Getting @#$%ing Citrix to work on your Mac. Again.

Three-and-a-half years after I wrote this, this page is still getting scads of traffic. Citrix has been Not My Problem for a long time now. If you’re one of the many folks who’ve come here with an SSL error 61, scroll down to step 2 – I don’t actually know if the info is still current, but you don’t need to know about step 1

(back to original post)


Just had to re-trawl the web to get this godless peice of software working again on a new machine, and thought I’d gather it all together in the one spot for the benefit of someone (even if it’s just me in another coupla years).

Summary

(This guide is for those people whose corporations get them to connect via a web page, often called “MetaFrame Presentation Server”)To get Citrix to work you need to do just 2 simple things:

  • Convince citrix that you’re actually on a Mac.  (It does now believe that FireFox can be a Mac browser, but Safari? Never heard of it, can’t be a Mac browser)
  • Determine what kind of security certificate you organisation uses and, if necessary, add it

The Devillish Details:

1. Convince Citrix you’re on a Mac

Citrix uses a special Mac client and the metaframe server will only serve you up the kind of file their Mac client wants if it thinks you are on a Mac – and (until very recently) the only Mac web browser is IE, right?

If, when you first connect to the “presentation server” page, you see some messages at the lower-right which include a link for the Mac client, you do not have to do this step. Mac Firefox is finally recognised, but not Safari.

So, you could actually run MSIE if you want, but I find it much easier to stay in Safari. Safari has a handy hidden feature where it can pretend to be a range of other browsers, we just have to turn on the “Debug” menu. This is well documented right across the internet, you simlpy run the Terminal and type in:

defaults write com.apple.Safari IncludeDebugMenu 1

You can just copy & paste that. It’s that simple. Obviously you hit “enter” after that. Then quit and reopen Safari, Here’s what to do next:

  1. open a new blank page or tab
  2. Go to the new “Debug’ menu, go down to “User Agent” (it’s actually near the top in Safari 3 now) and tell it to be “Mac MSIE 5.22”
  3. Enter the URL for your organisation. You should see the telltale “If you do not have the ICA Client for Macintosh” message at the right which means Citrix has correctly determied your platform

You can also use the link provided to download a Mac client, if you don’t have one. These three steps are now all you’ll have to do to connect to your organisation via citrix. The next section deals with some stuff you’ll only have to do the first time.

2. Security Certificate

The Citrix client stores a selection of “CA”s (certificate authorities) in the “keystore” folder. Wherever you install the client, the keystore folder must go. If not, you’ll get the “keystore is unreadable” errorIf you get the “SSL error 61” message, that means your organisation is using a certificate that wasn’t provided by Citrix (the Mac client, it seems, doesn’t ship with that many). Safari wont tell you anything about the certificate being used by a page (that I could find) but Firefox can, so open your organisation’s page in firefox – it may, of course, assume that you’re on a non-Mac, so you can’t use firefox to actually connect, we’re just trying to find out the name of the certificate we’re using.Once you have the page up in Firefox:

  1. Go to Tools -> Page Info in the menus
  2. In the “Page info” dialog which opens, click on Security
  3. It should say “Web Site Identity Verified” and have a “view” button. Click it
  4. You should see, about halfway down, a field called “Common Name” – the vaue next to that is the one we care about

Now you need to get that and install it. Root CA’s can be downloaded from most providers, but they don’t always make them easy to find. Mine were from Thawte, and there is no sign of any CA download on their website. But Google “Thawte root CA’s” and bang, the Gbot finds them straightaway!Sticking with Thawte as an example, the root CA download gives you a zip file with well over 10 CA’s. Find the one you need based on the steps above and, if you’re using Leopard, add it using the “Keychain Access” application (which lives in the Utilities folder). Pre-Leopard, you should copy it to the keystore/cacerts folder (the one that you installed in the same folder as your ICA client). And, and this bit is critical, rename it from whatever.cer to whatever.crt. Without the .crt extension, mine wouldn’t work.And that should be that, a modern Citrix should work from a Mac browser every time

Advertisements
    • Erica Harris
    • March 14th, 2008

    Thank you, thank you, thank you for publishing this little gem. The first part re convincing Citrix that one’s client really is a Mac was exactly what I needed.

    • c1tr1xguru
    • May 6th, 2008

    Ok so I’m not perfect (read I don’t own a Mac, yet), but what version of the Mac OS are you running? Did you download the Mac OS client from the Citrix website, or did you get it from your support team? If from your support team did they have the right version of client? Did your support people help you with this?

    I’ve installed hundreds of Mac OS ICA clients with no issues, just curious as to why you had issues.

