SSL Connection to a XenApp/XenDesktop VDA fails.  Error message on the VDA (CDF or Event logs) will include Error from VDA: "The Citrix ICA Transport Driver received SSL initialization error 0xc0000241."

An additional step is necessary when the VDA is on a Windows Server 2016 or later, or Windows 10 Anniversary Edition or later. This affects connections from Citrix Receiver for Windows 4.6. On the VDA (Windows Server 2016 or Windows 10 Anniversary Edition or later), using the Group Policy Editor, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. Select the following order: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

Note: The first four items also specify the elliptic curve, P384 or P256. Ensure that "curve25519" is not selected. FIPS Mode does not prevent the use of "curve25519". When this Group Policy setting is configured, the VDA will select a cipher suite only if appears in both lists: the Group Policy list and the list for the selected compliance mode (COM, GOV, or ALL). The cipher suite must also appear in the list sent by the client (Citrix Receiver or StoreFront). This Group Policy configuration also affects other TLS applications and services on the VDA. If your applications require specific cipher suites, you may need to add them to this Group Policy list.

Problem Cause

Cipher mismatch.

Citrix Documentation - Transport Layer Security (TLS)