Citrix Unknown Client Error 0

[Cameron Fluet]

Alist containing the majority of Internet Explorer, Firefox and Chrome related support articles collated to make this page a one stop place for you to search for and find information regarding any issues you have with the product and its related dependencies.

There is a search box that you can use if looking for a specific fault. For example if you have an error code or error message, use that to perform a search. You can also use your browsers search feature which will perform a search against the whole page based on the words you enter.

wdt_ID Brief Description of Issue Brief Description of Fix Applicable Product Versions Affected (if known) Link to supplemental Support Article(s) 1 When launching a published desktop you may receive "Unknown Client Error 1110". This only seems to happen when launching the desktop from Firefox. What happens is Receiver is re-using an .ica file from the previous session. As a workaround you could save the ICA file to disk every time prior to launching it or delete the previous ICA files from temporary folders. A fix for this issue will be released in Receiver for Windows 4.11. Mozilla Firefox. 13 Workspace Control reconnects to only one application session instead of all the disconnected sessions. This issue currently exists when using Chrome to access Receiver for Web. You must manually click on each disconnected application. Citrix StoreFront 3.12 and Google Chrome. 2 If you log on to SharePoint 2013 through Clientless VPN, you cannot use Internet Explorer to open a Word ".doc" document. This is a known issue. Use Firefox or Chrome. NetScaler 11.1.53.11 and still exists in 12.0.53.6 (August 2017). 3 If you log on to SharePoint through Clientless Access, you cannot add a new item to the calendar if using Internet Explorer. Use Firefox or Chrome. NetScaler 12.0.41.16. 4 When using Firefox v51 and later, the NetScaler EPA and VPN plugins do not launch. This is due to Firefox dropping NPAPI plugin support. This has now been resolved in NetScaler 12.0.51.24. 5 Citrix Receiver can not be detected when browsing to the NetScaler Gateway portal and using the latest versions of Firefox. Firefox dropped support for NPAPI plugins which causes this issue. This is now resolved in NetScaler 11.1.55.10 and 12.0.51.24 builds. 6 EPA scans fail occasionally with Safari or Firefox web browsers and display error "3006". Install the NetScaler Gateway plug-in on the client machines before EPA scans are performed. 7 Unable to launch applications from NetScaler Gateway using Google Chrome if "Client Selective Trust (CST)" is enabled. This is a known issue. Follow the steps from the CTX article to configure Google Chrome so that you can access resources via NetScaler Gateway with CST enabled. Google Chrome. 8 After switching off Client Choices, users are still asked to make a selection. This was an issue with Internet Explorer Enterprise Mode. 9 Internet Explorer 8 does not display the NetScaler Gateway portal correctly when the portal theme is set to "Default", "Greenbubble" or "X1". This is a known issue and a bug "ID 669942" is currently open. table.wpDataTable table-layout: fixed !important; table.wpDataTable td, table.wpDataTable th white-space: normal !important; table.wpDataTable td.numdata text-align: right !important;

This is a section of my latest eBook, but I figured that it could be more useful as a blog-section which people could reference if needed and also makes it easier for me to update when new stuff appers to give a simple resolution for known errors.

This is often the case if Storefront cannot talk back with the callback URL which is listed under Manage NetScaler Gateways Edit NetScaler Gateway Authentication Settings Callback URL. Make sure that this URL is accessible from the Storefront server. If this is not possible because of network segmentation. You can deploy a dummy NetScaler Gateway VIP in the internal network.

If you note that you have an error in Event viewer stating that Failed to run discovery this is most likely the case if you have not configured the use of a proper SSL certificate under the IIS administration console of the Storefront server.

You can also notice an error in event viewer of the storefront server under Application and Services Logs -> Citrix Delivery Services. That states, A request was sent to service that was detected as passing through a gateway, but none of these matched the request.

This is typically the case if the NetScaler Gateway URL is configured wrongly. Since this URL needs to be the same as what the end-users are using, in case Storefront will not trust the incoming request and therefore ignore authentication attempts.

This might be that we have an STA server that is down, in which Storefront tries to communicate with or that we have configured the wrong STA server under NetScaler Gateway appliances in Storefront. This can be checked under Manage NetScaler Gateways Edit NetScaler Gateway Secure Ticket Authority.

