This article is intended for Citrix administrators and technical teams only.

Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

When trying to launch an application from and iOS device using the browser or the Citrix Receiver, the application will begin to launch, but then it will freeze at Starting Application. 

Note: The Application will not launch or error out no matter how long it stays in this state. 

Background

This issue occurs with iOS devices when enabling SSL and TLS protocols for encryption in your published applications properties, as shown in the following screen shot: 

In order for this to work you can either disable SSL & TLS or you can disable Session Reliability. 

Disable SSL and TLS

1. Open the AppCenter Management console.

2. Go to the Published Application Properties for the Application that is experiencing the issue.

3. Click Advanced > Client Options.

4. Uncheck the Enable SSL and TLS Protocols.

5. Click Apply to save the new settings. 

Disable Session Reliability – To disable Session Reliability you will need to explicitly disable it from StoreFront/Web Interface, as well as the XenApp policies: 

1. From the StoreFront Management console, click NetScaler Gateway > Secure Ticket Authority.

2. Uncheck enable session reliability.

3. Click OK to save your new settings.

Note: Propagate the changes to the rest of the StoreFront servers if necessary. 

Web Interface

1. From the Web Interface Management console, select the web site you want to change

2. Click Secure Access

3. Click next at the Specify Access Methods

4. Uncheck Enable session reliability

5. Click Next

6. Click Finish to save your new settings.

XenApp Policies

1. From within the AppCenter Management console select the Policies node to edit the farm policies.

2. Ensure that the Computer Policies tab is selected, then select the policy you intend to make the changes in.

3. Click Edit > Settings tab.

4. Select Session Reliability > Session reliability connections.

5. Click add.

6. Click Prohibited.

7. Click OK twice to save your new policy settings.

Note: To force the policy update right away run gpupdate /force

You can also confirm the policy applied by checking the following key in the registry of the XenApp server: 

Note: This should now be set to a Reg_DWord = 0

Problem Cause

The connection error happens in the initial SSL handshake between the iOS device and server. SSL connections will go through a handshake procedure, which is the function performMultiplexedSslClientHandshake in our code, and in this case, the function just returns: SSL_STATUS_X509ERROR_BAD_CERTIFICATE_CERT_NAME, which is a constant defined in the SSLSDK.

The main reason for this issue is that iOS Receivers do not currently support Session Reliability connections. Please refer to CTX104182 – Receiver - Client Feature Matrix.

Note: The NetScaler Gateway (by default unless disabled) attempts to broker the connection to the XenApp server over the Session Reliability port 2598. In a non-SSL relay configuration if the client does not support Session Reliability this connection can be re-negotiated over the non-SSL relay port 1494. However with SSL relay in play this re-negotiation cannot happen (This is due to the secure nature of the solution).  

• CTX104182 - Receiver - Client Feature Matrix

• CTX108439 - Archive: How to Disable Session Reliability through Web Interface

• CTX106463  - Troubleshooting ICA Session Performance

• Citrix eDocs - Maintaining Session Activity

• Citrix eDocs - Securing Client-Server Communications