Environment
Novell iChain 2.3
Novell iChain 2.3 Service Pack 4
Citrix Presentation Server Client for Java Version 9.3
iChain has been configured as documented in TID10098996
Novell iChain 2.3 Service Pack 4
Citrix Presentation Server Client for Java Version 9.3
iChain has been configured as documented in TID10098996
Situation
Citrix JAVA client cannot access applications through iChain on a
Citrix Metaframe server
Java Citrix Client returns:
iChain Form-fill rewrites the page calling the JAVA applet as expected to:
archive="JICAEngN.jar"
width="640" height="480">
cd08650e">
Taking a LAN trace between the Client and the iChain proxy server shows:
The result of taking further traces seems to be that the Citrix client for JAVA always truncates the password field in the outgoing auth header to 32 characters
Java Citrix Client returns:
Error tunneling though the
proxy.
Error connecting through the proxy - Protocol Error
java.net.Protocol exception
Please contact your Citrix Representative
Error connecting through the proxy - Protocol Error
java.net.Protocol exception
Please contact your Citrix Representative
iChain Form-fill rewrites the page calling the JAVA applet as expected to:
archive="JICAEngN.jar"
width="640" height="480">
cd08650e">
Taking a LAN trace between the Client and the iChain proxy server shows:
Hypertext Transfer Protocol
CONNECT 147.2.92.236:1494 HTTP/1.1\r\n
Accept-Charset: US-ASCII, ASCII, ANSI_X3.4-1968; q=0.9, ISO646-US; q=0.7, ANSI_X3.4-1986; q=0.6, us; q=0.4, IBM467; q=0.2, cp367; q=0.2, *; q=0.1\r\n
Accept-Encoding: identity, \r\n
Cache-Control: no-cache, no-store\r\n
Connection: close\r\n
Host: citrix.ichainsite.com:1494\r\n
Pragma: no-cache\r\n
User-Agent: Mozilla/4.0 (compatible; JICA/7.0)\r\n
Proxy-Authorization: Basic NThlMWM5MzFiZDNiMDIzZTNjNDE3MjE2OmI4NjNiODgxZDNiNDgyNzc0Mzg4MTRmZWE4MWI0NWY4\r\n
Credentials: 58e1c931bd3b023e3c417216:b863b881d3b48277438814fea81b45f8
that it looks like the Citrix JAVA Client truncates the base64
encoded password sent with the HTTP basic Proxy-Authorization
header in the CONNECT request by eight characters / bytes:CONNECT 147.2.92.236:1494 HTTP/1.1\r\n
Accept-Charset: US-ASCII, ASCII, ANSI_X3.4-1968; q=0.9, ISO646-US; q=0.7, ANSI_X3.4-1986; q=0.6, us; q=0.4, IBM467; q=0.2, cp367; q=0.2, *; q=0.1\r\n
Accept-Encoding: identity, \r\n
Cache-Control: no-cache, no-store\r\n
Connection: close\r\n
Host: citrix.ichainsite.com:1494\r\n
Pragma: no-cache\r\n
User-Agent: Mozilla/4.0 (compatible; JICA/7.0)\r\n
Proxy-Authorization: Basic NThlMWM5MzFiZDNiMDIzZTNjNDE3MjE2OmI4NjNiODgxZDNiNDgyNzc0Mzg4MTRmZWE4MWI0NWY4\r\n
Credentials: 58e1c931bd3b023e3c417216:b863b881d3b48277438814fea81b45f8
The result of taking further traces seems to be that the Citrix client for JAVA always truncates the password field in the outgoing auth header to 32 characters
Resolution
- The Citrix Presentation Server Client for Java 9.4 includes the
required a "Long User Password Authentication Failure" fix
- iChain 2.3 Support Pack 4 Interim Release 1a (ic23sp4ir1a.exe) is required to make use of the Presentation Server Client for Java 9.4 for JAVA
Additional Information
iChain
FormFill rewrites the page calling the JAVA applet as expected
to:
archive="JICAEngN.jar"
width="640" height="480">
cd08650e">
Taking a LAN trace between the Client and the iChain proxy server shows:
The result seems to be thst the Citrix java client always truncates the pwd field in the outgoing auth header to 32 characters
The problem is based on the fact:
Formerly known as TID# 10100486
archive="JICAEngN.jar"
width="640" height="480">
cd08650e">
Taking a LAN trace between the Client and the iChain proxy server shows:
Hypertext Transfer Protocol
CONNECT 147.2.92.236:1494 HTTP/1.1\r\n
Accept-Charset: US-ASCII, ASCII, ANSI_X3.4-1968; q=0.9, ISO646-US; q=0.7, ANSI_X3.4-1986; q=0.6, us; q=0.4, IBM467; q=0.2, cp367; q=0.2, *; q=0.1\r\n
Accept-Encoding: identity, \r\n
Cache-Control: no-cache, no-store\r\n
Connection: close\r\n
Host: citrix.ichainsite.com:1494\r\n
Pragma: no-cache\r\n
User-Agent: Mozilla/4.0 (compatible; JICA/7.0)\r\n
Proxy-Authorization: Basic NThlMWM5MzFiZDNiMDIzZTNjNDE3MjE2OmI4NjNiODgxZDNiNDgyNzc0Mzg4MTRmZWE4MWI0NWY4\r\n
Credentials: 58e1c931bd3b023e3c417216:b863b881d3b48277438814fea81b45f8
looke like the Citrix JAVA Client truncates the base64 encoded
password sent with the HTTP basic Proxy-Authorization header in the
CONNECT request by eight characters / bytes:CONNECT 147.2.92.236:1494 HTTP/1.1\r\n
Accept-Charset: US-ASCII, ASCII, ANSI_X3.4-1968; q=0.9, ISO646-US; q=0.7, ANSI_X3.4-1986; q=0.6, us; q=0.4, IBM467; q=0.2, cp367; q=0.2, *; q=0.1\r\n
Accept-Encoding: identity, \r\n
Cache-Control: no-cache, no-store\r\n
Connection: close\r\n
Host: citrix.ichainsite.com:1494\r\n
Pragma: no-cache\r\n
User-Agent: Mozilla/4.0 (compatible; JICA/7.0)\r\n
Proxy-Authorization: Basic NThlMWM5MzFiZDNiMDIzZTNjNDE3MjE2OmI4NjNiODgxZDNiNDgyNzc0Mzg4MTRmZWE4MWI0NWY4\r\n
Credentials: 58e1c931bd3b023e3c417216:b863b881d3b48277438814fea81b45f8
The result seems to be thst the Citrix java client always truncates the pwd field in the outgoing auth header to 32 characters
The problem is based on the fact:
- the Citrix Java Client makes use of the"sun.misc.Base64Encoder" class in order to encode the
authentication string [inBasicAuthHandler.java]. The class seems to
add automatically inserts "\r\n" after every 76th character. For
Base64 encoding this is correct, except when it's being used for
HTTP Basic authentication.
- iChain23 SP4 has a problem running a CONNECT request extracted from the Citrix Java Client Address Parameter based on the fact that the IP Address is surrounded with quotes
Formerly known as TID# 10100486