Citrix Receiver for Windows– Troubleshooting Application or Desktop Launch Failures with TLS or DTLS

Citrix Receiver for Windows– Troubleshooting Application or Desktop Launch Failures with TLS or DTLS

book

Article ID: CTX235241

calendar_today

Updated On:

Description

This article is intended for Citrix administrators and technical teams only.
 
Non-admin users must contact their company's Help Desk/IT support team and can refer to CTX297149 for more information.
 

Overview

This article discusses error messages that may occur while launching TLS or DTLS encrypted sessions when using the Citrix Receiver for Windows 4.12 and describes the possible causes of each error message. It also provides troubleshooting steps for each issue. In addition, this article is intended for system administrators.

If these troubleshooting steps do not resolve your issue, please use a network tracing tool such as Wireshark to capture TLS and DTLS network traffic. TLS and DTLS network traffic should be captured at the client device, Citrix NetScaler Gateway, and VDA (if possible). Please be ready to supply this information to your Citrix support representative when requested.

Symptoms or Errors

When attempting to connect to an Application or Desktop using Citrix Receiver for Windows 4.12, you may see connection failures possible related to the new Crypto Kit updates.

To troubleshoot the issues, follow the next steps based on the error messages.

Error MessageSolution
“The published resource is not available currently. Please contact system administrator for further assistance”.
 
“The Citrix SSL Server you have selected is not accepting any connections”.
 
“SSL error 4: Operation completed successfully”.		Go to resolution 1
 
“Socket Operation on Non-socket”.Go to resolution 2
“SSLv3 alert handshake failure”.Go to resolution 3

Resolution

Resolution 1

If you receive one of the error messages below, while attempting to connect to an Application or Desktop using Citrix Receiver for Windows 4.12 via Citrix NetScaler Gateway. Please follow the instructions listed below.

Error Messages:

  • The published resource is not available currently. Please contact system administrator for further assistance.
  • The Citrix SSL Server you have selected is not accepting any connections.
  • SSL error 4: Operation completed successfully

Instructions

Please follow the below steps for configuring the required cipher suites on NetScaler Gateway

  1. Navigate to Configuration tab > Traffic Management > SSL and Select Change advanced SSL Settings.

  2. Check the box labelled ‘Enable Default Profile’ and select OK.
    User-added image

  3. Select Yes when the following prompt message appears.
    User-added image

  4. To verify if the Default profile was enabled, repeat step 1.
    User-added image

  5. Then, navigate to Configuration tab > System > Profiles > SSL Profile > Click on ns_default_ssl_profile_backend and Select Edit

  6. Under the SSL Ciphers section, click on the pencil to edit. Then, remove the DEFAULT_BACKEND option by clicking the ¬minus (¬–) symbol next to it.
    User-added image

  7. Click Add.
    User-added image

  8. Then, search for SHA2 and RSA options. Move them under Configured.
    User-added image

  9. First click OK, then Done to save the configuration.
    User-added image

Resolution 2

If you receive a “Socket Operation on Non-socket” error message while attempting to connect to an Application or Desktop using Citrix Receiver for Windows 4.12, this is because the configuration on the client and/or VDA is currently un-supported. For a supported matrix configuration, go to Receiver for Windows Crypto Kit Updates article.

Used case

For instance, if the setup has FIPS compliance mode enabled and the COM cipher set has been configured on the Client and VDA, session launch fails with Citrix Receiver for Windows 4.12 due to lack of common cipher suite. You can change the configuration to GOV or ANY on client and VDA to resolve the same.

Resolution 3

If you receive “SSLv3 alert handshake failure” error message, this is because certain deprecated RSA cipher suites have been explicitly disabled in Receiver. Some configurations still require these deprecated cipher suites.  You can re-enable these cipher suites using the Receiver Group Policy template as follows.

Instructions

  1. Open the Citrix Receiver GPO administrative template by running gpedit.msc

  2. Navigate to Administrative Templates > Citrix Components > Citrix Receiver > Network Routing > Deprecated Cipher Suites.
    User-added image

  3. Right-click on “Deprecated ciphers suites” and select Edit
    User-added image

  4. Select Enabled the policy and check the TLS_RSA_ option
    User-added image

  5. Click Apply. Then, Ok to save the configuration changes.

Issue/Introduction

"The published resource is not available currently. Please contact system administrator for further assistance”. “The Citrix SSL Server you have selected is not accepting any connections”. “SSL error 4: Operation completed successfully”. “Socket Operation on Non-socket”. “SSLv3 alert handshake failure”. “Protocol Driver error”. TLS v1.0, v1.1, v1.2, GOV, COM, GPO App Launch, Desktop Launch errors
Powered by Wolken Software