Citrix XenApp Fundamentals 6, SSL

I have installed a test XenApps Fundamentals 6 installation.  The end user already has a UCC SSL certificate.  So I have added the FQDN of the XenApps server as a SAN (Subject Alternative Name) to the SSL certificate.

The SSL certificate is a GoDaddy one.

I have installed the updated SSL certificate onto the Domain controller for the domain and exported it with private key to import onto the XenApps server.

I have imported it seemingly without problems, but when I attempt to run the Quick Start Wizard/External Access job I get the following error after I have selected the imported certificate and cannot continue:

Quick Start: Failed to grant required privileges to the specified certificate. External access has not been enabled.

The SSL certificate has Server Authentication and Client Authentication enabled.

Any help would be greatly appreciated.
3D2KAsked:
basrajCommented:
Does the certificate you imported have a private key in it?

RedinetSupportCommented:
Hi,


I'm not sure about the certificate you are using, purely for the fact you mention you installed it onto your domain controller first? Generally the certificates to be used with Citrix Web Interface, Secure Gateway or SSL relay need to be a standard web server certificate, no need for server auth.

You also need to make sure that the private key is actually imported with the certificate. If you view the certificate from the MMC snap-in on the XenApp server, does it list the private key as being associated with it?
You should also make sure it is stored under the computer account and not the user account.


The XenApp Fundamentals console has a built-in CSR generation tool; you may find it easier to simply drop the existing certificate and start over. The tool ensures that the private key gets associated.
If you are only testing things out why not just get a trial certificate? This will stop the need for changing/altering existing production certificates.
I'm not sure if GoDaddy do trial certs, when installing proof of concepts we generally get a Globalsign trial certificate.


Hope this helps!
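The checks described above (private key present, certificate in the computer store rather than the user store, usable for server authentication) can be run from PowerShell on the XenApp server. This is an added example, not code from the thread or from Citrix; the FQDN is a placeholder you replace with your server's external name.

```powershell
# Added example: inspect the server certificate in the Local Computer Personal
# store and report the properties the External Access wizard depends on.
$Fqdn = 'xenapp.example.com'   # placeholder, not a value from the thread

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn -or $_.Subject -like "*CN=$Fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    # A certificate that exists only under Cert:\CurrentUser\My is in the wrong store.
    $userCopy = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.DnsNameList.Unicode -contains $Fqdn }
    if ($userCopy) { Write-Warning "Found under the user account, not the computer account." }
    throw "No certificate for $Fqdn in Cert:\LocalMachine\My"
}

# 1. Private key must be present; without it the wizard cannot grant privileges on it.
$hasKey = $cert.HasPrivateKey

# 2. Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what an SSL endpoint needs.
$serverAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'

# 3. Key size: public CAs no longer issue against 1024-bit requests.
$keyBits = $cert.PublicKey.Key.KeySize

# 4. The subject CN is what the wizard uses to build the external URL;
#    a SAN entry alone does not change that name.
$cn = ($cert.Subject -split ',')[0]

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    SubjectCN     = $cn
    SANs          = ($cert.DnsNameList.Unicode -join ', ')
    HasPrivateKey = $hasKey
    ServerAuthEKU = $serverAuth
    KeyBits       = $keyBits
    Expires       = $cert.NotAfter
}
```

If HasPrivateKey is False the certificate was exported without its key or imported into a different machine than the one that generated the CSR, which is the situation the thread later confirms.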



3D2KAuthor Commented:
Basraj

I believe so.  I followed these instructions to export/import:

http://www.digicert.com/import-export-ssl-certificate.htm

I know it's not GoDaddy but it looked plausible to me.

By the way I hate dealing with SSL certificates...:-(

Thanks

Brian

3D2KAuthor Commented:
RedinetSupport

Thanks.

The SSL certificate is what's called a UCC SAN certificate and I use it on a domain controller to validate some remote connectivity.

I can send a CSR and ReKey it but then I believe that will break what its main function is on the DC.  I suppose I could then export and import it back into the DC, but knowing my luck that would break that which would be even more grief.

This is a trial and I don't want to spend any money on a single SSL certificate for this project when it looks like the GoDaddy one "should" do the job. I also want to avoid having to install client side certificates on remote devices, I've already been there with Citrix in a previous life with self-certs.



Brian

3D2KAuthor Commented:
Basraj

The certificate General tab states:

"You have a private key that corresponds to this certificate".

So I think the answer to your question is yes.

Brian
3D2KAuthor Commented:
RedinetSupport

The SSL certificate is installed in Certificates(Local Computer)->Personal->Certificates.

Brian
3D2KAuthor Commented:
Basraj

I've seen those already thanks.  Are you suggesting I contact Citrix?

The certificate I'm exporting is coming from IIS 6.0 and I'm importing it into IIS 7.0.

Don't suppose that could be an issue?

Brian
3D2KAuthor Commented:
Basraj/RedinetSupport

I've exported and reimported the SSL certificate again and lo and behold it has now let me configure External Access.

The only problem now is that the URL for the remote site is taking the primary name from the certificate and not the actual XenApps server name which I have added as a SAN so it looks like I'm hosed.

Wonderful.
3D2KAuthor Commented:
Thanks guys, I think I need to re-assess how to run this trial.  End user has bought an iPad on my confidence to get this solution working. :-(
3D2KAuthor Commented:
Guys,

I should have also pointed out that the domain name (web site) is hosted externally and so the URL  offered up by the Remote Access wizard is going somewhere completely different from where the XenApps server is located.

Brian
RedinetSupportCommented:
Brian,


I would say using the GoDaddy certificate for the trial is going to cause you more problems than it fixes! Especially with the SAN element being there. Globalsign do a FREE 30 day trial certificate that you can get your hands on quite quickly (within 15 minutes) providing you have access to the administrator account of the domain in question (they simply send a verification email to administrator@ or admin@). Their DomainSSL certificate does the job perfectly.

The Citrix receiver app is quite impressive on the iPad, hopefully once you get it working it will be enough encouragement to buy the new cert.

Good luck!
3D2KAuthor Commented:
RedinetSupport

Thanks for your post.

I'd worked out that the UCC SAN was indeed more trouble than it was worth for this.  I placed an order for a GoDaddy single SSL cert as it wasn't too much money (at least for one year).  Then I find out that the XenApps Fundamentals 6 CSR wizard only generates a CSR with 1024 bit encryption which GoDaddy won't accept (it has to be at least 2048)!

So I've created a manual CSR and when I get SSL certificate issued I'm hoping that XenApps will accept it, fingers crossed.

I'll lodge your recommendation for Globalsign trial certificates in my memory bank for next time.

I've got more trouble with this implementation as I'm trying to use a separate WAN IP for the XenApps stuff but can't get 443 to port forward through the router.  I think I'm in the wrong job :-).

Brian
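Since the Fundamentals wizard only produces a 1024-bit CSR, the manual route mentioned above is to build the request with certreq. This is an added example, not the thread's own steps or Citrix's tool: it writes a certreq INF that asks for a 2048-bit key in the computer store (so the issued certificate arrives with its private key attached) and includes the server's FQDN as a SAN. Hostname and organisation are placeholders.

```powershell
# Added example: create a 2048-bit SSL CSR with certreq on the XenApp server.
$Fqdn = 'xenapp.example.com'     # placeholder external name of the server
$Org  = 'Example Ltd'            # placeholder organisation
$Inf  = "$env:TEMP\$Fqdn.inf"
$Req  = "$env:TEMP\$Fqdn.req"

@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, O=$Org"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn"
"@ | Set-Content -Path $Inf -Encoding ASCII

# Generates the key pair in Cert:\LocalMachine (pending request) and the CSR file.
certreq -new $Inf $Req
Get-Content $Req   # paste this PKCS#10 block into the CA's order form

# After the CA issues the certificate, bind it to the pending key on the SAME machine:
#   certreq -accept .\issued.cer
# Completing the request elsewhere leaves the certificate without its private key.
```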
3D2KAuthor Commented:
RedinetSupport

Hi, it's me again.  Just spent pretty much most of Sunday messing with the XenApps Fundamentals 6 trial.

I've eventually taken your advice and installed a Globalsign trial certificate and still no go remotely.

I've had a real issue ensuring that my ADSL router is passing SSL traffic for the Citrix Server onto it internally and now I'm sure that's OK.

I can get to Xenapps locally, but not externally.

The IIS manager shows what I presume are two web sites:

3D2KAuthor Commented:
RedinetSupport

Now I can't even bloody well use a web site aargh!

There is no mention of 443 in the Bindings for either web site, is that correct?

Also the Default Web Site has a question mark in its icon which looks like trouble.

Do you have any thoughts?

Thanks

Brian

iis-01.JPG
3D2KAuthor Commented:
RedinetSupport

One point I forgot to mention.

I had to do manual CSR and SSL certificate installation as the Citrix wizard only uses 1024 bit encryption which none of the SSL certificate vendors use now.  Come on Citrix, wake up and smell the coffee!

Brian
3D2KAuthor Commented:
RedinetSupport

I never mentioned what my actual server is and I've just noticed some posts about numbers of NICs etc.

I have a virtual 2008 R2 server running in XenServer 5.6 with two NICs.  One pointing inwards to the LAN and one pointing outwards to the router and onwards to the WAN.

Brian
3D2KAuthor Commented:
RedinetSupport

The Globalsign trial certificate I requested manually and downloaded won't work either as quote:

"The security certificate “estio-xaf.estiohealthcare.co.uk” is not suitable for use in SSL connections because the corresponding private key is unavailable."

Very interesting, but not funny! (Rowan & Martin's Laugh In circa 1970)

Brian
PROACTIVETGCommented:
Did you ever get this worked out? I have the same issue. To say I'm frustrated is an understatement.
3D2KAuthor Commented:
PROACTIVEG

You have my complete sympathy, I know what you're going through.

Can you be more specific about your issue as I mention a few in my posts :-).

If it's Citrix I gave up on that as Fundamentals only supports a single NIC which was useless in my client's environment.

If it's SSL issues then the private key issue was because I hadn't created a new CSR request for a test certificate.  Once I did that and used Globalsign's installation instructions the SSL certificate was properly installed with private key.

Brian

samon900Commented:
I have the same problem. I can't assign a new certificate through the wizard. I have tried it with my certificate / self-signed certificate and with the temp cert but get the same error.
Capture.PNG
PROACTIVETGCommented:
I think I was able to resolve it by just installing directly using IIS.
samon900Commented:
I have added 443 directly in the bindings and then I receive a protocol driver error.
PROACTIVETGCommented:
Can you post error message?
samon900Commented:
Here's the error message:
Capture.JPG
samon900Commented:
I have configured the certificate under the bindings but if I check the services the Secure Access Gateway was disabled.

When we enabled this and tried to start the service it failed; if I remove the 443 in the bindings the service starts without any problem.
samon900Commented:
Can an update of the Web Interface solve this issue?
PROACTIVETGCommented:
Have you installed an intermediate certificate? Are there any event id errors?