
Troubleshooting the Citrix Password Manager Service

The best troubleshooting resources for Citrix Password Manager Service are the error messages encountered in the console, agent event log and XTE Service Error logs. The most common error messages have been typed in this document to allow for quick location and resolution. This document is organized into seven parts to provide easy access to the most common errors encountered.

  1. Password Manager Service Frequently Asked Questions
    1. What is the XTE Service?
    2. Are the signing and validation certificates related to the SSL certificate?
    3. Do I have to use CtxCreateSigningCert?
    4. How do I enable Data Integrity on an environment that already has been established as a "non-Data Integrity" deployment?
  2. Issues and Errors Encountered on the Service Machine
    1. Service configuration tool will not start
    2. Service configuration tool will not complete its configuration
    3. Shutting down/restarting the Citrix XTE Service
    4. Using the data signing tool
  3. Issues and Errors Encountered on the Console Machine
    1. Configure and run discovery (Data Integrity)
    2. Console error messages – Data Integrity
    3. Console error messages – Provisioning
  4. Issues and Errors Encountered on the Agent Machine
    1. Data Integrity related errors
    2. Automatic Key Recovery authentication failed, module could not be contacted
    3. Automatic Key Recovery post-password change
    4. Self-Service Password Reset registration failed
    5. Provisioning: Failure to consume queued commands
  5. Troubleshooting the Connection
    1. Testing the connection
    2. Repairing the connection
  6. Data Integrity – Recovering from Data Corruption
  7. XTE Service Error Log
    1. SSL certificate/machine name mismatch
    2. SSL handshake failure
    3. User not authorized to access the page
    4. Require user/group line is invalid
    5. File not found or unable to stat
    6. Attempt to serve directory

Password Manager Service Frequently Asked Questions

 

What is the XTE Service? Is it the same as the Access Suite's XTE Service?

XTE stands for eXtensible Transformation Engine. XTE is a common infrastructure component used in multiple Citrix products. The XTE Service hosts the Password Manager web services. This is the same XTE Service that XenApp Platinum Edition uses; however, it uses added modules with a different configuration. The added modules and configurations prevent the Password Manager Service from being installed on a machine with other Citrix applications that use the XTE Service. In addition, the security model recommends that the Password Manager Service server be placed in a physically secure location with limited access.

Are the signing/validation certificates related to the SSL certificate?

No, the SSL certificate (supplied from your certificate authority) is a totally separate entity from the signing/validation certificates that are created by the Password Manager Service.

What is the purpose of the SSL certificate?

An SSL certificate is necessary to ensure encrypted communication from the Service to its clients, such as Password Manager Agents, the console, and third-party provisioning clients, and to guarantee that the clients are talking to the correct Service machine. The SSL certificate name must exactly match the fully qualified name of the Password Manager Service machine to verify that the Password Manager Service machine is indeed the correct machine.

What is the purpose of the signing/validation certificates?

The signing and validation certificates are created by the Password Manager Service and have no relation to the SSL certificate. They are used by the Data Integrity Service to authenticate the information stored in the central store. Automatic Key Recovery and Self-Service Password Request also use the signing certificate to verify the user identity token. The signing certificate absolutely does not encrypt any data; it takes the data from the console, and generates a cryptographic signature which is appended to the data. If the data is changed without using the signing service to append a new signature, the agent will display a validation error when attempting to use the data, and discard the data.

Do I have to use CtxCreateSigningCert to create the signing/validation certificates?

In most cases, no. After a successful configuration of the Password Manager Service using the Service Configuration Tool, the signing and validation certificates are created automatically. The only case where you would create a new signing/validation certificate pair is when you wish to sign the data using a new certificate pair. You would need a new certificate pair if the certificate expires or is compromised.

How do I enable Data Integrity on an environment that already has been established as a "non-Data Integrity" deployment?

  1. Sign the data with the signing tool from the Password Manager Service machine. More information on using the signing tool can be found in the Password Manager Administrator's Guide.
  2. Configure and run discovery on the console. The console should automatically recognize that the data on the central store is signed, and will prompt the user to enter the Password Manager Service URI.
  3. Modify the installation of the agent to enable Data Integrity by selecting the Data Integrity feature and entering the URI of the Password Manager Service machine.

Service-side Issues and Resolutions

Service Configuration Tool will not start

The two most common reasons why the Service Configuration Tool will not start:

  • The Service cannot find a valid SSL Web Server Certificate installed on the Password Manager Service machine.
    An SSL web server certificate from your certificate authority is required. Also, the root certificate authority must be trusted on every machine that contacts the Service: the agent, console, and Service.
  • The user running the Service Configuration Tool must be a member of the domain and a member of the local machine administrators group.

Service Configuration Tool will not complete its configuration

Depending on where it stops, the Applying [Configuration] Settings status dialog window will give clues as to what function of the Service Configuration failed. Shown below is an abbreviated successful completion of the Service Configuration Tool, with numbers showing where failures may occur. The numbers in the picture below correspond to the descriptions that follow:

  1. Failure to configure the Data Proxy account:
    Error:
    The account credentials provided for the application are invalid.
    Issue:
    This usually occurs because the user credentials configured to run the Data Proxy were entered incorrectly. Go back to the 'Configure data proxy' page of the Service Configuration Tool, and re-enter the credentials.
  2. Failure to configure the Self-Service Password Reset account:
    Error:
    The account credentials provided for the application are invalid.
    Issue:
    This usually occurs because the user credentials configured to run the Self-Service Password Reset account were entered incorrectly. Go back to the 'Provide password reset credentials' page of the Service Configuration Tool, and re-enter the credentials.
  3. Failure to start the XTE Service.
    There are several issues that can cause this failure:
    1. The SSL Certificate name does not exactly match the fully qualified domain name of the Password Manager Service machine.
      Error:
      The server process could not be started. Make sure that the port is not in use. Refer to the Windows event log and Citrix XTE Server error log for more information
      Issue:
      The only way to verify that this is the problem is to look at the Citrix XTE Service error logs. Refer to the XTE Service error log section for more details on a resolution to an SSL server certificate/machine name mismatch.
    2. The Port is in use by another service (i.e. IIS Admin Service)
      Error:
      The server process could not be started. Make sure that the port is not in use. Refer to the Windows event log and Citrix XTE Server error log for more information
      Issue:
      If you are unsure which program is occupying the Password Manager Service default port 443, run port monitoring software to determine what is running on the port. The typical culprit is Internet Information Services. Uninstall the IIS Service (or other web service running on 443), or choose to run the Password Manager Service on a different port.
    3. Credentials are incorrect
      Error:
      The server process could not be started because the account name is invalid or does not exist, or the password is invalid for the account name specified.
      Issue:
      Go back to the 'Configure service' page of the Service Configuration Tool and re-enter the account credentials for the Citrix XTE Service.

Shutting down, restarting the Citrix XTE Service

Refer to Restart the XTE Service for steps to shut down and start the Citrix XTE Service.

Using the Data Signing Tool

The data signing tool is a command line utility that is located on the Password Manager Service machine at C:\Program Files\Citrix\MetaFrame Password Manager\Service\SigningTool\. The data signing tool (CtxSignData.exe) should be used in the following situations:

  • Enable/Disable Data Integrity in an existing deployment of Password Manager.
  • Verify all of the signatures on a central store that has Data Integrity enabled.
  • Re-sign all of the data on the central store with a newly created signing certificate after data corruption or after signing/validation certificate expiration.

Details and examples on using the data signing tool are located in the Password Manager Administrator's Guide.

Console-side Issues and Resolutions

 

Impact of Data Integrity on Configure and run discovery

When running Configure and run discovery on the console with a central store that has never been configured, the administrator is provided a choice to enable Data Integrity. When Configure and run discovery is activated on a central store that has previously been configured, either with Data Integrity on or off, the administrator is not allowed to change the Data Integrity setting from the console. See the Password Manager Administrator's Guide for more on disabling or enabling Data Integrity in an existing deployment.

When running Configure and run discovery, if Data Integrity is enabled, the user must fill in the Service URI and port number for the Citrix Password Manager Service machine. The following issues may be encountered:

  • The Service URI is typed incorrectly or the console is unable to contact the Service
  • The Service port is typed incorrectly
  • SSL certificate trust failed
  • An unexpected error occurred

Each of the specific errors is explained below.

Service URI Error: The underlying connection was closed: The remote hostname could not be resolved.
The Service URI is typed incorrectly, or the console is unable to contact the Password Manager Service machine.

Service Port Error: The remote service point could not be contacted at the transport level.
The Password Manager Service port is typed incorrectly, or the Citrix XTE Service is not running on the Password Manager Service machine.

SSL Trust Error: SSL server certificate could not be validated.
The SSL server certificate is not trusted and a connection will not be made.

The XTE Service error log will also print the following if the SSL handshake failed (i.e. when the SSL certificate is not trusted): "SSL handshake from client failed." Please see the XTE Service Error Log section for more details on how to avoid this error.

An exception of unknown type has occurred during connection to the service host. Service may have encountered internal error or misconfiguration.

Issue:
This error typically appears when an unauthorized user is trying to Configure and run discovery on a central store that has Data Integrity enabled. Not only will the console user require read/write access to the central store, but in the case of Data Integrity, the console user will also need access to the PrivateKeyCert.cert file on the Password Manager Service machine. If Configure and run discovery is not being activated as a Domain Administrator, special access must be granted to the user or group of users that use the signing certificate (PrivateKeyCert.cert) on the Password Manager Service machine.

Note: This error can also occur when trying to configure Data Integrity with a Password Manager Service machine that does not have the Data Integrity service component installed. You can only enable Data Integrity on the console with a Password Manager Service that is running the Data Integrity service.

Resolution:
Read the Citrix XTE Service error log in C:\Program Files\Common Files\Citrix\XTE\logs\ to verify that the issue is a "user not authorized" error. Proceed to the XTE Service Error Log section for more information to resolve this issue.

Console error messages - Data Integrity

Error:
One or more <CentralStoreRoot objects> could not be read from the central store. Your Windows Event Log contains additional error information.

Issue:
Check which object has been corrupted using the Event viewer. Refer to the Password Manager Administrator's Guide and the 'Recovering from Data Corruption' section for more information.

Console error messages – Provisioning

Error:
Provisioning is disabled. Enable provisioning and provide the address to the Citrix Password Manager Service.

Issue:
This error is received after selecting a user configuration and attempting to run either "Generate provisioning template" or "Run Provisioning" tasks from the console. This is due to the fact that the selected user configuration does not have the provisioning module enabled or configured.

Resolution:
To resolve this issue, edit the user configuration and on the provisioning module enable the feature by checking the "Use Provisioning" option and then enter the service URL and port.

Error:
Batch, Failure, "The name resolver service could not resolve the host name."

Issue:
This error is received when running the "Run Provision" task from the console. This is due to the fact that the service URL specified in the selected user configuration is not able to be resolved.

Resolution:
To resolve this issue, edit the user configuration and on the provisioning module use the validate button to verify the service URL and port. Refer to Troubleshooting the Connection for more information on how to resolve this issue.

Error:
Error: "Data Integrity Status Mismatch"

Issue:
This error is received when running the "Run Provision" task from the console. Whether Data Integrity is enabled or disabled, it must have the same "on/off" setting throughout the Password Manager environment.

Resolution:
Verify Data Integrity is consistently enabled or disabled in the following places.

  1. The central store – the data must be signed or unsigned
  2. The service configuration tool – Data Integrity must be on or off
  3. The agent - Data Integrity must be on or off

Agent-side Issues and Resolutions

Data Integrity errors

The agent's most common Data Integrity error – "Data integrity failed..." – will occur on agent startup. When using the agent, if there is a Data Integrity failure, the agent will be unable to grab any settings that were applied with the console. On First Time Use of the agent, you will be unable to get a license. When you receive this error, verify the following:

  • The root certificate authority is trusted on the certificate physical store of the agent machine.
  • The Password Manager Service URI and port have been typed correctly on the agent installation. The registry key that holds this information is HKLM\Software\Citrix\Metaframe Password Manager\Extensions\Server\BaseURL
  • Connect via Internet Explorer to the Password Manager Service machine from the agent machine. Refer to Troubleshooting the Connection for details on contacting the Password Manager Service via Internet Explorer.

All of the necessary checks can be performed by following the instructions in Troubleshooting the Connection.

Automatic Key Recovery: Authentication Failed or Key Management Module could not be contacted

Error:
Password Manager authentication failed.

Error:
The Password Manager Service Key Management Module could not be contacted. Contact your administrator. Password Manager agent will now shutdown.

Issue:
The most common Automatic Key Recovery error – "Password Manager authentication failed..." – occurs on agent startup. When using the agent for the first time, the Automatic Key Recovery Service is called immediately to generate a key that is used to decrypt credentials in the case of a future password change.

Several possible issues can cause these errors:

  1. The Central Store Proxy account does not have adequate permissions. Try making the Central Store Proxy account a Domain Administrator, to verify that this is not the case. Also, the Central Store Proxy account must have access to AuthenticatedWS web service – refer to XTE Service Error Logs for more information. Regarding Central Store Proxy account permissions, please see the Advanced Concepts Guide article "Configuring Citrix Password Manager Administrative Access Without Being a Domain Administrator."
  2. Data Integrity status mismatch: Whether Data Integrity is enabled or disabled, it must have the same "on/off" setting throughout the Password Manager environment. If Data Integrity is disabled, this setting must be present in three places:
    1. The administrator must verify that the central store remains unsigned.
    2. The service configuration tool must have Data Integrity disabled.
    3. The agent must have Data Integrity disabled.

The console must also remain consistent and the console administrator will automatically be prompted to Configure and run discovery if the central store Data Integrity setting has changed.

Automatic Key Recovery: post-password change

Error:
The Password Manager Service Key Management Module could not locate your keys. Contact your administrator. Password Manager agent will now shutdown.

Issue:
Three possible causes for this error exist.

  1. The Central Store Proxy account does not have adequate permissions. Try making the Central Store Proxy account a Domain Administrator, to verify that this is not the case. Also, the Central Store Proxy account must have access to AuthenticatedWS web service – refer to XTE Service Error Logs for more information. Regarding Central Store Proxy account permissions, please see the Advanced Concepts Guide article "Configuring Citrix Password Manager Administrative Access Without Being a Domain Administrator."
  2. The AKR.dat Service key (V4) has changed on the Password Manager Service machine. This can occur if the Password Manager Service machine was moved without exporting AKR.dat using the CtxMoveKeyRecoveryData Tool. The V4 (AKR.dat) must remain static throughout a deployment when users have configured application credentials. For more information on migrating AKR.dat, see the Advanced Concepts Guide article, "Automatic Key Recovery."
  3. The user's data has not replicated across multiple domain controllers.

First-Time-Use: Self-Service Password Reset registration failed

Error:
You cannot register for the password reset feature. Please contact your administrator.

Issue:
This error can appear both before and after a user encounters any Self-Service Password Reset questions. Listed below are reasons that the error appears both before and after Self-Service Password Reset questions are encountered:

  1. Check that the Password Manager Service URI is correctly configured on the agent machine. The registry key that holds this information is HKLM\Software\Citrix\MetaFrame Password Manager\Extensions\Server\BaseURL. Copy this URI from the key and paste it into Internet Explorer, then add the required .asmx file name to the end of it. The .asmx files associated with this error are NTLMAuthSvc.asmx, EnrollmentSvc.asmx, and AuthSvc.asmx, in the order they are called. Refer to Troubleshooting the Connection for more information on testing the connection to these component service pages.
  2. If using a central store proxy account that is not a Domain Administrator, check that the account has adequate permissions on the central store. Also, the central store proxy user, when not in the Domain Administrators group, must be added to the "require group" line of the XTE Service httpd.conf file. Refer to Citrix XTE Error logs for more information to resolve this issue. Also, to verify that this is indeed a permissions issue, try configuring the Password Manager Service with a Domain Administrator as the central store proxy account (using the Service Configuration Tool).
  3. Check that the root certificate authority is trusted in the certificates physical store of the agent machine. Refer to Troubleshooting the Connection for more information on how to resolve this issue.
  4. Data Integrity status mismatch: Whether Data Integrity is enabled or disabled, it must have the same "on/off" setting throughout the Password Manager environment. If Data Integrity is disabled, this setting must be present in three places:
    1. The administrator must verify that the central store remains unsigned.
    2. The service configuration tool must have Data Integrity disabled.
    3. The agent must have Data Integrity disabled.

The console must also remain consistent and the console administrator will automatically be prompted to Configure and run discovery if the central store Data Integrity setting has changed.

Provisioning: Failure to consume queued commands

Error:
The agent does not consume a provisioning command for a user that has a provisioning command in their queue.

Issue:
If the agent fails during the provisioning operation that occurs each time the agent is launched (when provisioning is enabled), the user will not receive an error; the agent will silently fail and continue on with normal operations. To determine what is causing the provisioning operation to fail, enable the agent's advanced logging capabilities (see the Advanced Concepts Guide article "Enabling Advanced Logging for the Password Manager Agent"). Once logging has been enabled, restart the agent to reproduce the failure. In the generated agent log, find the following line:

ProvisionAgent(), GetProvisioned() returned: X

In this example, the X at the end of the line is the failure status code, which can be looked up in the list of the most commonly found codes below. Once you have determined the reason for the failure, refer to Troubleshooting the Connection and XTE Service Error Log for more information on how to resolve this issue.

  • 1 – Not Authorized
  • 2 – Deprovisioned
  • 3 – Refused Auth
  • 4 – Failure
  • 5 – Auth Failure
  • 7 – Success
  • 8 – Completed
  • 9 – Nothing To Do
  • 10 – Timed Out
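
The lookup can be done over a whole agent log at once. The Python below is an added example, not part of the original article or of Citrix's tooling: it finds every GetProvisioned() result line, decodes it with the codes listed above, and flags values the list does not cover. The prefix layout of the sample lines and the treatment of codes 7, 8 and 9 as non-failures are assumptions.

```python
import re

# Status codes exactly as listed in this article; code 6 is not listed there.
GETPROVISIONED_STATUS = {
    1: "Not Authorized", 2: "Deprovisioned", 3: "Refused Auth", 4: "Failure",
    5: "Auth Failure", 7: "Success", 8: "Completed", 9: "Nothing To Do",
    10: "Timed Out",
}

# Assumption (from the names only): these three do not indicate a failed run.
NON_FAILURE_CODES = {7, 8, 9}

# The marker is the line quoted in the article. Whatever precedes it
# (timestamp, component name) depends on the log layout and is ignored.
MARKER = re.compile(r"ProvisionAgent\(\), GetProvisioned\(\) returned:\s*(\S+)")

# Constructed sample lines; the prefix layout is made up for this example.
SAMPLE_LOG = [
    "2008-03-11 08:01:12 agent: ProvisionAgent(), GetProvisioned() returned: 9",
    "2008-03-11 08:01:13 agent: synchronization finished",
    "2008-03-12 08:02:40 agent: ProvisionAgent(), GetProvisioned() returned: 10",
    "2008-03-13 08:00:05 agent: ProvisionAgent(), GetProvisioned() returned: 6",
    "2008-03-14 08:00:09 agent: ProvisionAgent(), GetProvisioned() returned: 0x5",
]


def decode_agent_log(lines):
    """Return one finding per GetProvisioned() result line, in log order."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = MARKER.search(line)
        if match is None:
            continue
        raw = match.group(1)
        if re.fullmatch(r"[0-9]+", raw) is None:
            # Truncated or unexpected value: report it rather than guess.
            findings.append({"line": lineno, "code": None,
                             "meaning": f"unparseable value {raw!r}",
                             "failure": True})
            continue
        code = int(raw)
        meaning = GETPROVISIONED_STATUS.get(code, "not listed in the article")
        findings.append({"line": lineno, "code": code, "meaning": meaning,
                         "failure": code not in NON_FAILURE_CODES})
    return findings


def latest_failure(findings):
    """The most recent run if it failed, otherwise None."""
    if findings and findings[-1]["failure"]:
        return findings[-1]
    return None


if __name__ == "__main__":
    for finding in decode_agent_log(SAMPLE_LOG):
        print(finding)
```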


Troubleshooting the Connection

The two most common issues related to Password Manager Service configurations are SSL certificate and DNS issues. In the situation where the console or agent is unable to connect or interact with the Password Manager Service, the following series of steps may help determine whether the issue is related to DNS Configuration, SSL certificates, or both.

Testing the connection

Check 1 - Contact the Password Manager Service through Internet Explorer:
With a failure to connect to the Password Manager Service, the first and most important step is to check whether it is accessible through the network. The Password Manager Service is a web service; therefore, each of the web services is accessible through Internet Explorer. Nine component service pages are associated with the Automatic Key Recovery, Self-Service Password Request, Provisioning and Data Integrity modules of the Password Manager Service. Listed next to each component service are the services that use it. Any service that fails should be tested by visiting its corresponding component pages.

  1. /MPMService/AuthenticatedWS.asmx Data Integrity, Automatic Key Recovery, Self-Service Password Reset (Only accessible to users in the "require group" line in httpd.conf)
  2. /MPMService/AuthSvc.asmx Self-Service Password Request
  3. /MPMService/DataIntegritySvc.asmx Data Integrity
  4. /MPMService/EnrollmentSvc.asmx Automatic Key Recovery, Self-Service Password Request
  5. /MPMService/KeyRecoverySvc.asmx Automatic Key Recovery
  6. /MPMService/NTLMAuthSvc.asmx Automatic Key Recovery, Self-Service Password Request
  7. /MPMService/PwdResetSvc.asmx Self-Service Password Request
  8. /MPMService/ProvisionSvc.asmx Provisioning Request
  9. /MPMService/ProvisionAgentSVC.asmx Provisioning Agent consumption

Each of these individual web services is accessible as web pages through Internet Explorer. The format to view these pages when the Password Manager Service is running is https://<FQDN of Service Machine>:<Port>/MPMService/<webservice>.asmx. For example, to test that the Data Integrity Service is running, go to https://<FQDN of Service Machine>:<port>/MPMService/DataIntegritySvc.asmx. Based on the possible results below, proceed to the next check or resolution indicated.

Result 1.1 – You were unable to reach the Password Manager Service page through Internet Explorer:
(Proceed to Check 2)
If you are unable to connect to the Password Manager Service through Internet Explorer, check that you typed the correct web address, including https and the port. Proceed to Check 2.

Result 1.2 – You were able to reach the Password Manager Service page, but Internet Explorer asked you if you trust the SSL certificate:
(Proceed to Resolution 1.1)
If you were able to view the Password Manager Service page, but only after you answered yes to trust the SSL certificate, proceed to Resolution 1.1.

Result 1.3 – The Password Manager Service page reports an 'Error in Application':
(Proceed to Resolution 1.3)
If an 'Error in Application' page is displayed when contacting one of the Password Manager Service component pages in Internet Explorer, go to Resolution 1.3 – Restart the XTE Service and COM+ Objects.

Check 2 - Ping the fully qualified domain name of Password Manager Service machine:
If you were unable to view the Password Manager Service page, the next step is to see if you are able to ping the fully qualified domain name of the Service. Ping the fully-qualified (as opposed to NetBIOS) name of the Password Manager Service machine from the client machine.

Result 2.1: FQDN ping request fails:
Now, ping the NetBIOS name of the service from the client machine. If you receive a reply, then do an NSLOOKUP of the service machine from the client machine. If you receive a different FQDN than expected, check that the Password Manager Service machine and the client machine have the DNS settings set up correctly. The Password Manager Service machine name should exactly match NSLOOKUP's reply of the fully qualified name of the Password Manager Service machine. If there is a mismatch between the NSLOOKUP reply and the actual FQDN of the Password Manager Service machine, proceed to Resolution 1.2 – Fix the DNS settings of the Password Manager environment.

Result 2.2: FQDN ping succeeds
Go to the Service machine and check that the Citrix XTE Service is running. On the Service machine, use Internet Explorer to contact the web services (Check 1, above). Verify that you tried contacting the service machine on the correct port.
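
Check 1 can be scripted so that every component page is tested the same way from the agent or console machine. The Python below is an added example, not Citrix code: it requests each page with certificate and host name verification on and maps the outcome onto the Result and Resolution labels used in this section. The HTTP status mapping (5xx treated as 'Error in Application', 401/403 as an access denial) and the handling of a certificate name mismatch are assumptions.

```python
import http.client
import socket
import ssl
import sys

# Component pages and the features that use them, copied from the list above.
COMPONENT_PAGES = {
    "AuthenticatedWS.asmx": "Data Integrity, Automatic Key Recovery, "
                            "Self-Service Password Reset",
    "AuthSvc.asmx": "Self-Service Password Request",
    "DataIntegritySvc.asmx": "Data Integrity",
    "EnrollmentSvc.asmx": "Automatic Key Recovery, Self-Service Password Request",
    "KeyRecoverySvc.asmx": "Automatic Key Recovery",
    "NTLMAuthSvc.asmx": "Automatic Key Recovery, Self-Service Password Request",
    "PwdResetSvc.asmx": "Self-Service Password Request",
    "ProvisionSvc.asmx": "Provisioning Request",
    "ProvisionAgentSVC.asmx": "Provisioning Agent consumption",
}


def service_url(fqdn, port, page):
    """URL format given in the article for a component service page."""
    return f"https://{fqdn}:{port}/MPMService/{page}"


def pages_for(feature):
    """Pages whose feature list mentions `feature` (case-insensitive)."""
    wanted = feature.lower()
    return [p for p, used_by in COMPONENT_PAGES.items() if wanted in used_by.lower()]


def triage(page, error=None, status=None):
    """Map one probe outcome onto (result, next step) from this section."""
    # Order matters: gaierror and the SSL errors are all OSError subclasses.
    if isinstance(error, socket.gaierror):
        return ("Result 1.1", "name did not resolve: Check 2, then Resolution 1.2")
    if isinstance(error, ssl.SSLCertVerificationError):
        if "hostname mismatch" in str(error).lower():
            # Assumption: treated like Result 1.2, but the fix is the name used.
            return ("Result 1.2", "certificate name differs from the name used: "
                                  "connect by the Service FQDN, Resolution 1.2")
        return ("Result 1.2", "certificate not trusted: Resolution 1.1")
    if isinstance(error, ssl.SSLError):
        return ("Handshake failed", "see the XTE Service error log")
    if isinstance(error, OSError):  # refused, timed out, unreachable
        return ("Result 1.1", "nothing answered: Check 2, then confirm the "
                              "XTE Service is running and the port is correct")
    if error is not None:  # e.g. http.client.HTTPException
        return ("Unexpected response", "port answers but not as HTTPS: check port")
    if status is None:
        raise ValueError("triage needs an error or an HTTP status")
    if status >= 500:  # assumption: how 'Error in Application' is served
        return ("Result 1.3", "Resolution 1.3: restart XTE Service and COM+ objects")
    if status in (401, 403):
        note = "service is up but denied the request; see the XTE Service error log"
        if page == "AuthenticatedWS.asmx":
            note += " and the 'require group' line in httpd.conf"
        return ("Access denied", note)
    if 200 <= status < 300:
        return ("Reachable", f"HTTP {status}")
    return (f"HTTP {status}", "see the XTE Service error log")


def probe(fqdn, port, page, timeout=5.0):
    """Request one component page without credentials and triage the outcome."""
    context = ssl.create_default_context()  # verifies chain and host name
    conn = http.client.HTTPSConnection(fqdn, port, timeout=timeout, context=context)
    try:
        conn.request("GET", f"/MPMService/{page}")
        return triage(page, status=conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:
        return triage(page, error=exc)
    finally:
        conn.close()


def check_service(fqdn, port=443, feature=None):
    """Probe all pages, or only those used by `feature`; returns {url: outcome}."""
    pages = pages_for(feature) if feature else list(COMPONENT_PAGES)
    return {service_url(fqdn, port, p): probe(fqdn, port, p) for p in pages}


if __name__ == "__main__":
    # Usage: python check_pm_service.py <FQDN of Service Machine> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for url, (result, next_step) in check_service(host, port).items():
        print(f"{url}\n    {result}: {next_step}")
```

The probe sends no credentials, so an access denial on AuthenticatedWS.asmx shows only that the Service is up and enforcing its access list.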

Repairing the connection

Resolution 1.1 – Add the Certificate to the trusted root certificates
This step is encountered when you are able to view the Password Manager Service page, but you are unable to proceed without first trusting the SSL certificate. If your certificate authority is located within the same domain which uses the Password Manager Service, then you should automatically have trust established. To check that your root certificate authority is trusted, open the certificates component of the Windows Management console (Run: mmc). Choose the certificates (Local Computer) snap-in, and view Trusted Root Certificates. The root certificate authority must be trusted on the Physical Store of each of the client machines (not the per-user registry store).

Resolution 1.2 – Fix the DNS settings of the Password Manager environment
DNS settings can cause some machines to 'resolve' differently within different places in an environment. DNS must be set up consistently throughout an environment. The DNS configuration is especially important regarding connections to the Password Manager Service because of the SSL security involved with verifying the identity of the Password Manager Service machine.

Resolution 1.3 – Restart the XTE Service and COM+ objects
The Citrix XTE Service runs in the Services console in Windows. To shut down the XTE Service, go to Administrative Tools\Services (or Run: Services.msc), and look for Citrix XTE Server. Use the Services console GUI to restart the service.

Note: When changes are applied with the Service Configuration Tool, the XTE Service and COM+ objects are restarted.

If you go to the Properties page for the Citrix XTE Server, you will see the user that was entered in the Service Configuration Tool. WARNING: Do not 'manually' change users here! Use the Service Configuration Tool, because there are several directories in the Password Manager Service machine where permissions are set for the XTE Service user account, in addition to the various other hidden configurations made by the Service Configuration Tool.

Data Integrity – Recovering from Data Corruption

If the Data Integrity service detects an inconsistency between data on the central store and its associated signature, an error will occur in the console when trying to make changes to the central store. These errors will prevent the console administrator from making changes to a central store deployment. To recover, unsign the data on the central store and then sign the data with a new signing certificate (for maximum security). The re-sign option from the signing tool cannot be used because the re-sign operation verifies the data first, and in the case of corrupted data, re-sign will fail.

Because you want to ensure that you do not sign bad data, you should first get an idea of which data is corrupted. Five basic areas exist where data corruption could occur: CentralStoreRoot, ADMINOVERRIDES, ENTLIST, FTULIST, SYNCSTATE. If data corruption occurs on an object within the CentralStoreRoot, the console administrator is notified of it when a change is attempted on the object. The exact object can be manually deleted using Explorer or ADSIEdit on the central store. If data corruption occurs on one of the ADMINOVERRIDES, ENTLIST, FTULIST, or SYNCSTATE objects, the following steps must be performed to ensure proper security.

  1. For maximum security, close access to the central store.
  2. Using the signing tool, unsign all of the data on the central store.
  3. Use the signing certificate creation tool, CtxCreateSigningCert.exe, to create a new signing certificate.
  4. Sign the central store with the new signing certificate.
  5. Open the console.
  6. At this point, all settings in ADMINOVERRIDES, ENTLIST, FTULIST, and SYNCSTATE must be reset for all deployments. The only way to guarantee an update of these four objects is to make changes to the CentralStoreRoot that will force the objects to be redeployed to all user configurations.
    1. ADMINOVERRIDES: A change in client settings, such as 'show computer name' will force an update of ADMINOVERRIDES on a 'per User Configuration' basis.
    2. ENTLIST: A change in policies, applications, and sharing groups will force an update of ENTLIST on a 'per User Configuration' basis.
    3. FTULIST: A change in Identity Verification Questions, initial credential setup applications, or key recovery type will force an update of FTULIST on a 'per User Configuration' basis.
    4. SYNCSTATE: This object is updated for all deployments when any change is made to the CentralStoreRoot.

  7. Re-open access to the central store.

All future agent logins following these changes will receive the new settings and verify the integrity of the information on the central store using the new validation certificate (PublicKeyCert.cert).

XTE Service Error Log

The following is a list of possible errors encountered in the Citrix XTE Service error logs, ranked in order from most common to least common. The XTE Service error log is located at C:\Program Files\Common Files\Citrix\XTE\logs\error.log.

SSL certificate/machine name mismatch

Error received:
The certificate with identifier <ID> for virtual server <FQDN of Service Machine>:<Port> has subject common name (CN) <Not FQDN>. The subject common name must match the server name of the virtual host.

Issue:
Though the service configuration tool will start when it finds an SSL server certificate, the XTE Service will later be unable to start unless the name on the SSL server certificate exactly matches the name of the Service machine.

Resolution:
The Service machine name must be referred to by its fully qualified domain name (FQDN); therefore, when creating the SSL server certificate, the name on the certificate must be the fully qualified domain name of the service machine.

SSL handshake failure

Error received: SSL handshake from client failed

Issue: Handshake errors usually occur when the client does not have the root certificate authority in the 'Trusted Root Certificates' bin in its physical computer certificate store (as opposed to registry store).

Resolution: The root certificate authority must be trusted in the physical certificate store of the Service machine and all clients (agent and console).

User not authorized to access the page

Error received:
[client x.x.x.x] Overlapped I/O operation is in progress. : mod_auth_ntlm: User is not authorized to access the page

Issue:
The user on the machine with IP address x.x.x.x was unable to use the AuthenticatedWS web service. This issue typically appears when using Data Integrity with a Password Manager console administrator account that has not been added to the Citrix XTE Service configuration file (httpd.conf). It can also occur if the central store proxy account has not been added to the XTE configuration file.

The AuthenticatedWS web service provides access to the PrivateKeyCert.cert file which is needed by the console to sign and verify data (and is also used by the C.S. proxy to encrypt the AKR data on the central store). This error is received when a user tries to access this web service, but is not permitted to use the key. Typically, a Password Manager administrator that is running the console will receive this error because they have not been added to the group that is allowed to use the PrivateKeyCert.cert file to sign data. This error also occurs when the C.S. proxy account has not been added to the group.

By default, the group that is permitted to use this signing service is the Domain Admins group.

Resolution
To remedy this issue and add a user or group of users to those permitted to use the signing certificate, the XTE Service configuration file, httpd.conf, must be modified. The configuration file is found at C:\Program Files\Common Files\Citrix\XTE\conf\. Open it in a text editor and add the following lines for each user or group within the AuthenticatedWS tag:

require user "<Domain>\\<User>"
require group "<Domain>\\<Group>"

The line

require group "<Domain>\\Domain Admins"

has been added inside the AuthenticatedWS tag and can be used as an example for syntax.

The require User/Group line (in httpd.conf file) is invalid

Error received:
No mapping between account names and security IDs was done. : mod_auth_ntlm: Failed to lookup for a group name - <BadDomain>\<Group> [or <Domain>\<BadGroupName>]

Issue:
This error is less common. It occurs when the Password Manager administrator modifies the httpd.conf file by adding a "require user/group" line that is invalid.

Resolution:
To remedy this issue, open the httpd.conf file and correct the require user/group line that appears in the error log.

File not found or unable to stat

Error received:
Mod_aspdotnet: File not found or unable to stat: .../Service/WebService/DataIntegritySvc.asmx

Issue:
This error is received if, when running Configure and run discovery on the console, you point to a Password Manager Service machine that does not have Data Integrity installed.
Note: This error is also received when trying to contact the Password Manager Service via Internet Explorer, and the file name is typed incorrectly.

Resolution:
Install Data Integrity on the service machine that you are pointing to, or point to a Password Manager Service machine that has Data Integrity service installed.

Attempt to serve directory

Error received:
Attempt to serve directory .../Service/WebService/

Issue:
When trying to connect to the Password Manager Service machine using the address "https://<FQDNofServiceMachine>:<Port>/MPMService/," the index file will not be found.

Resolution:
There is not an index page for the Password Manager web services. To contact each individual web service, refer to Check 1 of Troubleshooting the Connection.

Event 7024 on XTE Server

Error received in Event Log:
The Citrix XTE Server service terminated with service specific error 1 (0x1)

Issue:
The certificate is not properly created and installed.

Resolution:
Create a proper certificate and make sure to check "Use local machine store" when generating the server certificate.
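
The error.log messages listed in this section can be triaged with a short script. The following is an added example, not Citrix tooling: it classifies each line by the message text quoted above and pulls out the mismatched CN, the account named in a bad require line, and the clients refused by AuthenticatedWS. The sample lines, host names, account name and the timestamp/level prefix are constructed assumptions.

```python
import re
from collections import Counter

# Message fragments come from the errors quoted in this section; the
# timestamp/level prefix on the sample lines is an assumed log layout.
RULES = [
    ("ssl_cn_mismatch", re.compile(
        r"for virtual server (?P<vhost>\S+) has subject common name \(CN\) "
        r"(?P<cn>.+?)\. The subject common name must match")),
    ("ssl_handshake", re.compile(r"SSL handshake from client failed")),
    ("ws_not_authorized", re.compile(
        r"\[client (?P<client>[^\]]+)\].*mod_auth_ntlm: User is not authorized")),
    ("bad_require_line", re.compile(
        r"mod_auth_ntlm: Failed to lookup for a group name - (?P<account>.+)$")),
    ("file_not_found", re.compile(r"File not found or unable to stat: (?P<path>\S+)")),
    ("directory_request", re.compile(r"Attempt to serve directory")),
]

def classify(line):
    """Return (category, captured fields) for a known error, else None."""
    for category, pattern in RULES:
        match = pattern.search(line)
        if match:
            return category, match.groupdict()
    return None

def triage(lines):
    """Count known errors and list the clients refused by AuthenticatedWS."""
    counts, denied = Counter(), set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        counts[hit[0]] += 1
        if hit[0] == "ws_not_authorized":
            denied.add(hit[1]["client"])
    return counts, sorted(denied)

# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = r"""
[Mon Mar 03 09:14:02 2008] [error] The certificate with identifier 1 for virtual server pmsvc.example.com:443 has subject common name (CN) PMSVC. The subject common name must match the server name of the virtual host.
[Mon Mar 03 09:20:11 2008] [error] [client 192.0.2.10] SSL handshake from client failed
[Mon Mar 03 09:21:40 2008] [error] [client 192.0.2.10] Overlapped I/O operation is in progress. : mod_auth_ntlm: User is not authorized to access the page
[Mon Mar 03 09:25:03 2008] [error] [client 192.0.2.22] Overlapped I/O operation is in progress. : mod_auth_ntlm: User is not authorized to access the page
[Mon Mar 03 09:30:55 2008] [error] No mapping between account names and security IDs was done. : mod_auth_ntlm: Failed to lookup for a group name - EXAMPLE\PwdMgrAdmns
[Mon Mar 03 09:41:17 2008] [error] Mod_aspdotnet: File not found or unable to stat: .../Service/WebService/DataIntegritySvc.asmx
[Mon Mar 03 09:42:30 2008] [error] [client 192.0.2.10] Attempt to serve directory .../Service/WebService/
""".strip().splitlines()

if __name__ == "__main__":
    counts, denied = triage(SAMPLE_LOG)
    for category, n in counts.most_common():
        print(f"{n:3d}  {category}")
    print("Refused by AuthenticatedWS:", ", ".join(denied))
```

The list of refused clients is the part worth reviewing against httpd.conf: each address is either an administrator or central store proxy account that still needs a require line, or a caller that should not be reaching the signing service at all.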
