Question
sortola27
Good morning,
I've been working on an issue with Citrix Support and Imprivata support over the last 6-7 months and recently was told by Citrix Support that we should post about the issue here.
We are using an Imprivata Embedded agent on IGEL thin clients.
If we configure the Imprivata agent to connect to our StoreFront server through 2 KEMP load balancers, we randomly get a desktop unavailable error. If we disable the Imprivata PIE Agent and use just a simple IGEL Active Directory login, it works fine. Imprivata however says it's a Citrix issue.
Here's the error in the Imprivata Agent Log:
2024-01-05 07:52:55,982 - Agent(_log,1613) - DEBUG: CitrixWebResponse: httpStatusCode = 403, dperrorId = None, contentLength = 1233, contentType = text/html; charset=utf-8
2024-01-05 07:52:55,982 - Agent - ERROR: Access is denied.
2024-01-05 07:52:55,983 - Agent - ERROR: You do not have permission to view this directory or page using the credentials that you supplied.
2024-01-05 07:52:55,983 - Agent(_log,1613) - DEBUG: Traceback (most recent call last):
  File "CitrixStoreFrontWebApiClient.py", line 220, in _authenticate
  File "CitrixStoreFrontWebApiClient.py", line 112, in send
  File "CitrixWebResponse.py", line 98, in Parse
packages.Vdi.CitrixBase.CitrixWebApi.CitrixWebApiError.AccessIsDenied: Your desktop is not currently available. Try again.
2024-01-05 07:52:55,983 - Agent - WARNING: Failed to connect to https://storefront.homebank.internal/citrix/desktopsweb/ citrix server. Error: Your desktop is not currently available. Try again.
2024-01-05 07:52:55,983 - Agent - ERROR: Citrix server is not available.
2024-01-05 07:52:55,983 - Agent - ERROR: Unable to connect to XenDesktop. Try again or contact your administrator for assistance.
Imprivata had been looking into the issue since July but they have asked us to engage with Citrix, which we have done twice.
Imprivata recently asked us to engage Citrix to have the information reviewed by the engineering team to see why a 403 error is being returned. Here's what Imprivata said in that request:
"I completed the review. At present, using the diagnostic PiE, there is no problem in the Imprivata workflow.
However, because the 403 error is presented by Citrix, we will need their technical support team to evaluate for reasons why the 403 error is returned.
Can you work with Citrix team, then let me know of your progress?"
diagnosis:
Logs still show that Citrix responds with error “403 - Forbidden: Access is denied.”
Logs show that when PiE asks for ICA data, Citrix responds with reason="notoken" and PIE tries to reauthenticate.
- Reauthentication is successful.
Then PiE asks for ICA data once more and Citrix now responds with a 403 error:"
After we opened our latest case, we worked with the Sr Escalation team to capture StoreFront traces when the issue occurred. Here's the feedback from that.
"I see more instances of the error I mentioned in the previous email:
It looks similar to a cookie / persistence issue, but I think you would see this across the board instead of just with Linux machines. I unfortunately am not finding any errors in the Store or Authentication logs at the time of the error you documented.
Can you confirm for me if there is an ADC between the SF server and the client? Also, are there any customizations on the SF server? I reached out to one of the product managers to see if there is any insight they could provide in regards to this scenario and she wants to verify these questions. More than likely, this will need to go to the SDK forums I mentioned previously."
We have tried setting the load balancers to use cookie persistence instead of IP, but the issue still occurs.
So as suggested we're posting the issue here in case anyone can help. If you need any more information, please let me know.
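Added example, not part of the original post and not Imprivata or Citrix code: a small parser for the agent-log format quoted above that pulls out every failed StoreFront response with a millisecond timestamp, so each 403 can be matched against the load balancer and StoreFront/IIS logs to see which back-end server answered it. The sample log is constructed from the lines in the post (the final 200 line is invented for contrast), and the one-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the agent-log format quoted in the post; the last line is invented.
SAMPLE_LOG = """\
2024-01-05 07:52:55,982 - Agent(_log,1613) - DEBUG: CitrixWebResponse: httpStatusCode = 403, dperrorId = None, contentLength = 1233, contentType = text/html; charset=utf-8
2024-01-05 07:52:55,982 - Agent - ERROR: Access is denied.
2024-01-05 07:52:55,983 - Agent(_log,1613) - DEBUG: Traceback (most recent call last):
  File "CitrixWebResponse.py", line 98, in Parse
2024-01-05 07:52:55,983 - Agent - WARNING: Failed to connect to https://storefront.homebank.internal/citrix/desktopsweb/ citrix server. Error: Your desktop is not currently available. Try again.
2024-01-05 07:52:55,983 - Agent - ERROR: Citrix server is not available.
2024-01-05 08:10:02,114 - Agent(_log,1613) - DEBUG: CitrixWebResponse: httpStatusCode = 200, dperrorId = None, contentLength = 512, contentType = application/xml
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3}) - \S+ - (\w+): (.*)$")
STATUS = re.compile(r"CitrixWebResponse: httpStatusCode = (\d+)")
TARGET = re.compile(r"Failed to connect to (\S+)")

def parse(text):
    """Yield (timestamp, level, message); traceback continuation lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts + timedelta(milliseconds=int(m.group(2))), m.group(3), m.group(4)

def failed_requests(text, window=timedelta(seconds=1)):
    """Return one record per HTTP >= 400 response, paired with the URL from the
    'Failed to connect' warning logged within `window` after it (if any)."""
    incidents = []
    for ts, _level, msg in parse(text):
        status = STATUS.search(msg)
        if status:
            if int(status.group(1)) >= 400:
                incidents.append({"time": ts, "status": int(status.group(1)), "url": None})
            continue
        target = TARGET.search(msg)
        last = incidents[-1] if incidents else None
        if target and last and last["url"] is None and ts - last["time"] <= window:
            last["url"] = target.group(1)
    return incidents

if __name__ == "__main__":
    for inc in failed_requests(SAMPLE_LOG):
        # ISO timestamps are easy to line up with load balancer and IIS log entries.
        print(inc["time"].isoformat(timespec="milliseconds"), inc["status"], inc["url"])
```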