
Gregory Moore

Members
  • Posts: 24
  • Days Won: 1

Posts posted by Gregory Moore

  1. Hey guys and gals...maybe someone can help me wrap my head around this issue.

     

    I have two Netscalers, both have been upgraded to v13.x. They are:

    * NS1 - 192.168.1.52

    * NS2 - 192.168.1.62

     

    I'm trying to put the pair into HA mode with the following command from cli: add ha node 1 192.168.1.62 -inc enabled

     

    When I run this command via CLI or even if I do it via GUI, I get the error of "cannot log into 192.168.1.52" and the secondary node shows as UNKNOWN.

     

    Here's what I've already done to make sure that communication is set:

    the NSROOT password is the same for both boxes

    The RPC secure node pw is the same as the NSROOT pw

    Both boxes are on the same subnet and are literally next door neighbors so there should be no firewall issues

    the ports for traffic are open

    Secure access mode from the GUI is not enabled

     

    Any suggestions would be helpful before I go charge the network team up and have them put in explicit firewall rules and/or call Citrix....

     

    HARDWARE: MPX14030 devices

     

    NOTE: the ip addresses are for conversation only; they are not real to my environment.

     

  2. Good day everyone...I'm hoping someone can help me figure this out.

     

    I have a terminal services environment that utilizes both Acrobat Reader DC and Acrobat Standard DC and since adding the Acrobat Standard DC users and their accounts to the environment, NOBODY is able to use the print to pdf function from either program. The error message they all get is this: Acrobat dc license has either expired or not been activated.

     

    The overall user pool is 300 users but only 20 of these users USE Acrobat Standard DC and they all have cloud licenses.

     

    The applications are both installed correctly in the environment and work as they should.

     

    As a work around for the users, I installed a competing pdf creator app yesterday and when users select that print driver, everyone can print to pdf perfectly fine.

     

    Anyone come across this type of issue before?

  3. Evening all:

     

    Wondering if anyone has ever had issues with Oracle Hyperion being published out via XenApp.

     

    Needing to find a way to optimize it within the environment as users say that in previous experiences the application components ran slow.

     

    Any high level guidance would be welcomed as the business is going to make this a mandate for the users whether they like it or not.

  4. Good day everyone,

     

    So I have a group of users who need to print to just ONE printer in their office.

     

    Before I lock the printing down to this one printer, I have had them try to print to the printer from XenDesktop. Here's what I've had them do:

    1) Set the local network printer as the default printer on their computer before logging into their VDI

    2) Once in XenDesktop, open up a word doc or whatever document to test printing

    3) With the document opened, I had them print the number of pages they wanted to see if it printed

     

    When they try to print with the session printer, nothing comes out of the printer. If they try to use the Citrix printer driver, they get the error of "printer in error state" and nothing comes out.

     

    I've also tried to mimic the issue and here is what I get when I try the test:

    1) in the office, I can print to any HP printer via the print server; I haven't tried a non HP printer yet (will after this post)

    2) If I am at home, which is something close to the network that the client has, I cannot print to my Epson printer even though I can see it in my session.

     

    Keep in mind, there are no printing policies set of any sort.

     

    TEST EQUIPMENT:

    Endpoints are Windows 8 OS computers in Brazil

    Network printer is a Ricoh SP printer also in Brazil

    XenDesktop 7.15.300, VDA (7.17) running Windows 10 1903 OS

     

    Anybody have any idea as to why printing just wouldn't work if the policies are wide open?


  5. Good day,

     

    I'm configuring Wyse thin clients to the NS Gateway and so far everything looks good except for the following line error:

    default SSLVPN Message 451479 0 :  "USER_LOCKDOWN: user, User_len 7 "

     

    When I look through the logs, everything looks good except for the last line above.

     

    Anyone ever seen this and know if just a general policy expression would work or if it needs to be more selective?

     

    As some background, this was working a few months ago but I had to make a configuration change of adding a domain dropdown which may have changed the default configuration.

     

    Please advise...:)

  6. Morning:

     

    Just wondering if anyone out there has the Avaya One X softphone solution running in a Xendesktop 7.1x deployment for call centers.

