
Can't register vda machine in trusted domain


Manuel Kälin

Question

Hi everyone

 

I've got a problem with a Citrix installation in separate domains.

 

About the infrastructure:

 

Domain A

Citrix XenDesktop 7.9

Citrix Virtual Delivery Agent 7.9

Citrix Storefront 

 

Domain B

Citrix Virtual Delivery Agent 7.9

 

In Domain A everything works as expected, the machines appear as registered on the delivery controller and I can access the applications.

The machine from domain B appears as unregistered.

 

There's a two-way trust between domain A and domain B, DNS forward and reverse zones are created, and ping and DNS name resolution work between both domains like they should. The needed ports between these networks are opened on the firewall; at the moment all ports are allowed.

With the Domain A Administrator I can access the VDA Client in Domain B without user prompt, I can access every share on it.

 

The registry key HKLM\SOFTWARE\Citrix\DesktopServer\SupportMultipleForest is created on the Delivery Controller, and the ListOfDDCs entry on the VDA is correctly set up with the FQDN. On the configuration page of the VDA I added the DDC and the green checkmark is there.

 

Attached are the errors that I receive in the event log of the DDC and VDA

DDC

post-12684025-0-39924000-1502090971_thumb.png

Strange thing, the IP Address isn't listed, but when I ping the FQDN I receive it.

 

VDA

post-12684025-0-88350300-1502090979_thumb.png

 

 

Has anyone a clue that could lead me to the solution?

Link to comment

24 answers to this question

Recommended Posts

  • 1

#2 and #3

How to (for the ddc and vda, e.g. allow the vda on the ddc and vice versa): https://technet.microsoft.com/de-de/library/cc816733(v=ws.10).aspx

 

Please check the event log on the DDC and VDA for errors regarding authentication when you restart the broker service.

 

Oh, and there is another thing I forgot:

 

When external trusts are in place, you will also need to make the following changes on the VDA:

  1. Locate the file <ProgramFiles>\Citrix\Virtual Desktop Agent\brokeragent.exe.config
  2. Make a backup copy of the file
  3. Open the file in a text editing program such as Notepad
  4. Locate the text allowNtlm="false" and change the text to allowNtlm="true"
  5. Save the file

Reboot DDC/VDA.

  • Like 1
Link to comment
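
The five manual steps in the post above, as an added PowerShell example (not part of the original post and not Citrix tooling): it reports every allowNtlm setting in the file and, only when run with the hypothetical -Enable switch, makes a timestamped backup before changing "false" to "true". The default path assumes the post's <ProgramFiles> placeholder is %ProgramFiles%; because the edit permits NTLM where it was previously refused, the report and backup leave a record of it.

```powershell
# Added example: audit (and optionally change) allowNtlm in the VDA broker agent config.
# Assumption: <ProgramFiles> from the post resolves to $env:ProgramFiles on this machine.
param(
    [string]$ConfigPath = (Join-Path $env:ProgramFiles 'Citrix\Virtual Desktop Agent\brokeragent.exe.config'),
    [switch]$Enable    # hypothetical switch: without it the script only reports
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Config file not found: $ConfigPath"
}

# Step 1/3: read the file as text and remember the encoding detected on read.
$reader = New-Object System.IO.StreamReader($ConfigPath, $true)
try {
    $text     = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
} finally {
    $reader.Dispose()
}

# Find every allowNtlm="true|false" attribute, whatever element carries it.
$options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
$found   = [regex]::Matches($text, 'allowNtlm\s*=\s*"(true|false)"', $options)

if ($found.Count -eq 0) {
    Write-Warning "No allowNtlm attribute found in $ConfigPath; nothing to change."
    return
}

# Report the current state with line numbers so the change can be reviewed.
foreach ($m in $found) {
    $line = ($text.Substring(0, $m.Index) -split "`n").Count
    Write-Host ("line {0}: {1}" -f $line, $m.Value)
}

$falseCount = @($found | Where-Object { $_.Groups[1].Value -ieq 'false' }).Count
if (-not $Enable) {
    Write-Host "$falseCount occurrence(s) set to false. Re-run with -Enable to change them."
    return
}
if ($falseCount -eq 0) {
    Write-Host 'allowNtlm is already "true" everywhere; file left untouched.'
    return
}

# Step 2: backup copy next to the original, timestamped so repeated runs do not overwrite it.
$backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $ConfigPath -Destination $backup

# Step 4/5: change only the "false" values and save with the encoding detected above.
$newText = [regex]::Replace($text, 'allowNtlm\s*=\s*"false"', 'allowNtlm="true"', $options)
[System.IO.File]::WriteAllText($ConfigPath, $newText, $encoding)

Write-Host "Changed $falseCount occurrence(s). Backup: $backup"
Write-Host 'Reboot the DDC/VDA as described in the post for the change to take effect.'
```

Run it from an elevated prompt on the VDA; restoring the backup file reverts the change.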
  • 0

I've got the same issue in v7.11 with a Windows 10 VM that I'm using as a master. I had the issue with a Windows 7 VM, but I re-installed the OS image from SCCM and fixed that one.

 

On the Win10 machine, did the same thing to see if a new OS image and new AD computer name account would fix the issue; no dice.

 

I've attached a text file with my results from health check assistant. Everything is green EXCEPT for VDA registration as per the regkey entry.

 

When I take a look at it... it's "empty". I've attached the Windows 7 key entry and what the Win10 key entry looks like.

 

On the image that has data, that is the Win7 gold master. Notice that it's populated properly. The image that has just the default entry is the Win10 gold master. Any machine that is created in MCS from that master will not register.

 

What I am going to do is actually create a beta image from a Windows 10 OS disk that does not have all of the applications that the normal image would have to see if I can start duplicating the issue app by app.

 

What else has anyone found out?

post-12544776-0-23513700-1502220823_thumb.jpg

post-12544776-0-73842300-1502220836_thumb.jpg

win10 error log.txt

Link to comment
  • 0
Here is the output of the health assistant, it failed at "time sync with controller" and "vda registration status".

 

2017-08-10 10:36:15,410: 1 INFO  – 

2017-08-10 10:36:15,441: 1 INFO  – ***************

2017-08-10 10:36:15,457: 1 INFO  – 

2017-08-10 10:36:15,472: 1 INFO  – Citrix Health Assistant v1.3.0.17

2017-08-10 10:36:15,488: 1 INFO  – 

2017-08-10 10:36:15,504: 1 INFO  – ***************

2017-08-10 10:36:15,504: 1 INFO  – 

2017-08-10 10:36:37,005: 1 DEBUG – Ping host srv00127.DOMAIN-B.ch result is Success.

2017-08-10 10:36:37,723: 1 INFO  – Test credential to machine srv00127.DOMAIN-B.ch successed!

2017-08-10 10:36:37,755: 18 INFO  – 

2017-08-10 10:36:37,770: 18 INFO  – Start VDA health remote check...

2017-08-10 10:36:37,833: 18 DEBUG – Copy file CitrixHealthAssistant.exe successfully.

2017-08-10 10:36:37,848: 18 DEBUG – Copy file CitrixHealthAssistant.exe.config successfully.

2017-08-10 10:36:37,848: 18 DEBUG – Copy file Interop.NetFwTypeLib.dll successfully.

2017-08-10 10:36:37,880: 18 DEBUG – Copy file log4net.dll successfully.

2017-08-10 10:36:37,895: 18 DEBUG – Copy file VDAAssistant.Backend.dll successfully.

2017-08-10 10:36:37,911: 18 DEBUG – Copy file VDAAssistant.CommonInterface.dll successfully.

2017-08-10 10:36:37,911: 18 DEBUG – Copy file VDAAssistant.UILibrary.dll successfully.

2017-08-10 10:36:37,926: 18 DEBUG – Copy file log4net.config successfully.

2017-08-10 10:36:53,177: 18 INFO  – Remote execution success.

2017-08-10 10:36:53,208: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\CitrixHealthAssistant.exe successfully.

2017-08-10 10:36:53,223: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\CitrixHealthAssistant.exe.config successfully.

2017-08-10 10:36:53,223: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\Interop.NetFwTypeLib.dll successfully.

2017-08-10 10:36:53,239: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\log4net.dll successfully.

2017-08-10 10:36:53,255: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\VDAAssistant.Backend.dll successfully.

2017-08-10 10:36:53,270: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\VDAAssistant.CommonInterface.dll successfully.

2017-08-10 10:36:53,286: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\VDAAssistant.UILibrary.dll successfully.

2017-08-10 10:36:53,302: 18 DEBUG – Remove file \\srv00127.DOMAIN-B.ch\Admin$\Temp\log4net.config successfully.

2017-08-10 10:36:53,317: 18 DEBUG – Remove file CitrixHealthAssistant.log successfully.

2017-08-10 10:36:53,364: 18 DEBUG – NetRemoteTOD query time failure reason: Access is denied

2017-08-10 10:36:53,380: 18 INFO  – One or more tests failed. Review the results and recommended actions for the failed test. Then run the health check again.

2017-08-10 10:36:53,552: 1 INFO  – Start uploading log to Citrix Insight Service...

2017-08-10 10:36:54,817: 1 DEBUG – Log data (866 of 866 bytes) successfully uploaded.

2017-08-10 10:36:54,833: 1 INFO  – Successfully uploaded log to Citrix Insight Service.

2017-08-10 10:36:54,833: 1 DEBUG – Citrix Insight Service upload id is 0a7e4082-3b99-41c6-bcfd-216ce71e255d.
Link to comment
  • 0

Okay on my issue it was a frigging GPO in the Windows 10 OU that my team controls. I am going through entries now to see what is different between windows 7 and windows 10 that would break.

 

Manuel.....check your time on the image and make sure that it is not off to the point to where you get that error message.

Link to comment
  • 0

Here is the newest event log error that I receive on the VDA Server:

 

The Citrix Desktop Service cannot connect to the delivery controller 'http://srv00126.DOMAIN-A:80/Citrix/CdsController/IRegistrar' (IP Address '10.10.10.50') 
 
Check that the system clock is in sync between this machine and the delivery controller. If this does not resolve the problem, please refer to Citrix Knowledge Base article CTX117248 for further information. 
 
Error Details: 
Exception 'Error occurred when attempting to connect to endpoint at address http://srv00126.DOMAIN-A:80/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://10.10.10.50/Citrix/CdsController/IRegistrar' for target 'http://10.10.10.50/Citrix/CdsController/IRegistrar' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed.
   at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetOutgoingBlobProxy.GetOutgoingBlob(ChannelBinding channelBinding)
   at System.ServiceModel.Security.RequestSecurityToken.GetBinaryNegotiation()
   at System.ServiceModel.Security.WSTrust.Driver.WriteRequestSecurityToken(RequestSecurityToken rst, XmlWriter xmlWriter)
   at System.ServiceModel.Channels.BodyWriterMessage.OnWriteBodyContents(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.Message.OnWriteMessage(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
   at System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
   at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message, Boolean shouldRecycleBuffer)
   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   --- End of inner exception stack trace ---
 
Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
 
Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.ICommunicationObject.Open()
   at Citrix.Cds.BrokerAgent.ControllerConnectionFactory.AttemptConnection[T](EndpointReference endpoint, Boolean throwOnError, Boolean allowNtlmAuthentication, String connectUsingIpThisIpAddress, Boolean cacheFactory)' of type 'Citrix.Cds.BrokerAgent.ConnectionFailedException'..

 

 

 

 

When I try to open that mentioned URL .../Citrix/CdsController/IRegistrar there's a site error...can't find the site.

 

Should that site be reachable or what am I supposed to do there?

Link to comment
  • 0

I ran the Citrix Health Assistant again, now I only receive an error on VDA registration status and this is the output file:

 

2017-08-14 13:59:29,322: 1 INFO  – 
2017-08-14 13:59:29,353: 1 INFO  – ***************
2017-08-14 13:59:29,557: 1 INFO  – 
2017-08-14 13:59:29,853: 1 INFO  – Citrix Health Assistant v1.3.0.17
2017-08-14 13:59:29,853: 1 INFO  – 
2017-08-14 13:59:29,869: 1 INFO  – ***************
2017-08-14 13:59:29,885: 1 INFO  – 
2017-08-14 13:59:35,506: 9 INFO  – 
2017-08-14 13:59:35,522: 9 INFO  – Start VDA health check...
2017-08-14 13:59:35,538: 9 INFO  – >>>>Step 1: (VDA software installation)  Begin. <<<<
2017-08-14 13:59:35,569: 9 INFO  – VDA image path is C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe.
2017-08-14 13:59:35,600: 9 INFO  – VDA version number is 7.9.0.5.
2017-08-14 13:59:35,631: 9 INFO  – Registry path at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent is fine.
2017-08-14 13:59:35,663: 9 INFO  – Registry path at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\InstallData\Location is fine.
2017-08-14 13:59:35,694: 9 INFO  – [uI Message] VDA software installation verified.
2017-08-14 13:59:35,694: 9 INFO  – <<<< Step 1: VDA software installation End. Test Success. >>>>
2017-08-14 13:59:35,710: 9 INFO  – >>>>Step 2: (VDA machine domain membership)  Begin. <<<<
2017-08-14 13:59:35,741: 9 DEBUG – DNS Lookup():
2017-08-14 13:59:35,756: 9 DEBUG – Host Name  = srv00127.DOMAIN-B
2017-08-14 13:59:35,772: 9 INFO  – VDA Machine:
2017-08-14 13:59:35,772: 9 DEBUG – NetBIOS Name = SRV00127
2017-08-14 13:59:35,788: 9 INFO  – OS Version = Microsoft Windows NT 6.2.9200.0
2017-08-14 13:59:35,803: 9 INFO  – Platform = X64 Platform
2017-08-14 13:59:35,835: 9 DEBUG – Computer Domain: DOMAIN-B
2017-08-14 13:59:35,835: 9 DEBUG – Role = Member Server
2017-08-14 13:59:35,897: 9 DEBUG – Membership is Verified, SID:S-1-5-21-1324371568-1395723169-410157918-1147
2017-08-14 13:59:35,913: 9 DEBUG – Machine domain membership and DNS resolution verified.Machine SID retrieved.
2017-08-14 13:59:35,913: 9 INFO  – [uI Message] Machine domain membership and DNS resolution verified.Machine SID retrieved successfully.
2017-08-14 13:59:35,944: 9 INFO  – <<<< Step 2: VDA machine domain membership End. Test Success. >>>>
2017-08-14 13:59:35,960: 9 INFO  – >>>>Step 3: (VDA communication port availability)  Begin. <<<<
2017-08-14 13:59:36,116: 9 INFO  – [uI Message] Required port access verified.
2017-08-14 13:59:36,131: 9 INFO  – <<<< Step 3: VDA communication port availability End. Test Success. >>>>
2017-08-14 13:59:36,147: 9 INFO  – >>>>Step 4: (VDA services status)  Begin. <<<<
2017-08-14 13:59:36,163: 9 INFO  – OS VDA related services check.
2017-08-14 13:59:36,178: 9 DEBUG – Service : BrokerAgent ("Citrix Desktopdienst")
2017-08-14 13:59:36,194: 9 DEBUG – Status = Win32OwnProcess, Running
2017-08-14 13:59:36,194: 9 INFO  – Prereq =
2017-08-14 13:59:36,225: 9 DEBUG – LanmanWorkstation (Win32ShareProcess), Running
2017-08-14 13:59:36,241: 9 INFO  – Service : BrokerAgent is running
2017-08-14 13:59:36,256: 9 INFO  – VDA machine region time is 14.08.2017 13:59:36
2017-08-14 13:59:36,506: 9 INFO  – A number of importent errors/warning(4) have been logged into the event log in the last -5 minutes, please check the logs for more details.
2017-08-14 13:59:36,569: 9 INFO  – [uI Message] All VDA services are running No VDA service errors were found in the event log for the past five minutes.
2017-08-14 13:59:36,600: 9 INFO  – <<<< Step 4: VDA services status End. Test Success. >>>>
2017-08-14 13:59:36,616: 9 INFO  – >>>>Step 5: (Windows firewall configuration)  Begin. <<<<
2017-08-14 13:59:36,694: 9 INFO  – Status : Disabled
2017-08-14 13:59:36,710: 9 INFO  – [uI Message] The Windows Firewall Service allows communication between the VDA and the Controller.
2017-08-14 13:59:36,725: 9 INFO  – <<<< Step 5: Windows firewall configuration End. Test Success. >>>>
2017-08-14 13:59:36,741: 9 INFO  – >>>>Step 6: (Communication with Controller)  Begin. <<<<
2017-08-14 13:59:36,756: 9 INFO  – Found 0 hosts in hosts file.
2017-08-14 13:59:36,772: 9 DEBUG – Farm GUID (local) : NOT SET
2017-08-14 13:59:36,772: 9 DEBUG – Farm GUID In Use : NOT SET
2017-08-14 13:59:36,788: 9 INFO  – Find farm Guid doesn't Exist.
2017-08-14 13:59:36,803: 9 INFO  – not find any Controller in [VdaData].
2017-08-14 13:59:36,819: 9 INFO  – Registry based Controller list (ListOfDDCs) :
2017-08-14 13:59:36,835: 9 DEBUG – Controller : citrixintern.DOMAIN-A:80
2017-08-14 13:59:36,850: 9 DEBUG – DNS Lookup(Local Machine):
2017-08-14 13:59:36,850: 9 DEBUG – Host Name  = citrixintern.DOMAIN-A
2017-08-14 13:59:36,881: 9 INFO  – Ping Service: /Citrix/CdsController/IRegistrar
2017-08-14 13:59:36,913: 9 DEBUG – Connect = Tcp to 10.10.10.50:80
2017-08-14 13:59:36,913: 9 INFO  – Service = Listening
2017-08-14 13:59:36,928: 9 DEBUG – Controller : srv00126.DOMAIN-A:80
2017-08-14 13:59:36,944: 9 DEBUG – DNS Lookup(Local Machine):
2017-08-14 13:59:36,944: 9 DEBUG – Host Name  = srv00126.DOMAIN-A
2017-08-14 13:59:36,944: 9 INFO  – Ping Service: /Citrix/CdsController/IRegistrar
2017-08-14 13:59:37,147: 9 DEBUG – Connect = Tcp to 10.10.10.50:80
2017-08-14 13:59:37,163: 9 INFO  – Service = Listening
2017-08-14 13:59:37,163: 9 INFO  – [uI Message] VDA and Controller communication verified.
2017-08-14 13:59:37,178: 9 INFO  – <<<< Step 6: Communication with Controller End. Test Success. >>>>
2017-08-14 13:59:37,194: 9 INFO  – >>>>Step 7: (Time sync with Controller)  Begin. <<<<
2017-08-14 13:59:37,210: 9 DEBUG – Controller:citrixintern.DOMAIN-A
2017-08-14 13:59:37,272: 9 DEBUG – Current VDA time is 08/14/2017 11:59:37
2017-08-14 13:59:37,288: 9 DEBUG – Controller citrixintern.DOMAIN-A time is 08/14/2017 11:59:37
2017-08-14 13:59:37,303: 9 DEBUG – Controller:srv00126.DOMAIN-A
2017-08-14 13:59:37,319: 9 DEBUG – Current VDA time is 08/14/2017 11:59:37
2017-08-14 13:59:37,335: 9 DEBUG – Controller srv00126.DOMAIN-A time is 08/14/2017 11:59:37
2017-08-14 13:59:37,335: 9 INFO  – [uI Message] The time difference between Controller and VDA is less than five minutes.
2017-08-14 13:59:37,350: 9 INFO  – <<<< Step 7: Time sync with Controller End. Test Success. >>>>
2017-08-14 13:59:37,366: 9 INFO  – >>>>Step 8: (VDA registration status)  Begin. <<<<
2017-08-14 13:59:37,397: 9 DEBUG – Registration key path at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\State\Registered is not correct.
2017-08-14 13:59:37,413: 9 INFO  – [uI Message] VDA is not registered.If all previous checks were successful, please contact Citrix Technical Support for help.
2017-08-14 13:59:37,413: 9 INFO  – <<<< Step 8: VDA registration status End. Test Error. >>>>
2017-08-14 13:59:37,428: 9 INFO  – >>>>Step 9: (Session launch communication port availability)  Begin. <<<<
2017-08-14 13:59:37,772: 9 INFO  – [uI Message] Required port access verified.
2017-08-14 13:59:37,788: 9 INFO  – <<<< Step 9: Session launch communication port availability End. Test Success. >>>>
2017-08-14 13:59:37,803: 9 INFO  – >>>>Step 10: (Session launch services status)  Begin. <<<<
2017-08-14 13:59:37,835: 9 INFO  – OS VDA session launch related services check.
2017-08-14 13:59:37,850: 9 DEBUG – Service : Citrix Encryption Service ("Citrix Encryption Service")
2017-08-14 13:59:37,850: 9 DEBUG – Status = Win32OwnProcess, Running
2017-08-14 13:59:37,866: 9 INFO  – Service : Citrix Encryption Service is running
2017-08-14 13:59:37,881: 9 DEBUG – Service : cpsvc ("Citrix Print Manager Service")
2017-08-14 13:59:37,881: 9 DEBUG – Status = Win32OwnProcess, Running
2017-08-14 13:59:37,897: 9 INFO  – Prereq =
2017-08-14 13:59:37,913: 9 DEBUG – RpcSs (Win32ShareProcess), Running
2017-08-14 13:59:37,913: 9 DEBUG – Spooler (Win32OwnProcess, InteractiveProcess), Running
2017-08-14 13:59:37,928: 9 INFO  – Service : cpsvc is running
2017-08-14 13:59:38,006: 9 INFO  – VDA ProvisioningType is not MCS.
2017-08-14 13:59:38,022: 9 INFO  – OS VDA session launch related services check.
2017-08-14 13:59:38,038: 9 DEBUG – Service : CtxFlashSvc ("Citrix HDX MediaStream für Flash-Dienst")
2017-08-14 13:59:38,038: 9 DEBUG – Status = Win32OwnProcess, Running
2017-08-14 13:59:38,053: 9 INFO  – Service : CtxFlashSvc is running
2017-08-14 13:59:38,069: 9 DEBUG – Service : CitrixCseEngine ("Citrix Gruppenrichtlinienengine")
2017-08-14 13:59:38,069: 9 DEBUG – Status = Win32OwnProcess, Running
2017-08-14 13:59:38,085: 9 INFO  – Prereq =
2017-08-14 13:59:38,116: 9 DEBUG – RpcSs (Win32ShareProcess), Running
2017-08-14 13:59:38,116: 9 INFO  – Service : CitrixCseEngine is running
2017-08-14 13:59:38,131: 9 INFO  – VDA machine region time is 14.08.2017 13:59:38
2017-08-14 13:59:38,194: 9 INFO  – [uI Message] All session launch related services are verified on VDA. No service errors were found in the event log for the past five minutes.
2017-08-14 13:59:38,210: 9 INFO  – <<<< Step 10: Session launch services status End. Test Success. >>>>
2017-08-14 13:59:38,225: 9 INFO  – >>>>Step 11: (Session launch windows firewall configuration)  Begin. <<<<
2017-08-14 13:59:38,272: 9 INFO  – Status : Disabled
2017-08-14 13:59:38,319: 9 INFO  – Status : Disabled
2017-08-14 13:59:38,319: 9 INFO  – [uI Message] The Windows Firewall Service allows communication between the VDA and the Controller.
2017-08-14 13:59:38,335: 9 INFO  – <<<< Step 11: Session launch windows firewall configuration End. Test Success. >>>>
2017-08-14 13:59:38,350: 9 INFO  – One or more tests failed. Review the results and recommended actions for the failed test. Then run the health check again.
2017-08-14 13:59:38,585: 1 INFO  – Start uploading log to Citrix Insight Service...
2017-08-14 14:00:48,465: 1 DEBUG – Log data (6868 of 6868 bytes) successfully uploaded.
2017-08-14 14:00:48,480: 1 INFO  – Successfully uploaded log to Citrix Insight Service.
2017-08-14 14:00:48,496: 1 DEBUG – Citrix Insight Service upload id is d8dbf933-57fc-4744-a5cc-4818949b56a6.
 

 

 

 

When I check the registry at the error "DEBUG – Registration key path at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\State\Registered is not correct." there is no "Registered" key inside that State, it's empty. I guess the key only appears when the machine is registered.

Link to comment
  • 0

Hi Falko

#0

The registry key is set on the VDA 

 

#1

The ListOfSIDs is set too

post-12684025-0-94507700-1502869288_thumb.png

 

#2 + #3

How can I test the authentication? I added the computer account to the local administrators on both servers; when I try to access the C$ share from one server on the other, it opens without an authentication prompt.

Link to comment
  • 0

#2 and #3

How to (for the ddc and vda, e.g. allow the vda on the ddc and vice versa): https://technet.microsoft.com/de-de/library/cc816733(v=ws.10).aspx

 

Please check the event log on the DDC and VDA for errors regarding authentication when you restart the broker service.

 

Oh, and there is another thing I forgot:

 

When external trusts are in place, you will also need to make the following changes on the VDA:

  1. Locate the file <ProgramFiles>\Citrix\Virtual Desktop Agent\brokeragent.exe.config
  2. Make a backup copy of the file
  3. Open the file in a text editing program such as Notepad
  4. Locate the text allowNtlm="false" and change the text to allowNtlm="true"
  5. Save the file

Reboot DDC/VDA.

 

Looks like we are a step further. I receive the following errors on the VDA machine:

 

post-12684025-0-04964600-1502884141_thumb.png

post-12684025-0-72970500-1502884146_thumb.png

 

I checked the internet and there is something about a controllers security group mentioned, but I can't find such a group in the Active Directory. Should that group be there?

Link to comment
  • 0

This is directly related to #2 and #3. In my test environment I receive the same error (just reproduced) if the DDC(s) don't have the right to authenticate on the VDA(s).

Check again https://support.citrix.com/article/CTX134971 - the picture above the last picture shows you the setting. Create a group on domain A for the DDC and use this group on the VDAs from domain B in the security settings. Additionally, create a group on domain B for all VDAs and use this group in the domain A security settings for the DDCs on domain A.

Don't forget to reboot after the changes.

Link to comment
  • 0

Okay, I hope I understand you correctly.

 

I set the security settings this morning on the DDC (srv00126) computer object in Domain A, added the VDA server (srv00127) and set full control, and the same vice versa for the VDA computer object in Domain B. Is that right or am I doing it completely wrong?

 

post-12684025-0-54432900-1502887200_thumb.png

Link to comment
  • 0

Tried to get the servers into the security tab with the whole FQDN, but no luck...

I ran xdping again on both servers.

On the DDC it runs without any problem; on the VDA I got an error on

It is not possible to enurmerate DDC list from VDA [ERROR]

Is there another test that I can run to get a clue what else could be wrong?

Link to comment
  • 0

And one error is strange in the event log of the VDA

 

post-12684025-0-82048000-1502895838_thumb.png

 

Why does it say "Fail worker callback using SPN HOST/srv00127.Domain-B and IP address 10.10.10.254"?

That's the IP address of the 10.10.10.xx-network gateway, not of the srv00127 VDA server...

Is that error right or is there some DNS resolution problem?

I even added the hosts vice versa in the hosts file of each server, with no luck.

Link to comment
  • 0
On 17/08/2017 at 1:06 AM, Manuel Kälin said:

And one error is strange in the event log of the VDA

 

post-12684025-0-82048000-1502895838_thumb.png

 

Why does it say "Fail worker callback using SPN HOST/srv00127.Domain-B and IP address 10.10.10.254"?

That's the IP address of the 10.10.10.xx-network gateway, not of the srv00127 VDA server...

Is that error right or is there some DNS resolution problem?

I even added the hosts vice versa in the hosts file of each server, with no luck.

I've the same problem.

Did you resolve this? Any leads would be appreciated!

Link to comment
  • 0

It's a new build of XenDesktop 7.15 LTSR CU4

Single domain

 

About the infrastructure:

 

Citrix XenDesktop 7.15

Citrix Virtual Delivery Agent 7.15

 

I've turned off Firewall for testing...

 

 

 

Please see the logs from XDPing:

Controllers (manually specified)::

  Controller: XenDesktop1.domain.local:0

    DNS Lookup(XenDesktop1.domain.local):

      Host Name  = XenDesktop1.domain.local

      Address #0 = 10.88.11.11 (rDNS: XenDesktop1.domain.local) [OK]

    Ping Service: /Citrix/CdsController/IRegistrar

      Connect = Unable to open connection to XenDesktop1.domain.local:0

 [ERROR]

  ListOfDDC is set in the registry to enurmerate DDC list [OK]

--------------------------------------------------------------------

Summary::

    Checking version : You are using the latest version. [OK]

    A number of importent errors/warning(3) have been logged into the event log in the last hour, please check the logs for more details [WARNING]

    Connect = Unable to open connection to XenDesktop1.domain.local:0 [ERROR]

 

 

Citrix Health Assistant Log:

2019-07-01 10:11:24,399: 10 INFO  – >>>>Step 8: (VDA Registration Status)  Begin. <<<<

2019-07-01 10:11:24,415: 10 DEBUG – Registration key path at  HKEY_domain.local_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\State\Registered is not correct.

2019-07-01 10:11:24,555: 10 INFO  – Get VDA Functional Level fromXenDesktop1.domain.local for VDA1.domain.local

2019-07-01 10:11:25,956: 10 INFO  – GetApplications: PowerShell Succeeded

2019-07-01 10:11:25,977: 10 ERROR – Exception details : Object reference not set to an instance of an object.

2019-07-01 10:11:25,993: 10 INFO  – [UI Message] Exception details : Object reference not set to an instance of an object..

2019-07-01 10:11:26,009: 10 INFO  – <<<< Step 8: VDA Registration Status End. Test Error. >>>>

 

 

 

 

 

Link to comment
  • 0

For me the issue was a missing firewall policy. In a trust scenario where the VDA is in Domain A and the Delivery Controller is in Domain B, the VDAs in Domain A actually need access to the domain controllers in Domain B (though the error isn't very helpful for figuring that out). It's not necessarily that time is out of sync, but rather that it cannot validate it either way. We have a service group on our firewall that has all of the ports normally required for a healthy domain member to domain controller relationship, which I used in a policy that resolved this issue.

 

image.thumb.png.2781f0846e3aa0adca39215d613c6901.png

 

If you're facing this issue, I'd suggest opening up all ports from "VDA in domain A" to "Domain Controllers in Domain B" temporarily. Then peel back the ports as required.

 

Link to comment
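
One way to run the check the last post describes, before and after narrowing the firewall policy, as an added PowerShell example (not from the thread): from the VDA it locates the other domain's domain controllers through DNS and tests TCP reachability port by port. The -TrustedDomain parameter name and the port list are assumptions; the poster's own service group is only visible in a screenshot, so the list here is the commonly documented domain-member-to-DC TCP set.

```powershell
# Added example: run on the VDA to see which domain-controller ports in the
# Delivery Controller's domain are reachable through the firewall.
param(
    [Parameter(Mandatory = $true)]
    [string]$TrustedDomain,      # DNS name of the other domain (placeholder, supply your own)
    [int]$TimeoutMs = 2000
)

# Assumption: commonly documented member-to-DC TCP ports. UDP (53, 88, 123, 389)
# and the dynamic RPC range are not covered by a TCP connect test.
$ports = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global catalog' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet fails after $TimeoutMs.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false            # refused, unreachable or name not resolvable
    } finally {
        $client.Close()
    }
}

# Domain controllers register this SRV record; failure here already points at DNS (port 53).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.NameTarget } | Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        [pscustomobject]@{
            DomainController = $dc
            Port             = $p.Port
            Service          = $p.Name
            Reachable        = Test-TcpPort -HostName $dc -Port $p.Port -TimeoutMs $TimeoutMs
        }
    }
}
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} of {1} DC port checks failed; Kerberos (88) and LDAP (389) are the first to restore." -f $blocked.Count, @($results).Count)
}

# The event text asks for a clock check: show the offset against each DC (uses NTP, UDP 123).
foreach ($dc in $dcs) {
    w32tm /stripchart /computer:$dc /samples:1 /dataonly
}
```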
