VPN Changes In 8.1 (Citrix)?

    General discussion

  • I've upgraded two devices to the Windows 8.1 Preview - a desktop and a Surface Pro.  On both these devices, I am no longer able to log into a Citrix landing page successfully.  In order to get to a login prompt using IE11, I have to add the landing in Compatibility Viewing (no big deal), but any attempts to log in (using two stage authentication including an RSA key) fails with:

    "The credentials you typed are incorrect. Please try again or contact your help desk or system administrator."

    I figured this was an IE11 issue, so I started adjusting the usual suspects.  The page was added as a trusted site, disabled Enhanced Protected Mode, as well as (temporarily) setting all security settings to its lowest value  No change.   I used the same login on another device for verification and connections work as expected.  Logins using the landing page worked normally on both of these devices prior to the 8.1 preview. 

    At the recommendation of our Citrix administrator, I installed "a alternative browser" to eliminate the IE11 variables - while the landing page worked without any compatibility settings, the same error returned upon entering the same credential set.  I'm guessing this is a change at the OS level.  I did the rounds with Bing to see if anyone else had seen this and determined root cause, but I'm apparently the only one with this condition so far.

    I did see that there were changes in 8.1 on how VPNs work (applications can pass VPN  requests directly to the OS), but I can't find out where to set/modify these settings.

    Citrix is  4.x without a published storefront (security compliance thing).  This fails during authentication - the Citrix Receiver hasn't launched yet.   I've seen similar problems reported for Cisco and Juniper VPNs, but I don't have the network adapter listed in the fix.


    Wednesday, July 03, 2013 7:51 AM

All replies

  • I am also having strange issues after upgrading to Windows 8.1.  I can log into our Citrix page, but cannot launch any apps.  I have also tried all the usual suspects with trusted sites, etc.  We also use a Mitel phone system and can no longer authenticate the software on the computer.  I don't know if we are having the same issue or not, but something on the OS definitely changed as both of these were working before the upgrade.
    Monday, July 08, 2013 2:39 PM
  • Hi Frank,

    I've just tested this on a Windows 8.1 virtual machine and am able to log into our Citrix page without any problem, I didn't even have to adjust compatibility settings or add to trusted sites.  I haven't tried launching an app because I don't have a Citrix client installed on the machine yet but it sounds like you're not even getting that far.

    I'd be surprised if the problem you're having is related to any changes in the handling of VPNs because at the point you log into the Citrix site you're not using a VPN, just Windows authentication over HTTPS.  Your Citrix admin should be able to check the logs on the Web Interface/Secure Gateway server to get a bit more information about what's going on behind the scenes.

    Without wanting to sound patronising, it's worth checking the obvious things:

    - Username & password are correct (tested on a third device)

    - SecurID fob needs to be resynced

    - Do you have to enter you domain name infront of your username?  e.g. domain\frankc

    - Caps lock isn't on

    - Administrator has checked the 'Change password at next logon' box on your Active Directory account (possible if you've asked for a password reset recently)

    I hope this helps in some small way



    Monday, July 08, 2013 3:11 PM
  • something on the OS definitely changed

    Some users are finding that some sites can't handle negotiation from TLS 1.2.  Some apparently seem to need to be dropped down manually all the way to SSL 2.0.  Have you tried experimenting in that area?

    Good luck

    Robert Aldwinckle

    Monday, July 08, 2013 4:54 PM
  • I am experiencing the exact same issue, though if I use another browser it works fine.

    I've tried changing the browser security settings down to SSL 2.0 but no joy. I've also tried disabling enhanced protected mode, do not track and various others without success. I just can't seem to log onto Citrix using IE11 with the 8.1 update.

    Like Frank, I also have the site in my trusted sites and had to enable compatibility mode to get more than a blank page. Any thoughts?

    Tuesday, July 09, 2013 12:49 PM
  • Any thoughts?

    Is it only login that is the problem?  Or is that just the first interaction with a particular host?  It appears that User-Agent string has not been mentioned yet.  So, you should try spoofing a different browser with a different UAS.  The new Developer Tools make that less convenient than the old but still provide the equivalent of the old Change User Agent String dialog.  In the Emulation tab, e.g. via F12, Ctrl-8.

    Good luck

    Robert Aldwinckle

    Tuesday, July 09, 2013 2:02 PM
  • Thanks for your reply Robert.

    This is the first interaction with the host (HTTPS Citrix site with dual-factor authentication - RSA and Domain credentials). As you suggested I tried changing the UAS to Chrome and Firefox but neither made a difference unfortunately.

    I'm really not sure what could be causing this as it worked absolutely fine on IE10 before the 8.1 upgrade, perhaps something subtle that we've not noticed.

    Tuesday, July 09, 2013 3:09 PM
  • Not only the Citrix site here...clients like proxpn and tunnelbear won't work for me either 
    Tuesday, July 09, 2013 11:10 PM
  • worked absolutely fine on IE10 before the 8.1 upgrade, perhaps something subtle that we've not noticed.

    FWIW I just had a problem using the Lync plug-in with IE11 and had to switch to IE10 emulation to get past it.   Really weird because it was not the usual case of the site not even trying to work with the browser.   Symptom was that the plug-in apparently never loaded correctly.  I didn't think that IE emulation did much more than give a different UAS to the host.  Perhaps that idea is wrong?  Then I wish such internal differences could be documented, so we could feel that we were doing something rational and not just flipping a coin.  ; }


    Robert Aldwinckle

    Wednesday, July 10, 2013 4:16 PM
  • Any news? I have the same problem and cannot find a solution.
    Thursday, August 08, 2013 10:01 PM
  • I found a solution mentioned in another thread and it works for me.

    1.) Add citrix login site to Compatibility list

    2.) View the login page In Private

    Strange solution, but it works!


    Sunday, August 11, 2013 3:00 AM
  • FYI I had the same problem and gocheif's solution worked. 

    Not very user friendly however as I have to give this solution to a luddite.  I hope they are good at following instructions.

    Thursday, September 26, 2013 12:04 AM
  • I'm also experiencing this with our Citrix site, which also uses RSA two-factor authentication. Works in IE10, but not in 11. I've also tried everything mentioned above, including Compatibility Mode, InPrivate, Intranet Zone, Trusted Site Zone, disabling Protected Mode/EPM, and lowering the zone to the "Low" security settings. Other browsers still work, as well so I know it is not a token issue. Every time I get "Internal Error" after submitting the credentials. It happens on the client detection page, so I suspect it is IE mitigating the site's attempt to identify whether the Citrix Receiver is installed.
    • Edited by xpxp2002 Friday, October 04, 2013 7:02 PM
    Friday, October 04, 2013 7:02 PM
  • Turns out the solution for me was to install the desktop version of Citrix Receiver. I'd prefer to only use the "Windows 8-style" app. Primarily because of my Surface RT, on which the Citrix Receiver desktop application cannot be installed.
    Friday, October 04, 2013 7:23 PM