Known issues

The following issues exist in release 2408.

Note:

Some issues are assigned a tracking ID for internal reference only and these do not have any impact on the customer.

Domain Controller configurations

  • The one-way or two-way trust with trust type as “Forest” between domains across different AD forests isn’t supported.

    For example, if a.com and b.com domains are in two different AD forests, and SPA is installed on a machine where the domain is joined to a.com / b.com, then other domain users cannot access SPA published apps.

    [SPAOP-2031]

  • If the machine’s domain where Secure Private Access for on-premises is installed is different than the domain of the administrator logged in to Secure Private Access, then you must do the following:

    Add a different domain service account as an identity in the IIS Application pool for both the Secure Private Access admin and runtime service.

    [SPAOP-1558]

  • Distribution groups are not supported in Secure Private Access. Therefore, policies cannot search for distribution groups to add user and group conditions.
  • Secure Private Access does not capture the domain details in the admin console or service. Hence, it relies completely on the domain that the user provided. Therefore, if the corresponding domain is not accessible or if the domain name is not a valid name, then that domain is not supported.

NetScaler Gateway

  • The SSL virtual server with SSL profile configuration isn’t supported in the following scenario:

    • The customer is using NetScaler Gateway 13.1–48.47 and later or 14.1–4.42 and later.
    • The ns_vpn_enable_spa_onprem toggle is enabled.

    Workaround:

    Bind the SSL parameters configured in the SSL profile directly to the SSL virtual server or disable the ns_vpn_enable_spa_onprem toggle.

    For details on the toggle, see Support for smart access tags.

RfWeb / Workspace for web

Application launch

  • If the ns_vpn_enable_spa_onprem and toggle_vpn_enable_securebrowse_client_mode knobs are not enabled or if these knobs are not supported in your NetScaler Gateway, then app launch fails after the CustomHeaderCryptoKey rotation. The CustomHeaderCryptoKey rotation happens automatically after 30 days.

    [SPAOP-4528]

  • Application launch fails if LDAP UPN and sAMAccountName are different.

    [SPAOP-1412]

StoreFront

  • In Stores > Configure Unified Experience, the default receiver for Website must be configured to /Citrix/<StoreName>Web. In earlier versions of StoreFront, the default receiver for Website is set to a blank value and that does not work for Secure Private Access. Also, the earlier version of the Receiver UI is displayed on the client. For information on StoreFront configuration, see StoreFront.

  • If you are using the StoreFront versions 2308 or earlier, the Stores > Manage Delivery Controllers page displays the Secure Private Access plug-in type as XenMobile. This doesn’t impact the functionality.

Logging

  • Support bundle generation for the cluster isn’t supported.
  • The logs folders for admin and runtime services must not be deleted. Secure Private Access can’t recreate if these folders are deleted.

TCP/UDP monitoring

  • The SPAOP-3315-EnableZTNAApplications feature flag is disabled by default in 2408. As a result, the TCP/UDP monitoring data is not stored and hence the Director integration fails.

    Workaround: If you are using TCP/UDP apps and want to enable Director integration, manually update the database to enable this feature flag.

    [SPAOP-5587]

Upgrade

  • After the database upgrade, the module/section tabs in the UI do not appear for some time (approximately an hour).

    Workaround: Manually restart the IIS service if you want the tabs in the UI to be visible immediately after the database upgrade.

    [SPAOP-5331]

  • When attempting to upgrade versions 2402 or 2407 to 2408 by replacing the MSI, the Secure Private Access tile in the Citrix Virtual Apps and Desktops installer shows Upgrade available. However, clicking the Secure Private Access tile to proceed with the upgrade results in Secure Private Access being uninstalled instead of being upgraded. The Core Components page displays the message “Secure Private Access will be removed.

    [SPAOP-5495]

  • When upgrading from version 2405 or 2407 to 2408, you cannot set up Secure Private Access if it was not configured in versions 2405 or 2407. The database creation process cannot proceed because the Next button on the Database Configuration page is grayed out.

    [SPAOP-5595]

  • After you upgrade to 2408 and edit an existing app whose URL starts with www, then the App Connectivity field does not populate the previous state. You must select the app connectivity type again. This is a one-time action post-upgrade after which the configuration is saved and continues to persist.

    [SPAOP-4216]

  • After you upgrade to 2408, though you can log on to the admin console, you cannot manage applications and policies. An error message appears.

    Workaround: You must upgrade the database using the scripts. For details, see Upgrade the database using scripts.

    [SPAOP-5255]

  • After you upgrade to 2408, application enumeration and application launch fail.

    Workaround: You must upgrade the database using the scripts. For details, see Upgrade the database using scripts.

    [SPAOP-5255]

  • You cannot upgrade the Secure Private Access plug-in from earlier versions to 2408 if the plug-in was installed using the Delivery Controller.

    [SPAOP-4505]

User interface

  • The Application launch count counter in the Secure Private Access > Overview page is not incremented for TCP/UDP apps.

    [SPAOP-4201]

Known issues