     

    Over the past few months I've been testing One X without the communicator component with our Service Desk as they are all on the softphone and are now doing all of their job functions within the Citrix environment.

     

    While the overall deployment seems to be a success, I still get reports from calls being choppy or "tin cannish" from time to time. I have created a custom policy setting just for the Avaya phone which has done its job but I'm looking to deploy this to over 500 users in various call centers now.

     

    So has anyone had any luck with this softphone working with that many users in XenDesktop? Did you have to go to the Avaya connector implementation and shell out that $50 per seat license cost just to ensure a QOS that makes it seem seamless to the end user?

     

    I look forward to your thoughts.....

  7. Hi Rhonda, I'm answering your question under my personal Citrix forum account and not my work; which I didn't mean to use...:).

     

    There's a lot of things that can affect what is going on here:

    Is there one storefront being used for both domains, or separate storefronts for each? There are TWO storefront servers that are used in a storefront server group for propagation. This group is for ALL DOMAINS within the company (NA, CORP, etc).

    Does storefront request info from multiple cvad sites or a single one? There is a SINGLE fqdn URL used (companyvdi.company.com). That URL is actually load balanced for two stores; an external store for external users and an internal store for internal users. That load balancing feat is handled with VIPs for the stores

    Is the gateway passing the correct single sign on domain to storefront? There is no single sign on. Depending on how the user comes in from NS Gateway, they are directed to the proper authentication. External users are required to use MFA to authenticate; internal users utilize their username and password. Authentication is done on two VIPs, one each for the two domains in the environment. The LDAP order of authentication is NA first then CORP for the user.

    And how is the authentication on the domain handled: single domain selection via dropdown list or a policy cascade? It is a policy cascade....no domain drop down.

     

    Now what I found during the course of the day is the following:

    * The users in corp are allowed to SYNC their passwords in both domains (I'm no fan of this because it can lead to issues like this one)

    * for MFA, it appears that there are MULTIPLE domain accounts for this particular set of users

     

    When I had John unsync his password to one of the accounts he had, he could authenticate properly to the appropriate resources without issue. Keep this in mind: I only wanted CORP users to access their resources; not authenticate to the NA resources/storefront page as they would not have anything there.

     

    Once John was able to authenticate to his CORP resources internally with his new password, I then had him try to do so via a hotspot to test his MFA authentication. That is where we found out that because he and other users in the CORP domain had multiple accounts in the MFA portal, he would get an invalid credentials entry on the external netscalers that would say RADIUS: invalid credentials for RZK3DT.

     

    Working with the MFA team, they found the issue of the multiple domains and they disabled the NA MFA account. Once that account was disabled, John was able to authenticate properly via MFA with his CORP\RZK3DT credentials.

     

    The lessons learned from this were the following:

    * In a multi-domain environment, users should NOT have multiple MFA accounts

    * For accounts in the CORP domain, the AD team suggested using the CORP.COMPANY.COM\RZK3DT user name entry to help distinguish the synced accounts (Just not liking that syncing of passwords still)

     

    In this scenario I also found that my environment wasn't the only one suffering from this issue; this is actually a known issue and many things that use AD have had issues with the MFA component.

     

    Let's just say...it's been a long day.

     

    Thanks for responding....

  8. Good day everyone. 

     

    I know we've seen this question before but I have an issue where I cannot add/update a machine catalog.

     

    Below is the error message that I get via MCS....

     

    Task Information:

    Start Date: Tuesday, July 2, 2019

    Start Time: 3:25 PM

    Finish Date: Tuesday, July 2, 2019

    Finish Time: 3:25 PM

    State: Failed

    Requested machine count: 1

    AD account action: Create accounts

    Successful accounts: 1

    Successful machines: 0

     

    Machine Failures: DOMAIN\COMPUTERNAME$: Failed to create the virtual machine; DOMAIN\COMPUTERNAME$. Inner Error: The object 'vim.Folder:group-v2500' has already been deleted or has not been completely created

     

    ErrorID : PluginUtilities.Exceptions.ManagedMachineGeneralException

     

