SharePoint CSOM and NetScaler

24 Sep 2015
September 24, 2015

I am currently preparing a test dataset for a SharePoint WebPart to see how it scales on a customer SharePoint 2010 environment. The problem I faced here was that the environment is protected by Citrix Netscaler and every CSOM call was ended with a lovely exception.

Problem 1: SSL

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

The client uses https/SSL to secure the channel (good!), but the netscaler load balancer does not provide the correct certificate (I think that could be configured, but that’s not my job here…) and does a redirect to a different domain ( for authentication:

Netscaler Login Page

Netscaler Login Page

So CSOM correctly stops – oldy but goldy, right?

Solution 1

The following snipped accepts all certificates, valid or not. Dont use it in production code, for single use CSOM as in my case it is perfectly acceptable, right? 🙂

Problem 2: NetScaler Authentication

Once the SSL challenge is accepted, we have to take care of the authentication part. I have done something similar for ADFS were you emulate the authentication (basically you grab the cookie once the authentication happened and reuse it for the SharePoint CSOM).

Fiddler quickly confirmed my assumption – after login via the citrix interface, every call uses cookies for authentication:

Debugging Authentication Flow with Fiddler

On the left you can see the 302 redirect to a different domain. Once I provided the login credentials it sets 4 cookies.

Solution 2

Now lets try to convince the CSOM to use cookies for each request:

Once we have the event, we need to set the cookies (maybe you need different ones depending on the configuration):

This code is then executed when “ExecuteQuery” is called – and the cookies are set once. With fiddler you can verify the cookies are used then.

The approach above of course only works for a session lifetime – after expiration of the cookies, CSOM can’t connect. The code could be expanded to grab the cookies with the first call or after expiration – but for my test data single purpose code that’s apparently out of scope.


At first I thought – “well that takes me 10 Minutes to provision 1000 datasets” – took me longer 🙂

Hopefully this post saves somebody some time!

Max Melcher
Follow me!

Max Melcher

Maximilian Melcher (MCSE, MCPD) is a Principal Consultant working at Alegri International Services in Munich, Germany. Max is a specialist in SharePoint technologies focused on search, social computing, web content management and collaboration. Max has led SharePoint implementations for Dax 30 companies since 2009.
Max’s free time is spent on twitter (@maxmelcher) mostly with a good coffee in his hands.
Max Melcher
Follow me!
Tags: , , ,
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.