Certificate not trusted when mail discovery is pointing to another FQDN (1905)


Philip Stone

Question

We have our primary domain domainA.com, there we have the subdomain apps.domainA.com which is the address for our NetScaler Gateway. We have a _citrixreceiver._tcp.domainA.com SRV record that points to apps.domainA.com. This allows us to auto-discover with our primary mail addresses (userA@domainA.com).

 

We have now added a new domain, domainB.com. I have created an SRV record _citrixreceiver._tcp.domainB.com that also points to apps.domainA.com.

 

When using userB@domainB.com I'm getting the following error:


 

I have captured with Wireshark and the DNS query/response is correct and points to apps.domainA.com. I could also see that I get the correct certificate from the handshake.

 

From the advanced logs I could also see that I'm getting the correct certificate, but directly after that the error is thrown...

 

We have a *.domainA.com cert on the NetScaler but nothing for domainB.com and I don't see the reason for this. The only domain it will connect to is apps.domainA.com.

 

I hope somebody has an idea, I don't want to add another domain to that certificate...

 

Thanks for your help!

 

Best regards,

Philip

 

Link to comment

1 answer to this question


Good morning Philip,

 

I don't think you will be able to overcome this without adding a certificate for domainB.com.

 

Please take a look at the following Citrix Discussion and Citrix Blog post on the subject.

 

https://discussions.citrix.com/topic/345606-dreaded-certificate-provided-by-the-server-is-not-trusted-account-information-cannot-be-added/

 

https://www.citrix.com/blogs/2013/04/01/configuring-email-based-account-discovery-for-citrix-receiver/

 

Quote

You must install a valid server certificate on the Access Gateway appliance and StoreFront/AppController server to enable email-based account discovery. The full chain to the root certificate must also be valid. For the best user experience, install either a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain, or a wildcard certificate for the domain containing your users’ email accounts.

 

Link to comment
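Added example, not part of the original posts and not Citrix code: a check of the rule in the quoted blog text (a Subject/SAN entry of discoverReceiver.domain, or a wildcard for the users' email domain) against the certificate names and addresses from the question. The function names are hypothetical, and the wildcard matching assumes the usual rule that `*` stands for exactly one left-most label.

```python
# Added example: models the quoted certificate guidance only.
# The SAN list and addresses are the ones described in the question.

def _norm(name):
    """Lower-case a DNS name and drop surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()

def name_matches(pattern, hostname):
    """Match one certificate name against a hostname (left-most wildcard only)."""
    p_labels = _norm(pattern).split(".")
    h_labels = _norm(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" covers exactly one label, never zero or several
    if p_labels[0] == "*":
        # Reject wildcards directly under a TLD; the remaining labels must be equal.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def discovery_host(email):
    """Name the quoted guidance expects the certificate to cover for this address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return "discoverReceiver." + _norm(domain)

def audit(san_names, emails):
    """Return {email domain: True/False} for every domain seen in `emails`."""
    result = {}
    for email in emails:
        host = discovery_host(email)
        domain = host.split(".", 1)[1]
        result[domain] = any(name_matches(n, host) for n in san_names)
    return result

if __name__ == "__main__":
    gateway_cert = ["*.domainA.com"]
    users = ["userA@domainA.com", "userB@domainB.com"]
    for domain, ok in audit(gateway_cert, users).items():
        hint = "covered" if ok else f"NOT covered, needs discoverReceiver.{domain}"
        print(f"{domain}: {hint}")
```

Running it with the names read from the gateway certificate before publishing an SRV record for a new mail domain shows which domains still need an entry.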