    On another note, not that this is important, but the web page that you see is the Web Interface for Presentation Server.

    Cheers
    Michael

      • Travis
      • February 16th, 2010

      Ok, so I’m having an issue getting the new Citrix 11.0 Dazzle Desktop client to work. I’m on a MacBook Air with the latest version 10.6.2 OSX. The Dazzle client opens, allows me to put in a server, but when I put in my username and password, the client shakes and doesn’t connect. Am I missing something. Shouldn’t this work if Citrix is publishing it.

      Also, I can log-in via the web client; however it will not allow me to launch any applications.

    • pdaddy
    • May 7th, 2008

    Hey guru, you may notice the post was a year ago, so it was on 10.4 “Tiger”, and my other recollections may be vague.

    I downloaded all the bits myself. The reality still is, in the late noughties, if you’re using a Mac in an enterprise that isn’t print or maybe video, you *are* the support team.

    PG

  1. Thanks so much for this… my problem was with convincing Citrix I had already downloaded the Thawte certificate and that I had them in the right directory AND on the keychain.

    Who would have thought a simple rename from .cer to .crt solved the problem?! Thanks again.

    • Guillaume
    • January 7th, 2009

    Thank a whole lot! Clear instructions that work, no chance to find that on the Citrix website…

    The issue doesn’t seem to be specific to a particular version of OS X: I am running 10.5.6.

    • Merci Guillaume,

      Man, Citrix should fricken pay me! 2735 views, if I had adwords I’d have a few cups of coffee by now.

      Just glad I can make a few Citrix users’ lives easier…

    • Paul
    • February 1st, 2009

    Your step one was all I need to get the latest Citrix client to work with Safari–you would think by know Citrix would have something on their support page or better yet, design their clients so that it knows Safari is a Mac.

    Now I can uninstall firefox, which was my workaround to getting it to work. 🙂

  2. Thanks a lot! I got it to work in Safari once, but could not make it work for a long time after getting a new Mac… Now I just need the Solaris environment, which I eventually end up in after having been redirected through 2 (sic!) windows systems, to recognise my Danish keyboard layout. Security really makes life hard…

    • hannah
    • April 30th, 2009

    Thank you so much for posting this (even if it was a couple of years ago) – it just sorted my citrix out (again…) perfectly. I’m sending happy thoughts in your direction.

    • Mac Lover
    • May 28th, 2009

    Hi,
    After following all the instructions, I still am getting the following error message.
    “SSL Error 16: The data supplied is not a valid, or expected, SSL packet.”

    Please help

    • That would lead me to believe that the SSL data is not getting to your machine in the proper form – and may, in fact, never have been in the proper form.

      Talk to whoever’s in charge of citrix!

    • Moe
    • July 1st, 2009

    Thanks so much! Your instructors were VERY helpful. I am running on Leopard, so for this operating system you need to add the certificate to the Keychain Access folder (this can be found in applications/utilities). Thanks again!

      • pdaddy
      • July 1st, 2009

      Thanks Moe,

      Guess I’ll have to update the page!

    • Azalea
    • October 18th, 2009

    I cant run citrix in my Mac, i have the error SSL 61 i followed the instructions but it doesnt work 😦

    1. i downloaded the citrix version 11.0 form. ICA Client – MacOS X

    2. i downloaded the TC TrustCenter SSL CA I and
    TC Trust Center Class 2 CA

    3. when i ran the citrix version, it created just a folder called Dazzle, i changed the name to Citrix ICA Client and i did a folfer called keystores, then i did a folder called cacerts where i added both certifications, i manually changed to ever trust to all.

    but when i try to run the SAP training it says SSL error 61 you have not choosen to trust “TC trustcenter SSL CA I” and at the end it says error number 183

    Can somebody help me??

    i actually trying with safari and firefox :S

    • It’s been a LONG time since I’ve had to worry about citrix, so I don’t think I’ll be too much help, but I do note Moe’s tip just before yours, that under Leopard you have to put the certificate in via the Keychain Access utility.

      Try that and see how you go.

    • hjhstaff
    • October 22nd, 2009

    pdaddy,

    Thanks so much. Interestingly enough I found the pre-Leopard trick works on 10.5.6 with Citrix ICA Client 10.0.603. I tried the Keychain approach first, but that did not work. I removed the certs from the Keychain and then remembered this old trick you had documented.

    I’ve not tried the 11 client yet. However, Dazzle seems to be something else. The relevant Citrix client folder seems to have shifted to /Library/Application Support/Citrix.

    Thanks again for providing this resource.

