Known issues

The Citrix Secure Private Access for on-premises solution has the following known issues that are planned to be addressed in the future releases.

Domain Controller configurations

  • The one-way or two-way trust with trust type as “Forest” between domains across different AD forests isn’t supported.

    For example, if and domains are in two different AD forests, and SPA is installed on a machine where the domain is joined to /, then other domain users cannot access SPA published apps.

  • If the machine’s domain where Secure Private Access for on-premises is installed is different than the domain of the administrator logged in to Secure Private Access, then you must do the following:

    • Add a different domain service account as identify in the IIS Application pool for both the Secure Private Access Admin and Runtime service.
  • The alternate UPN suffix is not supported by Secure Private Access for Intranet (StoreFront) login and Internet/Extranet (gateway) app enumeration.
  • Distributed groups are not supported in Secure Private Access. Therefore, policies cannot search for distributed groups to add user and group conditions.
  • Secure Private Access does not capture the domain details in the admin console or service. Hence, it relies completely on the domain that the user provided. Therefore, if the corresponding domain is not accessible or if the domain name is not a valid name, then that domain is not supported.

NetScaler Gateway

The SSL virtual server with SSL profile configuration isn’t supported in the following scenario.

  • The customer is using NetScaler Gateway 13.1–48.47 and later or 14.1–4.42 and later.
  • The ns_vpn_enable_spa_onprem toggle is enabled.


Bind the SSL parameters configured in the SSL profile directly to the SSL virtual server or disable the ns_vpn_enable_spa_onprem toggle.

For details on the toggle, see Support for smart access tags.

RfWeb / Workspace for web

RfWeb / Workspace for web isn’t supported. Though the apps are enumerated, the app launch might fail.

Application icons

Only the ICO icon format is supported. The PNG, JPEG and other formats aren’t supported.

Admin management

Administrator’s RBAC role changes are reflected only after the current session is invalidated (by sign out or token expiry).


Build-to-build upgrade isn’t supported. Secure Private Access for on-premises prompts you to remove the existing installation and reinstall in build-to-build upgrade.


  • In Stores > Configure Unified Experience, the default receiver for Website must be configured to /Citrix/<StoreName>Web. In earlier versions of StoreFront, the default receiver for Website is set to a blank value and that does not work for Secure Private Access. Also, the earlier version of the Receiver UI is displayed on the client.

  • If you are using the StoreFront versions 2308 or earlier, the Stores > Manage Delivery Controllers page displays the Secure Private Access plug-in type as XenMobile. This doesn’t impact the functionality.


  • Support bundle generation for the cluster isn’t supported.
  • The logs folders for admin and runtime services must not be deleted. Secure Private Access can’t recreate if these folders are deleted.

Admin account requirements to install Secure Private Access

  • To install Secure Private Access, you must be logged in with a local machine administrator account.
  • To set up Secure Private Access, you must sign into the Secure Private Access admin console with a domain user which is also a local machine administrator for the machine where Secure Private Access is installed.
  • After the setup is complete, that user becomes the first Secure Private Access administrator and can then add other administrators.
  • To manage Secure Private Access after the setup, you must sign into the Secure Private Access admin console with a Secure Private Access administrator account.

Security restrictions

Security restrictions associated with an app fail to work if a related domain that is initially published is replaced with a different domain.

For example, you create an app with a related domain as and enforce print restrictions and watermark on the application. The security restrictions are enforced when the application URL is accessed. However, if you edit the same application and replace the related domain with *, then the security restrictions are not enforced when the new application URL is accessed.

Admin console

The Edit App page (**Secure Private Access  > Applications > Edit Application) of a published application does not close after a related domain entry is modified.

For example, if the related domain you entered while creating an app was After the app is published, you replace the related domain with, and click Save. The Edit App page does not close, though the app is updated successfully.

Installer display in Uninstall or change a program page

When you upgrade Secure Private Access from 2308 to 2311 by using the ISO file, the Uninstall or change a program page ( Control Panel > Programs > Programs and Features) displays two entries for the Secure Private Access installer instead of replacing the initial entry.

  • Citrix virtual apps and desktops 7 2311
  • Citrix virtual apps and desktops 7 2308 - Secure private access

You can uninstall the preview build installer by selecting Citrix virtual apps and desktops 7 2308 - Secure private access.


This issue is not observed when the Secure Private Access 2308 standalone installer is upgraded using the 2311 standalone installer.