Small addendum from last week. Since the October patchday (October 11, 2022), administrators of Citrix installations have noticed that connections no longer work for Citrix clients once Windows update KB5018410 has been installed. This update for Windows 10 version 20H2-21H2 is likely where the TLS 1.0/1.1 issue struck. Addendum: It seems that an out-of-band update from Microsoft has fixed this issue.
I became aware of the issue the other day via the following tweet from Carl Stalhood. The message is simple: If you install the Windows update KB5018410, you should not be surprised about broken connections from Citrix clients.
In the Citrix forum there is a discussion about this, titled "CITRIX WORKSPACE NO CONNECT AFTER MICROSOFT OCTOBER 2022 UPDATE". The thread starter writes:
Hi,
After the Microsoft Security Update October 2022 KB5018410 was installed on my workstations, the Citrix Workspace Client can't connect with the Netscaler server; the error for new connections is "can't add account with provided url". The clients that have Citrix open can't open any application. If we uninstall the Microsoft KB, Citrix works fine. We tried different Citrix versions and the problem persists. Any idea?
The Windows OS version is Windows 21H2
There, the Citrix clients can no longer connect to the server as soon as the update KB5018410 for Windows 10 version 20H2-21H2 has been installed. A user then confirms that it was probably due to the TLS problem outlined below.
@Martin Berthiaume, I found the solution for our environment in Citrix ADC (aka Netscaler). The Load balancing virtual server object for our Storefront missed settings for TLSv11 and TLSv12 in SSL parameters. I also tested with the default ciphers, but had to remove them again because then the session from HP Linux thin clients stopped working. In my searching for answers I also fixed an outdated certificate in IIS on the StoreFront servers. But it wasn't until I checked TLSv11 and TLSv12 that the receiver started to work again. It seems like KB5018410 unchecks the older ones in Internet Options, just leaving TLSv12.
In the forum thread, a user describes how he enabled TLS 1.2 in his environment to get the connections working again. The free Nartac tool for testing the TLS configuration may also be quite helpful.
Update KB5018410 and the TLS problem
I had pointed out the problem of TLS 1.0/1.1 being disabled by Microsoft for Windows 10 version 20H2-21H2 with the October 11, 2022 security update in the run-up to the October 2022 patchday in the post Windows 10: Beware of a possible TLS disaster on October 2022 patchday. This was not voodoo, as Microsoft already documented exactly this in the September 2022 preview update (see Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022)). And on Patchday, October 11, 2022, the TLS 1.0/1.1 shutdown was then distributed more broadly (see Patchday: Windows 10-Updates (October 11, 2022)).
I also just got a message on Facebook that someone at a customer has experienced Outlook connection problems, probably due to the October update and TLS. The tips from my article Bug: Outlook no longer connects to the mail server (October 2022) may help there.
Out-of-band for Windows as a fix
Addendum: It has been mentioned in the comments below and in my German blog: Microsoft has confirmed a bug in Windows that is causing SSL and TLS connection issues. I covered this update in the blog post Out-of-band updates for Windows fixes SSL-/TLS connection issues (also with Citrix) – October 17, 2022, which lists an overview of the available updates.
Out-of-band #update for #Windows fixes SSL / TLS connection issues – also for Citrix clients
Similar articles:
Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022)
Patchday: Windows 10-Updates (October 11, 2022)
Windows 10: Beware of a possible TLS disaster on October 2022 patchday
SSL/TLS connection problems fixed with recently released out-of-band updates mentioned by Bleeping Computer:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-tls-handshake-failures-in-out-of-band-updates/
Citrix users who have installed KB5018410 should try installing the out-of-band KB5020435 update and reboot
note: these out-of-band updates are usually available only thru the MS Update Catalog site and will NOT be offered thru Windows Update & WSUS
Thanks for your comment – see my addendum at the article's end (it took me too long to write the blog post before the 1st comment arrived).