Posts Tagged ‘netscaler’

Recently I migrated from SafeWord to the Azure RADIUS NPS extension for Citrix NetScaler.

Web authentication worked fine; however, whenever you tried to activate the .cr file for Receiver, the error below was shown:

Error: "Cannot retrieve discovery document" when the Provisioning File is Run

The fix was to change the StoreFront NetScaler Gateway authentication setting from Domain and Security Token to just Domain.

  • Install a new NPS server (it cannot be an existing one, as the MFA extension will take over all existing RADIUS requests on that server, such as Wi-Fi!)
  • Install the Azure AD NPS plugin and enrol the server in Azure AD
  • Add a RADIUS client on the NPS server for the IP (VIP) of the NetScaler
  • Add the RADIUS server in Authentication: set the timeout to 10 seconds, set the password encoding to MSCHAPv2, and set the NAS ID to MFA
  • NPS server policies



Recently a client had the following come up in their StoreFront Event Viewer:

Failed to launch the resource ‘WTCITRIX.XenApp Desktop $S1-1’, unable to obtain a ticket from the configured Secure Ticket Authorities.


This is usually accompanied by an error on the Receiver end:

Connection to “Desktop” Failed with Status (Unknown client error 0)

Make sure your Citrix StoreFront is configured with the STA details in the NetScaler Gateway section (remember you only need the STA for remote users, for whom you would have to configure a NetScaler Gateway). The STA details need to be the same on both sides; also clear the DNS cache if you have recently updated a DNS record.

Similarly, check that the NetScaler itself is configured with the same STA details.


Open the NetScaler and generate an RSA key

Create a new RSA key

Create a new CSR

  • Request File Name: name.csr
  • Key Filename: the RSA key you just generated
  • Digest Method: SHA256
  • Use PEM and enter your company details

Once the CSR is created, download it, open it, and submit its contents to your certificate provider.

Download the new certificate from the provider in .PEM format.

Upload the new certificate under Certificates.

Install the certificate:

Certificate File Name is the one you uploaded from your provider (.pem).

Key File Name is the RSA key you generated at the start.

Install CA/intermediate certs

If the certificate requires any intermediate certs, upload these under Certificates, then install them.

Link the CA certificates with the new SSL certificate

Right-click the certificate you installed under Server Certificates and click Link, then choose the CA cert that matches its chain.


Change the SSL cert on the NetScaler virtual server and load balancer

Navigate to your virtual server.

Choose Server Certificate.

Add Binding.

Select your new certificate, then Select and Bind.

Repeat the step on the load balancer.

Make sure you SAVE THE CONFIG!

Test the chain using:



Use : to check your chain is correct:

or download and run the "DigiCert Certificate Utility", go to Tools, then Check Install.

Enter the URL and make sure it comes back with 2 certs: the top one should be your cert and there should be a root cert underneath.

If only one cert is coming back, go into your NetScaler, go to Configuration, Traffic Management, SSL, Certificates, Server Certificates, and link your SSL cert there to a root one by right-clicking it and choosing Link.
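The chain test referred to at the end of the certificate install steps and in the check above, written out as an added example (this is not the author's command or a Citrix tool): a POSIX shell script that pulls the certificates a gateway sends with openssl s_client -showcerts, counts them, and confirms that each certificate's issuer is the subject of the certificate that follows it, which is exactly what the Link step on the NetScaler is meant to produce. It assumes the openssl CLI is installed; host names, ports and file names are placeholders.

```shell
# Added example: chain check for a NetScaler Gateway vServer. Assumes the
# openssl CLI is available; hosts, ports and paths are placeholders.

# show_chain HOST [PORT]: print every certificate the server presents, in the
# order it sends them. The first block should be the server cert and each
# following block should be the issuer of the one before it.
show_chain() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# count_certs BUNDLE: number of PEM certificates in a file. A gateway that
# sends only one is missing the Link to its CA certificate.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_links BUNDLE: verify that certificate N's issuer is certificate N+1's
# subject for every adjacent pair. Returns 0 when every link matches and 1 on
# the first mismatch (the mismatch is described on stderr). This compares
# names only; "openssl verify -CAfile" does the cryptographic check.
check_links() {
  bundle=$1
  tmp=$(mktemp -d)
  # split the bundle into one file per certificate: cert1.pem, cert2.pem, ...
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/cert" n ".pem")}' "$bundle"
  total=$(count_certs "$bundle")
  i=1
  rc=0
  while [ "$i" -lt "$total" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert$j.pem" -noout -subject)
    # strip the "issuer=" / "subject=" prefixes before comparing
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "cert $i was issued by [${issuer#issuer=}] but cert $j is [${subject#subject=}]" >&2
      rc=1
      break
    fi
    i=$j
  done
  rm -rf "$tmp"
  return $rc
}

# check_gateway HOST [PORT]: fetch the chain from a live gateway and run both
# checks. Usage: check_gateway gateway.example.test 443
check_gateway() {
  bundle=$(mktemp)
  show_chain "$1" "$2" > "$bundle"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  echo "$1 sent $n certificate(s)"
  if [ "$n" -lt 2 ]; then
    echo "only the server certificate was sent; link it to its CA certificate on the NetScaler" >&2
    rm -f "$bundle"
    return 1
  fi
  check_links "$bundle"
  rc=$?
  rm -f "$bundle"
  return $rc
}
```

When check_gateway reports a single certificate, the fix is the Link step described above; when it reports two or more but check_links fails, the wrong CA certificate was linked (or the intermediate and the server cert were bound in the wrong order).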

A manual way

Export the .cer files for the certificate using Internet Explorer (run it as Administrator, otherwise Copy to File will be greyed out) and also the root CA for that cert.

Put these somewhere the Mac can access, like a Dropbox folder.

Install the certs into the Mac's keychain.


Download the .tgz upgrade file from here

Save your configuration first (remember this does not save automatically) and take a config backup.

If this is a virtual machine, take a snapshot/checkpoint.

Let's get started with the upgrade wizard:

NetScaler upgrade wizard

Select the location for the firmware file:

Next, verify that the licenses you have already installed will work with the new NetScaler version, and begin the upgrade.

NetScaler upgrade warning

The upgrade will take down the GUI first, then the NetScaler itself when it says rebooting.

Other key things to note: the upgrade has turned SSLv3 support back on on the Gateway vServer. However, it has also enabled support for TLSv1.1 and TLSv1.2, which was missing from the 8007.e release. Nice!




The new web interface will look like the below.

If you see a solid black screen after the upgrade, you will need to clear your browser cache or do a Ctrl+F5.

Double-check the SSL profile on your virtual server and make sure it's set to: ns_default_ssl_profile_frontend

With SSLv3 off and TLS 1.2 on, you can check via:
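The protocol check the sentence above leads into, as an added example rather than the author's own command: a POSIX shell script that attempts one handshake per protocol version with openssl s_client and reports which versions the gateway accepts, then confirms the state the upgrade notes above call for (SSLv3 refused, TLS 1.2 accepted). It assumes the openssl CLI is installed; the host, port and SNI name are placeholders.

```shell
# Added example: post-upgrade protocol probe for a Gateway vServer. Assumes the
# openssl CLI is available; host, port and SNI name are placeholders.

# probe_protocols HOST [PORT] [SNI]: try one handshake per protocol version and
# print "<version> accepted" or "<version> refused" for each. A version the
# local openssl no longer offers at all (for example -ssl3 on a modern build)
# fails the same way a server refusal does, so it is reported as refused.
probe_protocols() {
  host=$1; port=${2:-443}; sni=${3:-$1}
  for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "$host:$port" -servername "$sni" "-$v" </dev/null >/dev/null 2>&1; then
      echo "$v accepted"
    else
      echo "$v refused"
    fi
  done
}

# check_hardened HOST [PORT] [SNI]: 0 when SSLv3 is refused and TLS 1.2 is
# accepted, 1 otherwise. The upgrade notes above say SSLv3 came back on, so run
# this after every firmware upgrade, not just once.
# Usage: check_hardened gateway.example.test 443
check_hardened() {
  result=$(probe_protocols "$@")
  echo "$result"
  echo "$result" | grep -q '^ssl3 refused$' || return 1
  echo "$result" | grep -q '^tls1_2 accepted$' || return 1
}
```

The probe reports the client-side outcome of each handshake, so a version that shows as refused may be disabled on the gateway or simply unsupported by the local openssl build; for SSLv3 either answer is the one you want, and for TLS 1.2 only "accepted" is.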