    HJS

    • Daniel
    • December 12th, 2009

    Sorry I am an idiot when it comes to computers, what does it mean to “run the terminal”? I do not know where to type in that debug deal?

    simply run the Terminal and type in:

      • pdaddy
      • December 12th, 2009

      Hmmm, being “an idiot when it comes to computers” and trying to run Citrix on a Mac .. well, that’s a disadvantage!

      Terminal is a program inside the “Utilities” folder, which is inside the “Applications” folder which is on your boot disk (called “Macintosh HD” unless someone changed it).

      You launch it, copy & paste in the text below and hit return. It should just return to the prompt without saying anything like “error” and you’re done.

    • Travis
    • February 16th, 2010

    Ok, so I’m having an issue getting the new Citrix 11.0 Dazzle Desktop client to work. I’m on a MacBook Air with the latest version 10.6.2 OSX. The Dazzle client opens, allows me to put in a server, but when I put in my username and password, the client shakes and doesn’t connect. Am I missing something. Shouldn’t this work if Citrix is publishing it.

    Also, I can log-in via the web client; however it will not allow me to launch any applications.

      • Sara
      • April 10th, 2010

      My company uses an additional passcode field in addition to a username and password, so Dazzle wouldn’t work for us since it only passed the latter two credentials forward. Does your company use something similar? My best advice would be to uninstall Dazzle and try using the ICA client only for your OS version along with the instructions above on how to import the certificate. This has been a lifesaver for me! 🙂

    • Sara
    • April 10th, 2010

    Oh my goodness! THANK YOU for putting this out there. I have tried for weeks to get connected to my company’s site through Citrix and received SSL error after SSL error. I even asked our IT department for assistance to export the file in a “.crt” format and they were unable to assist me. The portion of your article about going to my company’s site and getting the info about the certificate’s “common” name was exactly what I needed to know. On the Citrix site, they had this long drawn out process listed for getting the certificate that involved using the DOS menu from my company’s PC. Unfortunately, this method returned the WRONG certificate name! Your instructions were SO much easier to follow and completely accurate. Again, thank you!

    • Martin
    • May 18th, 2010

    Ok, so I’m having an issue getting the new Citrix 11.0 Dazzle Desktop client to work. I’m on a MacBook Air with the latest version 10.6.2 OSX. The Dazzle client opens, allows me to put in a server, but when I put in my username and password, the client shakes and doesn’t connect. Am I missing something. Shouldn’t this work if Citrix is publishing it.

    Also, I can log-in via the web client; however it will not allow me to launch any applications.

    • Huub
    • August 18th, 2010

    To logon with Dazzle, instead of just your username type your User Principal Name (generally something like @domain.com. That worked for me.

    • Rebekah Bernard
    • January 11th, 2011

    thank you a million times! I’ve been trying to do my documentation for NextGen on my new Mac Book Air, and was about to give up. Thanks again!

    • P.O
    • February 18th, 2011

    Thanks so much this – totally saved me after 2 hours of frustration!

    • Richard
    • May 16th, 2011

    Sorry, everybody, but I am totally at my wit’s end. The certificate I’m missing seems to be Verisign Class 3 Interntional Server CA – G3, and I cannot find it for download anywhere. Not a website in the world knows where to find it. Any clues?

    • Jennifer
    • November 19th, 2011

    what a hassle! I’m not nearly as computer savvy as you are and couldn’t get this to work, so I finally downloaded this and it worked. For anyone in the same boat, see link.

    http://www.macupdate.com/app/mac/9610/citrix-ica-client

  3. This is the reason I keep coming back to this blog.
    I can not believe all the new content since my last
    visit!

  4. I’m very happy to find this page. I wanted to thank you for your time for this particularly fantastic read!! I definitely really liked every part of it and I have you bookmarked to look at new things in your blog.

  5. Excellent notable synthetic eyesight with regard
    to fine detail and may anticipate troubles prior to these people happen.

  6. It is perfect time to make some plans for the long run and it’s time to be happy. I have read this post and if I may just I want to suggest you few fascinating things or advice. Maybe you can write next articles referring to this article. I want to learn even more issues approximately it!

  7. After I initially left a comment I appear to
    have clicked on the -Notify me when new comments are added- checkbox and from now
    on every time a comment is added I recieve 4 emails
    with the same comment. There has to be a way you are able to remove me
    from that service? Many thanks!

  8. I have read some excellent stuff here. Certainly worth
    bookmarking for revisiting. I wonder how a lot attempt
    you place too create this type of wonderful informative website.

  1. October 2nd, 2008
  2. October 21st, 2009

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: