Windows Citrix Workspace App - Unable to add account with the given server URL.

[Jeffrey Faulstich]

Recently, we migrated from a Citrix ADC VPX 13.0-67.43 to a Citrix ADC VPX13.1-17.42.nc and are running into issues with the Windows Citrix Workspace app (various versions including 22,4,1.62 (2204.1).  When a user attempts to use the Server URL at the "Welcome to Citrix Workspace" the Citrix ADC Gateway Login Form loads and is able to go through the CAPTCHA and then Login Form with Native OTP.  Once seems like it should complete a successful login the popup embedded browser window kicks back and work, the Citrix Workspace App simply returns:

Quote

Unable to add account with the given server URL.  Ensure that it is correct or enter your email address.

 

 

If the Windows Client uses the HTML5 Citrix ADC Login from their Web Browser they are able to log into the ADC and get to the vApp and vDesktops without issues using the same URL.

 

The frustrating part is the Chromebook Google Admin Extension for Citrix Workspace JSON settings stayed the same and the Chromebooks have no issues whatsoever with the updated Citrix ADC VPX.

 

For you to be able to review, I'll use an example URL of https://adc.example.com which is of course NOT a my Citrix ADC and is not a real.

Example Google Admin "Citrix Workspace" (haiffjcadagjlijoggckpgfnoeiflnem) Extension settings.

Allowed hosts:

https://adc.example.com

 

Policy for extension:

{
    "settings": {
        "Value": {
            "settings_version": "1.0",
            "store_settings": {
                "name": "Example Citrix Gateway",
                "gateways": [{
                    "url": "https://adc.example.com",
                    "is_default": true
                }],
                "rf_web": {
                    "url": "https://adc.example.com"
                }
            }
        }
    }
}

 

When using the Windows Citrix Workspace app "Log Collection" in "Verbose" mode I'm not even finding the URL in any of the files generated when capturing while attempting the "Welcome to Citrix Workspace" attempt.  To me it seems like the "Citrix Workspace" app uses an embedded default web browser window and then is somehow not able to capture what is going on.

 

Any insight on where to look to properly debug the connection attempt would be greatly appreciated.

[Jeffrey Faulstich]

Ends up the Session Policy / Profile that was expected to be firing was NOT being used.

 

SSH in to ADC NSIP:

 

shell

 

nsconmsg -d current -g _hits | grep -i {%Session_Policy_CitrixReceiver_Name%}

{%Session_Policy_CitrixReciever_Name%} = The Session Policy Name on the ADC Citrix Gateway Virtual Server.

 

The Session Policy Expression had been using

Expression:  HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.BODY(1000).AFTER_STR("domain=").BEFORE_STR("&").EQ("{%DOMAINNAME%}")

 

Where {%DOMAINNAME%} = The SELECT Value of the Domain from the Citrix Gateway Schema with Domain XML in Domain Short Name Syntax (not FQDN).

 

This HTML5 (Non-CitrixReceiver) Policy Expression works without issues.

HTML5 Expression: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT && HTTP.REQ.BODY(1000).AFTER_STR("domain=").BEFORE_STR("&").EQ("{%DOMAINNAME%}")

 

While testing with Citrix Support, we found the Chromebook Citrix Workspace Extension (haiffjcadagjlijoggckpgfnoeiflnem) is not triggering the HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") and is therefore using the HTML5 Expression.  This surprised the Citrix Support Representative and me as we both thought the Citrix Workspace Extension on a Chromebook was truly a Citrix Workspace/Receiver and using the same User Agent string.

 

In order to resolve the Windows Citrix Workspace Receiver issue the Expression had be updated to use some AAA.USER options along with ensuring the LDAP Action used the "Default Authentication Group" with an UPPERSCASE Fully-Qualified Domain Name of the User's Domain.  

 

Example working CitrixReceiver Expression: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && AAA.USER.GROUPS.CONTAINS("{%FQDN_OF_DOMAIN%}") 

 

{%FQDN_OF_DOMAIN%} = The UPPERCASE Fully Qualified Domain Name of the Domain the user is a member of.  I used the FQDN of the Domains as they of course include the period characters and are not then Groups Names that would exist in the extracted Active Directory Group Names.

 

The Citrix Receiver Session Profile of course then uses the Published Applications "Single Sign-on Domain" value for each of these Domains respectively.  Which I'm using the Domain SHORTNAME as I found this is to be the NetBIOS name which would not be the FQDN of the domain (see Citrix Reference: https://docs.citrix.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-gateway-session-policies-for-storefront.html ).  This also works nicely in that I can tell the difference from the "Default Authentication Group" and the SELECT "domain" value as well.

 

Hopefully, this info will help out someone else as this was definitely annoying.

[Jeffrey Faulstich]

The Windows Client can use their Web Browser to the same URL to Login if they use the Citrix Workspace "Already installed" option it loads without issues using Citrix Workspace.  The Windows Citrix Workspace App can't handle the registration of the URL which seems really silly as it appears to use an embedded default browser window to load the login screen and continue.

 

Sadly, nothing is being logged that I can find in the Client, ADC or StoreFront that would clue me in as to why this is occurring.  Any thoughts on how to resolve or where to look would be appreciated.

 

Thx!

Edited May 5, 2022 by Jeffrey Faulstich
Improve description

[Jeffrey Faulstich]

At this point I've been working with Citrix Support for a few days.  We're still exploring the support logs and process captures to see what is causing this.

[Le Anh Khoa]

On 5/13/2022 at 11:38 PM, Jeffrey Faulstich said:

At this point I've been working with Citrix Support for a few days.  We're still exploring the support logs and process captures to see what is causing this.

I have same issue. Have you find solution for it?

[Jeffrey Faulstich]

On 5/20/2022 at 12:23 AM, Le Anh Khoa said:

I have same issue. Have you find solution for it?

So far, I have a Case open with Citrix Support where they have downloaded the Support Files, Traces, etc.  So far they haven't been able to give me any way of debugging the client that would specifically capture what is occurring at this point to trigger the issue.  One thing that is possibly an issue is this ADC is setup with a multi-domain configuration where the Authentication is all in the "Authentication Profile" with an "nFactor Flow" to handle the separation of Domains with custom SELECT Domain Input (based on their example XML Domain resource).  From everything I'm seeing a Citrix Gateway Virtual VPN Server Basic or Advanced Authentication is expected so the Anonymous to the Login Form and using the Authentication Profile appears to not be a Standard configuration.  I've been trying to get a straight answer on if using the "Authentication Profile" in this way is supported, but it hasn't been forthcoming (whether lost in translation or they do not think this is the issue and are trying to not get side-tracked).

[Daniel Onyando]

Experiencing the same issue, was there any update on how to resolve this?

Works if I switch theme to default or X1.

[Johann Van Antwerpen]

Also have a customer with the same issue as listed above, has there been any further developments or feedback from Citrix in this regard?