    TaskErrorInformation : PluginUtilities.Exceptions.ManagedMachineGeneralException: The object 'vim.Folder:group-v2500' has already been deleted or has not been completely created ---> PluginUtilities.Exceptions.ManagedMachineGeneralException: The object 'vim.Folder:group-v2500' has already been deleted or has not been completely created ---> PluginUtilities.Exceptions.WrappedPluginException: The object 'vim.Folder:group-v2500' has already been deleted or has not been completely created

     

    --- End of inner exception stack trace ---

    at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VmwareVmManager.Intercept(Exception e)

    at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VmwareVmManager.CreateCompleteVM(String name, IVMMetadata metadata, Int32 cpuCount, Int32 memory, String storageId, String dataCenterPath, ManagedObjectReference resourcePool, INetworkInterfaceDetails nics, Boolean enableNetwork, Boolean tagVms, IList`1 disks)

    at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VMwareHypervisor.<>c__DisplayClass16.<BeginCreateCompleteVM>b__13(VmwareVmManager manager)

    at Citrix.HypervisorCommunicationsLibrary.TaskRunItem`2.Run(T manager)

    at HypervisorsCommon.HCL.TaskRunner`1.Run()

    --- End of inner exception stack trace ---

     

    Server stack trace:

    at HypervisorsCommon.HCL.TaskScheduler`1.CompleteTask(IAsyncResult result)

    at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VMwareHypervisor.EndCreateCompleteVM(IHostingUnitDetails hostingUnit, IAsyncResult result)

    at Citrix.HypervisorCommunicationsLibrary.AddInSideAdapter.IHypervisor_AddInViewToContractAdapter.EndCreateCompleteVM(IHostingUnitDetailsContract hostingUnit, IAsyncResult result)

    at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)

    at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg)

     

    Exception rethrown at [0]:

    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

    at Citrix.HypervisorCommunicationsLibrary.Contracts.IHypervisorContract.EndCreateCompleteVM(IHostingUnitDetailsContract hostingUnit, IAsyncResult result)

    at Citrix.HypervisorCommunicationsLibrary.HostSideAdapter.IHypervisor_ContractToHostViewAdapter.EndCreateCompleteVM(IHostingUnitDetails hostingUnit, IAsyncResult result)

    at Citrix.MachineCreation.NewProvVMSupport.NewProvVMLogic.CreateVmCallback(IAsyncResult result)

     

    Here's how the environment is set up:

    * XD environment is a mixture of persistent and non-persistent machine catalogs

    * On vSphere hypervisor, ALL golden images are created under a folder for each machine catalog; snapshots are removed after creation of VMs in Studio but the golden image remains with the created vms

    * Hypervisor version is 6.54

    * XD is 7.15 CU3

     

    I can create a new catalog and machines without issue and once those catalogs are created, updating them is not a problem. The issue is with an EXISTING machine catalog; no matter what kind of vm is created.

     

    Has anyone fixed this issue yet for THIS particular problem?

     

  9. Been trying to finish an upgrade on my storefront servers and I am running into this issue:

     

    Error Id: XDMI:EE53141A

    Exception:
        Citrix.MetaInstaller.Exceptions.MetaInstallerException 'CitrixStoreFront-x64.exe' component failed to install with error 0xFFFFFFFF.
           at Citrix.MetaInstaller.Server.Components.StoreFrontComponent.Install(InstallationContext context)
           at Citrix.MetaInstaller.InstallationManager.InstallComponent(IInstallableComponent component, InstallationContext installContext)
        

    I've tried every uninstaller I could find and even ran msiexec /x commands on product guids I found from wmic.

     

    After further investigation, an app, online helper, is allegedly on the server HOWEVER when I went to the appdata location for the folder, it doesn't exist.

     

    Anybody know of an app or script that will literally just clean up a bad installation from the get go?

  10. All, after working with my Load Balancing team, we were able to figure this out for OUR ENVIRONMENT.

     

    What I ended up having to do was the following:

     

    On the storefront server - for authentication I went ahead and added the necessary domains that were in the environment. At the configure store settings window, I unchecked Require token consistency box. Make sure you apply the settings, make the same changes on any other stores and then propagate to your other servers if you have more than one storefront server.

