Cause

TLS 1.2

SFConnect uses .NET Framework 4.5.2 which supports TLS 1.2 but not enabled by default unless explicitly specified in code. If a customer's Citrix environment only accepts TLS 1.2 connection, the user will receive an error messaging saying it could not establish an SSL connection or the underlying connection was closed.

Citrix Cloud support

Citrix Cloud supports TLS 1.2 only as of March 2019. https://support.citrix.com/article/CTX247067.

The CitrixAuth challenge and response from the Citrix Cloud-StoreFront may contain a CitrixAuth roothint URL that's different than the requested URL https://developer-docs.citrix.com/projects/storefront-authentication-sdk/en/latest/citrixauth-authentication-scheme/. There was logic in SFConnect to compare and ensure they were the same - if they were different, the Authorization header is not included when requesting a resource, leading to an unauthorized response. 

Resolution

1. Backup the existing file: \\{VSIserver Share}\{Login VSI Share}\_VSI_Binaries\Connectors\LoginVSI.Connectors.Model.dll by renaming it or moving it out of the Login VSI share
2. Extract the LoginVSI.Connectors.Model.dll file from the zip file and place it in the Connectors folder