When logging in you get an error message stating that login exceeds maximum allowed users. This is typically the case if we did not place the virtual server in ICA-only mode. By default, the global AAA settings of NetScaler Gateway is set to allow maximum 5 users logging in using VPN at the same time. If we go and change the settings of the Virtual server to ICA-only mode, this error will go away.

After authenticating to the NetScaler Gateway portal you get a blank page with an error message stating Http/1.1 Internal Server Error 43531. This is typically the case if the Gateway cannot communicate with the Storefront web site. Which might just be a wrong URL in the session policy for instance.

Which basically list the syslog events directly into the UI. Another way is using CLI. Log into the NetScaler appliance using an SSH client, type Shell and then type cat /tmp/aaad.debug

This will in real-time list out all AAA attempts happening against the NetScaler. Now by default the NetScaler does not list out detailed information whenever a user has an expired password or if their account is disabled. However, there is a feature which we can enabled which can give more detailed information back to the end user. This feature is called Enhanced Authentication Feedback

NOTE: This setting is disabled by default, because it might reveal to much information to malicious hackers which try to do a brute force attack, to get information on which users are enabled and not.

Now if a user tries to authenticate but is not bound to an authentication policy, for instance if we have multiple authentication policy for different groups, network segments and someone which fall outside of those policies try to authenticate they are presented with this error message.

This is typically the case if there is a session policy bound to the user which has a default authorization policy of DENY, this might be intended but if not, we should change it to ALLOW.

There are two user interface options for connecting to Citrix Virtual Apps and Desktops (CVAD). Both user interface options rely on a connection to StoreFront. ICA Proxy is configured differently for each user interface.

Hello, i just configured the netscaler gateway for connecting to storefront. When i log on i can start a citrix desktop. But after loading the desktop i get an error: unknown client error 0. Do you know what this could be?

Great article Carl, do you know where I can find some documentation for setting up conditional access for Citrix users coming in through Citrix Gateway on NetScaler? I am looking to limit access to certain published applications based on device posture (i.e. domain joined)?

but when i configure storefront, i am getting the error server address cannot be verified, than i need to click manual setup and have the netscaler gateway inside but cannot save anything like password or use FaceID on Ipad.

Hmm. There were no alerts or odd events because it was actually working. When I tried in Chrome rather than Edge, the ICA file appeared. That made me recreate the receiver session policy, which then worked.

Thanks for the speedy response.

Do a network trace on the NetScaler while somebody tries to add a store to Workspace app. When you do the network trace you can select the SSLPLAIN option to decrypt it so you can see the HTTP traffic.

Here is some final feedback on the topic. Citrix Support has confirmed a bug in version 13.1. Version 14.1 works great and classical policies are still supported.

Unfortunately, there is still no possibility to run MFA with Citrix Gateway license (50) and Advanced Policies.

Hi Carl, thanks for your response, how can I get back to vpn/index as I am not able to see updated page even after applying portal themes to on my gateway virtual server, I am just using LDAP authentication and no advance auth policies.

Launching an icon is completely separate from getting the list of icons. Launching an icon requires the Workspace app to create a separate connection to Citrix Gateway, which then verifies the STA ticket and forwards the traffic to the VDA. If you are internal, can your internal machine reach the Citrix Gateway FQDN?

There are bugs in certain builds. Make sure HSTS is not configured in SSL Parameters. Edit your Session Policy/Profile, on the Client Experience tab, configure a timeout in both Session Timeout and Client Idle Timeout. Make sure your Responder policies have the correct expressions.

Thanks for the great article. Wanted your advice regarding running app firewall on ADC to inspect the ssl component of the proxy. Is it worth the hassle, or will it break ica traffic? It is a policy requirement to have this.

I just came across your article because the storefront logoff page looks quite simple over netscaler after upgrading to 1912 LTSR. Thank you very much for your detailed description on how to deal with this.

Sorry for bothering you; I have tried to follow your guide to setup the ICA proxy and still not able to restrict the client go through the netscaler. What i can see is once the client auth with the citrix gateway, then the connection will be directly connected to the CAVD. I have no idea what went wrong, pleae kindly shield some light for me. Thanks.

3a8082e126