Citrix Virtual Apps and Desktops - TLS Configuration causes Web Studio to throw exceptions


Article ID: CTX696174

Description

When the CVAD administrator tries to manage tags (Create / Add / Remove / Edit) in Web Studio, an error is displayed and the operation fails.


HAR trace shows a generic exception:

{
  "Items": [
    {
      "Reference": "0",
      "Code": 500,
      "Headers": [],
      "Body": "{\"ErrorMessage\":\"An error occurred while sending the request.\",\"SdkErrorId\":0,\"ErrorType\":\"HttpRequestException\",\"ErrorDetails\":\"Transaction ID: 2ae36653-2492-4928-8020-1212121\\r\\nAction Name: ManageTags_CreateTags\\r\\n\\r\\n\\r\\nException:\\r\\n    Error Source : CitrixOrchestration\\r\\n\",\"SupportLink\":null,\"ErrorReportXml\":null,\"ErrorReport\":null}"
    }
  ]
}

CDF Control trace shows a socket exception:

Error Source : CitrixOrchestration

ErrorException: System.Net.Http.HttpRequestException: An error occurred while sending the request.
---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

A network trace captured on the Delivery Controller shows the connection attempt going to localhost:

[Screenshot: network trace of the connection attempt to localhost]


Cause

The Citrix Orchestration service sends some of its requests to localhost rather than to the IP address the certificate is bound to. Because the binding covers only that specific IP address, the loopback endpoint has no certificate, so the TLS connection to localhost is closed and the socket exception above is raised.

Resolution

Workarounds:

1 - Bind the SSL certificate to all IP addresses on the Delivery Controller (0.0.0.0:443) using netsh:

netsh http add sslcert ipport=0.0.0.0:443 certhash=[certificate hash] appid=[application GUID] disablelegacytls=enable

2 - Alternatively, configure multiple bindings: one for the specific IP address and one for each localhost address (IPv6 and IPv4), for example:

netsh http add sslcert ipport=10.10.10.10:443 certhash=[certificate hash] appid=[application GUID] disablelegacytls=enable

netsh http add sslcert ipport=[::1]:443 certhash=[certificate hash] appid=[application GUID] disablelegacytls=enable

netsh http add sslcert ipport=127.0.0.1:443 certhash=b0b5b523cc93deb22c45542a876528ce30d616ba appid={4dc3e181-e14b-4a21-b022-59fc669b0914} disablelegacytls=enable
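A PowerShell check for the binding gap described in the workarounds above, added here as an example (it is not Citrix code); it assumes the standard English output of `netsh http show sslcert` and a default port of 443, and the `$Port` parameter and function names are the example's own:

```powershell
# Added verification script; not part of the Citrix article or product. It parses
# 'netsh http show sslcert' on the Delivery Controller and reports whether the
# loopback endpoints the Orchestration service connects to have a certificate
# binding. Run from an elevated PowerShell prompt.
function Get-SslCertBinding {
    # One object per "IP:port" block; hostname-based bindings are skipped.
    $bindings = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ IpPort = $Matches[1]; Hash = ''; AppId = '' }
            $bindings.Add($current)
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1].ToLower()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    return $bindings
}
function Test-LoopbackSslBinding {
    param([int]$Port = 443)   # assumed parameter; the article binds port 443
    $onPort = @(Get-SslCertBinding | Where-Object { $_.IpPort -match ":${Port}$" })
    $eps = @($onPort | ForEach-Object { $_.IpPort })
    # 0.0.0.0 and [::] are the IPv4 and IPv6 wildcards; without one, an explicit
    # loopback binding is required for the requests the service sends to localhost.
    $ipv4Ok = ($eps -contains "0.0.0.0:$Port") -or ($eps -contains "127.0.0.1:$Port")
    $ipv6Ok = ($eps -contains "[::]:$Port") -or ($eps -contains "[::1]:$Port")
    $hashes = @($onPort | Select-Object -ExpandProperty Hash -Unique)
    $findings = @()
    if (-not $ipv4Ok) {
        $findings += "No binding serves 127.0.0.1:$Port; TLS connections to localhost over IPv4 will be reset (the socket exception in the CDF trace)."
    }
    if (-not $ipv6Ok) {
        $findings += "No binding serves [::1]:$Port; add one if localhost resolves to ::1 on this controller."
    }
    if ($hashes.Count -gt 1) {
        $findings += "Port $Port bindings present $($hashes.Count) different certificates; confirm each is the intended controller certificate."
    }
    $summary = if ($findings.Count -eq 0) { 'OK' } else { $findings -join "`n" }
    [pscustomobject]@{
        Port         = $Port
        Bindings     = ($eps -join ', ')
        Ipv4Loopback = $ipv4Ok
        Ipv6Loopback = $ipv6Ok
        Findings     = $summary
    }
}
Test-LoopbackSslBinding | Format-List
```

Run it before and after applying either workaround; a controller with only the specific-IP binding reports both loopback flags as False, which matches the failure in the Description.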


Citrix bug reference number: CVADHELP-31097

Issue/Introduction

The administrator followed the Citrix documentation and configured the certificate binding on the Delivery Controller.

The certificate was bound to a specific IP address using the command:

netsh http add sslcert ipport=[IP address]:443 certhash=[certificate hash] appid=[application GUID] disablelegacytls=enable


From the Citrix documentation: "ipport: The IP address and port. Using 0.0.0.0:443 applies this to all IP addresses. You can instead specify a specific IP address."


Additional Information

Enable TLS on Delivery Controllers
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/tls-ddc.html