Posts posted by sortola27

  1. Quote

    Does it work OK if you remove the load balancer and the client connects directly to StoreFront? If so then it's an issue with your load balancer configuration

     

    Yes. If we update the Imprivata Policy to point logins directly to the StoreFront server machine names, logins work fine.

     

    However if we remove the Imprivata PIE Agent from the Igels and set an Active Directory login that's pointed to the load balancers, it works fine.

     

    Quote

    What about if you set your load balancer to always direct traffic to a single StoreFront server? If that works then it's almost certainly due to load balancer session persistence not being configured correctly.

     

    We tried this as well, but even with just a single load balancer running, the issue still randomly occurs. We've tried IP persistence and cookie persistence with the same results.

  2. Good morning,

     

    I've been working on an issue with Citrix Support and Imprivata support over the last 6-7 months and recently was told by Citrix Support that we should post about the issue here.

     

    We are using an Imprivata Embedded agent on igel thin clients.

     

    If we configure the Imprivata agent to connect to our StoreFront server through 2 KEMP load balancers, we are randomly getting a desktop unavailable error. If we disable the Imprivata PIE Agent and use just a simple Igel Active Directory login, it works fine. Imprivata however says it's a Citrix issue.

     

    Here's the error in the Imprivata Agent Log:
     

    2024-01-05 07:52:55,982 - Agent(_log,1613) - DEBUG: CitrixWebResponse: httpStatusCode = 403, dperrorId = None, contentLength = 1233, contentType = text/html; charset=utf-8
    2024-01-05 07:52:55,982 - Agent - ERROR: Access is denied.
    2024-01-05 07:52:55,983 - Agent - ERROR: You do not have permission to view this directory or page using the credentials that you supplied.
    2024-01-05 07:52:55,983 - Agent(_log,1613) - DEBUG: Traceback (most recent call last):
      File "CitrixStoreFrontWebApiClient.py", line 220, in _authenticate
      File "CitrixStoreFrontWebApiClient.py", line 112, in send
      File "CitrixWebResponse.py", line 98, in Parse
    packages.Vdi.CitrixBase.CitrixWebApi.CitrixWebApiError.AccessIsDenied: Your desktop is not currently available. Try again.

    2024-01-05 07:52:55,983 - Agent - WARNING: Failed to connect to https://storefront.homebank.internal/citrix/desktopsweb/ citrix server. Error: Your desktop is not currently available. Try again.
    2024-01-05 07:52:55,983 - Agent - ERROR: Citrix server is not available.
    2024-01-05 07:52:55,983 - Agent - ERROR: Unable to connect to XenDesktop. Try again or contact your administrator for assistance.

     

    Imprivata had been looking into the issue since July but they have asked us to engage with Citrix, which we have done twice.

     

    Imprivata recently asked us to engage Citrix to have the information reviewed by engineering team to see why a 403 error is being returned.  Here's what Imprivata said in that request:

     

    "I completed the review. At present, using the diagnostic PiE, there is no problem in the Imprivata workflow.
    However, because the 403 error is presented by Citrix, we will need their technical support team to evaluate for reasons why the 403 error is returned.
    Can you work with Citrix team, then let me know of your progress?"

     

    diagnosis:

    Logs still show that Citrix responds with error “403 - Forbidden: Access is denied.”
    Logs show that when PiE asks for ICA data then Citrix responds 'reason="notoken" and PIE tries to reauthenticate.
    - Reauthentication is successful.

     

    Then PiE asks for ICA data once more and Citrix now responds with 403 error:"

     

    After we opened our latest case we worked with the Sr Escalation team to capture StoreFront traces when the issue occurred. Here's the feedback from that.

     

    "I see more instances of the error I mentioned in the previous email:

    [Screenshot: StorefrontError]

    It looks similar to a cookie / persistence issue, but I think you would see this across the board instead of just with Linux machines. I unfortunately am not finding any errors in the Store or Authentication logs at the time of the error you documented. 

     

    Can you confirm for me if there is an ADC between the SF server and the client? Also, are there any customizations on the SF server? I reached out to one of the product managers to see if there is any insight they could provide in regards to this scenario and she wants to verify these questions. More than likely, this will need to go to the SDK forums I mentioned previously."

     

    We have tried setting the load balancers to use cookie persistence instead of IP, but the issue still occurs.  

     

    So as suggested we're posting the issue here in case anyone can help. If you need any more information, please let me know.

