Warning Event ID = 39 or ID = 41 on Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 before February 11, 2025.
"Connection failed" will be shown by clicking `Test Connection` in PKI Entities after February 11, 2025.
To confirm the connection failure between Citrix Endpoint Management (CEM) or XenMobile Server (XMS) and the Microsoft Certificate Authority (CA) server, refer to the Windows Event Viewer.
- Log in to the CA server.
- Navigate to `Event Viewer (Local) -> Windows Logs -> System`.
- Look for Warning Event ID = 39 or Event ID = 41.
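The same Event Viewer check can be run from PowerShell on the CA server. This is an added example, not part of the original Citrix article; the 30-day look-back window (`$Days`) is an assumption.

```powershell
# Added example: run on the CA server in an elevated PowerShell session.
# $Days is an assumed look-back window; adjust it to your environment.
$Days = 30

$filter = @{
    LogName   = 'System'
    Id        = 39, 41
    Level     = 3                          # 3 = Warning
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when no events match the filter,
# so suppress it and treat an empty result as "nothing logged".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Warning events with ID 39 or 41 in the System log for the last $Days days."
}
else {
    # Event IDs are only unique per source, so group by ID and provider
    # to see which component logged each warning.
    $events |
        Group-Object Id, ProviderName |
        Select-Object Count, Name |
        Format-Table -AutoSize

    # Show the ten most recent matches with the first line of each message.
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 10 TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ("$($_.Message)" -split "`r?`n")[0] } } |
        Format-List
}
```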
Once confirmed, create a new PFX certificate by following the steps in https://docs.citrix.com/en-us/xenmobile/server/authentication/client-certificate.html#creating-a-pfx-certificate-from-the-ca-server
Next, upload the new PFX to CEM/XMS by following the steps in https://docs.citrix.com/en-us/xenmobile/server/authentication/client-certificate.html#uploading-the-certificate-to-xenmobile
Finally, bind the new PFX certificate with Microsoft PKI entities.
- Access the XMS/CEM console.
- Navigate to `Settings -> PKI Entities -> Edit Microsoft PKI Entities -> General -> SSL client certificate`.
- Select the certificate uploaded in the previous step.
- Test the connection by clicking "Test Connection".
- If "Test Connection" succeeds, click "Next" through the remaining pages and then save.
Disclaimer:
Note: This Knowledge Base article will be updated as needed. Microsoft is still working on additional updates for full enforcement mode for certificate templates (online and offline). Currently, this article addresses a solution for online templates.
Microsoft has announced that Full Enforcement mode will be applied starting February 11, 2025 (as per Microsoft KB5014754). After this date, XMS/CEM will not be able to connect to the CA server if not bound with the new certificate.