     

    On the Netscaler appliance, the following settings were made:

    * At the LDAP server setting for the second domain, under server settings change the sAMAccountName entry under the SSO name attribute to userPrincipalName

    * On the virtual gateway server, edit the session policies by going into the Published Applications tab of the session profile and UNCHECK the Single Sign-on Domain.

    * Save the configuration and test

     

    Once this was applied, I could sign in with any domain\user that has authorization.

     

    Remember, your environment may be different than what this solution solves.

    • Like 1
  11. Hi everyone:

     

    Running into an authentication issue with multiple domains and Storefront 3.12.

     

    If a user logs in with their North America account, they can get to their Citrix resources in storefront without issue. However, if a user has multiple domains and he/she tries to access the environment with anything OTHER than the NA account, they get an error as below from Citrix Authentication on the storefront server:

     

     

    Here is what the event log says on the storefront server:

    * Citrix Receiver for Web error:

      * A CitrixAGBasic Login request has failed.

      * Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null

      * Authenticate encountered an exception. at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)  at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

      * System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

      * The remote server returned an error: (403) Forbidden.

      * Url: https://storefront-b.domain.com/Citrix/INT_STORE_NAAuth/CitrixAGBasic/Authenticate

      * ExceptionStatus: ProtocolError

      * ResponseStatus: Forbidden

      * at System.Net.HttpWebRequest.GetResponse()

      * at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)

      * at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders) at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

    * Citrix Authentication Service error:

      * CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

      * The credentials supplied were; user: GMOORE1SEC

      * domain: multi.domain.com - removed the real domain name for security reasons here.

     

     

    From the storefront page, the user gets "Cannot Complete your Request" due to the error

     

    On the Netscaler, the users authenticate just fine. There are two policies, one for each domain, and the NA policy is first. The non-NA account passes through that policy and hits the domain policy it is a member of and the netscaler passes creds.

     

    On the storefront server, I have the authentication method set to ANY DOMAINS so that there is no restriction.

     

    Anyone have any ideas or know of a way to resolve this? I'm thinking maybe there's a configuration I need to make in the config file for the store.

     

    Please advise and thank you.

     

     

     

  12. Wanted to get some thoughts from individuals who may have seen this issue.

     

    I'm designing out the OU structure for a production environment and I've noticed that when I have machines residing in the Test\Citrix OU, they register to the DDC just fine.

     

    When I have these machines created, or if I moved them to the Test\Win10\Computers\VMs OU, the machines lose their DDC registration.

     

    On my gold image, the DDC information is entered on the VDA agent.

     

    So here's my questions:

    * how can I ensure that these machines stay registered to my Win10 OU as this is where I have CIS policies and other group policies in place for laptops and desktops?

    * If I can't move them to the VMs OU, should I duplicate an OU in the Citrix OU or just link the Windows 10 policies to that OU in group policy?

    * is there any other alternative to this besides leaving them in the Test\Citrix OU?

     

    Any thoughts would be much appreciated guys and gals.

  13. Okay on my issue it was a frigging GPO in the Windows 10 OU that my team controls. I am going through entries now to see what is different between windows 7 and windows 10 that would break.

     

    Manuel.....check your time on the image and make sure that it is not off to the point to where you get that error message.

  14. I've got the same issue in v7.11 with a Windows 10 VM that I'm using as a master. Had the issue with a Windows 7 VM but I re-installed the OS image from SCCM and fixed that one.

     

    On the Win10 machine, did the same thing to see if a new OS image and new AD computer name account would fix the issue; no dice.

     

    I've attached a text file with my results from health check assistant. Everything is green EXCEPT for VDA registration as per the regkey entry.

     

    When I take a look at it....it's "empty". I've attached the Windows 7 key entry and what the Win10 key entry looks like.

     

    On the image that has data, that is the Win7 gold master. Notice that it's populated properly. The image that has just the default entry is the Win10 gold master. Any machine that is created in MCS from that master will not register.

     

    What I am going to do is actually create a beta image from a Windows 10 OS disk that does not have all of the applications that the normal image would have to see if I can start duplicating the issue app by app.

     

    What else has anyone found out?

