ICA launch delay issue after upgrading to Workspace app 2203 CU2


Article ID: CTX492837


Description

After upgrading to Workspace app 2203 CU2, customers may experience delays when launching ICA sessions.
 

Resolution

Upgrade to Workspace app 2203 CU3 or 2303 to fix this issue:

  • You might experience delay in enumerating apps and starting apps or desktops when using SSON in an environment that has no active access to external sites. This issue occurs from the Citrix Workspace app version 2210.5 onwards and from the Citrix Workspace app version 2203 CU2 onwards. [CVADHELP-21786]

If it is not possible to upgrade the Workspace app, try the workaround below.

Workaround
Decrease the Default URL retrieval timeout and the Default path validation cumulative retrieval timeout by modifying the policy configuration:
1. Launch Group Policy Management Editor.

2. Expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

3. Double-click Certificate Path Validation Settings.

4. In the Certificate Path Validation Settings Properties dialog box, on the Network Retrieval tab, configure the policy as follows to lower the timeouts for URL retrieval:

[Screenshot: Network Retrieval tab of the Certificate Path Validation Settings Properties dialog box]


Problem Cause

From Workspace app version 2203 CU2 onwards, cryptnet.dll is loaded to check the Certificate Revocation List (CRL).
If CryptoAPI cannot reach any internet CRL server because of the customer's network security requirements, the CRL check takes longer to complete. This delays the launch of wfica32.exe.

How Certificate Revocation Works
CryptoAPI first determines whether a time-valid version of the revocation object exists in the CryptoAPI disk cache.

If a time-valid object is not found in the disk cache, the network retrieval process starts. For each URL that is available for retrieval, CryptoAPI starts a background thread to perform the network retrieval of that designated object.
By default, the calling thread will wait up to 15 seconds for the retrieval to complete (as defined in Group Policy).

If the object takes longer than 15 seconds to download, then CryptoAPI will report the server as offline, even as the retrieval continues in the background. If the CRL distribution point specifies multiple working URLs, then CryptoAPI will start the download of the second URL 15 seconds after the URL retrieval began.

If the application performs a second certificate validation while the first background retrieval continues, then the retrieval for the second validation will fail immediately.
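
To confirm that revocation retrieval is what stalls the launch, and that the workaround policy has reached the endpoint, the following added diagnostic (not Citrix code) reads the Network Retrieval policy values and times an online revocation check. Assumptions: `$Path` is a placeholder for any Authenticode-signed file, `Measure-RevocationCheck` is a hypothetical helper name, and the registry key and value names are the ones Windows uses for the Certificate Path Validation Settings policy.

```powershell
# Added example (not Citrix code). $Path is a placeholder: point it at any
# Authenticode-signed file whose signer chain you want to test.
param([string]$Path = 'C:\Path\To\signed.exe')

# Values written by "Certificate Path Validation Settings" (Network Retrieval
# tab). Both come back empty when the policy is not configured.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    UrlRetrievalTimeoutMs        = $policy.ChainUrlRetrievalTimeoutMilliseconds
    CumulativeRetrievalTimeoutMs = $policy.ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
}

function Measure-RevocationCheck {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'      # force a revocation lookup
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    # UrlRetrievalTimeout is left at its default (zero) so the operating
    # system's own timeout setting applies to the measurement.

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($Certificate)
    $timer.Stop()

    $flags   = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        ChainValid     = $valid
        ElapsedSeconds = [math]::Round($timer.Elapsed.TotalSeconds, 2)
        # Either flag means the revocation object could not be retrieved.
        RevocationUnreachable = ($status -contains $flags::OfflineRevocation) -or
                                ($status -contains $flags::RevocationStatusUnknown)
        StatusFlags    = ($status -join ', ')
    }
}

$signer = (Get-AuthenticodeSignature -FilePath $Path).SignerCertificate
if ($signer) {
    Measure-RevocationCheck -Certificate $signer
} else {
    Write-Warning "No Authenticode signer certificate found in $Path"
}
```

A short elapsed time with no revocation flags can simply mean a time-valid CRL is already in the CryptoAPI disk cache, so run the check on a machine that shows the delay.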