NetScaler 13.1 53.24: iOS "Network Timed Out" with Outlook/Teams Authentication

Article ID: CTX693064

Description

Users encounter a "Network Timed Out" error on their iOS devices when attempting to authenticate specifically with the following applications:

  • Microsoft Outlook (iOS)
  • Microsoft Teams (iOS)

This authentication failure is isolated to iOS devices; users on Android, Windows, or macOS versions of the same applications do not experience this issue.

Resolution

To resolve this "Network Timed Out" error on iOS devices with Microsoft Outlook and Teams, you need to disable the allowOnlyWordCharactersAndHyphen option within the affected HTTP header validation profiles on your Citrix NetScaler (ADC).

Using the GUI:

  1. Log in to the Citrix NetScaler management interface using the graphical user interface (GUI).
  2. Navigate to System > Profiles > HTTP Profiles.
  3. Identify the HTTP profiles where strict validation is applied. These are typically named:
    • nshttp_default_strict_validation
    • nshttp_default_internal_apps
  4. For each of these identified HTTP profiles:
    • Select the profile.
    • Click Edit.
    • Locate the option Allow Only Word Characters And Hyphen.
    • Set this option to DISABLED.
    • Click OK or Save.
  5. Save the NetScaler configuration.
  6. Test authentication from an iOS device using Microsoft Outlook and Microsoft Teams to verify the issue is resolved.

Using the CLI:

  1. Log in to the Citrix NetScaler command-line interface (CLI).

  2. Execute the following command for each of the affected HTTP profiles:

    set httpprofile <http_profile_name> -allowOnlyWordCharactersAndHyphen disabled
    

    Replace <http_profile_name> with the name of each affected profile (nshttp_default_strict_validation and nshttp_default_internal_apps). For example:

    set httpprofile nshttp_default_strict_validation -allowOnlyWordCharactersAndHyphen disabled
    set httpprofile nshttp_default_internal_apps -allowOnlyWordCharactersAndHyphen disabled
    
  3. Save the NetScaler configuration using the save ns config command.

  4. Test authentication from an iOS device using Microsoft Outlook and Microsoft Teams.


Problem Cause

Starting with Citrix NetScaler build 13.1-21.50, a security enhancement was implemented that enables the allowOnlyWordCharactersAndHyphen option by default in all HTTP profiles.

This security setting restricts the characters allowed in HTTP header names to only alphanumeric characters and hyphens (A-Z, a-z, 0-9, -). However, Microsoft Outlook and Teams on iOS send a request header named x-ms-PKey-Auth+, which contains the plus sign (+) character. This plus sign is blocked by the newly enforced strict validation, causing the authentication process to fail and resulting in the "Network Timed Out" error specifically on iOS devices. Other operating systems and application versions may not include this specific header or might handle the authentication differently, thus not triggering the issue.
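The mismatch described above can be reproduced offline. The following is an added example, not Citrix code: it classifies each header name in a raw request against the strict character set stated in this article and against the RFC 9110 token grammar. The sample request, its host name and header values are constructed (only the header name x-ms-PKey-Auth+ comes from this article), and the strict rule is modeled from the article's description, so the appliance's actual matching may differ.

```python
import re

# Strict rule as described in this article: A-Z, a-z, 0-9 and "-" only.
STRICT_NAME = re.compile(r"[A-Za-z0-9-]+")
# RFC 9110 "token" grammar: what HTTP itself permits in a field name.
RFC_TOKEN = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")


def classify_header_names(raw_request: bytes):
    """Return [(name, verdict)] for each header of a raw HTTP/1.x request.

    verdict is one of:
      "ok"            - passes the strict rule
      "strict-reject" - valid HTTP token, but fails the strict rule
      "malformed"     - not a valid field name under RFC 9110 either
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    results = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, _value = line.partition(":")
        if not sep:
            results.append((line, "malformed"))
        elif STRICT_NAME.fullmatch(name):
            results.append((name, "ok"))
        elif RFC_TOKEN.fullmatch(name):
            results.append((name, "strict-reject"))
        else:
            results.append((name, "malformed"))
    return results


# Constructed sample request (host and values are placeholders).
SAMPLE = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: gateway.example.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"x-ms-PKey-Auth+: 1.0\r\n"
    b"Bad Name: value\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, verdict in classify_header_names(SAMPLE):
        print(f"{verdict:14} {name}")
```

Headers reported as strict-reject are syntactically valid HTTP but would be refused while the option is enabled; headers reported as malformed remain invalid regardless of the setting.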

Additional Information

You can check the following counter on the NetScaler:
http_err_detect_header_invalid_vchar >> Detects invalid visible characters in the header name