Problem
You attempt to log into your Citrix environment through a NetScaler VPX 1000 access gateway:
… but receive the following error:
Server Error
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permissions to view this directory or page using the credentials that you supplied.
Logging on to your Web Interface server shows the following event ID 18001 errors:
Site path: C:\inetpub\wwwroot\Citrix\XenAppExternal.
A communication error occurred while attempting to contact the Access Gateway authentication service at https://access.someDomain.com/CitrixAuthService/AuthService.asmx. Check that the authentication service is running. The message reported by the underlying platform was: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.. [Unique Log ID: 87cca4b]
For specific information about this message, see the Web Interface documentation at http://support.citrix.com/proddocs/topic/web-interface-impington/wi-log-messages-event-ids-hardwick.html.
Solution
One reason you may encounter this error when logging in through the NetScaler VPX 1000 is that the certificate installed on the appliance was issued by a certificate authority that your web servers do not trust. In this example, the certificate on the NetScaler chains to QuoVadis Root CA 2 through an intermediate issuing CA, QuoVadis Global SSL ICA:
As shown in the Local Computer certificate store of the web server, the QuoVadis Root CA 2 certificate is in Trusted Root Certification Authorities, but the QuoVadis Global SSL ICA certificate isn’t:
The solution is simply to obtain the certificate that is missing from your Local Computer’s Trusted Root Certification Authorities store and import it:
Copy the certificate text, open Notepad, paste the content and save it as a .PEM file.
Proceed with importing it into your Local Computer’s Trusted Root Certification Authorities store:
If you have more than one Web Interface server, import the same certificate on the other nodes. A restart of the servers or the NetScaler is not necessary, so once the certificates are imported, test the login again and you should be able to log in.
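To confirm the diagnosis before importing anything, and to re-check each node afterwards, you can rebuild the gateway's certificate chain from the Local Computer stores on the Web Interface server. The PowerShell below is an added example, not part of the original post; the default host name is the one from the event text above, and the parameter names are assumptions.

```powershell
# Added example, not from the original post. Run on the Web Interface server.
# The default host is the one in the event text above; pass your gateway FQDN.
param(
    [string]$GatewayHost = 'access.someDomain.com',
    [int]$Port = 443
)
$ErrorActionPreference = 'Stop'

# Fetch the certificate the gateway presents. The callback accepts any
# certificate only so the handshake completes; no data is sent afterwards.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($GatewayHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Rebuild the chain from the Local Computer stores (machine context), which is
# what the IIS-hosted Web Interface site relies on. Revocation checking is
# skipped so the result reflects trust only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)

# One entry per certificate found; the last entry's Issuer is the next CA needed.
$chain.ChainElements | ForEach-Object {
    $status = ($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    New-Object PSObject -Property @{
        Subject = $_.Certificate.Subject
        Issuer  = $_.Certificate.Issuer
        Status  = $(if ($status) { $status } else { 'OK' })
    }
} | Format-List Subject, Issuer, Status

if ($trusted) {
    "Chain for $GatewayHost builds to a trusted root on this server."
} else {
    "Chain for $GatewayHost is NOT trusted: " +
        (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
}
```

A `PartialChain` status with only the gateway's own certificate listed means the issuing CA named in its Issuer field could not be found on this server.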
1 comment:
Please also make sure to enable TLS 1.0 because Web Interface 5.4 only supports the 1.0 version of TLS and not TLS 1.1 or TLS 1.2
Source: https://support.citrix.com/article/CTX206416