I was recently working with a customer on a XenMobile 8.7 Enterprise edition deployment when, all of a sudden, Worx apps stopped working and enrolling new users started failing. This was a deployment where everything was working and no changes were made to the environment. The customer was just adding more users to the deployment.
New users trying to enroll would get the following error message.
After further discovery and testing, we found out it was only users on iOS devices. Users with Android devices continued to work fine. Looking deeper into the issue, we narrowed it down to only iOS devices that either had Worx Home upgraded or had a new Worx Home install when adding new users to the deployment. The Worx Home version showing the issue was Worx Home 220.127.116.117. If a user with an iOS device had Worx Home version 8.7.x or below installed, they didn’t have the issue and were able to enroll and/or use Worx apps fine. We also saw that MDM enrollment was working fine and that the enrollment failure started when connecting to the App Controller.
I used the following methods to troubleshoot the issue:
- Connected an iOS device to VPN to bypass NetScaler Gateway and tested directly enrolling Worx Home to the App Controller.
- Gathered and reviewed XenMobile Logs – XenMobile Logs Collection Guide.
- Verified users were being applied the proper NetScaler Gateway Session Policy – How to Identify the Session Policy Applied to the User After Authentication.
- Verified users were not having any authentication errors connecting through NetScaler Gateway – How to Troubleshoot Authentication with Aaad.debug.
- Turned off the **Require Device Manager enrollment** setting on App Controller to troubleshoot directly, since MDM enrollment appeared to be working fine.
- Network traces on the NetScaler were taken while the issue was happening, and SSL session reuse was disabled on the NetScaler Gateway virtual server – How to Record Network Packet Trace on NetScaler Appliance and Configuring Session Reuse.
To add to the troubleshooting methods above, the NetScaler firmware was on the 10.1.124.1308.e build for XenMobile support and compatibility. The results of the troubleshooting methods above were:
- Bypassing the NetScaler Gateway allowed Worx Home 9.x to enroll without issue.
- XenMobile logs from Worx Home showed some authentication issues; not much was shown in the other logs.
- Users were hitting the proper NetScaler Gateway Session Policy for Worx apps.
- Authentication was not failing and users were authenticating fine.
- Issue was happening when trying to enroll directly with the App Controller.
- Network traces were showing proper traffic flow through the NetScaler to the App Controller.
Since we were seeing some authentication errors in the Worx Home logs, NetScaler Gateway Callback was turned off in the App Controller Deployment System Configuration for NetScaler Gateway. Once the Callback URL was removed and configuration was saved, iOS devices with Worx Home 9.x were able to enroll/re-enroll and work fine again.
App Controller Deployment System Configuration for NetScaler Gateway after change:
Removing the Callback URL fixed the issue. I am not sure what changed with Worx Home 9.x from earlier versions, but it seems the authentication process has changed. Talking over the issue with Citrix support, I was told the Callback URL is not needed and that it is recommended not to use it. I was actually told it is a best practice to leave the Callback URL empty/blank. Now I hope the XenMobile documentation is updated to show this, since Citrix documentation and lab guides show this setting being used. Even the XenMobile 9 documentation shows this.
If you have found this article interesting or if you have any insights, please feel free to contact me via email.