Posts Tagged ‘netscaler’

Recently a client had the following come up in their StoreFront Event Viewer:

Failed to launch the resource ‘WTCITRIX.XenApp Desktop $S1-1’, unable to obtain a ticket from the configured Secure Ticket Authorities.

This is usually accompanied by an error on the Receiver end:

Connection to “Desktop” Failed with Status (Unknown client error 0)

Make sure your Citrix StoreFront is configured with the STA details in the NetScaler Gateway section (remember you only need the STA for remote users, for which you would have to configure a NetScaler Gateway). The STA entries on StoreFront and on the NetScaler need to match; also clear the DNS cache if you have recently updated a DNS record.

Similarly, make sure the NetScaler itself is configured with the same STA details.


When trying to set up Citrix SAML, on redirect the NetScaler showed:

Matching policy not found while trying to process Assertion; Please contact your administrator

Navigate to your Virtual Server

Add a new Authentication

Choose SAML and Primary

Leave Priority as 100

Open the NetScaler and generate an RSA key

Create a new RSA key

Create a new CSR

Request File Name is name.csr

Key File Name is the RSA key you just generated

Digest Method: SHA256

Use PEM and enter your company details

Once the CSR is created, download it, open it and paste its contents into your certificate provider's request form.

Download the new certificate from your provider in .PEM format

Upload the new certificate under Certificates

Install the Certificate

Certificate File Name is the one you have uploaded from your provider (.pem)

The Key File Name is the RSA key you generated at the start

Install CA/Intermediate certs

If the certificate requires any intermediate certs, upload these to Certificates, then install them

Link the CA Certificates with the new SSL Certificate

Right-click the certificate you have installed (under Server Certificates) and click Link, then choose the CA cert that matches its chain

Change the SSL Cert on the NetScaler Virtual Server and Load Balancer

Navigate to your Virtual Server

Choose Server Certificate

Add Binding

Select your new certificate, then Select and Bind

Repeat the step on the Load Balancer

 

Make sure you SAVE THE CONFIG!

Test the chain using: https://whatsmychaincert.com/

Use https://whatsmychaincert.com/ to check your chain is correct,

or download and run the “DigiCert Certificate Utility”, go to Tools, then Check Install.

Enter the URL and make sure it is coming back with 2 certs: the top one should be your cert and there should be a root cert underneath.

If only one cert is coming back, go into your NetScaler, go to Configuration, Traffic Management, SSL, Certificates, Server Certificates and link your SSL cert there to a root one by right-clicking and choosing Link.

A manual way

Export the .cer files for the certificate using Internet Explorer (run it as Administrator, otherwise Copy to File will be greyed out) and also the Root CA for that cert.

Put these somewhere the Mac can access, like a Dropbox folder.

Install the certs into the Mac’s keychain.


Download the .tgz upgrade file from here: https://www.citrix.co.uk/downloads/netscaler-adc/firmware.html

Save your configuration first (remember this does not save automatically) and take a config backup.

If this is a virtual machine, take a snapshot / checkpoint.

Let’s get started with the upgrade wizard:

NetScaler upgrade wizard

Select the location for the firmware file:

Firmware

Next, verify that the licenses you have already installed will work with the new NetScaler version, and begin the upgrade.

NetScaler upgrade warning

The upgrade will take down the GUI first, then the NetScaler itself when it says rebooting.

Other key things to note – the upgrade has turned back on SSLv3 support on the Gateway vServer…however, it has enabled support for TLSv1.1 and TLSv1.2, which was missing from the 8007.e release. Nice!

SSL TLS

The new web interface will look like below.

If you see a solid black screen after the upgrade you will need to clear your cache or do CTRL+F5.

Note

Double-check the SSL Profile on your virtual server and make sure it’s set to: ns_default_ssl_profile_frontend

With SSLv3 off and TLS 1.2 on, you can check via: https://www.ssllabs.com/ssltest/
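Two things these posts ask you to confirm by hand, the served chain (your cert with a CA cert underneath, per the chain-check post above) and the TLS version negotiated after the upgrade, can be checked from a shell with openssl. The script below is an added example and not from the original posts: it parses `openssl s_client -showcerts` output, `check_gateway` runs the live call, HOST is a placeholder for your gateway FQDN, and the embedded transcript is constructed with placeholder PEM bodies.

```shell
# Added example (not from the original posts): checks what a NetScaler
# vServer serves by parsing an `openssl s_client -showcerts` transcript.
# The parsing functions read the transcript from stdin so they can run
# offline; check_gateway wraps the live call. HOST is a placeholder.

# Number of certificates the server sent (server cert + any linked CA certs).
count_served_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true  # grep -c exits 1 on zero matches
}

# Protocol negotiated for the session, e.g. TLSv1.2 (from the SSL-Session block).
negotiated_protocol() {
  sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# The chain-check post expects at least two certs back: your cert with a
# CA cert underneath. One cert means the Link step on the NetScaler was missed.
chain_verdict() {
  if [ "$1" -lt 2 ]; then
    echo "INCOMPLETE: $1 cert served, link the CA/intermediate cert on the NetScaler"
  else
    echo "OK: $1 certs served"
  fi
}

# Live check (needs network and openssl). -tls1_2 forces a TLSv1.2 handshake,
# which the upgrade post says the new firmware now supports.
check_gateway() {
  host="$1"
  transcript=$(openssl s_client -connect "$host:443" -servername "$host" \
               -showcerts -tls1_2 </dev/null 2>/dev/null)
  chain_verdict "$(printf '%s\n' "$transcript" | count_served_certs)"
  echo "Negotiated: $(printf '%s\n' "$transcript" | negotiated_protocol)"
}

# Constructed sample transcript with placeholder PEM bodies (not real
# certificates) so the parsing can be exercised without a live gateway.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
...constructed placeholder for the server certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...constructed placeholder for the linked CA certificate...
-----END CERTIFICATE-----
SSL-Session:
    Protocol  : TLSv1.2'

chain_verdict "$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | count_served_certs)"
echo "Negotiated: $(printf '%s\n' "$SAMPLE_TRANSCRIPT" | negotiated_protocol)"
```

Run `check_gateway HOST` against the gateway after the Link step and again after the upgrade; an INCOMPLETE verdict is the same symptom the DigiCert utility reports as a single cert.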
