due to my (relatively) fast environment. I'd be glad to get your screenshots 😉

Source: https://norz.at/?p=447
