Error: "401-Unauthorized" when attempting to open a Web Interface web page that routes through the NetScaler Gateway.
Complete the following steps to resolve the issue:
Open the Citrix.DeliveryServices.ProtocolTransition.ServiceHost.exe.config file with Notepad (as an admin) to edit the file.
Note: Save a backup copy of the config file before making any changes.
After you have a backup copy of the config file, search for the word "thumb" and then manually change the thumbprint to match the thumbprint found on the new SSL certificate, then save the file.
For example:
<add id="iis-site-1-cert" store-name="My" thumb="ZZYYXXWWVVUUTTSSRROOPPOONNMMLLKKJJIIHHGGFFEEDDCCBBAA" />
</certificates>
After you have made the changes, restart the "Citrix Delivery Services Protocol Transition Service" to load the newly updated config file.
Open the Web Interface page to test. If the preceding steps did not resolve the issue, run repair on your Web Interface site and test again.
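A read-only way to confirm the mismatch before or after editing the file, as an added example that is not part of the original article. It assumes the config path given on this page, that store-name="My" refers to the LocalMachine store, and uses a hypothetical helper name (ConvertTo-CleanThumbprint).

```powershell
# Read-only check: does each thumbprint in the PTS config match a usable certificate?
$configPath = 'C:\Program Files (x86)\Citrix\DeliveryServices\ProtocolTransitionService\Citrix.DeliveryServices.ProtocolTransition.ServiceHost.exe.config'
$storeLocation = 'LocalMachine'   # assumption: the page only shows store-name="My"

function ConvertTo-CleanThumbprint {
    param([string]$Value)
    # Keep hex digits only. This drops spaces and invisible characters that can
    # come along when a thumbprint is copied from the certificate dialog.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

[xml]$config = Get-Content -LiteralPath $configPath -Raw
# local-name() keeps the query working whether or not the file declares a namespace.
$entries = $config.SelectNodes("//*[local-name()='certificates']/*[local-name()='add'][@thumb]")
if ($entries.Count -eq 0) { Write-Warning "No certificate entries with a thumb attribute in $configPath" }

$results = foreach ($entry in $entries) {
    $raw       = $entry.GetAttribute('thumb')
    $thumb     = ConvertTo-CleanThumbprint $raw
    $storeName = $entry.GetAttribute('store-name')
    if (-not $storeName) { $storeName = 'My' }

    # Look for a certificate in the store whose thumbprint equals the configured one.
    $cert = Get-ChildItem -Path "Cert:\$storeLocation\$storeName" |
        Where-Object { $_.Thumbprint -eq $thumb } |
        Select-Object -First 1

    $status = if (-not $cert) {
        'NOT FOUND in store (stale thumbprint?)'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        'EXPIRED'
    } elseif (-not $cert.HasPrivateKey) {
        'NO PRIVATE KEY'
    } elseif ($raw -match '[^0-9A-Fa-f]') {
        'MATCH, but config value contains non-hex characters'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Id       = $entry.GetAttribute('id')
        Thumb    = $thumb
        Store    = "$storeLocation\$storeName"
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Status   = $status
    }
}
$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Web Interface server; it changes nothing, so it can be rerun after restarting the service to confirm the entry now reports OK.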
A config file on the Web Interface server was still referencing the old SSL certificate thumbprint.
C:\Program Files (x86)\Citrix\DeliveryServices\ProtocolTransitionService\Citrix.DeliveryServices.ProtocolTransition.ServiceHost.exe.config
The Protocol Transition Service (PTS) is only used with NetScaler Gateway when using smart card authentication or SAML and the client requires a ticketed launch, that is, Kerberos Constrained Delegation is required.
Verified whether any changes were made to the environment recently. The only change reported in this case was updating an expired certificate.
Verified whether the correct certificate is bound to the IIS server and is in the proper key store in MMC.
Restarted the "Citrix Delivery Services Protocol Transition Service".
Examined the event logs:
Attempted to create a new Web Interface Site and received the following errors:
Examined the new SSL Certificate installed recently and noticed that the thumbprint did not match any of the errors encountered.