Problem Definition
When accessing a Secure Gateway site using the MAC Intel client, users receive an SSL 59 Error message.
“SSL Error 59: The server sent a security certificate indentifying "portal.xxx", the SSL connection was to "portal.xxxyyy.zzz".
Error number: 183
Environment
• Web Interface 4.x running on Windows 2003
• Presentation Server 4.0 with HRP 03
• MAC Intel OS X 10.4.10
• Presentation Server Client 7.10.50
Troubleshooting Methodology
The first step was to verify that the certificate was correct on the Secure Gateway server. This was done by running the Secure Gateway configuration wizard and Secure Gateway Diagnostics.
Next we verified that other clients can connect to the Secure Gateway site. MAC PowerPC and Win32 clients did not observe this behavior.
The next step was to capture a network trace from the Client while trying to launch applications from the Secure Gateway site. To do this we ran sudo tcdpump –s 256 –w <outputfile.cap> from a terminal window while launching an application:
This captures on all interfaces and ports, and outputs to a binary file that is readable by Ethereal/Wireshark. The –s increases the amount of data that is captured in the packet; the default amount is 68 bytes, which sometimes doesn’t have as much info as we might need.
After reviewing the capture file it was noted that the certificate returned was valid and the FQDN was in the proper format:
We then verified that the launch.ica file is coming down properly. This is done by right-clicking the icon and selecting Save Target As. We wanted to verify the SSLProxyHost line in the launch.ica file:
[Desktop]
Address=;10;STA9E8B787B3692;CD59D65961205682C9947E20A56F4579
AudioBandwidthLimit=2
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
ClearPassword=AF953904E9398F
ClientAudio=On
DesiredColor=4
DoNotUseDefaultCSL=On
Domain=\ABFD7B232C5C7C1E
HTTPBrowserAddress=!
InitialProgram=#Desktop
Launcher=WI
LocHttpBrowserAddress=!
LogonTicket=AF953904E9398FABFD7B232C5C7C1E
LogonTicketType=CTXS1
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLCiphers=all
SSLEnable=On
SSLProxyHost=portal.xxxyyy.zzz:443
ScreenPercent=75
SecureChannelProtocol=Detect
SessionsharingKey=4-basic-basic-Domain-User-access
TWIMode=Off
TransportDriver=TCP/IP
UILocale=en
Username=User
WinStationDriver=ICA 3.0
Cause
There is an issue with how certificates are handled on the MAC Intel Client ONLY. The problem occurred because certificates encoded using UTF-8 were not being handled correctly.
Resolution
Version 10.00.600 of the MAC Intel Client has addressed this issue. Download it from http://citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=3250&pID=186.