  3. Hoping someone with a DaaS premium license can help answer this. 

     

    With the Monitoring Premium you get a Custom Reports module.  We're trying to find out if with custom reports you can create a report that shows users who have remotely logged in via the Citrix Cloud Gateway Service within a set period of time (eg: last 24 hours, last 7 days, last 30 days, etc...)

     

    Thanks.

  4. The last thing I have in my notes about this was a registry change suggested by support.  Seems after we did this it stopped:

    Please do the following registry changes to all the Delivery controller or the affected ones in this case.
    Note: Before doing any changes to the registry, please take a snapshot of the VM.
    Reg edit : HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer
    "XmlWpnbrRequestTimeoutMs" to 120000 to increase the timeout duration.
    Please reboot the Delivery Controllers one by one to see if the issue gets fixed. A reboot is a must to reflect the changes on all Delivery Controllers.

  5. We've been seeing this error randomly pop up after a user logs into a VDI desktop (after the Windows welcome stuff, but right before a user's desktop and icons normally load).

     

    [Screenshot: LaunchSessionError]

     

    Clicking OK disconnects the user and shuts down the virtual machine.

     

    Has anyone seen this before? I can't seem to find anything about it.

     

    We're currently on 2203 LTSR

  6. Here's a bigger look at our scenario:

    We're currently in the process of building out our migration to Citrix Cloud. Our existing setup has 2 PVS servers and 2 StoreFront servers at our primary datacenter and 1 PVS at our secondary datacenter; both PVS sites are the same farm. The secondary datacenter at this time is only used for DR situations. The existing farm database is on a SQL server at our primary datacenter. If our primary datacenter goes down, everything is pretty much offline until we swing our servers/routing over to run off the secondary datacenter.

    In building our Citrix Cloud environment, we're looking at the idea of 2 almost independent datacenters. Currently we have 2 resource locations set up with 2 connectors, 2 PVS and 1 StoreFront server and would have 200 VDI (plus some Xen servers) in each datacenter. We're trying to figure out the best approach for the PVS database though, such as using 2 farms so each datacenter's PVS database is independent. If 1 datacenter goes down, the other is still fully functional.

    We're just trying to see if we can safely utilize an existing server at our secondary datacenter, such as the Storefront or cloud connector, to host the PVS database so we're not spinning up another SQL server for what is currently a 230MB database.

    Hope that gives a better picture of what we're thinking about.

    Thanks, y'all.

  7. Is there any reason why the PVS Database shouldn't be installed on the PVS server itself or on a storefront server using SQL Express?   

    Citrix documentation mentions that for load balancing reasons you should separate PVS and the database, but what if we only have 1 PVS server in the farm?

    Has anyone done this?  We're trying to see if we can avoid spinning up another server just for this one database at a secondary datacenter.

  8. Neither, I believe.

    We're logging into the gateway and then starting an ICA session direct to a PC with the Virtual Delivery agent installed.

    I've recently noticed this happens on my desktop PC, but it doesn't on my laptop.  Both have the same version of Receiver installed. 

  9. When remoting in over our Netscaler, the remote session (terminal server or physical pc) shows all the output and input audio devices as disabled. We have to go manually enable our speakers and headsets to get them to work again.

     

    Any ideas on how to get these to enable by default?

  10. I have an HP T740 thin client set up with a USB headset plugged in and a pair of speakers plugged into the 3.5mm headphone jack.

    After logging into a Windows 2016 terminal server and clicking the system tray volume icon, you're able to see the 2 audio devices in the menu but you can't change them. It always reverts back to the one it defaulted to at login. If you open the Volume Mixer (right click volume icon), from there you're now able to change the output audio device.

    However, we found that this only changes the output for Windows system sounds. For example, if we log in and Windows defaults to the headset (which it seems to do every time) and change the output device to the speakers, you hear Windows alerts on the speakers but a YouTube video would continue to play audio through the headset.

     

    Currently the only way to get all audio to move between devices is to physically unplug one device or the other.

    If we log in to a Windows 10 VDI on the same T740, it works fine and we're able to change audio between devices no problem. The Terminal Server and VDI are both running Workspace App 2203 and the thin client is getting the same Citrix Policies applied when logging into either one.

    Anyone ever come across this before?

  11. We've been testing out moving our Citrix non-persistent VDI to ESX hosts but have run into an issue.

     

    We rebuilt a new vdisk that's pretty much identical to the one currently on XenCenter.

