Citrix XenApps Fundamentals 6, SSL

3D2K (United Kingdom) asked:

I have installed a test XenApps Fundamentals 6 installation.  The end user already has a UCC SSL certificate.  So I have added the FQDN of the XenApps server as a SAN (subject alternative name) to the SSL certificate.

The SSL certificate is a GoDaddy one.

I have installed the updated SSL certificate onto the Domain controller for the domain and exported it with private key to import onto the XenApps server.

I have imported it seemingly without problems, but when I attempt to run the Quick Start Wizard/External Access job I get the following error after I have selected the imported certificate and cannot continue:

Quick Start: Failed to grant required privileges to the specified certificate. External access has not been enabled.

The SSL certificate has Server Authentication and Client Authentication enabled.

Any help would be greatly appreciated.
ASKER CERTIFIED SOLUTION by basraj (India): solution text not available on this page.
3D2K (ASKER):

Basraj

I believe so.  I followed these instructions to export/import:

http://www.digicert.com/import-export-ssl-certificate.htm

I know it's not GoDaddy but it looked plausible to me.

By the way I hate dealing with SSL certificates...:-(

Thanks

Brian
3D2K (ASKER):

RedinetSupport

Thanks.

The SSL certificate is what's called a UCC SAN certificate and I use it on a domain controller to validate some remote connectivity.

I can send a CSR and ReKey it but then I believe that will break what its main function is on the DC.  I suppose I could then export and import it back into the DC, but knowing my luck that would break that which would be even more grief.

This is a trial and I don't want to spend any money on a single SSL certificate for this project when it looks like the GoDaddy one "should" do the job. I also want to avoid having to install client side certificates on remote devices, I've already been there with Citrix in a previous life with self-certs.



Brian

3D2K (ASKER):

Basraj

The certificate General tab states:

"You have a private key that corresponds to this certificate".

So I think the answer to your question is yes.

Brian
3D2K (ASKER):

RedinetSupport

The SSL certificate is installed in Certificates(Local Computer)->Personal->Certificates.

Brian
3D2K (ASKER):

Basraj

I've seen those already thanks.  Are you suggesting I contact Citrix?

The certificate I'm exporting is coming from IIS 6.0 and I'm importing it into IIS 7.0.

Don't suppose that could be an issue?

Brian
3D2K (ASKER):

Basraj/RedinetSupport

I've exported and reimported the SSL certificate again and lo and behold it has now let me configure External Access.

The only problem now is that the URL for the remote site is taking the primary name from the certificate and not the actual XenApps server name which I have added as a SAN so it looks like I'm hosed.

Wonderful.
3D2K (ASKER):

Thanks guys, I think I need to re-assess how to run this trial.  End user has bought an iPad on my confidence to get this solution working. :-(
3D2K (ASKER):

Guys,

I should have also pointed out that the domain name (web site) is hosted externally and so the URL offered up by the Remote Access wizard is going somewhere completely different from where the XenApps server is located.

Brian
Brian,


I would say using the GoDaddy certificate for the trial is going to cause you more problems than it fixes! Especially with the SAN element being there. Globalsign do a FREE 30 day trial certificate that you can get your hands on quite quickly (within 15 minutes) providing you have access to the administrator account of the domain in question (they simply send a verification email to administrator@ or admin@). Their DomainSSL certificate does the job perfectly.

The Citrix receiver app is quite impressive on the iPad, hopefully once you get it working it will be enough encouragement to buy the new cert.

Good luck!
3D2K (ASKER):

RedinetSupport

Thanks for your post.

I'd worked out that the UCC SAN was indeed more trouble than it was worth for this.  I placed an order for a GoDaddy single SSL cert as it wasn't too much money (at least for one year).  Then I find out that the XenApps Fundamentals 6 CSR wizard only generates a CSR with 1024 bit encryption which GoDaddy won't accept (it has to be at least 2048)!

So I've created a manual CSR and when I get SSL certificate issued I'm hoping that XenApps will accept it, fingers crossed.

I'll lodge your recommendation for Globalsign trial certificates in my memory bank for next time.

I've got more trouble with this implementation as I'm trying to use a separate WAN IP for the XenApps stuff but can't get 443 to port forward through the router.  I think I'm in the wrong job :-).

Brian
3D2K (ASKER):

RedinetSupport

Hi, it's me again.  Just spent pretty much most of Sunday messing with the XenApps Fundamentals 6 trial.

I've eventually taken your advice and installed a Globalsign trial certificate and still no go remotely.

I've had a real issue ensuring that my ADSL router is passing SSL traffic for the Citrix Server onto it internally and now I'm sure that's OK.

I can get to Xenapps locally, but not externally.

The IIS manager shows what I presume are two web sites:

3D2K (ASKER):

RedinetSupport

Now I can't even bloody well use a web site aargh!

There is no mention of 443 in the Bindings for either web site, is that correct?

Also the Default Web Site has a question mark in its icon which looks like trouble.

Do you have any thoughts?

Thanks

Brian

(attachment: iis-01.JPG)
3D2K (ASKER):

RedinetSupport

One point I forgot to mention.

I had to do a manual CSR and SSL certificate installation as the Citrix wizard only uses 1024 bit encryption which none of the SSL certificate vendors use now.  Come on Citrix, wake up and smell the coffee!

Brian
3D2K (ASKER):

RedinetSupport

I never mentioned what my actual server is and I've just noticed some posts about numbers of NICs etc.

I have a virtual 2008 R2 server running in XenServer 5.6 with two NICs.  One pointing inwards to the LAN and one pointing outwards to the router and onwards to the WAN.

Brian
3D2K (ASKER):

RedinetSupport

The Globalsign trial certificate I requested manually and downloaded won't work either, as quote:

"The security certificate 'estio-xaf.estiohealthcare.co.uk' is not suitable for use in SSL connections because the corresponding private key is unavailable."

Very interesting, but not funny! (Rowan & Martin's Laugh In circa 1970)

Brian
PROACTIVETG:

Did you ever get this worked out? I have the same issue. To say I'm frustrated is an understatement.
3D2K (ASKER):

PROACTIVETG

You have my complete sympathy, I know what you're going through.

Can you be more specific about your issue as I mention a few in my posts :-).

If it's Citrix I gave up on that as Fundamentals only supports a single NIC which was useless in my client's environment.

If it's SSL issues then the private key issue was because I hadn't created a new CSR request for a test certificate.  Once I did that and used Globalsign's installation instructions the SSL certificate was properly installed with private key.

Brian
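Pulling together the checks raised across this thread, here is an added PowerShell audit script (my own, not from the thread, Citrix or any certificate vendor). Run on the XenApp server, it reports for each certificate in Certificates (Local Computer) > Personal whether the private key is present (the "You have a private key that corresponds to this certificate" line on the General tab), whether the Enhanced Key Usage includes Server Authentication, whether the CN or SAN covers the server's FQDN, the RSA key size (public CAs reject the 1024-bit CSRs the Citrix wizard produced) and whether a chain builds to a trusted root; a failed build reporting PartialChain usually means the intermediate certificate is not installed. The FQDN `xenapp.example.com` and the function name `Test-ServerCertificate` are placeholders I chose, not names from the thread.

```powershell
# Added example (not from the thread or from Citrix): audit certificates in the
# Local Computer > Personal store for use as the XenApp external-access certificate.
# $Fqdn is an assumed placeholder; replace it with the server's public name.
param([string]$Fqdn = "xenapp.example.com")

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Enhanced Key Usage value: Server Authentication
$SanOid        = "2.5.29.17"           # Subject Alternative Name extension
$EkuOid        = "2.5.29.37"           # Enhanced Key Usage extension

function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )

    # Names the certificate covers: the CN plus any DNS entries in the SAN extension.
    $sanExt     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText    = if ($sanExt) { $sanExt.Format($false) } else { "" }
    $coversName = ($Cert.GetNameInfo("DnsName", $false) -ieq $Name) -or
                  ($sanText -imatch [regex]::Escape($Name))

    # EKU must include Server Authentication; Client Authentication alone is not enough.
    $ekuExt     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $serverAuth = $false
    if ($ekuExt) {
        $serverAuth = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid
    }

    # RSA key size: public CAs reject 1024-bit keys, so anything under 2048 is flagged.
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    # Build the chain without revocation checking so a missing intermediate shows up
    # as PartialChain rather than being masked by an offline CRL/OCSP lookup.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk     = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey     # the "You have a private key..." check
        KeyBits       = $keyBits
        ServerAuthEku = $serverAuth
        CoversFqdn    = $coversName
        ChainBuilds   = $chainOk
        ChainStatus   = if ($chainOk) { "OK" } else { $chainStatus }
        Usable        = ($Cert.HasPrivateKey -and $serverAuth -and $coversName -and $chainOk -and ($keyBits -ge 2048))
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificate -Cert $_ -Name $Fqdn } |
    Format-Table Subject, HasPrivateKey, KeyBits, ServerAuthEku, CoversFqdn, ChainBuilds, ChainStatus, Usable -AutoSize
```

Save it as a .ps1 and run it from an elevated PowerShell prompt on the server, passing `-Fqdn` with the name remote clients will connect to. A certificate that shows HasPrivateKey as False is exactly the "corresponding private key is unavailable" case from earlier in the thread: it was imported from a .cer rather than a .pfx, or a certificate was installed that was not issued against a CSR generated on this machine.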

I have the same problem. I can't assign a new certificate through the wizard. I have tried it with my certificate / a self-signed certificate and with the temp cert, but get the same error.
(attachment: Capture.PNG)
I think I was able to resolve it by just installing directly using IIS.
I have added 443 directly in the bindings and then I receive a protocol driver error.
Can you post the error message?
Here's the error message:
(attachment: Capture.JPG)
I have configured the certificate under the bindings, but if I check the services the secure access gateway was disabled.

When we enabled this and tried to start the service it failed; if I remove the 443 in the bindings the service starts without any problem.
Can an update of the web interface solve this issue?
Have you installed an intermediate certificate? Are there any event id errors?
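For the last exchange, where the gateway service fails to start once IIS has a 443 binding, here is an added PowerShell script (my own, not from the thread or Citrix) that lists every IIS binding on 443 with its certificate hash, the HTTP.sys SSL registrations from `netsh http show sslcert`, and the processes listening on 443. It uses netstat rather than Get-NetTCPConnection because the latter does not exist on Windows Server 2008 R2; `Get-Port443Owners` is a name I chose.

```powershell
# Added example (not from the thread or from Citrix): show what holds TCP port 443
# on a Windows 2008 R2 / IIS 7 host, so an IIS https binding and a separate gateway
# service competing for the same port can be told apart.
Import-Module WebAdministration -ErrorAction Stop

function Get-Port443Owners {
    # IIS site bindings on 443 and the certificate hash each one carries.
    $iisBindings = Get-WebBinding -Port 443 | ForEach-Object {
        [pscustomobject]@{
            Source      = "IIS binding"
            Detail      = $_.bindingInformation
            Certificate = $_.certificateHash
        }
    }

    # HTTP.sys SSL bindings: what IIS (or any other HTTP.sys-based service) registered.
    $sslCerts = netsh http show sslcert |
        Select-String "IP:port|Certificate Hash" |
        ForEach-Object { $_.Line.Trim() }

    # Sockets listening on 443 and the owning process, parsed from netstat output.
    $listeners = netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+:443)\s+\S+\s+LISTENING\s+(\d+)') {
            $ownerPid = [int]$Matches[2]
            $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { "unknown" }
            [pscustomobject]@{
                Source      = "Listener"
                Detail      = "$($Matches[1]) owned by PID $ownerPid ($procName)"
                Certificate = ""
            }
        }
    }

    [pscustomobject]@{
        IisBindings  = @($iisBindings)
        HttpSysSsl   = @($sslCerts)
        Listeners443 = @($listeners)
    }
}

$report = Get-Port443Owners
"IIS bindings on 443:";        $report.IisBindings  | Format-Table -AutoSize
"HTTP.sys SSL bindings:";      $report.HttpSysSsl
"Processes listening on 443:"; $report.Listeners443 | Format-Table -AutoSize
```

A listener owned by PID 4 (System) is HTTP.sys holding the port on behalf of IIS, so a service that wants its own socket on 443 will fail to start until that IIS binding is removed or moved to a different IP address or port, which matches the behaviour described in the last few posts.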