Jump to content
Welcome to our new Citrix community!

Issues after upgrading to latest 12.1 Build (CVE Fix)

Jens Ostkamp

Recommended Posts

Hey everyone,


does anyone experience issues (specifically with Pre-Auth mechanisms) after Upgrading to latest 12.1 build to fix CVE issues?

I am experiencing several problems (different appliances, similiar configuration):


-Pre-Auth with AAA module (not VPN/Gateway) fails completely after upgrade with following aaad.debug message:

"configuration not found with vsid 956" (the vsid changes with each log message) => after rebooting the appliance error went away and "most" pre-auth worked again, except:

-Pre Auth with Active Sync is not working anymore (still investigating the exact issue), even after reboot. Exact cause is still investigated

(everything behind one CSW vServer)

-SAML Configuration with FAS component (NetScaler does SAML towards Azure, SSO to StoreFront, FAS issues certificate for authentication to terminalserver/worker) => ironically NetScaler as an IdP for ShareFile works just fine, even after implementing the mentioned SAML configuration changes Citrix recommends


I've been using 12.1-58.18 and upgraded to 12.1-62.25.

Couldn't find anything relatable in release notes/known issues.


Any informations if someone is experiencing same issues (or maybe same scenarios regarding configurations but everything working with the upgrade) is greatly appreciated.

Will raise a ticket if I can't find the issue myself throughout the day, will this thread updated.


Thanks anyone in advance :)


Best regards



Link to comment
Share on other sites

After digging deeper and a call with Citrix Support the SSO problems with ActiveSync could've been solved. Issue was, that configuration was still using Session Profile/Policy to achieve SSO to backend basic authentication (Exchange Server). 

This causes SSO (only for ActiveSync though, for example /mapi or /oab still works with Session Profile) to fail (you can see in ns.log something like "SSO Fail/SSO weak user"). After configuring a traffic profile/policy this could've been solved. Corresponding Citrix post: https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/enable-sso-for-auth-pol.html this only mentions 13.0 versions but apparently it affects newest 12.1 aswell (also when configuring session profile you can see "

The SSO setting does not honor the following authentication types. BASIC, DIGEST, and NTLM (without Negotiate NTLM2 Key or Negotiate Sign Flag). Use Traffic profile to configure SSO for these authentication types." under SSO configuration, which points to this issue basically).


SAML configuration issues (Citrix as SP for CVAD with Citrix FAS, Azure as IdP) are still there, support says this shouldn't get affected by the upgrade but it still doesn't work and did before upgrade. Will check this next week deeper and upgrade here, in case anyone facing same problem

Link to comment
Share on other sites

  • 2 weeks later...

I'm finding there are a few little issues here and there following upgrades,


I think there are some issues related to the deprecation of the classic policies/expressions that are really supposed to only appear in 13.0 onwards, but have found their way into the latest 12.1 builds, 


And the traffic policy for SSO seems to be another that's needed after the upgrade  to fix SSO to the likes of Endpoint Management etc. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...