Logging onto Citrix NetScaler VPX 1000 access gateway throws the error: “401 - Unauthorized: Access is denied due to invalid credentials.”

Problem

You attempt to log into your Citrix environment through a NetScaler VPX 1000 access gateway:

… but receive the following error:

Server Error

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permissions to view this directory or page using the credentials that you supplied.

Logging onto your web interface server shows the following event ID 18001 errors logged:

Site path: C:\inetpub\wwwroot\Citrix\XenAppExternal.

A communication error occurred while attempting to contact the Access Gateway authentication service at https://access.someDomain.com/CitrixAuthService/AuthService.asmx. Check that the authentication service is running. The message reported by the underlying platform was: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.. [Unique Log ID: 87cca4b]

For specific information about this message, see the Web Interface documentation at http://support.citrix.com/proddocs/topic/web-interface-impington/wi-log-messages-event-ids-hardwick.html.

Solution

One of the reasons why you may encounter this error when logging through the NetScaler VPX 1000 is because the certificate you’re using with the appliance (the NetScaler VPX 1000) is issued by certificate authority that your web servers does not trust.  In this example, the issuing certificate authority for the certificate on the NetScaler is issued by QuoVadis Root CA 2 followed by an intermediate issuing CA QuoVadis Global SSL ICA:

As shown in the Local Computer certificate store of the web server, the certificate QuoVadis Root CA 2 is in the Trusted Root Certification Authorities but the certificate QuoVadis Global SSL ICA isn’t:

The solution is to simply obtain the certificate you don’t have in your Local Computer’s Trusted Root Certification Authorities and import it:

Copy and paste the certificate, open up notepad, paste the content and save it as a .PEM file:

-----BEGIN CERTIFICATE-----

MIIFTjCCAzagAwIBAgICBXowDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x

GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv

b3QgQ0EgMjAeFw0wNzAxMTIxNjEzMzNaFw0xNzAxMTIxNjEzMTFaMGsxCzAJBgNV

BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR8wHQYDVQQLExZ3d3cu

cXVvdmFkaXNnbG9iYWwuY29tMSAwHgYDVQQDExdRdW9WYWRpcyBHbG9iYWwgU1NM

IElDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKk1mD/CiG1+aGcM

xI7LJL0x4qQpmljkCt1BFL1oaoyuFW4l0GKVTNPFsJ6w4a7pLejG1uQJgeRmKy8n

xm12NXgIshfqBvTqVFAcuGViwCreo5S+oZWlLxTIYRVJZB3OujED5IyXVibMLR7g

xWwcXS2BCSNDUnCAN2x+sGHSR9o4sGTbiYFMZPWZfOc0rIbWtms/cUSVfqneyRGN

WgoIvKPdT2vGvf70RpszxqjEEBLT2A1F2QwM/BxgxylzyelGCN6qVDJrE2rP1KRq

AN+qiV7kK9MphZ9RYRkjtHE3qNkIxTi4KLy/FBWCy9abwK7t8+AGP6y+N8Oxf7Ed

9AU37VcCAwEAAaOCASAwggEcMA8GA1UdEwEB/wQFMAMBAf8wOgYIKwYBBQUHAQEE

LjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5xdW92YWRpc2dsb2JhbC5jb20w

QgYDVR0gBDswOTA3BgRVHSAAMC8wLQYIKwYBBQUHAgEWIWh0dHA6Ly93d3cucXVv

dmFkaXNnbG9iYWwuY29tL2NwczAOBgNVHQ8BAf8EBAMCAQYwHwYDVR0jBBgwFoAU

GoRivEhMMyUE1O7Q9gPEGUbRlGswOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2Ny

bC5xdW92YWRpc2dsb2JhbC5jb20vcXZyY2EyLmNybDAdBgNVHQ4EFgQUMk2hT+rw

rpm27psHLIQIEVCL4n4wDQYJKoZIhvcNAQEFBQADggIBAI5zWxH+LIAvrc/dYIWZ

8zHozDuc1kbd7IaiSgjJCZwNo1vMSLbNfgPg7XIoTDJ903URzDUWh4l8/XncwRil

rRafR23N/iFkM+NF+LoABd9qpF/oAmOGuJ6GwPUf/yhioc8nQ/WXuMVF4/OTdvGF

0QRsk7rivttpGx2aQhGBwO39ft4cySvXToNsBjH4VWcduEooZDg6plIec8S2zrFA

dXvxSgz/sV41QHwyUokTxEY1UoXF9aA5VeGLKIkC1NasTyy26bzuOYOKxgqRUXIu

n6M+CdWiKKJWVi3rBpbnFQWSrsotp4jeQn9zBuovTR0OOijTBWHj9ThxrIG5pb4g

Nmd03/NZDe5l3ja59+UtBUpfCbdqPCCZSUy7t6PLAoDo5JwQKCEOrmNpwD/207GP

2WMo77wh5/mvJRJMFfEZ+CwQXk5LPXXU7EJr+7PYpJB67hryxts1I6FJI0AF3ET9

3YZ4sgEK009h6bdeZbIOvcT4e0v33EAJggFtxU/5xRdtk/PmwxBjSxeg+jBK2xeH

3TScxc6nNvtcw22Lds5GucMsoxmpblYV1adrowg3twQvSXQZ96jzyT3qfmk09M+e

bBTqd3GFwZcJNaQigOw8EQHQtjJm9Zco7FtJ+SxEqcQYFJ+M7QZz+0wWCPwlflMo

7aGlYILpWH4iR3ZhuH/3xMkx

-----END CERTIFICATE-----

Proceed with importing it into your Local Computer’s Trusted Root Certification Authorities store:

If you have more than one web interface servers, import the same certificate to the other nodes.  A restart of the servers or NetScaler is not necessary so once you have the certificates imported, test the login again and you should be able to log in: