
7.12 -> VDA SSL -> The Citrix ICA Transport Driver received SSL initialization error 0xc0000241

Started by Torsten Streng , 13 March 2017 - 09:30 AM
19 replies to this topic

Best Answer Kishore Kunisetty , 05 April 2017 - 03:28 PM

I've tested now with NetScaler. It's not working, neither with IE11 nor with Firefox ESR 45.8

That means the only working way is currently directly to StoreFront with IE11.

Please try applying the ciphers as suggested in https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/tls.html to the 2012 R2 OS VDA machine, then try the session launch via the IE 11 browser through NetScaler (refer to the snippet of the info from that page).

 

Once the session launch works when using the IE 11 browser via NetScaler, please try using Firefox ESR 45.8 also through NetScaler and share the result.

 

Using the Group Policy Editor, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. Select the following order:
 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

 

Thanks

Kishore

Torsten Streng Members

Torsten Streng
  • 12 posts

Posted 13 March 2017 - 09:30 AM

Hello,

 

I want to use the HTML 5 Receiver and tried to activate SSL on the VDA. Unfortunately it's not working for Windows Server 2012 R2.

 

All requirements are in place. I have one machine catalog and delivery group for a 2008 R2 server and the same for a 2012 R2 server.

 

For 2008 R2:

 

Standard Receiver --> SSL working

HTML 5 Receiver --> SSL working

 

For 2012 R2:

 

Standard Receiver --> SSL working

HTML 5 Receiver --> SSL not working (Event ID 1014: The Citrix ICA Transport Driver received SSL initialization error 0xc0000241)

 

A Citrix case is already opened and a GTM with an expert is done. He agreed that the configuration itself is correct. Now they want a lot of traces, incl. Wireshark.

 

On the StoreFront servers we had to disable TLSv1.2 because the NetScaler 11.1 is not able to initialize the SSL handshake when it's enabled. For this we have another case open. But it will also not work when trying directly (modified Firefox) without the NetScaler.

 

An idea?



Kishore Kunisetty Citrix Employees

Kishore Kunisetty
  • 385 posts

Posted 13 March 2017 - 02:11 PM

Hello,

 

I want to use the HTML 5 Receiver and tried to activate SSL on the VDA. Unfortunately it's not working for Windows Server 2012 R2.

 

All requirements are in place. I have one machine catalog and delivery group for a 2008 R2 server and the same for a 2012 R2 server.

 

For 2008 R2:

 

Standard Receiver --> SSL working

HTML 5 Receiver --> SSL working

 

For 2012 R2:

 

Standard Receiver --> SSL working

HTML 5 Receiver --> SSL not working (Event ID 1014: The Citrix ICA Transport Driver received SSL initialization error 0xc0000241)

 

A Citrix case is already opened and a GTM with an expert is done. He agreed that the configuration itself is correct. Now they want a lot of traces, incl. Wireshark.

 

On the StoreFront servers we had to disable TLSv1.2 because the NetScaler 11.1 is not able to initialize the SSL handshake when it's enabled. For this we have another case open. But it will also not work when trying directly (modified Firefox) without the NetScaler.

 

An idea?

Can you provide your case ID?

 

What version of NetScaler 11.1 do you have in your setup?



Torsten Streng Members

Torsten Streng
  • 12 posts

Posted 15 March 2017 - 08:36 AM

Hi Kishore,

 

It's NS11.1 Build 51.21nc but it's also not working without NS.

 

Case ID is SR#72343379

 

Additional cases:

 

SR#72283762 - [NS11.1: Build 51.21nc] Event ID 36888: A fatal alert was generated and sent to the remote endpoint. [...] fatal error code is 40. [...] Schannel error state is 1205 --> This case was closed without solution and opened a new one 72353142

 

SR#72353142 - TLSv1.2 not working on Storefront --> This case was closed without solution for a new case 72351715

 

SR#72351715 - Schannel TLS error



Kishore Kunisetty Citrix Employees

Kishore Kunisetty
  • 385 posts

Posted 15 March 2017 - 10:43 AM



Hi Kishore,

 

It's NS11.1 Build 51.21nc but it's also not working without NS.

 

Case ID is SR#72343379

 

Additional cases:

 

SR#72283762 - [NS11.1: Build 51.21nc] Event ID 36888: A fatal alert was generated and sent to the remote endpoint. [...] fatal error code is 40. [...] Schannel error state is 1205 --> This case was closed without solution and opened a new one 72353142

 

SR#72353142 - TLSv1.2 not working on Storefront --> This case was closed without solution for a new case 72351715

 

SR#72351715 - Schannel TLS error

 

For the issue when not using NS (direct access and session launch via HTML Receiver case), can you please confirm which option was used in your setup while enabling SSL on the VDA (i.e., COM, GOV or ALL)?

 

Are you using the default SSL port 443 or a custom port?

 

Also, would you be able to open the browser debugging tools, capture the trace when using HTML Receiver, and share it along with the HTML Receiver logs?

 

Thanks

Kishore



Torsten Streng Members

Torsten Streng
  • 12 posts

Posted 15 March 2017 - 03:21 PM

SSL was enabled without any specific option. Default port 443 is used.

 

What debugging tools do you mean? Chrome is forbidden. I already uploaded CDF traces to Citrix support. A HTMLReceiver log will not be generated.



Kishore Kunisetty Citrix Employees

Kishore Kunisetty
  • 385 posts

Posted 15 March 2017 - 04:36 PM

SSL was enabled without any specific option. Default port 443 is used.

 

What debugging tools do you mean? Chrome is forbidden. I already uploaded CDF traces to Citrix support. A HTMLReceiver log will not be generated.

http://docs.citrix.com/en-us/receiver/html5/2-3/user-experience.html

 

Can you grab the htmlreceiver logs for your session launch issue when connected via chrome browser without Netscaler Gateway?

 
Also, you can get the browser debugging tools using F12 or developer tools when the session launch is attempted within that tab (before you see the error), for example.
 
There is some info in the troubleshooting connections section on the blog @ https://www.citrix.com/blogs/2015/07/08/receiver-internals-how-receiver-for-html5-chrome-connections-work/
 
Sorry I could not spot the traces in your case since you have few of these cases.
 
Thanks
Kishore


Torsten Streng Members

Torsten Streng
  • 12 posts

Posted 16 March 2017 - 08:25 AM

 

Yes I know this link. But a log will not be generated. It does also not work.

 

 

Can you grab the htmlreceiver logs for your session launch issue when connected via chrome browser without Netscaler Gateway?

 

No. As I already wrote, Chrome is not allowed.

 

 

 

Also, you can get the browser debugging tools using F12 or developer tools when the session launch is attempted within that tab (before you see the error), for example.

 

I tried already with Fiddler. But I found nothing that would help.

 

 

 

There is some info in the troubleshooting connections section on the blog @ https://www.citrix.com/blogs/2015/07/08/receiver-internals-how-receiver-for-html5-chrome-connections-work/

 

 

I already know this blog too. Thanks.



Thomas Niedermeier Members

Thomas Niedermeier
  • 26 posts

Posted 01 April 2017 - 05:41 PM

Did you solve the problem? I have the same problem.

 

SSL on the VDA and DC enabled.

 

Receiver working

HTML5 gives error on VDA-Server - The Citrix ICA Transport Driver received SSL initialization error 0xc0000241.

 

Running XenDesktop 7.12 with VDA on Win 2016 and Storefront 3.9.



Kishore Kunisetty Citrix Employees

Kishore Kunisetty
  • 385 posts

Posted 01 April 2017 - 06:34 PM

Did you solve the problem? I have the same problem.

 

SSL on the VDA and DC enabled.

 

Receiver working

HTML5 gives error on VDA-Server - The Citrix ICA Transport Driver received SSL initialization error 0xc0000241.

 

Running XenDesktop 7.12 with VDA on Win 2016 and Storefront 3.9.

 

Please follow the info on the https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/tls.html page and ensure you have applied the required cipher changes.

 

Thanks

Kishore



Torsten Streng Members
  • #10

Torsten Streng
  • 12 posts

Posted 03 April 2017 - 06:41 AM

Did you solve the problem? I have the same problem.

 

SSL on the VDA and DC enabled.

 

Receiver working

HTML5 gives error on VDA-Server - The Citrix ICA Transport Driver received SSL initialization error 0xc0000241.

 

Running XenDesktop 7.12 with VDA on Win 2016 and Storefront 3.9.

 

It seems that it's just the case when using Firefox ESR 45.8. With IE11 it's currently working for me.



Kishore Kunisetty Citrix Employees
  • #11

Kishore Kunisetty
  • 385 posts

Posted 03 April 2017 - 02:25 PM

It seems that it's just the case when using Firefox ESR 45.8. With IE11 it's currently working for me.

So do you see this failing with above with Firefox ESR 45.8 but it works with IE 11 to the same VDA from the same client machine?

 

Thanks

Kishore



Kishore Kunisetty Citrix Employees
  • #12

Kishore Kunisetty
  • 385 posts

Posted 03 April 2017 - 03:18 PM

So do you see this failing with above with Firefox ESR 45.8 but it works with IE 11 to the same VDA from the same client machine?

 

Thanks

Kishore

Are you using this via NetScaler, or are you seeing this without NetScaler with Firefox ESR 45.8?



Torsten Streng Members
  • #13

Torsten Streng
  • 12 posts

Posted 04 April 2017 - 08:26 AM

Not tested again with NetScaler till now.



Kishore Kunisetty Citrix Employees
  • #14

Kishore Kunisetty
  • 385 posts

Posted 04 April 2017 - 11:59 AM

Not tested again with NetScaler till now.

 

Thanks for clarifying that this is via internal access and not via NetScaler.



Torsten Streng Members
  • #15

Torsten Streng
  • 12 posts

Posted 04 April 2017 - 12:11 PM

???

 

I haven't tested this again till now. That doesn't mean that it's working via NetScaler.



Kishore Kunisetty Citrix Employees
  • #16

Kishore Kunisetty
  • 385 posts

Posted 04 April 2017 - 12:19 PM

Sorry, you might have misunderstood; I did not mean to say above that you are seeing this working via NetScaler.

 

I was trying to understand that you tried via internal access (without using NetScaler) with Firefox ESR 45.8 - you are not seeing this working, whereas if you try using Internet Explorer 11 (without using NetScaler) - the same works.

 

And you have not tried via NetScaler with IE 11 or with Firefox ESR 45.8.

 

Thanks

Kishore



Torsten Streng Members
  • #17

Torsten Streng
  • 12 posts

Posted 05 April 2017 - 02:09 PM

I've tested now with NetScaler. It's not working, neither with IE11 nor with Firefox ESR 45.8

That means the only working way is currently directly to StoreFront with IE11.



Kishore Kunisetty Citrix Employees
  • #18

Kishore Kunisetty
  • 385 posts

Posted 05 April 2017 - 03:28 PM

I've tested now with NetScaler. It's not working, neither with IE11 nor with Firefox ESR 45.8

That means the only working way is currently directly to StoreFront with IE11.

Please try applying the ciphers as suggested in https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/tls.html to the 2012 R2 OS VDA machine, then try the session launch via the IE 11 browser through NetScaler (refer to the snippet of the info from that page).

 

Once the session launch works when using the IE 11 browser via NetScaler, please try using Firefox ESR 45.8 also through NetScaler and share the result.

 

Using the Group Policy Editor, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. Select the following order:
 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

 

Thanks

Kishore


Best Answer

Torsten Streng Members
  • #19

Torsten Streng
  • 12 posts

Posted 11 April 2017 - 08:48 AM

Please try applying the ciphers as suggested in https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/tls.html to the 2012 R2 OS VDA machine, then try the session launch via the IE 11 browser through NetScaler (refer to the snippet of the info from that page).

 

Once the session launch works when using the IE 11 browser via NetScaler, please try using Firefox ESR 45.8 also through NetScaler and share the result.

 

Using the Group Policy Editor, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. Select the following order:
 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

 

Thanks

Kishore

 

Hello Kishore,

 

That's it! When configuring the cipher order as described it's working.

 

Thanks.



Torsten Streng Members
  • #20

Torsten Streng
  • 12 posts

Posted 11 April 2017 - 08:50 AM

That's it. Correct Cipher order solved the problem. Thanks.
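
A check for the fix confirmed above, as an added example that is not part of the thread and not Citrix code: it reads the value that the SSL Cipher Suite Order policy writes to the registry on the VDA and compares it with the order from the accepted answer. The function name and the fallback sample string are constructed for illustration; the RC4 and 3DES entries are reported separately so that keeping these legacy suites is a deliberate choice.

```powershell
# Added example, not Citrix code. Requires PowerShell 3.0+ (2012 R2 ships 4.0).
# Expected order copied from the accepted answer in this thread.
$Expected = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256'
    'TLS_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_RC4_128_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

function Compare-CipherSuiteOrder {   # hypothetical helper name
    param([string[]]$Configured, [string[]]$Expected)
    $missing = @($Expected   | Where-Object { $Configured -notcontains $_ })
    $extra   = @($Configured | Where-Object { $Expected   -notcontains $_ })
    # Compare the relative order of the suites present in both lists.
    $have = @($Configured | Where-Object { $Expected   -contains $_ }) -join ','
    $want = @($Expected   | Where-Object { $Configured -contains $_ }) -join ','
    [pscustomobject]@{
        OrderMatches = ($missing.Count -eq 0) -and ($have -eq $want)
        Missing      = $missing
        Extra        = $extra
        Legacy       = @($Configured | Where-Object { $_ -match 'RC4|3DES' })
    }
}

# Registry location written by the "SSL Cipher Suite Order" policy.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$raw = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
if (-not $raw) {
    # Constructed sample (policy not set on this host): wrong order, most suites missing.
    $raw = 'TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_RSA_WITH_RC4_128_SHA'
}
# Accept either a comma-separated string or a multi-string value.
$configured = @(@($raw) -join ',' -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
Compare-CipherSuiteOrder -Configured $configured -Expected $Expected | Format-List
```

Schannel applies a changed cipher suite order at the next boot, so restart the VDA after the policy refresh before retesting the HTML5 session launch.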