Skip to content

Citrix Receiver 4.x – Your account cannot be added using this server address – Updated!

When trying to connect to a XenDesktop 7.x and StoreFront 2.x based environment through NetScaler from an external Windows computer you could receive the following error upon finishing the Citrix Receiver initial wizard: Your account cannot be added using this server address:

receiver_error_1

This error can occur in case your StoreFront's Base URL uses http instead of https. Verify whether your StoreFront server utilizes http instead of https for its Base URL:

receiver_error_2.png

If http is being used you have to change the Base URL to https and provide a corresponding server certificate for the underlying IIS web server and ensure it's trusted by your NetScaler in case you use a certifcate signed by your own private CA.

  • Provide an appropiate server certificate for your IIS and change StoreFront's Base URL according to CTX135050

receiver_error_2

  • Adjust all relevant NetScaler settings in terms of StoreFront, i.e. change URLs from http to https in all corresponding Session Profiles

receiver_error_3

receiver_error_4

Update 09/09/2015:

As stated in Citrix Discussions this issue has not been solved completely , yet. Therefore I had to investigate that problem further.

Several sources point out that this error message can have a bunch of different reasons, e.g.

  • the StoreFront's Base URL not utilizing https
  • the StoreFront's server certificate not being trusted by NetScaler
  • the corresponding NetScaler Gateway URL not being added to IE's Trusted Sites Zone
  • the corresponding NetScaler Gateway's server certificate not being trusted
  • a misconfiguration in NetScaler Gateway's corresponding Session Policy and/or Profile
  • a misconfiguration in NetScaler Gateway's corresponding Content Switching vServer in case Unified Gateway (UG) has been implemented

I'm still looking into this issue and will post my results here! My troubleshooting methodology is at follows:

First I verified that the user has been successfully authenticated and the correct NetScaler Session Policies got hit:

  1. LDAP Authentication Policy:
    ns_request_profile_0
  2. UG vServer Content Switching Policy: UG_VPN_

      is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Citrix/") || HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cginfra/https/appController2")

  3. NetScaler Gateway vServer Session Policy: PL_OS_

      REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

ns_pol_hits_2

After that I verified the corresponding Request Profile settings:

  • Client Experience Tab: Split Tunnel => Override Global => OFF
  • Client Experience Tab: Clientless Access => Override Global => Allow
  • Client Experience Tab: Plug-in Type => Override Global => Java
  • Client Experience Tab: Single Sign-on to Web Applications => Override Global
  • Security Tab: Default Authorization Action => Override Global => Allow
  • Published Applications Tab: ICA Proxy => Override Global => ON
  • Published Applications Tab: Web Interface Address => Override Global => <StoreFront URL>/Citrix/StoreWeb/
  • Published Applications Tab: Single Sign-on Domain => Override Global => <NetBIOS Name of your Active Directory Domain>
  • Published Applications Tab: Account Services Address => Override Global => <StoreFront URL>

ns_request_profile_1ns_request_profile_2ns_request_profile_3

More things to check:

  • In case your StoreFront server's certificate has been issued by your own private CA make sure that NetScaler trusts the issuer of the server certificate, i.e. import the corresponding CA's certificate into NetScaler.
  • In case your NetScaler Gateway's server certificate has been issued by a private CA make sure the endpoint device fully trusts the issuer, i.e. import the corresponding CA's certificate onto the endpoint device.
  • Add your NetScaler Gateway's URL to the Trusted Sites Zones of IE.

Further reading:

Leave a Reply