
Patrick Missun1709161272

Legacy Group · 13 posts

Posts posted by Patrick Missun1709161272

  1. Hello,

     

    I have a question. I think I already read something about that, but I can't find anything related to it with Google.

     

    Today we had a big problem.

    Last night our Hypervisor Management Server broke down and Citrix lost the Hypervisor connection (all machines in state "unknown").

    So far all Citrix systems ran fine and people were working when work started this morning.

     

    After an hour this morning my colleagues were able to fix the Hypervisor Server and boot it up.

    In Citrix Studio the machine status got refreshed and showed the current state again (on or off etc.).

    But after some minutes the first Citrix VDAs suddenly started to reboot on their own.

    The Hypervisor shows that the command was sent by Studio.

     

    Bad luck, people lost their current work... anyway, my question:

    Does Studio catch up on missed reboots when the connection gets lost and restored?
    If yes, is there any way to prevent that issue next time?

     

    best regards

    Patrick

  2. Same problem here under 1912 LTSR with WinSrv 2016 and SSMS 18.X

    The program runs over Desktop like a charm, but the Published App will not start.

     

    Has anybody solved this?

     

    Edit:
    OK, solved this on my own.
    I was only able to publish the app when I took the originally generated link from the Start menu.

    If I entered the path manually it didn't work.

    Also, I found out that you need to take the complete path "C:\Program Files (x86)\xyz\..." instead of "%Program files (x86)\xyz\...".

  3. Thank you for your fast response.

     

    17 minutes ago, Rhonda Rowland1709152125 said:

    Group Extraction:

    [...]

    I checked the "Group Attribute" on the LDAP Action. I have set "memberOf".

    I will take a look at aaad.debug.

     

    17 minutes ago, Rhonda Rowland said:

    Regarding your schema interface presentation:

    [quoted from you] The only difference from your picture at the end to this/my scenario:

    I don't want to enter Username -> Button -> Password -> Button -> Optional 2nd Factor

    I want: Username + Password -> Button -> Optional 2nd Factor.

     

    I would still try to get the original example to work first, because that will mean it is completing and all the elements work.

    If you want to have users prompted in step 1) username/password, then you might as well do LDAP authentication first and not group extraction with a delayed interface.

    The problem: this makes prompting for the RADIUS token on its own a little more complicated, as you will likely need a custom schema and you need to carry the username from part 1 forwards.

     

    This would be a different policy/schema flow than what the examples are showing you.

     

    Yeah, OK. I have the feeling this will not work either, but maybe there is a way to find the error.

    If I manage to set it up tomorrow I will give you feedback on this.

  4. # AAA Global Settings
    # -------------------
    # *** AAA feature is not enabled
    
    
    # LDAP Actions
    # ------------
    add authentication ldapAction LDAP_033_RemoteAccess -serverName NSC-LB-LDAP.Betreiber1.net -serverPort 636 -ldapBase "DC=Betreiber1,DC=net" -ldapBindDn srv@Betreiber1.net -ldapBindDnPassword  -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=CTX001003ADC-GW_dev01,OU=Groups,OU=Betreiber1,DC=Betreiber1,DC=net" -groupAttrName memberOf -secType SSL -ssoNameAttribute cn -passwdChange ENABLED
    
    # *** LDAP certificate verification Root certificates are in /nsconfig/truststore
    
    
    # RADIUS Actions
    # --------------
    add authentication radiusAction Auth_Radius_Imprivata -serverName NSC-LB-RADIUS-IMP.Betreiber1.net -serverPort 1812 -radKey XYZ -encrypted -encryptmethod ENCMTHD_3 -radNASid NSC-DEV01-Auth
    
    
    # Advanced Authentication Policies
    # --------------------------------
    add authentication Policy Auth_Pol_033_RemoteAccess -rule true -action LDAP_033_RemoteAccess
    add authentication Policy Auth_Pol_033Kunde_SkipMFA -rule "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")" -action NO_AUTHN
    add authentication Policy Auth_Pol_033Kunde_toToken -rule true -action NO_AUTHN
    add authentication Policy Auth_Pol_033Kunde_Radius_Token -rule true -action Auth_Radius_Imprivata
    
    # Login Schemas
    # -------------
    add authentication loginSchema Auth_LoginSchema_033_MFASwitch_noSchema -authenticationSchema noschema
    add authentication loginSchema Auth_Login_Schema_Kunde_2ndFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde_2ndFaktor.xml"
    add authentication loginSchema Auth_Login_Schema_Kunde_1stFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde_1stFaktor_letzterTest.xml" -userCredentialIndex 1 -passwordCredentialIndex 2 -SSOCredentials YES
    
    # Login Schema Policies
    # ---------------------
    add authentication loginSchemaPolicy Auth_Login_Schema_POL_Kunde -rule true -action Auth_Login_Schema_Kunde_1stFaktor
    
    # Authentication Policy Labels
    # ----------------------------
    add authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -loginSchema Auth_LoginSchema_033_MFASwitch_noSchema
    bind authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -policyName Auth_Pol_033Kunde_SkipMFA -priority 100 -gotoPriorityExpression END
    bind authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -policyName Auth_Pol_033Kunde_toToken -priority 110 -gotoPriorityExpression NEXT -nextFactor Auth_PolLabel_033Kunde_2ndFaktor_Token
    
    add authentication policylabel Auth_PolLabel_033Kunde_2ndFaktor_Token -loginSchema Auth_Login_Schema_Kunde_2ndFaktor
    bind authentication policylabel Auth_PolLabel_033Kunde_2ndFaktor_Token -policyName Auth_Pol_033Kunde_Radius_Token -priority 100 -gotoPriorityExpression END
    
    # Authentication Virtual Servers
    # ------------------------------
    add authentication vserver Auth_VS_Kunde_Imprivata SSL 0.0.0.0
    bind authentication vserver Auth_VS_Kunde_Imprivata -policy Auth_Login_Schema_POL_Kunde -priority 100 -gotoPriorityExpression END
    bind authentication vserver Auth_VS_Kunde_Imprivata -policy Auth_Pol_033_RemoteAccess -priority 100 -nextFactor Auth_PolLabel_033Kunde_SwitchMFA -gotoPriorityExpression NEXT
    
    # ** nFactor Visualizer 
    # ** ------------------ 
    # ** AAA vserver: Auth_VS_Kunde_Imprivata
    # **    Login Schema Policy = Auth_Login_Schema_POL_Kunde
    # **       Priority = 100
    # **       Rule = true
    # **       Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde_1stFaktor_letzterTest.xml"
    # **    Adv Authn Policy = Auth_Pol_033_RemoteAccess
    # **       Priority = 100
    # **       Rule = true
    # **       Action = ldapAction named LDAP_033_RemoteAccess
    # **       Goto if failed = NEXT
    # **       Next Factor if Success = Auth_PolLabel_033Kunde_SwitchMFA
    # **          Login Schema Profile = Auth_LoginSchema_033_MFASwitch_noSchema
    # **          Login Schema XML = noschema
    # **          Adv Authn Policy = Auth_Pol_033Kunde_SkipMFA
    # **             Priority = 100
    # **             Rule = "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")"
    # **             Action = NO_AUTHN
    # **             Goto if failed = END
    # **          Adv Authn Policy = Auth_Pol_033Kunde_toToken
    # **             Priority = 110
    # **             Rule = true
    # **             Action = NO_AUTHN
    # **             Goto if failed = NEXT
    # **             Next Factor if Success = Auth_PolLabel_033Kunde_2ndFaktor_Token
    # **                Login Schema Profile = Auth_Login_Schema_Kunde_2ndFaktor
    # **                Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde_2ndFaktor.xml"
    # **                Adv Authn Policy = Auth_Pol_033Kunde_Radius_Token
    # **                   Priority = 100
    # **                   Rule = true
    # **                   Action = radiusAction named Auth_Radius_Imprivata
    # **                   Goto if failed = END

     

    First, @Carl Stalhood:

    Sadly none of it helped. But thanks a lot for your answer!

    Maybe you can answer another question for me?

    Why does the extractor show me "# *** AAA feature is not enabled"? "AAA - Application Traffic" is enabled and there is no yellow "!".

    And why is it called "Goto if failed = NEXT"? Did I misunderstand something?

     

    Second, Rhonda Rowland:

    Thank you for your explanations.

    Now some parts are a little bit clearer.

    In the beginning I tested every single part of my setup and I can say: every part works on its own. If I try only LDAP or only RADIUS, it works immediately.

    So I am thinking it's all about my nFactor steps and decision policies.

     

    One part is actually unclear. Maybe I understood your explanation wrong.

    If I create an Authentication Policy (completely stand-alone, no other policy is set),

    I can set an Action Type, Action and Expression.

    When this policy is used, how does NetScaler work on it?

    1. NetScaler looks at the Expression. If it matches, the Action will be executed? (So if my expression has an LDAP group, NetScaler has no information about the user's group at this point.)

    2. NetScaler takes the Action, and after this NetScaler looks at the Expression to see if the user matches?

     

     

    I found different Citrix Knowledge Base articles, but I gave https://support.citrix.com/article/CTX220793 a try as you mentioned.

    Case two of this article is exactly what I need.

    The only difference from your picture at the end to this/my scenario:

    I don't want to enter Username -> Button -> Password -> Button -> Optional 2nd Factor

    I want: Username + Password -> Button -> Optional 2nd Factor.

     

    Back to the Citrix article: I deleted all my old config and rebuilt it as suggested in the article.

    After all, I think the setup looks absolutely like the initial version I built. But OK, maybe I made a mistake...

    But even here, skipping the 2nd factor doesn't work. Both my test users are forced to enter the token code, while one of my test users is allowed to skip this via LDAP group.

    So I think there is only one problem.

    My "Member of" policy doesn't work. I don't know why.

    Just for myself I tested AAA.User.Is_member_of AND HTTP.REQ.USER.IS_MEMBER_OF. But no difference.

    Based on Carl Stalhood, I tested HTTP.REQ.USER.IS_MEMBER_OF().NOT to see if there is a chance, but sadly no.

     

    I don't know what to do.

    Maybe it's easier to drop this ***** and create a dedicated login Gateway for single-factor users.

  5. Hello,

     

    Days have passed searching for a solution. Maybe someone can help me.

    English is not my native language. Feel free to answer in German.

     

    I have a Gateway login for Virtual Apps and Desktops.

    I implemented an Imprivata token solution, so users only get access via a one-time token code.

    In the first try with the DualAuth login schema it works great. The user enters LDAP user and password + token code.

    Now I wanted to implement a step-by-step login (for better user experience) with the possibility to skip MFA (for debugging or special users from a special subnet).

    But my "switch" doesn't work as I expect. Users can access with the token, but users who are allowed to skip MFA are forced to enter the token code too.

     

    As found on carlstalhood.com, I extracted my last try.

    At first I do a group extraction ("Authentication" on the LDAP server is NOT checked), because I don't know if I can create a policy with "Member of" without this.

    Can somebody explain to me: when creating an Authentication Policy, will the Expression take user information before or after the Action?

    I don't understand at what point I can work with LDAP groups and at what point NetScaler has or hasn't got this information.

     

    After this I check if the user is in "CTX001003ADC-GW_dev01"; the LDAP server here has "Authentication" checked and I have a search filter on it.

    At last I check if the user is in the "OhneMFA" group to skip MFA, but it does not work. If not, go to token authentication.

     

    Sadly I have tested so many things that I am absolutely confused.

    # ** nFactor Visualizer 
    # ** ------------------ 
    # ** AAA vserver: Auth_VS_Kunde1_Imprivata
    # **    Login Schema Policy = Auth_Login_Schema_POL_Kunde1
    # **       Priority = 100
    # **       Rule = true
    # **       Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_1stFaktor_letzterTest.xml"
    # **    Adv Authn Policy = DEV_AuthPol
    # **       Priority = 100
    # **       Rule = true
    # **       Action = ldapAction named DEV_LDAP_groupextration
    # **       Goto if failed = NEXT
    # **       Next Factor if Success = DEV_AuthLabel_1_usergrant
    # **          Login Schema Profile = LSCHEMA_INT
    # **          Adv Authn Policy = DEV_AuthPol_UserauthwithGroup
    # **             Priority = 100
    # **             Rule = true
    # **             Action = ldapAction named NSC-LB-LDAP.Betreiber1.net_Kunde1
    # **             Goto if failed = NEXT
    # **             Next Factor if Success = DEV_SwitchskipMFA
    # **                Login Schema Profile = LSCHEMA_INT
    # **                Adv Authn Policy = DEV_noauth_onlyexpression
    # **                   Priority = 90
    # **                   Rule = "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")"
    # **                   Action = NO_AUTHN
    # **                   Goto if failed = NEXT
    # **                Adv Authn Policy = Auth_POL_Kunde1_MFA_1stFaktor
    # **                   Priority = 110
    # **                   Rule = true
    # **                   Action = ldapAction named NSC-LB-LDAP.Betreiber1.net_Kunde1
    # **                   Goto if failed = NEXT
    # **                   Next Factor if Success = Auth_POLLABEL_Kunde1_MFA
    # **                      Login Schema Profile = Auth_Login_Schema_Kunde1_2ndFaktor
    # **                      Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_2ndFaktor.xml"
    # **                      Adv Authn Policy = Auth_POL_Kunde1_MFA_2ndFaktor
    # **                         Priority = 100
    # **                         Rule = true
    # **                         Action = radiusAction named Auth_Radius_Imprivata
    # **                         Goto if failed = NEXT
    
    add authentication ldapAction DEV_LDAP_groupextration -serverName nsc-lb-ldap.Betreiber1.net -serverPort 636 -ldapBase "DC=Betreiber1;DC=net" -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -secType SSL -ssoNameAttribute cn -authentication DISABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberof -groupSearchSubAttribute CN
    add authentication ldapAction NSC-LB-LDAP.Betreiber1.net_Kunde1 -serverName NSC-LB-LDAP.Betreiber1.net -serverPort 636 -ldapBase "DC=Betreiber1,DC=net"  -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=CTX001003ADC-GW_dev01,OU=Groups,OU=Betreiber1-it,DC=Betreiber1,DC=net" -groupAttrName memberOf -secType SSL -ssoNameAttribute cn -authentication DISABLED -passwdChange ENABLED
    add authentication policylabel DEV_AuthLabel_1_usergrant -loginSchema LSCHEMA_INT
    bind authentication policylabel DEV_AuthLabel_1_usergrant -policyName DEV_AuthPol_UserauthwithGroup -priority 100 -gotoPriorityExpression NEXT -nextFactor DEV_SwitchskipMFA
    add authentication policylabel DEV_SwitchskipMFA -loginSchema LSCHEMA_INT
    bind authentication policylabel DEV_SwitchskipMFA -policyName DEV_noauth_onlyexpression -priority 90 -gotoPriorityExpression NEXT
    bind authentication policylabel DEV_SwitchskipMFA -policyName Auth_POL_Kunde1_MFA_1stFaktor -priority 110 -gotoPriorityExpression NEXT -nextFactor Auth_POLLABEL_Kunde1_MFA
    add authentication policylabel Auth_POLLABEL_Kunde1_MFA -loginSchema Auth_Login_Schema_Kunde1_2ndFaktor
    bind authentication policylabel Auth_POLLABEL_Kunde1_MFA -policyName Auth_POL_Kunde1_MFA_2ndFaktor -priority 100 -gotoPriorityExpression NEXT
    add authentication loginSchema Auth_Login_Schema_Kunde1_2ndFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_2ndFaktor.xml"
    add authentication loginSchema Auth_Login_Schema_Kunde1_1stFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_1stFaktor_letzterTest.xml" -userCredentialIndex 1 -passwordCredentialIndex 2 -SSOCredentials YES
    add authentication Policy DEV_AuthPol -rule true -action DEV_LDAP_groupextration
    add authentication Policy DEV_AuthPol_UserauthwithGroup -rule true -action NSC-LB-LDAP.Betreiber1.net_Kunde1
    add authentication Policy Auth_POL_Kunde1_MFA_1stFaktor -rule true -action NSC-LB-LDAP.Betreiber1.net_Kunde1
    add authentication Policy DEV_noauth_onlyexpression -rule "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")" -action NO_AUTHN
    add authentication Policy Auth_POL_Kunde1_MFA_2ndFaktor -rule true -action Auth_Radius_Imprivata
    add authentication radiusAction Auth_Radius_Imprivata -serverName x.Betreiber1.net
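    The evaluation-order question raised in both nFactor posts above (is the policy expression checked before or after the action, and from which factor on does NetScaler know the user's LDAP groups?) can be made visible with a small trace script. This is an added example, not code from the posts or from Citrix: it parses `add`/`bind authentication` lines of the kind shown above, walks the factor chain from the AAA vserver in priority order, and marks each policy with whether an `ldapAction` carrying `-groupAttrName` has already run on an earlier factor when its rule is evaluated. The first sample configuration is trimmed from the one posted; the second vserver (`Auth_VS_Early`) is a constructed misordering added for contrast.

```python
"""Trace an nFactor chain from a NetScaler (Citrix ADC) config dump and report, per
authentication policy, whether LDAP groups can already be known when its rule is
evaluated. Constructed example; it only understands `add/bind authentication` lines."""
import shlex
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Step:
    factor: str         # AAA vserver or policylabel the policy is bound to
    policy: str
    rule: str
    action: str
    uses_groups: bool   # rule contains IS_MEMBER_OF
    groups_known: bool  # an ldapAction with -groupAttrName already ran on this path

def parse_opts(tokens: List[str]) -> dict:
    """`-key value -flag ...` -> dict; a key without a value (e.g. -encrypted) becomes True."""
    opts, i = {}, 0
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            i += 1                      # positional args such as `SSL 0.0.0.0` are skipped
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i][1:]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def parse_config(text: str) -> dict:
    # actions: name -> (kind, opts); policies: name -> opts; factors: name -> [(prio, policy, next)]
    cfg = {"actions": {}, "policies": {}, "factors": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)         # resolves the \" escapes inside -rule "..."
        if len(tok) < 4 or tok[1].lower() != "authentication":
            continue
        verb, kind, name, opts = tok[0].lower(), tok[2].lower(), tok[3], parse_opts(tok[4:])
        if verb == "add" and kind.endswith("action"):
            cfg["actions"][name] = (kind, opts)
        elif verb == "add" and kind == "policy":
            cfg["policies"][name] = opts
        elif verb == "bind" and kind in ("vserver", "policylabel"):
            bound = opts.get("policyName") or opts.get("policy")
            cfg["factors"].setdefault(name, []).append(
                (int(opts.get("priority", 0)), str(bound), opts.get("nextFactor")))
    return cfg

def walk(cfg: dict, start: str) -> List[Step]:
    """Visit policies in the order the ADC evaluates them, starting at vserver `start`."""
    steps: List[Step] = []

    def visit(factor: str, groups_known: bool, path: Tuple[str, ...]) -> None:
        if factor in path:              # guard against a label that loops back on itself
            return
        for _prio, policy, next_factor in sorted(cfg["factors"].get(factor, [])):
            pol = cfg["policies"].get(policy)
            if pol is None:             # e.g. a login schema policy: not an authn policy
                continue
            rule, action = str(pol.get("rule", "true")), str(pol.get("action", "NO_AUTHN"))
            kind, aopts = cfg["actions"].get(action, ("builtin", {}))
            steps.append(Step(factor, policy, rule, action,
                              "IS_MEMBER_OF" in rule.upper(), groups_known))
            # The rule is evaluated first and decides whether the action runs, so groups an
            # ldapAction extracts here are visible to rules only from the next factor on.
            extracts = kind == "ldapaction" and "groupAttrName" in aopts
            if next_factor:
                visit(str(next_factor), groups_known or extracts, path + (factor,))

    visit(start, False, ())
    return steps

def rules_without_groups(steps: List[Step]) -> List[str]:
    """Policies whose IS_MEMBER_OF rule is evaluated before any factor extracted groups."""
    return [s.policy for s in steps if s.uses_groups and not s.groups_known]

# Trimmed from the posted configuration: LDAP with -groupAttrName first, then a group-test label.
CONFIG_POSTED = r'''
add authentication ldapAction LDAP_033_RemoteAccess -serverName NSC-LB-LDAP.Betreiber1.net -serverPort 636 -ldapBase "DC=Betreiber1,DC=net" -ldapLoginName sAMAccountName -groupAttrName memberOf -secType SSL
add authentication Policy Auth_Pol_033_RemoteAccess -rule true -action LDAP_033_RemoteAccess
add authentication Policy Auth_Pol_033Kunde_SkipMFA -rule "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")" -action NO_AUTHN
add authentication Policy Auth_Pol_033Kunde_toToken -rule true -action NO_AUTHN
add authentication Policy Auth_Pol_033Kunde_Radius_Token -rule true -action Auth_Radius_Imprivata
bind authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -policyName Auth_Pol_033Kunde_SkipMFA -priority 100 -gotoPriorityExpression END
bind authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -policyName Auth_Pol_033Kunde_toToken -priority 110 -gotoPriorityExpression NEXT -nextFactor Auth_PolLabel_033Kunde_2ndFaktor_Token
bind authentication policylabel Auth_PolLabel_033Kunde_2ndFaktor_Token -policyName Auth_Pol_033Kunde_Radius_Token -priority 100 -gotoPriorityExpression END
bind authentication vserver Auth_VS_Kunde_Imprivata -policy Auth_Login_Schema_POL_Kunde -priority 100 -gotoPriorityExpression END
bind authentication vserver Auth_VS_Kunde_Imprivata -policy Auth_Pol_033_RemoteAccess -priority 100 -nextFactor Auth_PolLabel_033Kunde_SwitchMFA -gotoPriorityExpression NEXT
'''
# Constructed misordering for contrast: the IS_MEMBER_OF policy bound on a vserver before any LDAP.
CONFIG_EARLY = CONFIG_POSTED + r'''
bind authentication vserver Auth_VS_Early -policy Auth_Pol_033Kunde_SkipMFA -priority 90 -gotoPriorityExpression NEXT
bind authentication vserver Auth_VS_Early -policy Auth_Pol_033_RemoteAccess -priority 100 -gotoPriorityExpression NEXT -nextFactor Auth_PolLabel_033Kunde_SwitchMFA
'''

if __name__ == "__main__":
    for vs, text in (("Auth_VS_Kunde_Imprivata", CONFIG_POSTED), ("Auth_VS_Early", CONFIG_EARLY)):
        steps = walk(parse_config(text), vs)
        print(vs, [(s.policy, s.groups_known) for s in steps], rules_without_groups(steps))
```

    Run directly, the script prints each vserver's chain with the `groups_known` flag per policy; `rules_without_groups()` lists the membership rules that are evaluated at a point where no group extraction could have happened yet. In the posted layout the `SkipMFA` rule sits on the second factor, after the LDAP action has populated the groups, so the script reports nothing there; on the constructed `Auth_VS_Early` the same rule is evaluated first and is flagged. The check encodes only the ordering the posts ask about: a policy's expression is evaluated before its action, and what an `ldapAction` extracts is available to the factors that follow it, not to rules on the same factor.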

     

  6. Thanks for your response,

     

    Your idea is nice, but I think with your setup I would have the same issue, because my workers can migrate to the other datacenter while the wrong PVS streams the golden image.

    I talked to some Citrix consultants last week at a customer circle and they told me that my kind of question is hard to answer, because the PVS servers do not talk with the hypervisor about this kind of information.

    So I am thinking that at my next redesign I will migrate to MCS, or maybe build subnet scopes for every datacenter; this will be easier.

  7. Thanks for your response !

     

    I'm thinking about your design, but isn't there an administration problem with the VDAs?

    If I choose the way to split the current IP scope, I need to rethink every change on the VDAs if there is a load-balance mismatch, because I have to add one new machine in scope A and after this the next machine is going to scope B. Manually.

     

    Actually my virtualisation layer decides on which host (and emergency datacenter) the VDA runs.

    I only add new machines via the wizard to the "host cluster", not to an explicit host in my cluster.

     

    And there are VDAs of the same use case split over both datacenters.

    [image attachment]

    But maybe I'm thinking too much about it? Do you choose your "static" assignment of which VDA runs in datacenter A or B by design?

  8. Hello,

     

    I have a design question about Provisioning Server.

     

    Currently I administer a Citrix 1906 environment with 2 Provisioning Servers which are hardware devices with local storage.

    For redundancy reasons the devices are split into 2 separate datacenters.

    All my workers are virtual, on one big Hyper-V workgroup spanning both datacenters. Workers can migrate between datacenters in an emergency.

     

    My question is: how to prevent streaming the golden image from one PVS server across the "WAN" into the second datacenter?

     

    I found out there is a flag in the golden image vDisk properties to choose "Best Effort", but if I see it correctly this is only based on the subnet address.

    All my workers are in the same subnet as my PVS servers. So this does not help!?...

     

    How do you deal with this design question?

     

    PS: Replying in German is also possible.
