Citrix – NetScaler VPN Portal Homepage – Storefront Refused Connection with X1 Theme

Summary

Your company uses SSL VPN via Citrix NetScaler to provide secure access for employees and customers. When users connect, they are presented with the VPN portal homepage, styled with the X1 theme.

From the portal menu, clicking the “Citrix Applications” link is intended to open the Citrix Receiver page, as defined in the session profile. However, when using Microsoft Edge (Chromium-based), the Citrix Receiver page fails to load or is refused.

Description

When accessing Citrix StoreFront through the Citrix NetScaler VPN portal homepage (configured with the X1 theme), the X-Frame-Options settings in StoreFront may block the HTTP request from the Microsoft Edge (Chromium) browser.

Even if you’ve followed the guidance in Citrix article CTX202890, the frame-ancestors directive provided in the article does not fully resolve the issue when used with Microsoft Edge Chromium in combination with the X1 theme.

To fix this, you need to supplement the frame-ancestors directive with the FQDN of the StoreFront server, or include the domain and top-level domain of your internal environment.
Using wildcards in the frame-ancestors value is also supported and, in most cases, provides the simplest and most flexible solution—without compromising the security of IIS or Edge.

To verify the issue, you can use the Developer Tools in Microsoft Edge Chromium to inspect the HTTP response and view the specific refused request error.

Configuring the web.config File in Citrix StoreFront

To resolve the frame blocking issue, open the web.config file for the affected StoreFront Web Store located at:
C:\inetpub\wwwroot\Citrix\StoreWeb\web.config

Search for the X-Frame-Options or Content-Security-Policy header.

    1. Locate the frame-ancestors setting.
    2. Add your StoreFront FQDN or your top-level domain to the frame-ancestors value, as shown in the example or screenshot.

Example:
Content-Security-Policy: frame-ancestors 'self' https://storefront.yourdomain.com

You can also use wildcards for flexibility, depending on your environment and security requirements.

This configuration ensures proper loading of the StoreFront page within the Citrix NetScaler VPN portal—especially when using the X1 theme and Microsoft Edge Chromium.
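To see which framing origins a given frame-ancestors value admits before saving it to web.config, the following added example (not part of the original article or of Citrix's tooling) evaluates a policy string against candidate origins. The function name Test-FrameAncestor, the intranet and portal host names, and the simplified matching rules (host sources, 'self', 'none' and * only) are assumptions; note that the wildcard form admits every host under the domain.

```powershell
# Added example: simplified frame-ancestors matcher (host sources, 'self', 'none', *).
function Test-FrameAncestor {
    param(
        [Parameter(Mandatory)][string]$Policy,  # Content-Security-Policy header value
        [Parameter(Mandatory)][uri]$Ancestor,   # origin of the page that frames StoreFront
        [Parameter(Mandatory)][uri]$Self        # origin of the framed StoreFront page
    )
    # Pick the frame-ancestors directive out of the policy string.
    $directive = $Policy -split ';' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^frame-ancestors(\s|$)' } | Select-Object -First 1
    if (-not $directive) { return $true }       # this policy does not restrict framing

    foreach ($src in @($directive -split '\s+' | Select-Object -Skip 1)) {
        if ($src -eq "'none'") { continue }
        if ($src -eq '*') { return $true }
        if ($src -eq "'self'") {
            if ($Ancestor.Scheme -eq $Self.Scheme -and $Ancestor.Host -eq $Self.Host -and
                $Ancestor.Port -eq $Self.Port) { return $true }
            continue
        }
        # scheme://host[:port]; a host starting with "*." covers subdomains, not the bare domain
        if ($src -notmatch '^(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>[^:/]+)(?::(?<port>\d+|\*))?$') {
            continue                            # source form not handled in this sketch
        }
        $schemeOk = -not $Matches['scheme'] -or $Matches['scheme'] -eq $Ancestor.Scheme
        $hostOk   = $Ancestor.Host -like $Matches['host']
        if ($Matches['port']) { $portOk = $Matches['port'] -in '*', "$($Ancestor.Port)" } else { $portOk = $Ancestor.IsDefaultPort }
        if ($schemeOk -and $hostOk -and $portOk) { return $true }
    }
    return $false
}

# Constructed sample: StoreFront origin and three candidate framing origins.
$storeFront = 'https://storefront.yourdomain.com'
$ancestors  = $storeFront, 'https://intranet.yourdomain.com', 'https://portal.example.net'
$policies   = "frame-ancestors 'self'",
              "frame-ancestors 'self' https://*.yourdomain.com"
foreach ($p in $policies) {
    foreach ($a in $ancestors) {
        [pscustomobject]@{ Policy = $p; Ancestor = $a
            Allowed = Test-FrameAncestor -Policy $p -Ancestor $a -Self $storeFront }
    }
}
```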

frame-ancestors with Storefront FQDN configuration in the X-Frame-Options

frame-ancestors with wildcard domain and top level configuration in the X-Frame-Options

With the frame-ancestors configured in the X-Frame-Options, the StoreFront Receiver page will no longer be refused.

Citrix – Microsoft Edge Chromium Prompt To Run nglauncher.exe (Citrix NetScaler Plugin)

Summary

When logging in to Citrix NetScaler Gateway with Citrix VPN configured, Microsoft Edge prompts the user to run nglauncher.exe (Citrix NetScaler Plugin).
The following instructions provide a solution to properly configure Microsoft Edge Chromium to handle this prompt.

Description

To identify the required configuration values, you need to analyze the communication between Microsoft Edge Chromium and the Citrix NetScaler Gateway. In this example, the analysis was performed using Microsoft Edge Developer Tools.

During login, you can observe the nglauncher.exe call in the HTTP request headers of the Citrix NetScaler page.
The “Request URL:” field contains the key information needed for the configuration steps that follow.

You can apply this configuration either:

    • Globally via Group Policy (using the Microsoft Edge Chromium ADMX templates), or
    • Locally by modifying the Windows Registry on the user’s device.

GPO Configuration

The following Group Policy setting must be configured to suppress the Microsoft Edge Chromium prompt.

GPO Setting: Define a list of allowed URLs
GPO Setting Path: User Configuration\Policies\Administrative Templates\Microsoft Edge\
Value: citrixng://*


Registry Configuration

The following registry setting must be applied to bypass the Microsoft Edge Chromium prompt.

Registry Hive: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry Path: Software\Policies\Microsoft\Edge\URLAllowlist
Registry Value Name: {number} **
Registry Value Type: REG_SZ
Registry Value: citrixng://*

** The value name is a number. If a value already exists, the entry to be configured must be given a sequence number.
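The registry steps above can be applied idempotently with the following added example, which is not part of the original article. The function name Add-EdgeUrlAllowlistEntry is hypothetical, and choosing the next number after the highest existing value name is an assumption about how to satisfy the sequence-number note.

```powershell
# Added example: add citrixng://* to the Edge URLAllowlist policy key once,
# under the next free numeric value name. HKLM requires an elevated session.
function Add-EdgeUrlAllowlistEntry {
    param(
        [string]$Url = 'citrixng://*',
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'
    )
    $path = "${Hive}:\Software\Policies\Microsoft\Edge\URLAllowlist"
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }

    $key   = Get-Item -Path $path
    $names = @($key.GetValueNames())

    # If the URL is already listed under any number, leave the key untouched.
    foreach ($n in $names) {
        if ($key.GetValue($n) -eq $Url) { return "already present as value '$n'" }
    }

    # Existing numeric value names decide the next sequence number (assumption: highest + 1).
    $used = @($names | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    if ($used.Count -gt 0) {
        $next = [int]($used | Measure-Object -Maximum).Maximum + 1
    } else {
        $next = 1
    }

    New-ItemProperty -Path $path -Name "$next" -Value $Url -PropertyType String | Out-Null
    return "added as value '$next'"
}

Add-EdgeUrlAllowlistEntry -Hive HKCU
```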

 

 

SCORCH – System Center Orchestrator Error “Cannot invoke this function because the current host does not implement it”

Summary

When implementing PowerShell scripts within Microsoft System Center Orchestrator (SCORCH) runbooks, you may encounter the following error during execution:

“Cannot invoke this function because the current host does not implement it”

This issue typically arises due to certain PowerShell commands or functions being unsupported in the SCORCH runbook execution environment.

More Information

The error is triggered by a Write-Host statement executed outside of an Invoke-Command block or outside a second PowerShell session within the runbook.

In your case, Write-Host was included for testing purposes to view script output. However, when Write-Host runs, PowerShell attempts to write to the host console—which does not exist in the Orchestrator runtime environment—resulting in the following error:

“Cannot invoke this function because the current host does not implement it”

Solution

Comment out or remove all Write-Host statements that are:

    • Outside of Invoke-Command blocks
    • Outside of separate PowerShell sessions

Instead, use Write-Output or write to a log file if output tracking is needed during testing or debugging.
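To locate the statements the Solution asks you to remove, this added example (not from the original post) parses a runbook script with the PowerShell AST and lists every Write-Host call that is not inside an Invoke-Command script block. The function name Find-HostWrite and the sample script are constructed for illustration; calls made in a separately started PowerShell session are not recognised by this check.

```powershell
# Added example: report Write-Host calls that would run in the Orchestrator host itself.
function Find-HostWrite {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation named Write-Host, at any nesting depth.
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -eq 'Write-Host'
    }, $true)

    foreach ($call in $calls) {
        # Walk up the tree: an enclosing Invoke-Command means the call sits in its script block.
        $insideInvoke = $false
        for ($p = $call.Parent; $p; $p = $p.Parent) {
            if ($p -is [System.Management.Automation.Language.CommandAst] -and
                $p.GetCommandName() -eq 'Invoke-Command') {
                $insideInvoke = $true
                break
            }
        }
        if (-not $insideInvoke) {
            [pscustomobject]@{ Line = $call.Extent.StartLineNumber; Text = $call.Extent.Text }
        }
    }
}

# Constructed runbook script: only the first Write-Host is outside Invoke-Command.
$sample = @'
Write-Host "Starting runbook step"
$result = Invoke-Command -ComputerName 'SRV01' -ScriptBlock {
    Write-Host "Running remotely"
    Get-Service -Name Spooler
}
Write-Output $result.Status
'@

Find-HostWrite -ScriptText $sample
```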