
Citrix Workspace App GlobalSign Root CA post upgrade to Catalina Beta



  • 1

The day has finally come and Citrix are now rolling out a working beta. 

 

Fond memories of when Citrix employee @Tejus Adiga M tried to claim that the problem was nothing to do with them, and the rest of the Internet was at fault...

 

On 7/10/2019 at 6:49 AM, Tejus Adiga M said:

Hi,

 

The certificate issue on Catalina has nothing to do with Citrix Workspace app for macOS. Citrix does not issue these certificates. 

To resolve the issue kindly ask your Administrator to get the new set of Certificates from your respective Certificate provider. These newly generated certificates must follow Apple guidelines as mentioned in https://support.apple.com/en-in/HT210176.

 

 

 

  • Like 1
Link to comment
  • 1
8 hours ago, Nathan Shaw said:

Connecting the Workspace app to my Netscaler gives me cert errors - the intermediate CA issuer of MY certs. I don't understand 'Citrix is using obsolete and insecure certificates. That makes all its users less safe including those on the current macOS release' - can you please elaborate?

Alright, so I think we need to steer this back to the real topic - why this particular version isn't working with Catalina. I concur on the NetScaler cert issue, but keep in mind we followed the documentation (details in my previous post) that's Citrix's old way of fixing this issue to get the certs trusted. Everything else (browsers, etc.) actually trusts them too after that in Catalina. Except for CX Workspace/Receiver. The warning only comes up in the app, nothing else says it's not trusted. Then you need to compare to Mojave / Sierra, where the 1906 release is still working fine with the SAME NetScaler certs. And then you also need to compare with some people's feedback in this thread that the Catalina EAR fixed the issue for them. So I think there's sufficient evidence that the issue is coming from the app code and not from the OS functionality changes. To rephrase the complaint, I'd say Citrix hard-defined trusts in the app code as nothing we do on the OS level affects how the app sees the cert (potentially hard-linking to the built-in trust store, disregarding user imported CAs). SHA1 isn't an issue from what I can see (at least not to the company I work with) as the DigiCert CA signed with SHA256.

 

I'd propose to ask a different question: why don't we have the EAR links? Why are only some people getting it when it's affecting everyone? Is it too much to ask after 3 months to get a workaround for this?

  • Like 1
Link to comment
  • 1
7 hours ago, Sacha Thomet1709152826 said:

 

Try this as Workaround, set the Cryptomodule from FIPS to Standard:

 

I have the same problem, but not yet found out what the problem is. 

 

crypto_stdpng.png

 

Thanks a lot! The tech preview did not work for me either until I did this config update.

 

Cheers

  • Like 1
Link to comment
  • 1
23 minutes ago, andrea zicoschi said:

Hi, are you talking about server or client configuration? I am a user, so I can act only on the configuration of the Citrix client. When you're mentioning the certificates and suggesting to link those, can you tell how to do it? Thanks

I am referring to the SSL certificate applied on the Gateway on the Netscaler (Server Side). I had an older version of the Workspace app that worked just fine until I did an upgrade to the latest version. I started getting the error on my Mac client laptop:

 

You have not chosen to trust "GlobalSign Root CA", the issuer of the server's security certificate.

 

Under Traffic Management > SSL > Server Certificates I found the Server Certificate was not linked to the issuing intermediate CA. I uploaded the intermediate and root CA certificates on Traffic Management > SSL > CA Certificates. I linked the intermediate to the root by right clicking and selecting "Link" on the intermediate cert. Next, I went to Traffic Management > SSL > Server Certificates, found the certificate that was being used on the gateway, right clicked and selected "Link", and linked that to the intermediate CA.

 

A reference for Citrix documentation can be found here: https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/ssl-certificates/add-group-certs.html

 

It is best practice to chain all of your certs on the Netscaler appropriately.  

  • Like 1
Link to comment
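
The linking fix described in the post above, reproduced offline as an added example (not part of the original thread and not Citrix code): a throwaway root, intermediate and server certificate are built with `openssl`, then validated the way a client that trusts only the root would. The CA names, `gateway.example.test` and the function names are constructed for illustration; `-untrusted` stands in for the intermediate the gateway sends once the server certificate is linked.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> server); all names are examples.

issue() {  # $1 dir, $2 new cert, $3 issuer, $4 extension section, $5 subject
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "$5" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$1/pki.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:gateway.example.test
extendedKeyUsage = serverAuth
EOF
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -config "$1/pki.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root, then the server certificate signed by it.
    issue "$1" int root ca "/CN=Example Intermediate CA" || return 1
    issue "$1" leaf int leaf "/CN=gateway.example.test"
}

# Verdict of a client that trusts only the root. $2 = "unlinked" (server sends
# the leaf alone) or "linked" (server also sends the intermediate).
client_verdict() {
    if [ "$2" = linked ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
    fi >/dev/null 2>&1 && echo trusted || echo untrusted
}

work=$(mktemp -d)
build_chain "$work" || { echo "openssl failed" >&2; exit 1; }
echo "server certificate alone:  $(client_verdict "$work" unlinked)"
echo "intermediate linked:       $(client_verdict "$work" linked)"
rm -rf "$work"
```
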
  • 0

I am also experiencing the same, it's the intermediary CA in my case that's the issue, despite trusting all 3 levels of the certificate, root, intermediary and end site. In Safari / Chrome / Firefox and in the keychain the certs are trusted for login and system; but as soon as Workspace launches from the .ica I get an error within Citrix to say the intermediary is not trusted. It doesn't appear to be an issue with the SHA-2 which is due to be deprecated in 10.15, but it certainly appears to be something in the interpretation or to do with the handshake of the .ica file.

Link to comment
  • 0

I am also having this same problem. And I use my Macbook Pro to connect to my work. It is critical usage. Hospital and patient care.

So your response that we do not support beta software is pretty callous and basically blows off your clientele. If Apple has a beta version, then I am sure they expect their 3rd parties to follow suit.

Link to comment
  • 0
9 hours ago, Mark Lajer said:

 

Jschaff - if you have Chrome browser you can use the Citrix Workspace extension - it worked for me (a little laggy though)

https://chrome.google.com/webstore/detail/citrix-workspace/haiffjcadagjlijoggckpgfnoeiflnem

Hope to see a new release/beta release of Citrix Workspace soon with Catalina support.

 

MarkLajerITR

- I am using this technique and it works well. One issue I am having though is the inability to copy information from my personal computer and paste it into Citrix opened from the chrome extension. Do you know how to solve this problem?

 

Copy paste works within Citrix environment, just can't copy from outside environment into it.

 

Thanks 

Link to comment
  • 0
10 minutes ago, Jeff Schaffer said:

I have installed the chrome extension for Citrix Workspace but when I log on, the script is still trying to find the app to run and it does not complete the log on process. What is the key to getting the remote certificate or script to use the chrome extension.

 

Thanks

 

Make sure you are running the Chrome extension.

 

From the Chrome browser type: chrome://apps

 

This should list all the apps for Chrome; one of them should be the new Workspace extension.

 

It will then prompt you for your details (server, user, etc.) if not already set up.

 

Also make sure in the Mac Security & Privacy Settings under the Privacy tab that you have checked Citrix Workspace.app in Accessibility, Full Disk Access, Files and Folders and possibly in developer tools. Some of these new security settings in Catalina Beta are not playing nice with many apps.

 

Hope that helps 

 

Link to comment
  • 0
5 hours ago, Tejus Adiga M said:

In Catalina Apple has tightened its rules to trust the certificates. All the certificates which do not comply with new Apple Cert guidelines will be revoked in Catalina. Administrators have to generate new CA certificates as per Apple guidelines and distribute it to their clients.

https://support.apple.com/en-in/HT210176

You would think attaining the highest possible security would be a higher priority for a company that handles their client's most sensitive data. But no. Citrix is consistently behind the curve when it comes to security certificates and Mac OS. It's disappointing, I expect better.

Link to comment
  • 0
1 minute ago, Tejus Adiga M said:

Hi,

 

The certificate issue on Catalina has nothing to do with Citrix Workspace app for macOS. Citrix does not issue these certificates. 

To resolve the issue kindly ask your Administrator to get the new set of Certificates from your respective Certificate provider. These newly generated certificates must follow Apple guidelines as mentioned in https://support.apple.com/en-in/HT210176.

 

 

 

 

That's NOT the case TejusAdigaM - our certificates have been following these rules for a long time :-)

 

iOS is also following these rules and here the Citrix Workspace works - the Chrome version of Citrix Workspace also works - and it's also following these rules.

 

So the problem is the app.. 

Link to comment
  • 0
12 hours ago, Chris Lewis1709161061 said:

So to summarise the issues: 

 

  • TejusAdigaM incorrectly believes that the issue is not related to the Citrix workspace app for Mac, despite the fact that the issue is not present on the equivalent apps on iOS and Google Chrome
  • Citrix appears to have a general policy of not providing beta versions of their app in order to facilitate user testing on beta versions of operating systems, which kind of defeats the purpose of OS vendors releasing beta versions: so that developers can get their apps working in time for the official OS release 
  • The most recent update (1906, released July 8th 2019) has not been notarised by Citrix, which prevents the app from bypassing Gatekeeper checks on all versions of macOS since 10.14.5
  • The release notes on the 1906 update page aren't actually release notes for version 1906, they point to a piece of PR last updated in April 2019

 

All that aside, it's going really well. 

 

When you put it like that I'm feeling pretty hopeful here :S

Link to comment
  • 0
On 7/10/2019 at 4:31 AM, Chris Lewis1709161061 said:

So to summarise the issues: 

 

  • TejusAdigaM incorrectly believes that the issue is not related to the Citrix workspace app for Mac, despite the fact that the issue is not present on the equivalent apps on iOS and Google Chrome
  • Citrix appears to have a general policy of not providing beta versions of their app in order to facilitate user testing on beta versions of operating systems, which kind of defeats the purpose of OS vendors releasing beta versions: so that developers can get their apps working in time for the official OS release 
  • The most recent update (1906, released July 8th 2019) has not been notarised by Citrix, which prevents the app from bypassing Gatekeeper checks on all versions of macOS since 10.14.5
  • The release notes on the 1906 update page aren't actually release notes for version 1906, they point to a piece of PR last updated in April 2019

 

All that aside, it's going really well. 

 

Typically people who make their living in security are the least likely to take security seriously. Examples include RSA letting the app they make for their own conference attendees get hacked. And don't get me started on John McAfee. It's counterintuitive but basically they don't work for users, they make their bread and butter bamboozling IT folks from large corporations into thinking their products have value. There is very little scrutiny that goes on and very few people are empowered to change the decision to use Citrix.

 

As far as why they don't take pride in their work - they know as well as anyone that Citrix and the crappy remote desktop apps it's used for are no match for a good, modern webpage. It's sort of a phone-it-in job.

Link to comment
  • 0

I am a physician and testing remote access to our EMR and since upgrading to macOS Catalina I am also getting the same error. Has there been any solution? I am not able to evaluate the beta version of macOS and provide feedback, which is the purpose of us trying. Any updates or workarounds?

Link to comment
