A customer was attempting to configure ICA Proxy mode on Citrix Access Gateway Enterprise Edition with XenApp 5.0 and Web Interface. The customer reported that, after a successful authentication at the Citrix Access Gateway Enterprise Edition logon page, the Web browser displayed the error message "401 - Unauthorized: Access is denied due to invalid credentials", as shown in the following screenshot:
The customer had installed the following hardware and software components on the network:
To troubleshoot this issue, the Technical Support Engineers investigated the Windows event logs of the XenApp Server and observed an error message in the Citrix Web Interface event log, as shown in the following screenshot:
This prompted the engineers to shift the focus of the investigation to the XenApp Server. The engineers recorded network packet traces on the XenApp Server during a logon attempt. Before each attempt they terminated the existing Access Gateway Enterprise Edition session so that a new session was established. During logon, Web Interface makes an outbound HTTPS request to the Access Gateway Enterprise Edition appliance to retrieve the SmartAccess settings, such as the vServer name and the session policy name.
When analyzing the packet traces, the engineers observed that when the XenApp Server connected to the URL shown in the preceding screenshot, /CitrixAuthService/AuthService.asmx, it sent a FIN-ACK packet in the middle of the Secure Sockets Layer (SSL) handshake. That is, the Web Interface side, not the appliance, closed the connection before the handshake completed, as shown in the following screenshot:
When the /Citrix/XenApp1/auth/agesso.aspx URL was then requested, Web Interface returned the 401 response code because it could not complete the SSL handshake with the appliance and therefore could not retrieve the SmartAccess settings it needed.
After further investigating the event logs, the engineers found that the problem was with the SSL certificate chain: the certificate presented by the appliance did not chain to a root that the Web Interface server trusted.
The engineers resolved the issue by importing the root CA certificate of the authority that signed the certificate bound to the logon point of the Citrix Access Gateway Enterprise Edition into the certificate store of the Web Interface server.
Note: On the Web Interface server, the root CA certificate must be imported into the Trusted Root Certification Authorities store of the Local Computer account, not the local user account; a certificate imported into the logged-on administrator's own user store is not visible to the Web Interface process. This is shown in the following screenshot:
This article was written based on an actual scenario. There are other possible causes of the error messages referred to in the article. For example, similar error messages might be displayed when Single Sign-On (SSO) fails after the credentials have been passed to Web Interface. This occurs when the name the user logged on with differs from the pre-Windows 2000 user logon name, and that name is what was passed to Web Interface. The solution in this case is to specify an SSO Name Attribute that matches the pre-Windows 2000 account name, such as sAMAccountName.
Ensure that the Single Sign-on domain specified for the published application is correct in NetScaler Gateway > Policies > Session > Profile, as shown in the following screenshot:
It is also advisable to install the intermediate CA certificate (and the appliance's server certificate, if required) on the Web Interface server so that the complete certificate chain can be built.
The issue was observed because the certificate on the appliance was not trusted by Web Interface. When a Web browser with the appropriate security settings encounters such a certificate, it displays a warning and lets the user decide whether to proceed. Web Interface has no way to display a warning or to ask the user, so it refuses to communicate with a server that presents an untrusted SSL certificate; the handshake is abandoned and the logon fails.
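The following PowerShell script is an added example; it is not part of this article or of any Citrix product. It reproduces the diagnosis and fix described above from the Web Interface server: it performs the same SSL handshake that Web Interface performs against the appliance, reports what Windows objects to in the presented chain, checks whether the top certificate of that chain is present in the Trusted Root Certification Authorities store of the Local Computer (the store Web Interface actually uses), and, if it is not, imports the root CA certificate there. The gateway host name ag.example.com, the port and the path C:\certs\root-ca.cer are assumptions for illustration.

```powershell
# Added example: not from the Citrix article. Checks, from the Web Interface
# server, whether the certificate the Access Gateway presents chains to a root
# in the Local Computer store, and imports the root CA there if it does not.
# $Gateway, $Port and $RootCaFile are assumptions for illustration.

$Gateway    = 'ag.example.com'        # assumed FQDN of the Access Gateway logon point
$Port       = 443
$RootCaFile = 'C:\certs\root-ca.cer'  # assumed export of the signing authority's root certificate

# Perform the handshake Web Interface performs and record how Windows judges
# the chain the appliance presents.
function Get-GatewaySslInfo {
    param([string]$HostName, [int]$Port)
    $script:sslInfo = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # Top of the chain as built: the root if the chain is complete, otherwise
        # the last certificate Windows could find (a PartialChain).
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $script:sslInfo = New-Object PSObject -Property @{
            Subject            = $certificate.Subject
            Issuer             = $certificate.Issuer
            ChainTopThumbprint = $top.Thumbprint
            PolicyErrors       = $sslPolicyErrors
            ChainStatus        = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        # Accept regardless so the handshake completes and can be inspected.
        # Web Interface does not do this; it closes the socket (the FIN-ACK) instead.
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
    } finally {
        $tcp.Close()
    }
    return $script:sslInfo
}

# The store that matters: Web Interface runs under an IIS service identity and
# does not see certificates imported into an administrator's own user store.
function Test-LocalMachineRootStore {
    param([string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        return ($found.Count -gt 0)
    } finally {
        $store.Close()
    }
}

# Import the root CA into LocalMachine\Root (Trusted Root Certification
# Authorities of the Local Computer account). Refuses non-root certificates.
function Import-RootCaToLocalMachine {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$CerPath is not a self-signed root; intermediate CA certificates belong in the 'CA' store"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')   # needs an elevated (administrator) session
    try {
        $store.Add($cert)      # idempotent if the certificate is already present
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

$info = Get-GatewaySslInfo -HostName $Gateway -Port $Port
"Appliance certificate: $($info.Subject), issued by $($info.Issuer)"
"Policy errors: $($info.PolicyErrors); chain status: $($info.ChainStatus)"
if (Test-LocalMachineRootStore -Thumbprint $info.ChainTopThumbprint) {
    "Chain top $($info.ChainTopThumbprint) is already in LocalMachine\Root"
} else {
    "Chain top $($info.ChainTopThumbprint) is not in LocalMachine\Root; importing $RootCaFile"
    $imported = Import-RootCaToLocalMachine -CerPath $RootCaFile
    $info = Get-GatewaySslInfo -HostName $Gateway -Port $Port
    "After importing $imported - policy errors: $($info.PolicyErrors); chain status: $($info.ChainStatus)"
}
```

Run the script in an elevated session on the Web Interface server. The validation callback deliberately returns $true so that the handshake completes and the chain can be inspected; never do this in production code, and Web Interface itself does not, which is why it closes the connection instead. The explicit check of LocalMachine\Root is the important part: a handshake test run by a logged-on administrator also consults that administrator's own user store, so it can report no policy errors even when the Web Interface process cannot build the chain. A chain status of PartialChain with the chain top already present in LocalMachine\Root points at a missing intermediate certificate, which belongs in the Intermediate Certification Authorities ('CA') store of the Local Computer, as the article suggests above.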