Citrix Remote PowerShell SDK error: “Could not establish trust relationship for the SSL/TLS secure channel with authority ‘localhost’.”

If you see the following error when trying to run cmdlets from the Citrix Remote PowerShell SDK

Check and make sure you are running PowerShell in its 64-bit flavour, and not 32-bit (x86).

WTF?

I had this issue recently when automating some tasks with Jenkins talking to Citrix Cloud, using the Citrix Remote PowerShell SDK:

On the same host as Jenkins, if I ran a PowerShell shell, and ran the exact same script, it’d work fine.

If I ran it in Jenkins, it would fail with an error like this:

Root Cause

The root cause is there’s something up with 32-bit PowerShell and the Citrix Remote PowerShell SDK.

Jenkins runs the 32-bit version of PowerShell because Jenkins itself is 32-bit. The reason the script worked in a PowerShell shell on the Jenkins host, was because the default on Windows is 64-bit PowerShell. As soon as I forced PowerShell 32-bit, I could reproduce the problem.

The Fix

The fix is to force Jenkins to use PowerShell 64-bit. There’s two options I found:

  1. You can workaround it with some good tips here: https://adamtheautomator.com/jenkins-powershll-64bit/#method-3-using-the-sysnative-powershell
  2. Or you can fix it fully by making Jenkins run on 64-bit Java: https://stackoverflow.com/questions/28331924/jenkins-powershell-plugin-is-running-32-bit-powershell-and-i-need-64bit

A quick Citrix microapp hack to get notifications when there’s a Citrix Security Bulletin

Credit to Gabe Carrejo and the Patrick Quinlan for their work on this.

It’s possible to use the Citrix Support Security Bulletin RSS feed with Citrix microapps to notify you (or a group) when there’s a new Security Bulletin from Citrix

Rough Steps:

  1. Copy this RSS URL: https://support.citrix.com/feed/products/all/securitybulletins.rss
  2. If you want to narrow the feed down to a specific product or category, look for the category tags in the RSS feed and add them when you add the RSS integration in step 3
    • Some examples, in case they help:
  3. Follow the RSS microapp guide here and replace the blogs RSS URL with the Security Bulletin URL: https://kabri.uk/2019/12/18/building-a-simple-citrix-microapp-that-shows-blog-posts-from-a-wordpress-rss-feed/

Of course, you don’t need to use microapps to get Security Bulletins (you could just use an RSS reader) but it’s a very neat use case – and combined with Push Notification with Workspace, means you get a notification to your phone when there’s a new Bulletin. Great idea, Gabe!

A full list of feeds available from Citrix Support are here: https://support.citrix.com/feeds

How to force a Wi-Fi USB adapter on a Synology DiskStation to use 5GHz ac from 2.4GHz

Useful if your SSIDs are identical for 5GHz and 2.4GHz. Having your SSIDs setup like this seems to confuse Synology DSM, and for me it would always connect to the 2.4GHz network.

I had this particular issue where my TP-Link T4U ac wifi adapter for my Synology kept dropping down to using the 2.4GHz network, which slows it down dramatically.

To fix this, here’s what I did. Your mileage may vary, and you may end up disconnecting your Synology from the network, so make sure you have another way of getting to it (such as Ethernet) before proceeding with any of this!

SSH to the DiskStation, login as admin.

sudo -s to root account (same password as admin account)

Make a copy of your existing wifi config file inside /usr/syno/etc/wifi/

For me, I did:

Edit the original file with vi. If you don’t know how to use vi, do a web searhc (it’s not hard, but not easy either).

What you need to do is remove reference to the 2.4ghz network, which you can identify from the bssid, which is the MAC address of your router’s 2.4ghz radio. Once you’re done, the file should just contain details for the bssid that’s your 5ghz network. On my router, the MAC address for the 5GHz network was one hex number higher than the 2.4GHz network.

Next, make a copy of the wpa_supplicant file in /usr/syno/etc. For me, this was called: wpa_supplicant.conf.wlan0

Now edit the file, and change the bssid (which will be the 2.4ghz bssid MAC address) to the bssid MAC address of the 5ghz network.

Reboot the Synology diskstation, and when it comes back, it should be on the 5GHz network.

