Jump to content
Welcome to our new Citrix community!
  • 0

Workers from different forest domain do not register with delivery controllers


Question

Hello All!
Have a head-scratch since 4-5 days here which I am unable to figure out.

I have to add several new workers from different domain using MCS to our Xenapp 7.15 LTSR farm (image is preconfigured, provided by client) - no issues with that - there is an external two-way non-transitive trust between domain of the VDAs and the delivery controllers and I created the catalog, the machines and delivery group with no problem!

But I can't seem to get the VDAs on the provisioned workers registering with the controllers at all!

Followed all of the steps listed in https://support.citrix.com/article/CTX134971 that worked with my previous setup for workers from a different forest (but for which we have transitive forest trust).

Bit more info on the setup:

Lets call the domain that hosts the delivery controllers/farm - contoso.com and the one that has the workers - dom.fabrikam.com . There is an external two-way non-transitive trust between these two domains.

Workers and farm are in different subnets with all the necesary ports for communication open.

What I have checked:

1) Checked connectivity on port 80 between VDA and DC - two way communication is allowed - basically all connections I checked are allowed so 99.9% is not connectivity/firewall related.

2) DNS A records are properly registered and DC can resolve VDA properly using its FQDN.

3) Allowed specifically some ciphers in the local computer policy of the VDA (RC4/AE128/AES256) that could be missing and required for authentication with domain controllers.

4) Added the delivery controllers to the local computer policy of the VDA that "Allows access to this computer from the network".

5) Removed VDA using the VDA Cleanup utility and reinstalled again.

6) Checked and removed anti-virus software that can impact the successful connection on the VDA.

 

I see event 1002 on the VDAs after they report they can't connect to 'http://<deliverycontroller>:80/Citrix/CdsController/IRegistrar'

There is also a detail about the error:

Exception 'Fail to find SPN' of type 'System.ServiceModel.FaultException`1[Citrix.Cds.Protocol.Cbp.Fault]'

 

I can't see an issue with the SPN of the computer objects at all - HOSTS/<servername> and HOSTS/<servername fqdn> are there for every worker.

 

From all of the articles I red on the topic I can see only one thing not going forward -  and this is a connection from VDA to Global Catalog domain controller on port 3268 - as explained here - https://support.citrix.com/article/CTX133769

I can see connections going to GC on port 49668 but I am not really sure if its the same thing that is required.


If someone has an idea what else I can check - please be my guest! I am starting to feel the burn out on this one ?

 

Link to comment

0 answers to this question

Recommended Posts

There have been no answers to this question yet

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...