
Access Denied on Session Launch with Citrix Cloud DaaS


Derek Loveless

Question

We recently moved our EMR (our largest used Citrix app by far) to Citrix Cloud DaaS.  Since doing so, we have been getting random (highly difficult to replicate) reports of users getting a basic "Access Denied" error when trying to launch an application.  This is happening internally with no ADC in the picture, other than to LB the SF servers.  We have checked licensing (as several CTX articles have noted) in Citrix Cloud and that doesn't appear to be hitting the ceiling.  We finally were able to capture as requested by Citrix Support, but while they are reviewing the logs, I'm curious if anyone else has encountered this with Citrix Cloud DaaS?

 

We are not seeing any obvious events in the event viewer logs of endpoint, CCC, SF, VDA, or LIC.  If the user restarts the endpoint or CWa, they can launch just fine. 

 

Versions:

Win10 endpoints running CWa 2203 CU2

Server 2019 VDAs running 1912 CU6

Storefront is 1912 CU6 running on Server 2012 R2 (migration to Server 2019 in the works)

On-prem License server is 11.17.2.0 build 42000, but we have configured the VDAs to use the DaaS licensing

Edited by Derek Loveless
Included a bit about checking licensing

  • 0

Derek is OOO right now, so will provide an update on his behalf.  We use Imprivata OneSign for badge tap into our EMR.  After correlating the "Access is denied" error to errors in Imprivata, we decided to test and then fully implement disabling of the Imprivata policy: "Obscure $EMR$ application windows when switching users".  This has mitigated the issue, but we still don't fully understand root cause.  Disabling caused no observable changes to login/logout/use of the EMR.  We're continuing to discuss with Imprivata.   

 

We are also on a path to disable Adaptive Transport as the UDP traffic over our SD-WAN environment may be causing issues.  This is currently in place on our test environment and we intend to pursue in production in the coming week.  

  • 0

Sorry for the delay in any updates here.

Here is where we stand. 

Disabling Adaptive Transport did not resolve the issue for us, but we have left it disabled, since having it disabled is a best practice in an SD-WAN environment.

We have a support case open with Citrix (Case# 82074732 if you want to reference it), and based on the logs, they see an error about fast connect.  They pointed us to Users Cannot Reconnect to Disconnected Sessions with Session Idle Timers Enabled (citrix.com).  We don't use the Session Idle Timer, so we tried the FastConnect registry value, and that did not resolve it.
We have also added processes we had missing to the LogoffCheckSysModules registry, and significantly reduced our sessions that were in an Application State of "Application not running", but that also didn't seem to have an impact.

As of right now, we have been asked to collect CDF from the VDAs, and I have yet to get that set up.

  • 0

This is still ongoing, but we are getting assistance from support.  Below was the response after collecting CDF from the server VDA and CWa trace logs.

"The issue is when the reconnect happened that the token response from ticketing is unknown."

2024/02/16 16:24:12.34286,7216,5040,1,BrokerController,,,,1,Information,"Activity stop: Citrix.Cds.Broker.TicketingService:TicketingService:Validate", span.name=TicketingService:Validate, span.kind=Internal, otel.status_code=ERROR, otel.status_description=″GetClientValidationData: Unknown launch token: [scrubbed launch token]″UnknownLaunchTokenException: GetClientValidationData: Unknown launch token: [scrubbed launch token]

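One way to pull these ticketing failures out of an exported CDF trace and count them per minute, so they can be lined up against the times users report "Access Denied" (an added example, not part of the thread and not Citrix tooling). The field layout is assumed from the single trace line quoted above; the second and third sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Line 1 is the trace line quoted in the thread. Lines 2 and 3 are constructed
# for this example (one successful validation, one further failure).
SAMPLE = '''\
2024/02/16 16:24:12.34286,7216,5040,1,BrokerController,,,,1,Information,"Activity stop: Citrix.Cds.Broker.TicketingService:TicketingService:Validate", span.name=TicketingService:Validate, span.kind=Internal, otel.status_code=ERROR, otel.status_description=″GetClientValidationData: Unknown launch token: [scrubbed launch token]″UnknownLaunchTokenException: GetClientValidationData: Unknown launch token: [scrubbed launch token]
2024/02/16 16:24:40.10412,7216,5112,1,BrokerController,,,,1,Information,"Activity stop: Citrix.Cds.Broker.TicketingService:TicketingService:Validate", span.name=TicketingService:Validate, span.kind=Internal, otel.status_code=OK
2024/02/16 16:31:05.77120,7216,5040,1,BrokerController,,,,1,Information,"Activity stop: Citrix.Cds.Broker.TicketingService:TicketingService:Validate", span.name=TicketingService:Validate, span.kind=Internal, otel.status_code=ERROR, otel.status_description=″GetClientValidationData: Unknown launch token: [scrubbed launch token]″UnknownLaunchTokenException: GetClientValidationData: Unknown launch token: [scrubbed launch token]
'''

TS = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,')
ATTR = re.compile(r'\b(span\.name|otel\.status_code)=([^,\s]+)')
EXC = re.compile(r'\b(\w+Exception):')

def parse_line(line):
    """Return the fields of interest from one trace line, or None if it has no timestamp."""
    m = TS.match(line)
    if not m:
        return None
    attrs = dict(ATTR.findall(line))
    exc = EXC.search(line)
    return {
        "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
        "module": line.split(",", 5)[4],          # 5th comma-separated field (assumed layout)
        "span": attrs.get("span.name"),
        "status": attrs.get("otel.status_code"),
        "exception": exc.group(1) if exc else None,
    }

def failed_validations(text):
    """Records where the ticketing Validate span ended with an ERROR status."""
    recs = (parse_line(line) for line in text.splitlines())
    return [r for r in recs
            if r and r["span"] == "TicketingService:Validate" and r["status"] == "ERROR"]

def failures_per_minute(text):
    """Count failed validations per minute for correlation with user reports."""
    return Counter(r["time"].strftime("%Y-%m-%d %H:%M") for r in failed_validations(text))

if __name__ == "__main__":
    for minute, count in sorted(failures_per_minute(SAMPLE).items()):
        print(minute, count)
```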
  • 0

I have been chasing the same issue. We also disabled fast-reconnect, which seemed to help, but are still getting some users with access-denied. I am trying once again to collect more traces. What ever came out of the last traces ("The issue is when the reconnect happened that the token response from ticketing is unknown.")?

 

thx,

dave
