Recently a client had the following come up on their StoreFront Event Viewer
Failed to launch the resource ‘WTCITRIX.XenApp Desktop $S1-1’, unable to obtain a ticket from the configured Secure Ticket Authorities.
This is usually mimicked with an Error on the reciver end
Connection to “Desktop” Failed with Status (Unknown client error 0)
Make sure your Citrix StoreFront is configured with the STA details in the NetScaler Gateway section (remember you only need to use the STA in case of remote users, for which you would have to configure a NetScaler Gateway). They need to be the same also clear DNS cache if you have recently updated a DNS Record
Similarly the NetScaler itself is configured with the STA details.
When trying to Setup Citrix SAML , on redirect , the Netscaler showed
Matching policy not found while trying to process Assertion; Please contact your administrator
Navigate to your Virtual Server
Add a new Authentication
Choose SAML and Primary
Request File Name is name.csr
Key FileName is the RSA key you just generated
Digest Method : SHA 256
Use PEM and Enter Company Details
Once CSR Created , download and open this key and enter it into your Cert Provider.
Download the New Key as a .PEM format
Certificate File Name is the one you have uploaded from your provider ( .pem )
The Key File Name is the RSA Key you generated at the start
If the certificate requires any Intermediate certs, Upload these to Certificates, then install
Right Click on your certificate you have installed under following directory and click Link , choose the CA cert that matches its chain
Navigate to your Virtual Server
Choose Server Certificate
Add Binding
Select your new certificate . Select and Bind
Make sure you SAVE THE CONFIG!
Test the chain using : https://whatsmychaincert.com/
Use : https://whatsmychaincert.com/ to check your chain is correct :
or Download and Run the “Digicert Certificate Utility: and go to Tools , then Check Install
Enter the URL link and make sure the URL is coming back with 2 Certs , the top one should be your cert and there should be a Root Cert underneath
If one one cert if coming back , go into your Netscaler , Go to Configuration , Traffic Management , SSL , Certificates, Server Certificates and Link your SSL Cert there to a root one by right clicking and choosing Link
A manual way
Export the .cer files for the certificate using Internet Explorer ( Run as Administrator to Copy to file otherwise it will be greyed out ) and also the Root CA for that cert
Put these somewhere the Mac can access like a dropbox folder
Install the Certs to the Mac’s keychain
Download the .tgz upgrade file from here https://www.citrix.co.uk/downloads/netscaler-adc/firmware.html
Save your configuration first ( remember this does not save automatically ) and backup a config backup.
If this is a virtual machine do a snapshot / chekpoint
Let’s get started with the upgrade wizard:
select the location for the firmware file:
Next, verify the licenses you have already installed these will work with the new netscaler and begin the upgrade.\
The upgrade will take down the gui first , then after the netscaler when it says rebooting
Other key things to note – the upgrade has turned back on SSLv3 support on the Gateway vServer…however, it has enabled support for TLSv1.1 and TLSv1.2 which was missing from the 8007.e release. Nice!
The new web interface will look like below
If you see a solid black screen after upgrade you will need to delete your cache or do a CTRL and F5
Note
Double check the SSL Profile on your virtual server make sure it’s set to : ns_default_ssl_profile_frontend
With SSL3 off and TLS 1.2 on , you can check via : https://www.ssllabs.com/ssltest/
