
Question

Hi Everyone

 

I have an issue with a Citrix 2203 LTSR CU1 farm

The Citrix Farm is in "DomainA", which is at Server 2016 Domain/forest functional level. This has Windows VDI desktops that are in the same Domain as the Citrix DDCs

There is an "External" trust between DomainA and DomainB

DomainB has Server 2012 R2 domain controllers but the domain/forest functional level has been left at Server 2003

I've created a Windows 11 Gold image in DomainB

I've created the SupportMultipleForest registry keys on the DDCs and also the VDA in DomainB as per CTX277562

I've also created the ListOfSIDs registry key on the VDA.

If I log on using a DomainB account onto the VDA, I can browse folders on both the DomainA and DomainB file servers, so all account resolution is working correctly.

BUT, the VDA will not successfully register with the DDC. I'm getting this error (removed names and IP addresses from the output below) in the Application Log on the VDA

 

---- Event 1002, Citrix Desktop Service ------

The Citrix Desktop Service cannot connect to the delivery controller 'http://DDCServer.fqdn:80/Citrix/CdsController/IRegistrar' (IP Address 'xx.xx.xx.xx') 
 
Check that the system clock is in sync between this machine and the delivery controller. If this does not resolve the problem, please refer to Citrix Knowledge Base article CTX117248 for further information. 
 
Error Details: 
Exception 'Error occurred when attempting to connect to endpoint at address http://DDCServer.fqdn:80/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://xx.xx.xx.xx/Citrix/CdsController/IRegistrar' for target 'http://xx.xx.xx.xx/Citrix/CdsController/IRegistrar' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed.
   at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetOutgoingBlobProxy.GetOutgoingBlob(ChannelBinding channelBinding)
   at System.ServiceModel.Security.RequestSecurityToken.GetBinaryNegotiation()
   at System.ServiceModel.Security.WSTrust.Driver.WriteRequestSecurityToken(RequestSecurityToken rst, XmlWriter xmlWriter)
   at System.ServiceModel.Channels.BodyWriterMessage.OnWriteBodyContents(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.Message.OnWriteMessage(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
   at System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
   at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message, Boolean shouldRecycleBuffer)
   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.ICommunicationObject.Open()
   at Citrix.Cds.BrokerAgent.ControllerConnectionFactory.AttemptConnection[T](EndpointReference endpoint, Boolean throwOnError, Boolean allowNtlmAuthentication, String connectUsingIpThisIpAddress, Boolean cacheFactory)' of type 'Citrix.Cds.BrokerAgent.ConnectionFailedException'..

-------

 

Anyone else seen similar issues?

 

Regards

 

Ken Z


7 answers to this question


Hi Carl

 

root certificates for both domains are installed in the certificate store of the Windows 11 VDA

I've tried disabling the local firewalls on the DDCs and VDA but made no difference.

The VDA, DDCs, DomainA DCs and DomainB DCs are all in their own VLANs, and there is a firewall between the VLANs, but we've monitored the firewall logs and it does not appear to be that that's causing the issue.

The first error that appears is a SOAP security failure negotiation/SSPI negotiation failure. 

There is nothing in the Event Logs of the DDCs when this occurs, so it appears that the failure is occurring at a low level in the OS, meaning that the Desktop Broker service isn't even being notified that the VDA is trying to connect?

 

Regards

 

Ken Z

 

 


James you absolute genius!!!!

 

I'd previously done everything except make the change on the VDA for BrokerAgent.exe.config

 

Changing the AllowNtlm to true, restarting the Citrix Desktop Service, and the VDI appears as registered in the Delivery Controllers.

 

Regards

 

Ken Z

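The thread settles on two VDA-side items: the registry values from CTX277562 (SupportMultipleForest and ListOfSIDs, described in the question) and the AllowNtlm setting in BrokerAgent.exe.config (the fix in the post above). The following PowerShell is an added, read-only diagnostic written for this page; it is not code from the thread or from Citrix. Run it elevated on the DomainB VDA. It reports the registry values, tries to resolve each DDC's machine SID across the trust and checks whether that SID is in ListOfSIDs, reads the AllowNtlm value, tests TCP 80 and the clock offset that Event 1002 asks about, and lists recent Event 1002 entries that carry the SSPI failure. The registry key, config path and the `<add key="AllowNtlm" .../>` element name are assumptions taken from CTX277562 and the default VDA install; verify them on your build.

```powershell
# Added example: read-only registration diagnostics for a VDA in DomainB.
# Not from the thread or from Citrix. Items marked "assumed" come from
# CTX277562 and the default VDA install; verify them on your build.

$vdaKey     = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'                             # assumed
$configPath = 'C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe.config'  # assumed

function Get-VdaRegistrationSettings {
    # SupportMultipleForest and ListOfSIDs are the values the question says were created.
    $p = Get-ItemProperty -Path $vdaKey -ErrorAction Stop
    [pscustomobject]@{
        ListOfDDCs            = $p.ListOfDDCs
        ListOfSIDs            = $p.ListOfSIDs
        SupportMultipleForest = $p.SupportMultipleForest
    }
}

function Resolve-DdcMachineSid {
    # Look up the DDC's computer object in DomainA over the trust and return its objectSid.
    # If this fails from the VDA, the VDA cannot build the SID list itself and
    # ListOfSIDs has to carry it.
    param([Parameter(Mandatory)][string]$DdcFqdn)
    $domainDns = ($DdcFqdn -split '\.', 2)[1]
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDns")
    $searcher.Filter = "(&(objectClass=computer)(dNSHostName=$DdcFqdn))"
    $searcher.PropertiesToLoad.Add('objectSid') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { return $null }
    New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
}

function Get-AllowNtlmSetting {
    # Reports the AllowNtlm value the post above changed to "true".
    # Assumed element shape: <add key="AllowNtlm" value="..."/>; searched anywhere in the file.
    [xml]$cfg = Get-Content -Path $configPath -Raw
    $node = $cfg.SelectSingleNode("//add[@key='AllowNtlm']")
    if ($node) { $node.value } else { $null }
}

function Test-DdcReachability {
    # Event 1002 names TCP 80 on the controller and clock skew, so check both from the VDA.
    param([Parameter(Mandatory)][string]$DdcFqdn)
    $tcp  = Test-NetConnection -ComputerName $DdcFqdn -Port 80 -WarningAction SilentlyContinue
    $skew = (w32tm /stripchart /computer:$DdcFqdn /samples:1 /dataonly 2>&1) | Select-Object -Last 1
    [pscustomobject]@{ DDC = $DdcFqdn; Tcp80 = $tcp.TcpTestSucceeded; ClockSample = "$skew" }
}

function Get-RecentRegistrationFailures {
    # Last five Event 1002 entries, flagged when they carry the SSPI failure from the question.
    $filter = @{ LogName = 'Application'; ProviderName = 'Citrix Desktop Service'; Id = 1002 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SspiFailure = [bool]($_.Message -match '\(SSPI\) negotiation failed')
            }
        }
}

# --- main ---
$settings = Get-VdaRegistrationSettings
$settings | Format-List

# ListOfDDCs is split on whitespace or semicolons so either separator style is accepted.
foreach ($ddc in ($settings.ListOfDDCs -split '[\s;]+' | Where-Object { $_ })) {
    $sid     = Resolve-DdcMachineSid -DdcFqdn $ddc
    $sidText = if ($sid) { $sid.Value } else { '<unresolved>' }
    $listed  = [bool]($sid -and ($settings.ListOfSIDs -match [regex]::Escape($sid.Value)))
    "{0}: machine SID {1}; present in ListOfSIDs: {2}" -f $ddc, $sidText, $listed
    Test-DdcReachability -DdcFqdn $ddc | Format-List
}

"BrokerAgent.exe.config AllowNtlm = {0}" -f (Get-AllowNtlmSetting)
Get-RecentRegistrationFailures | Format-Table -AutoSize
```

The script changes nothing; it only shows whether the VDA can see the controllers the way the registration path needs to. Two things worth reading from its output: if Resolve-DdcMachineSid returns `<unresolved>` for a DDC, the VDA cannot look the controller up in DomainA itself, which is exactly the situation ListOfSIDs exists for, so the SID must be present there; and an AllowNtlm of `true` means the registration channel is permitted to fall back from Kerberos to NTLM, which is the change that made the VDA register in this thread, so treat it as a deliberate, documented exception for cross-trust VDAs rather than a default to roll out farm-wide.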
15 hours ago, Ken Zygmunt said:

James you absolute genius!!!!

 

I'd previously done everything except make the change on the VDA for BrokerAgent.exe.config

 

Changing the AllowNtlm to true, restarting the Citrix Desktop Service, and the VDI appears as registered in the Delivery Controllers.

 

Regards

 

Ken Z

 

Kudos to Nick for posting it, I would have forgotten.
