Troubleshooting failures in the Citrix Secure Access client for Windows
Auto-login failure in the Citrix Secure Access client version 24.11.1.17 and above
Auto-login for classic authentication fails in the Citrix Secure Access client when Microsoft Edge WebView is enabled. Versions earlier than 24.11.1.17 supported auto-login for both classic and advanced authentication using Internet Explorer WebView.
Due to Microsoft’s deprecation of Internet Explorer, Citrix Secure Access client versions 24.11.1.17 and later default to Microsoft Edge WebView, which does not support classic authentication. We recommend migrating to advanced (nFactor) authentication. If you must continue using classic authentication, disable Microsoft Edge WebView until the migration is complete.
The following table summarizes the compatibility matrix for different authentication modes and WebView components in various Citrix Secure Access client versions:
Citrix Secure Access client version | Default WebView | Authentication mode | Auto-login support | Workaround required |
---|---|---|---|---|
24.11.1.17 and lower | Internet Explorer WebView | Classic | Supported | Not required |
24.11.1.17 and lower | Internet Explorer WebView | Advanced (nFactor) | Supported | Not required |
24.11.1.17 and above | Microsoft Edge WebView | Advanced (nFactor) | Supported | Not required |
24.11.1.17 and above | Microsoft Edge WebView | Classic | Not Supported | |
To resolve auto-login failure
To enable auto-login for classic authentication in the Citrix Secure Access client version 24.11.1.17 and above, the default WebView in the Citrix Secure Access client must be reverted to Internet Explorer WebView using one of the following methods.
Option 1: Contact Citrix Support
Contact Citrix Support to disable Microsoft Edge WebView for the customer environment.
Option 2: Configure registry
To revert the default WebView to Internet Explorer WebView, apply the following registry configuration:
REG_NAME: EnableEdgeWebView
REG_PATH: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
REG_TYPE: REG_DWORD
REG_VALUE: 0
Login failure due to third-party software
You might encounter login failures in the Citrix Secure Access client if third-party software performs Dynamic Link Library (DLL) injection from directories other than C:\Windows or C:\Program Files.
To troubleshoot the login failure, verify the log file at C:\Program Files\Citrix\Secure Access Client\logs\csa_nsverctl.txt. A “No External Signature matched” log suggests the problem lies with the third-party software. The following is an example of a failure log:
2025-05-27 14:15:24.398 | 17020 | DEBUG | D | NONE | Signer cert name to verify file: = ABC signername INC |
2025-05-27 14:15:24.398 | 17020 | ERROR | S | NONE | Verify file: No External Signature matched |
To resolve the login failure
The login failure due to third-party software can be resolved using one of the following methods:
Option 1: Exclude the nsload.exe process
Configure the third-party software to exclude the nsload.exe process. This configuration ensures optimal compatibility with the third-party software that performs DLL injection from directories other than C:\Windows or C:\Program Files.
Option 2: Configure registry
Starting from the Citrix Secure Access client for Windows release 25.2.1.18, you can apply the following registry configuration if DLL injection is required:
REG_NAME: ExternalTrustedSigners
REG_PATH: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
REG_TYPE: REG_MULTI_SZ
REG_VALUE: Signer name of the DLL being injected
You can get the signer name from the log file at C:\Program Files\Citrix\Secure Access Client\logs\csa_nsverctl.txt. In the following example log, “ABC signername INC” is the signer name to be configured in the ExternalTrustedSigners registry.
2025-05-27 14:15:24.398 | 17020 | DEBUG | D | NONE | Signer cert name to verify file: = ABC signername INC |
2025-05-27 14:15:24.398 | 17020 | ERROR | S | NONE | Verify file: No External Signature matched |
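The following PowerShell script is an added example, not Citrix code. It lists the signer names that csa_nsverctl.txt reports as unmatched and shows whether each one is already present in ExternalTrustedSigners, so that every signer can be reviewed before it is trusted. It assumes that the "No External Signature matched" line follows the signer line with the same value in the second column, as in the example log above; the function and variable names are hypothetical.

```powershell
# Added example (not Citrix code). Read-only: nothing is written to the registry.
param(
    [string]$LogPath = 'C:\Program Files\Citrix\Secure Access Client\logs\csa_nsverctl.txt',
    [string]$RegPath = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'
)

# Fallback input when the log file is absent: the two log lines shown on this page.
$sample = @(
    '2025-05-27 14:15:24.398 | 17020 | DEBUG | D | NONE | Signer cert name to verify file: = ABC signername INC |',
    '2025-05-27 14:15:24.398 | 17020 | ERROR | S | NONE | Verify file: No External Signature matched |'
)

function Get-UnmatchedSigner {
    param([string[]]$Lines)
    $pending = @{}   # last signer seen, keyed by the second column (assumed to be a process or thread id)
    $failed  = @()
    foreach ($line in $Lines) {
        $f = $line -split '\s*\|\s*'
        if ($f.Count -lt 6) { continue }          # not a log record
        $id, $msg = $f[1], $f[5]
        if ($msg -match '^Signer cert name to verify file:\s*=\s*(.+)$') {
            $pending[$id] = $Matches[1].Trim()
        } elseif ($msg -match 'No External Signature matched' -and $pending.ContainsKey($id)) {
            $failed += $pending[$id]              # signer whose verification just failed
            $pending.Remove($id)
        }
    }
    $failed | Sort-Object -Unique
}

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }

# Current REG_MULTI_SZ value; empty when the value or key does not exist.
$trusted = @((Get-ItemProperty -Path $RegPath -Name ExternalTrustedSigners -ErrorAction SilentlyContinue).ExternalTrustedSigners)

foreach ($signer in Get-UnmatchedSigner -Lines $lines) {
    [pscustomobject]@{
        Signer         = $signer
        AlreadyTrusted = $trusted -ccontains $signer   # exact string comparison (assumption)
    }
}
```

Each signer added to ExternalTrustedSigners is trusted for DLL injection into the client, so confirm that every name in the output belongs to software you expect on the device before you configure it.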