     

    Users on the VMware-hosted VDI are running into flashing black screens where dwm.exe is crashing. We've also had a few users run into Teams crashing, giving OutOfMemory exception errors. So far we haven't been able to find any potential causes.

     

    Paging file is disabled on the C drive.

    WEM had Memory Mgmt enabled.  Currently testing with it off.

    We up'd the video memory on the machines in vCenter to 128MB.

     

    I just want to put this out there to see if anyone else may have come across a similar issue or has any suggestions to try.

     

     

  12. Trying to get an ADM Agent set up on-premises in our VMware environment but having boot issues.

     

    From our Citrix Cloud site, we download the agent, selecting "VMware ESXi" as the hypervisor. This downloads a "MASAGENT-ESX.zip" file, containing the MASAGENT-ESX-13.1-34.27 OVF, VMDK and .mf files.

    We import the 3 files into VMware (tried both through vCenter and directly on the host) but afterwards the VM won't boot, giving a "No /boot/loader" error. The farthest we get is this attached screenshot.

    [Screenshot: nobootloader]

    Anyone run into this issue before or have suggestions as to why it's not booting?

     

  13. We're seeing multiple repeating errors in Event Viewer from the Citrix XML Service in our CVAD 2203 LTSR environment. We have 2 StoreFront servers. 01 is not showing the errors, but 02 is.
    We're running into an issue where people are getting "no available desktops" at login and believe this is the cause, but we're running into walls trying to figure out why.

     

    Quote

    ERROR - The Citrix XML Service at address [UnknownRequest] does not support capability integrated-authentication.

    ERROR - All the Citrix XML Services configured for farm KS-NewPool failed to respond to this XML Service transaction.

    ERROR - The Citrix XML Service object was not found: 404 Not Found. This message was reported from the XML Service at address http://ks-ctxdc02.DOMAIN.internal/scripts/CtxIntegrated/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

    ERROR - All the Citrix XML Services configured for farm KS-NewPool failed to respond to this XML Service transaction.

    ERROR - The Citrix XML Service object was not found: 404 Not Found. This message was reported from the XML Service at address http://ks-ctxdc01.DOMAIN.internal/scripts/CtxIntegrated/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.



    Then we will see these two information entries, and then the XML errors repeat a few minutes later.

     

    Quote

    The Citrix XML Service at address ks-ctxdc02.DOMAIN.internal:80 has passed the background health check and has been restored to the list of active services.
    The Citrix XML Service at address ks-ctxdc01.DOMAIN.internal:80 has passed the background health check and has been restored to the list of active services.


    I believe this update was also already installed:
    https://support.citrix.com/article/CTX457757/hotfix-receiver-storefront-3231-for-citrix-virtual-apps-and-desktops-2203-english

    Citrix Storefront installed version shows as: 2203.0.1.2

    We've also looked at these KB fixes, but they did not help:
    https://support.citrix.com/article/CTX233424/users-unable-to-launch-the-published-desktops-and-applications-xml-errors-on-storefront-servers
    https://support.citrix.com/article/CTX399424/gateway-callback-and-or-xml-communication-fails-after-upgrade-to-storefront-2203
    https://support.citrix.com/article/CTX133320/citrix-broker-service-fails-to-initialize-xml-services-with-the-error-input-string-was-not-in-a-correct-format

    While we're at CVAD 2203 LTSR now, we do still have a lot of PCs running Citrix Receiver 4.7, if that could be a part of this, as I noticed this bit of info from
    https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/2203-ltsr/removed-features.html

    Quote

    StoreFront support for TLS 1.0, and TLS 1.1 protocols between Citrix Virtual Apps and Desktops (formerly XenApp and XenDesktop) and Citrix Receiver, and Workspace Hub.
    Removed in 2203
    Upgrade Citrix Receivers to a Citrix Workspace app that supports the TLS 1.2 protocol. For more information on Citrix Workspace app, see https://docs.citrix.com/en-us/citrix-workspace-app.



    Thanks.

  15. Ok, so with Kerberos no longer supported in 7.x it sounds like we should be ok to disable that Kerberos Delegation on the store and install Workspace without Kerberos enabled? Citrix support made it sound like we had to use Kerberos_enabled=Yes when installing Workspace to get SSO to work.

     

    So we've just been getting confused with all the different information we're finding and getting on how to make this work properly.
