Known issues
The Citrix Secure Private Access for on-premises solution has the following known issues:
Domain Controller configurations
- The one-way trust between domains within the same forest or across different forests isn’t supported. The Secure Private Access for on-premises solution does not work if both of the following conditions are met.
  - The machine’s domain where Secure Private Access for on-premises is installed is different than the domain of the administrator logged in to Secure Private Access.
  - There’s no trust configured from the machine’s domain to the user’s domain.
- If the sAMAccountName and UPN are different, then the enumeration fails.
NetScaler Gateway
The SSL virtual server with SSL profile configuration isn’t supported in the following scenario.
- The customer is using NetScaler Gateway 13.1–48.47 and later or 14.1–4.42 and later.
- The ns_vpn_enable_spa_onprem toggle is enabled.
Workaround:
Bind the SSL parameters configured in the SSL profile directly to the SSL virtual server or disable the ns_vpn_enable_spa_onprem toggle.
For details on the toggle, see Support for smart access tags.
RfWeb / Workspace for web
RfWeb / Workspace for web isn’t supported. Though the apps are enumerated, the app launch might fail.
Application icons
Only the ICO icon format is supported. The PNG, JPEG and other formats aren’t supported.
Admin management
- Administrator’s RBAC role changes are reflected only after the current session is invalidated (by sign out or token expiry).
- Admin users must not be part of the default “Domain Users” AD group because authentication fails for such users.
Upgrades
Build-to-build upgrade isn’t supported. When you attempt a build-to-build upgrade, Secure Private Access for on-premises prompts you to remove the existing installation and reinstall.
StoreFront
- In Stores > Configure Unified Experience, the default receiver for Website must be configured to /Citrix/<StoreName>Web. In earlier versions of StoreFront, the default receiver for Website is set to a blank value and that does not work for Secure Private Access. Also, the earlier version of the Receiver UI is displayed on the client.
- If you are using the StoreFront versions 2308 or earlier, the Stores > Manage Delivery Controllers page displays the Secure Private Access plug-in type as XenMobile. This doesn’t impact the functionality.
Logging
- Support bundle generation for the cluster isn’t supported.
- The log folders for the admin and runtime services must not be deleted. Secure Private Access can’t recreate these folders if they are deleted.