Posts posted by Sabine Ludewig1709156713

  1. Hi everybody

    I'm wondering if this is normal.

    We use Citrix Optimizer with .Net Optimization (ngen.exe /update) and it returns tons of error messages like

    - Failed to load the runtime (Exception from HRESULT: 0x80131700). Assembly will be compiled once the correct runtime is installed.

    - Warning: System.IO.FileNotFoundException: Could not load file or assembly 'AssemblyName' or one of its dependencies. The system cannot find the file specified while resolving 0x100000f

     

    No unusual software is installed, just Office, Notepad++, Keepass and such

    Environment is Windows 2019, CVAD 2203 LTSR incl. PVS

     

    Is there anything I can do about these messages or just ignore them?

     

    Thanks for your opinion

  2. I might be a bit late to the party, but had the same problem.

    Turned out you need to be local admin to remove the group you defined during installation.

    I could add and remove any other group, but not the very first one, bc I was just an RDP user with access to the PVS farm.

    After adding my account to the local admin I was able to remove this group as well.

     

    Hope this helps any future readers

     

  3. I figured it out.

    We had two DNS entries named 'Storefront' each pointing to one of our SF servers and representing the internal URL.

    It was meant to be used as a failover/load balancing, but DNS does a round-robin, which StoreFront doesn't like, apparently.

    Removed one of the DNS entries and everything is fine now. Stupid mistake.....

    • Like 1
  4. On 5/6/2023 at 8:20 PM, Jeff Riechers1709152667 said:

    What profile engine are you using?  If FSLogix it could be locked so separate servers can't create one.

    Citrix UPM, when apps are on different DGs they also have different profiles

     

    Do you have any GPOs in place that are restricting users to a single session?

    No

    If you try connecting from a non IGEL machine does it work correctly?

    Only Igel clients. But if I use an account with issues on MY Igel client it works perfectly. I'm not aware of any differences that may apply to my Igel account though.

     

  5. Hi folks,

    I have some pretty strange behaviour here.

    This is a new setup:
    - all servers Windows 2019, incl. VDAs, no Desktop OS

    - CVAD & PVS 2203 LTSR CU2

    - Netscaler 13.42.47

    - Clients connect from a hardened thin client with Igel OS, via browser (Workspace App is installed). Igel OS doesn't seem. We tested several versions with and without having issues.

     

    Now here it goes:

    After logon to Storefront and clicking the first application, a session is created and the first app launches pretty fast.

    When clicking another app (no matter if it's from the same Delivery group or a different one) nothing happens.

    On the client you see a turning circle for like 3 seconds.

    On the Delivery Controller I can see the app added to 'Apps in use'. But this disappears after about 30 seconds.

    On the VDA no process is created for the new app.

    No event log entries on VDA, DDC, SF that could give a clue.

    We are talking simple applications like Paint, Snipping Tool, Keepass, Explorer here, nothing fancy. No Path variables are being used like %Program Files% etc.

    The even stranger thing is that, as far as I'm aware of, there's only two clients without this issue (one happens to be mine). All non-working accounts I've tried on this client don't have any issues.

    And we are connecting to a 1912 farm from these clients, too (completely independent farm, different Netscaler), and nobody has any issues like this.

     

    Any clues are highly appreciated.

    Thanks

  6. On 1/27/2022 at 8:17 AM, Jochen Koch1709156562 said:

    Hello, rather than creating a new topic I think I can post an upcoming question here. Following this approach I am not able to use different credentials to log on because of this error:

     

    ICA Connection request denied because the current user is not the owner of the Session

     

    And then the session is terminated. Is this some kind of security feature we can switch off to allow a different user to use the ICA connection? We don't want the user to enter his administrator credentials on the webinterface because we think this is not really safe. Therefore we tried to use the "normal" credentials for the webinterface and to start the shared server desktop, and then the user should be able to log on with his administrator credentials.

     

    Did you manage to get this to work? We are facing a similar situation and want to use the same approach.

    Thanks

  7. Hi all

    I was wondering whether this is an expected behaviour or if I can do anything about it.

    I'm trying to add a worker from a PVS collection to a machine catalog in Citrix Studio (logged in to the DDC).

    But when my account is a member of the AD group Protected Users, connecting to the PVS server fails.

     

    Any ideas how to work around this issue without removing the account from the group?

    Thanks

  8. Hi all

    I'm having a pretty strange behaviour in PVS.

    We have an image attached to a test server. The image consists of a base and two added versions, no load balancing.

    The server rebooted fine every night. One day we had to detach the image and attach another test image to the server. Then we re-attached the previous vdisk and booting the server failed with 'vdisk file not found'. Nothing else was changed, just detached and re-attached the image.

    We do a vdisk export via PowerShell every night, so I figured to just restore the xml and all vdisk files from a day when everything worked.

    Needless to say, I can't import the vdisk into the PVS console, I get "Invalid vDisk file xxx. Cannot add vDisk."

    I copied the base disk to a new name, which I can import and boot, but not if versions exist.

    Any idea what happened or how I get out of this predicament? I mean, why do I create exports if I can't import them?

     

    Thanks a lot

  9. Hi folks,

    this has been driving me nuts for weeks now without any clue to a solution.

    Our environment: CVAD 1912 CU3, Windows Server 2019, Igel Secure Thinclient (SINA)

     

    People in this environment usually work with two delivery groups at the same time and need to copy text between these two DGs back and forth. This used to work smoothly for years until a few weeks ago.

    We can still copy text from each DG to the local client back and forth, but not directly into the other DG.

     

    Clipboard redirection is enabled for RDP and ICA and there are no bandwidth or extension restrictions in Citrix GPOs.

     

    Any idea is highly appreciated. Thanks

     

  10. Hi there

    I hope someone can give me an idea how to accomplish this task.

    I need to export a list of system users from Netscaler ADC VPX v13.0.

    Basically it's piping the command 'show system user' into a file, which is not possible bc there is no filesystem access at this level;

    or take it from an existing file, which I can't find (they're not in /etc/passwd).

    Any suggestion is highly appreciated

    Thanks a lot

  11. Eventually received an answer from Citrix support

    It seems if you don't have DoS Protection and AppQoE licensed, the DROP action is missing and cannot be created.

    So Citrix provided us with a different approach using a 'Forbidden' responder action:
     

    add policy patset patset_cve_2021_44228 

    bind policy patset patset_cve_2021_44228 ldap 

    bind policy patset patset_cve_2021_44228 http 

    bind policy patset patset_cve_2021_44228 https 

    bind policy patset patset_cve_2021_44228 ldaps 

    bind policy patset patset_cve_2021_44228 rmi 

    bind policy patset patset_cve_2021_44228 dns 

     

    add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\"" 

     

    add responder policy mitigate_exploit_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ respondwith403 

     

    bind responder global mitigate_exploit_cve_2021_44228 100
     

  12. 2 hours ago, Rhonda Rowland1709152125 said:

    I ran it on a 13.0.58.x build, because it was what was in front of me (also vpx) and it had no issue. So it sounds version specific. 

    You could try it in the GUI and see if the GUI takes it and then compare the cli in case it is a firmware specific thing. The expression is written as q^<stuff>^; the q is quoting the start and end of the expression using a character not in the expression (^, caret). So in the GUI, you can omit the q^ and ^ and just use the <stuff> in between.

    Thanks for the advice, but even in the GUI I receive "Action Does Not Exist", so I think it's a version thing

    And it doesn't matter whether I change the Undefined result action to "Drop" or keep the default "Global Undefined result Action"


  13. 17 minutes ago, Oliver Schuhmacher1709158889 said:

    I have the same behavior when I want to create a Responder-Policy on my VPX. The message is "Action does not exist". It is the same error if I create the Responder-Policy in command line or in the GUI.
    Maybe that is a problem only on a VPX. I found that article from Citrix "Rewrite 'ACTION DROP' is not working as expected on NetScaler VPX" (https://support.citrix.com/article/CTX204349).

    It says that the behavior is different on VPX, it should be possible to add the responder policy, though.

    I have a case open with Citrix, but no response yet

  14. 7 hours ago, Alex Coviello said:

    Curious, if Citrix ADC is not affected:

    Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) 

    Not impacted (all platforms) 

     

    Why do we need to add this? 

     

    What Customers Should Do

    Citrix has released configurations that are designed to mitigate the risk of exploit of CVE-2021-44228. Citrix ADC Standard, Advanced or Premium edition customers may use responder policies for protection as shown below. Please bind the responder policy to the appropriate bind point (vserver or global). 

     

    add policy patset patset_cve_2021_44228

    bind policy patset patset_cve_2021_44228 ldap

    bind policy patset patset_cve_2021_44228 http

    bind policy patset patset_cve_2021_44228 https

    bind policy patset patset_cve_2021_44228 ldaps

    bind policy patset patset_cve_2021_44228 rmi

    bind policy patset patset_cve_2021_44228 dns

    add responder policy mitigate_exploit_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE. SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP

    Wondering the same here. The blog they are referring to below this statement talks about Web Application Firewall, which we don't use.

    Yet, my customer ran a security scan and found the system vulnerable to Log4j.

    In the same context Citrix advises us to implement Apache patches as they become available. Sorry Citrix, but it's YOUR job to provide us with a working solution and not have us compiling Linux libraries without (sorry for the vent)

  15. 14 hours ago, Rhonda Rowland1709152125 said:

    It works fine on my instance. Be sure your source doesn't have any smartquotes or line breaks in it. However, I found one space in the original output that might trip up on a version if it's being picky and removed it below. My version took it, but different versions might see it as an expression break. Which version of the firmware are you on?

    There's a space between this one text_mode. and the set_text_mode in purple above.  That *might* be where it interpreted it wrong.  But my system took it no problem.

     

    Here's a copy from a running config after import which converts a few characters to quotes but is still valid (without the space above). NOTE: This is a single line command (requiring all patternsets referenced to be created first).

     

    add responder policy mitigate_exploit_cve_2021_44228 "HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR(\"${\").BEFORE_STR(\"}\").CONTAINS(\"${\") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS(\"${: }/+\").AFTER_STR(\"jndi\").CONTAINS_ANY(\"patset_cve_2021_44228\") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR(\"${\").BEFORE_STR(\"}\").CONTAINS(\"${\") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS(\"${: }/+\").AFTER_STR(\"jndi\").CONTAINS_ANY(\"patset_cve_2021_44228\")" DROP

     

    Thanks for your reply.

    I fixed the spaces, but no luck. Sure my code doesn't have any line breaks, but what do you mean by smartquotes? I only use ", as copied from Citrix's website.

    I'm wondering if I need a responder action, too, which isn't mentioned in the Citrix code. Sorry I'm not very familiar with these sort of things.

    I'm on ADC 13.0.82.45 VPX
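
A pre-paste check for the problems raised in the posts above (smart quotes, line breaks, a stray space after a dot in the expression, an action name the appliance does not know), as an added example that is not part of the thread or of Citrix's published configuration. The function names, finding labels and shortened sample commands are constructed for illustration; `known_actions` is supplied by the caller and is an assumption about what the target appliance accepts.

```python
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def split_policy(cmd):
    """Return (name, rule, action) for an 'add responder policy' command.

    Understands the two rule quotings seen in the thread: q^...^ (assumes the
    closing delimiter equals the character after q) and "..." with \\" escapes.
    """
    m = re.match(r"\s*add responder policy (\S+)\s+", cmd)
    if not m:
        return None
    rest = cmd[m.end():]
    if rest.startswith("q") and len(rest) > 2:
        end = rest.find(rest[1], 2)          # closing delimiter
        if end == -1:
            return None
        rule, tail = rest[2:end], rest[end + 1:]
    else:
        q = re.match(r'"((?:\\.|[^"\\])*)"', rest, re.S)
        if not q:
            return None
        rule, tail = q.group(1).replace('\\"', '"'), rest[q.end():]
    return m.group(1), rule, tail.strip()

def lint(cmd, known_actions):
    """List paste problems in one command; known_actions is caller-supplied."""
    findings = []
    if any(ch in cmd for ch in SMART_QUOTES):
        findings.append("smart-quote")
    if "\n" in cmd.strip() or "\r" in cmd.strip():
        findings.append("line-break")
    parts = split_policy(cmd)
    if parts is None:
        return findings + ["unparsed"]
    _, rule, action = parts
    if re.search(r"\.\s+[A-Z_]", rule):      # e.g. "TEXT_MODE. SET_TEXT_MODE"
        findings.append("space-after-dot")
    if action not in known_actions:
        findings.append("action-not-defined:" + action)
    return findings

# Constructed samples: a shortened form of the expression quoted in the thread.
GOOD = ('add responder policy p1 q^HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED)'
        '.DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).AFTER_STR("jndi")'
        '.CONTAINS_ANY("patset_cve_2021_44228")^ respondwith403')
BAD = (GOOD.replace("MODE.SET", "MODE. SET")
           .replace('"jndi"', "\u201cjndi\u201d")
           .replace("respondwith403", "DROP"))

if __name__ == "__main__":
    for label, cmd in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(cmd, known_actions={"respondwith403"}))
```

Pass in `known_actions` the actions created with `add responder action` plus the built-in actions the target build accepts; the check only reports findings and does not talk to an appliance.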

  16. Hi there

    We don't have Web Application Firewall activated, but Web Logging. And I think that's why a scan found our system to be vulnerable, although Citrix marks ADC as not affected.

    So, I'm trying to implement mitigation steps on ADC VPX 13.0 as described in https://support.citrix.com/article/CTX335705.

     

    add policy patset patset_cve_2021_44228 

    bind policy patset patset_cve_2021_44228 ldap 

    bind policy patset patset_cve_2021_44228 http 

    bind policy patset patset_cve_2021_44228 https 

    bind policy patset patset_cve_2021_44228 ldaps 

    bind policy patset patset_cve_2021_44228 rmi 

    bind policy patset patset_cve_2021_44228 dns 

    add responder policy mitigate_exploit_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE. SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP 

    bind responder global mitigate_exploit_cve_2021_44228 100
     

    But when running the 'add responder policy'  command, it returns with ERROR: Action does not exist
    We don't have Web Application Firewall activated, is that the reason why? Or is there anything wrong with the command published by Citrix?

     

    Thanks a lot

  17. Hi there

    I'm trying to set up native outlook search on Windows 2019 / XenApp 1912 CU3 / Outlook 2019/64bit

    -Windows search is enabled

    -'search index roaming for Outlook' GPO is enabled

    -Path to user store in GPO is in lowercase letters only

    - share permission is Everyone Full Control + WorkerComputerAccount$ Full Control

    -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\EnablePerUserCatalog = DWORD = 0 

     

    The template folder %ProfileShare%\UpmVhd is created on first user logon, but remains empty

    The folder %Userprofile%\VHD\Win2019 is created, but remains empty

    therefore no VHD is mounted

     

    Strange thing is that there's no eventlog entry showing any error regarding SearchIndex or Profilemgmt.

    Anything I'm missing?

    Thanks for your help

  18. I checked back with Citrix support and was told this:
     

    It is expected behavior to see this event, however it does not mean that user’s credentials traverse in plain text in the network
    As per https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
     
    Logon Type 8 means NetworkCleartext and implies the following:
     A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
      
    The log that you sent only highlights that the password used was entered in a cleartext format, NOT that it is actually being transmitted in cleartext between the servers. If HTTPS is configured on Storefront and the DDC, the traffic is encrypted and the actual credentials do not traverse the network in plaintext with HTTPS as HTTPS itself secures it.
    Since you are using SSL communication between SF and DDC and ADC and SF, the communication is entirely secure

     

    So the communication leading to Logon Type 8 is only happening between local Citrix services in order to enumerate your published applications and log you on.
    You can see similar events on the Storefront server.

     

     

     

    • Like 1