
WEM 4.4, XAS7.15, srv 2016


Question

Good Day
I hope you can shine a light for me on WEM 4.4 on XAS 7.15 / SRV 2016.
Two forests with external trust. Forest A (xyz.dom.com) has the WEM infrastructure servers and Forest B (abc.com) has a few users who access apps on the Forest A CTX Env.
All was working with configs as is, then a few months ago just stopped for Domain B users.
Initially thought it might be related to some MS update that could have caused the issue, but none of the updates applied had anything to do with what we are using on app or OS side.
Event ID: 1058 gets logged in security logs, unable to process policy. I checked on the 4 DCs and DNS resolves and the path to the GPO is on all 4 servers.
We have another child domain of dom.com, set as a Forest trust, and those users are working 100%. Yes, both xyz.dom.com and aaa.dom.com are child domains of dom.com and abc.com is a separate forest from dom.com.
I checked in WEM and the processing will start if you are part of a specific domain local grp and I have verified that the abc.com users are added to our domain local grp.
GPO is set to apply onto authenticated users.
Both domain support guys are, like usual, saying they did not change anything...
So the shares that get used for the default profile and roaming profile for UPM side of things are a DFS share, everyone read&execute permissions...

I know too little about WEM so far to know that WEM might be the issue, but then aaa.dom.com users would have had issues as well and they are working and applying GPO settings correctly.

Link to comment

2 answers to this question


I'm a bit confused by which forest/domain is which in your description but a few notes below, also not quite sure what your problem actually is... Is it WEM not applying or policy?

- WEM doesn't officially support external trusts

- WEM 4.4 is old. You should upgrade to 1909 as there are a large number of Active Directory handling changes

- Whilst external trusts aren't supported, IF your trusts and AD are healthy, users in a forest via an external trust can be processed by WEM successfully

Link to comment

Hi

I do not have WEM agents in different domains or forests, so external trusts according to docs are not in play here? Unless it applies to normal users as well, not just the agent trying to communicate with main WEM server / DB? I can be wrong.

I have users in 2 x different domains (B and C, for now) and in the 3rd domain (A) is all the Citrix servers with WEM configured instead of GPOs. All was set up and working by previous support engineers, then stopped working, reason why I am systematically going through as much as I can to check my side of things.

When users from domain C launch an application, WEM should kick off the profile creation steps. Will get to that just now. Actually why not now, I am still thinking that on domain C something related to the trust has been changed but AD support has their usual reply of.... Nothing changed... Sooooo, I need to gather as much as possible to prove that it is not because of WEM, but on AD / trusts side.

We tried changing the trust (Which according to all did not go from forest to external) from external to a forest trust and we could not access either domain, so reverted back to external trust.

I get event ids 40960 (LSA (LSASRV)) and 1058 (GroupPolicy), 40960 twice and once on the DFS server handling the current session for the profile creation.

Currently waiting for both AD teams to come back and say something, unfortunately I do not have access in AD, the ones I want of course...

1058.JPG

40960.JPG

Link to comment
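
The two event IDs reported in this thread, 1058 (GroupPolicy) and 40960 (LSASRV), can be pulled and lined up in time on an affected session host to show whether the policy failures coincide with authentication failures. This is an added example, not part of any post above; `abc.com` is the thread's placeholder domain, and the System log location and the 1058 `<Data>` field names (`ErrorCode`, `DCName`, `FilePath`) are assumptions to confirm against the event XML on your host.

```powershell
# Added example: run elevated on an affected session host in forest A.
param(
    [string]$TrustedDomain = 'abc.com',  # placeholder domain name from the thread
    [int]$HoursBack = 24,                # how far back to search
    [int]$WindowSeconds = 60             # how close in time a 40960 must be to a 1058
)

function Get-EventField($Event, [string]$Name) {
    # Read a named <Data> element from the event XML; returns $null if absent.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Assumption: both IDs are in the System log. Filtering is by ID only.
$since  = (Get-Date).AddHours(-$HoursBack)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1058, 40960; StartTime = $since
} -ErrorAction SilentlyContinue)

$gpFailures  = @($events | Where-Object Id -eq 1058)
$lsaFailures = @($events | Where-Object Id -eq 40960)

# One row per 1058, with the 40960 events that fall inside the time window.
$report = foreach ($gp in $gpFailures) {
    $near = @($lsaFailures | Where-Object {
        [math]::Abs(($_.TimeCreated - $gp.TimeCreated).TotalSeconds) -le $WindowSeconds
    })
    [pscustomobject]@{
        Time      = $gp.TimeCreated
        UserSid   = $gp.UserId            # SID shows which domain the user is from
        ErrorCode = Get-EventField $gp 'ErrorCode'
        DCName    = Get-EventField $gp 'DCName'
        FilePath  = Get-EventField $gp 'FilePath'
        Lsa40960  = $near.Count
        LsaDetail = ($near | Select-Object -First 1).Message
    }
}
$report | Sort-Object Time | Format-List

# Can this machine locate a domain controller for the trusted domain?
nltest /dsgetdc:$TrustedDomain

# Can the current security context read each GPO path that failed?
$report.FilePath | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{ Path = $_; Readable = Test-Path -LiteralPath $_ }
}
```

The path check reflects the account running the script, so repeat it inside a session of an affected abc.com user to compare results.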