The Citrix application runs inside Chrome as a tab with a circular ball in the middle (I have also read it mentioned as Half-moon due to the shape seen when not clicked on). This does not allow me. Chrome used to allow it behind a flag, but after the Chrome 44 update, this is no longer supported. Firefox allows it behind a flag (as explained earlier in this article), but it is not recommended. Going forward, only secure (SSL/TLS) web socket connections can be made from Receiver for HTML5.
- Google Chrome Citrix Workspace
- Citrix Workspace For Chromebook
- Google Chrome Citrix Workspace Plugin
- Citrix Workspace - Google Chrome
- Google Chrome Citrix Workspace App
Google Chrome Citrix Workspace
By default, Citrix Workspace app for Chrome OS can open any file extension in the Files App in a Chromebook intended for opening files in Google Drive using the FileAccess component in the VDA. Latest Firefox and Chrome browsers do not support SHA-1 certificate and StoreFront connection fails with error: NET::ERRCERTWEAKSIGNATUREALGORITHM Citrix Receiver for Chrome/HTML5 or Citrix Workspace app for Chrome/HTML5 cannot establish secure connection and session launch will fail. NET::ERRCERTCOMMONNAMEINVALID error. After some extensive googling I came across this post on the Google Help forums Explaining how to white-list specific “browser Protocols” in chrome using a windows registry key. As per example I mentioned above this issue became apparent In my company with users using the citrix receiver or citrix workspace app so the registery key below is.
Recommended Solution(s) for All Browsers
Connect via Citrix Gateway even for internal connections. This would ensure connections work fine regardless of Virtual Apps or Desktops versions.
Deploying SSL/TLS for each Virtual Delivery Agent (VDA) for direct connections. Workspace App for HTML5 supports secure direct SSL/TLS connections with XenApp/XenDesktop 7.6
Read the following articles from the Citrix Blog for more information:
Mozilla Firefox
There is a possible workaround for Mozilla Firefox browser. Download latest mozilla firefox for mac.
Note: This workaround has security implications; consult the security specialist of your organization to consider the following configuration.
Enforce secure communications between Workspace App for HTML5 and applications or desktops (for example, using IPSec).
Use Mozilla Firefox only for Citrix Receiver for HTML5 (not for general website use).
Enforce a secure configuration for Firefox.
Enable the Firefox network.websocket.allowInsecureFromHTTPS option.
Open a new tab in the Firefox browser.
Type about:config Download keynote for mac free. in the address bar.
Double-click network.websocket.allowInsecureFromHTTPS and set the value to true. Download microsoft office for mac free online.
Note: This Firefox option might not be supported in Citrix Receiver for HTML5 future versions.
WARNING! This option on Firefox affects the operation of entire Firefox, not just Citrix Receiver for HTML5.
Important Note
Citrix Workspace For Chromebook
As of version 9, Safari browser allows insecure web socket connections. Internet Explorer never allowed non SSL/TLS web socket connections from HTTPS websites. Chrome used to allow it behind a flag, but after the Chrome 44 update, this is no longer supported. Firefox allows it behind a flag (as explained earlier in this article), but it is not recommended. Going forward, only secure (SSL/TLS) web socket connections can be made from Receiver for HTML5.
Problem Cause
When Workspace App for HTML5 is hosted on a https site (default and recommended), non SSL/TLS websocket connections are prohibited by browsers.
In explaining the technical reason behind this it is important to understand the following two principles:
1. As opposed to existing as a separate process, Citrix Workspace App for HTML5 operates within the frame and process space of the browser itself. As such the browser has the ability to enforce certain security parameters.
Google Chrome Citrix Workspace Plugin
This second point is less obvious in the case of Citrix Workspace App for HTML5 because the published desktop or application displays within the browser frame and “appears” to be connected via the Storefront server. Despite this appearance though, the underlying TCP/UDP connection is still between the client and the VDA. If the Storefront base URL is SSL enabled (where it begins with https as is best practice) and the VDA is not SSL enabled (which it is not by default) the browser in this case will prevent the connection due to what it sees as an underlying inconsistency. The inconsistency is that while the URL shown in the browser frame is prefixed with https, the actual underlying connection is not https even though it is not obvious to the user.
There are two solutions for this.
Solution 1 is to enable SSL on the VDA using the following guide:
This will ensure that the connection path is SSL enabled between the internal client and the VDA.
Solution 2 is to have your connections from the clients first go through a Citrix Gateway. Citrix Gateway will proxy the connections and perform a SSL handshake between the client and the Citrix Gateway. In this scenario there is no inconsistency and connections via HTML5 Receiver will succeed.
Additional Resources
Recommended solution: Update the certificates.
Alternatively, you can try this workaround:
Close the Citrix Workspace app for Chrome / Citrix Receiver for Chrome.
Open Chrome browser in your Chromebook.
Visit your site.
It will show some error as below.
Now, open the Citrix Workspace app for Chrome or Citrix Receiver for Chrome and it might allow you to access your StoreFront/VDA.
Google Chrome Citrix Workspace App
Other possible workaround for specific certificate error:
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM error
Latest Firefox and Chrome browsers do not support SHA-1 certificate and StoreFront connection fails with error: NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
Citrix Receiver for Chrome/HTML5 or Citrix Workspace app for Chrome/HTML5 cannot establish secure connection and session launch will failNET::ERR_CERT_COMMON_NAME_INVALID error
Chrome requires Subject Alternative Name for SHA-2 certificate, without SAN (Subject Alternative Name) in the SHA-2 certificate, the connection will fail with error NET::ERR_CERT_COMMON_NAME_INVALID
Session launch fails with CERT_COMMON_NAME_INVALID(-200) error dialog
Workaround for NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM and
NET::ERR_CERT_COMMON_NAME_INVALID:Mozilla:
Enable network.websocket.allowInsecureFormHTTPS from about:config
Chrome:
Chrome by default requires SHA2 Certificate with Subject Alternative Names (SAN)
Add the following registry keys at : SoftwarePoliciesGoogleChromeEnableCommonNameFallbackForLocalAnchors – true
(Note: Chrome need SAN by default)EnableSha1ForLocalAnchors – true
(Note: SHA1 is not supported)
Recommended Solution: Use SHA2 certificates with Subject Alternative Names (SAN).Problem Cause:
CTX134123 - Receiver for HTML5 - Unable to Launch Apps Using HTTPS URL
CTX217352 - How to Collect Logs in Receiver for Chrome and Receiver for HTML5
NET::ERR_CERT_SYMANTEC_LEGACY
From Chrome OS version 66 onwards the SSL certificate from Symantec is distrusted. You can go through https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html to know more about it.
Workaround: Try general workaround mention above.
Recommended Solution: Update SSL certificates.
Problem Cause
CTX134123 - Receiver for HTML5 - Unable to Launch Apps Using HTTPS URL
CTX217352 - How to Collect Logs in Receiver for Chrome and Receiver for HTML5