Install Citrix Cloud Connector on Server Core 2016

Scope

This post will provide some quick notes on installing the Citrix Cloud Connector on Server Core 2016.

Conceptual overview

  • We’re going to take our domain-joined Server Core installation and install the Citrix Cloud Connector on to it.
  • You can’t simply run the installer from the Server Core UI, because Server Core doesn’t have all the bits required for the Connector wizard to work.
  • So to work around this we’ll get an API Access key from Citrix Cloud admin UI and use that to install the connector silently on the command line.

Pre-requisites and considerations

  • It’s assumed you have installed Server Core 2016 and joined it to the domain.
  • I believe you’ll need an API access secure client entry for each controller you’re setting up. Happy to be corrected on this, but it feels like that’s the best way to go about this.
  • The API access key is tied to the Citrix Administrator. If that Adminstrator account is later revoked access or permissions changed, the API keys will stop working. More on this here.
  • As of right now (September 2018) installing the Cloud Connector on Server Core is not supported – however, the team is aware of appetite for this, and have a workstream open to do some testing with all the components.

Steps

Create an API Access secure client entry for the connector

Go to https://citrix.cloud.com > Identity and Access Management > API Access tab

Enter a descriptive name of your Server Core VM in the “Name your Secure Client box” and click Create Client – I typically use the VM hostname so it’s easy to track which controllers are using which credentials. If you want to add more contextual info, do so. The field isn’t tied or reliant on the VM name at all.

Store the ID and the Secret given to you in a secure place. You’ll never be given the Secret again, so I’d recommend storing it securely.

Gather required information

To install the connector from the command line you’ll need the following information:

  • Citrix Cloud Customer ID
    • You’re told this just before you make the API access credentials, when entering a secure client name.
  • API Access secure client ID
    • You’re told this when you make the API access credentials
  • API Access secure client Secret
    • You’re told this when you make the API access credentials
  • The ID of the Resource Location you’re installing the connector into.
    • This is the UUID of the Resource Location, not its friendly name. You’ll find it in the Resource Locations – click on “ID” to view it.

Download the Connector onto the Server Core VM

Log in to the Server Core VM and run the following, replacing “yourcustomeridhere” with your Customer ID

Install the connector silently

Now, from the same command line, build your silent install command, replacing yourcustomeridhereyourclientidyourclientsecret, and yourresourcelocationid with the information you gathered earlier, and run it:

That’s it. You won’t get confirmation that it worked, so you’ll need to check via Citrix Cloud

Check your Resource Location to verify connectivity

Go back to the Citrix Cloud UI and check your Resource Locations to verify if the connector is being setup. It can take a few minutes to complete.

Uninstalling the Cloud Connector

Should you need to Uninstall the Cloud Connector from Server Core, you can run:

It looks like this isn’t documented (not mentioned if you use /?) but it does work.

Further reading

 

Base image automation – download the latest installers for common apps with PowerShell

Overview

Long overdue, and inspired by @xenappblog and @CIT_Bronson, I’m finally documenting this.

In the Citrix RTST environment, we are frequently updating our base images with the latest common apps. To help with this, I cobbled together some scripts that will grab the latest version of apps like Chrome Enterprise, Firefox, VLC, Visual Studio Code, NotePad++, and FileZilla.

PowerShell Scripts

Below is a list of super-basic PowerShell snippets that will get the latest versions of software commonly installed on base images in a Citrix XenApp-Virtual Apps and Desktops-type environment. They include the URLs used; useful if you just need the URLs for your own purposes.

The key to all of these is the URLs used – most installers have special URLs you can use to get the latest installer, but the challenge is finding them!

Some of the techniques used in these scripts may be useful to help build scripts for other apps you may need for your environment.

You’ll need to change $output or -OutFile location to match where you want the installer to be saved.

Get Latest Google Chrome Enterprise

This will get you the latest stable build of Enterprise Google Chrome:

Get Latest Firefox

Get Latest VLC

Get Latest Visual Studio Code

Get Latest NotePad++

Get Latest FileZilla

Other resources

The End-User Computer (EUC) community, including Citrix Technology Professionals (CTPs) are already sharing their techniques for getting other apps, including Adobe Reader DC, XenServer tools, and Firefox. If you’ve got something to share, let me know in the comments and I’ll get it added!