Application Enumeration Failing after Applying Microsoft KB2919355 for Windows Server 2012 R2


Article ID: CTX200185


Description

  

The following error is reported in the Citrix Delivery Services log for StoreFront:
 

Log Name: Citrix Delivery Services
Source: Citrix Store Service
Event ID: 0
Task Category: (12346)
Level: Error
Keywords: Classic
User: N/A
Computer: <Name of storefront Server>

Description: An SSL connection could not be established: None of the SSL cipher suites offered TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA were accepted by the server.
This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

 

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

Resolution 1

Prioritize the cipher list within Windows on the Delivery Controllers. The cipher suite order list should either begin with or only contain the values below:
TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA 
Reference - Microsoft MSDN - Prioritizing Schannel Cipher Suites

1. In the Group Policy editor, browse to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

2. Edit the policy “SSL Cipher Suite Order”. By default, this policy is set to “Not Configured”. Set this policy to Enabled.

3. Arrange the suites in the correct order; remove any suites you don’t wish to use. The following should be the only ciphers listed, or at the top of the list:
TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA
 
4. Reboot the Delivery Controller.
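
A check for steps 1 to 4 above, as an added example that is not part of the Citrix article: it reads the configured suite order on a Delivery Controller and reports whether the list begins with, or only contains, the suites listed above. The registry location of the policy value, the function names and the TLS_EXAMPLE_EXTRA_SUITE sample entry are assumptions that do not come from the article.

```powershell
# Added example, not Citrix code.
# Suite names copied verbatim from the article; edit if your policy spells them differently.
$Required = @(
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_AES_128_SHA',
    'TLS_RSA_WITH_AES_256_SHA'
)

# Assumption (not stated in the article): the "SSL Cipher Suite Order" policy is
# stored in the "Functions" value under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ConfiguredCipherSuites {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }   # policy is "Not Configured"
    # The value may be one comma-separated string or a multi-string; normalise both.
    return @(($item.Functions -join ',') -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherSuiteOrder {
    param([string[]]$Configured, [string[]]$Required)
    if (-not $Configured) { return 'NotConfigured (Windows default order applies)' }
    for ($i = 0; $i -lt $Required.Count; $i++) {
        $found = if ($i -lt $Configured.Count) { $Configured[$i] } else { '<end of list>' }
        if ($found -ne $Required[$i]) {
            return "Mismatch at position $($i + 1): expected $($Required[$i]), found $found"
        }
    }
    if ($Configured.Count -eq $Required.Count) { return 'OnlyContains' }
    return 'BeginsWith'
}

# Live check on the machine this runs on.
$live = Get-ConfiguredCipherSuites -Key $PolicyKey
"Live policy: $(Test-CipherSuiteOrder -Configured $live -Required $Required)"

# Constructed samples: the required suites first, and another suite placed first
# (the situation described under Additional Information).
$sampleGood = $Required + 'TLS_EXAMPLE_EXTRA_SUITE'
$sampleBad  = @('TLS_EXAMPLE_EXTRA_SUITE') + $Required
"Sample, required suites first: $(Test-CipherSuiteOrder -Configured $sampleGood -Required $Required)"
"Sample, other suite first:     $(Test-CipherSuiteOrder -Configured $sampleBad -Required $Required)"
```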

Resolution 2

On the Delivery Controllers, set the registry value to the ciphers below.
Reference - Microsoft - How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_SHA
  • TLS_RSA_WITH_AES_256_SHA

Problem Cause

In XenDesktop and XenApp 7.x environments where the Delivery Controllers are installed on Server 2012 R2 and the transport is set for HTTPS, application enumeration can fail after installing KB2919355.

Additional Information

Ultimately, this is a configuration issue. There is no programmatic way to provide XenDesktop with a cipher list that is a subset of one protocol.
XenDesktop or XenApp 7.x receives a list that includes ciphers not supported by Citrix. After KB2919355, the first cipher on the list is not supported by default.