Unable to initiate Start-STFServerGroupJoin remotely

[Istvan Gyori]

I have a strange issue while I'm trying to make an automated installation and configuration of StoreFront in a lab environment.

 

Currently i'm at the point that I have a fully configured StoreFront SF01 and an empty SF02 and the next step would be to issue the following command on SF01:

 

Start-STFServerGroupJoin -IsAuthorizingServer -Confirm:$false

 

This command is running nicely when I log into the machine and issue it in PowerShell, however if I do it remotely it gives me a strange error:

 

System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://localhost/Citrix/ClusterService that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.ServiceModel.AddressAccessDeniedException: The pipe name could not be obtained for net.pipe://localhost/Citrix/ClusterService. ---> System.IO.PipeException: The pipe name could not be obtained for the pipe URI: Unrecognized error 5 (0x5)

   --- End of inner exception stack trace ---

   at System.ServiceModel.Channels.PipeSharedMemory.Open(String sharedMemoryName, Uri pipeUri)

   at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)

   --- End of inner exception stack trace ---

 

 

As you can see from the screenshots the ClusterService is started and listening on it's "net.pipe" address, however if I issue the cmdlet remotely it just says it's not there.

 

I've been through a quite extensive troubleshooting where I've checked the following:

 

Facts:

-  Cmdlet works locally but not remotely with the same domain admin account

-  OS version: Windows Server 2016

-  Citrix version: 1912 CU4

-  Windows Firewall is Turned OFF on all machines

-  StoreFront 1912 SDK command reference: https://developer-docs.citrix.com/projects/storefront-powershell-sdk/en/latest/

 

 

NOTE: I'm only using a domain admin account for every step!

 

1.

If I run the cmdlet with Invoke-Command from another machine i get the same error.

 

2.

If I run the cmdlet from an ansible playbook where I'm using:

  - WinRM connection on 5869 SSL port to SF01 and SF02 machines

  - Tried with NTLM and CredSSP authentication methods (where CredSSP also have credential delegation)

i get the same error

 

3.

CitrixClusterService" is running and it's running under NetworkService, so

    - I've tried to instruct Ansible to use Become command to run my script with NetworkService account. When I do this, I get the following error:

 

System.InvalidOperationException: Cannot open CitrixClusterService service on computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied

   --- End of inner exception stack trace ---

   at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)

   at System.ServiceProcess.ServiceController.Stop()

   at Citrix.DeliveryServices.Framework.Deployment.Utilities.WindowsServiceExtensions.ShutDownService(ServiceController serviceController, TimeSpan timeOutPeriod)

 

4.

I've checked the Local Security Policies for my domain admin user to have all required privileges for delegation and impersonation - all there.

Based on this article:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege

 

 

Any ideas are welcome.

 

Thank you!

[Martin Siddall]

Hi Istvan, we also have the same problem, when using a WinRM connection.... locally on server its fine.

But for us to automate deployments, we also need to get this working, have you had any luck finding a solution ?

 

We can demonstrate it with:-

Start-DSClusterJoinService on the first store-front server.
Get-DSClusterServiceLocalPasscode which will return the passcode.

 

Using WinRM from another server connecting to the first store-front server.

Get-DSClusterServiceLocalPasscode : There was no endpoint listening at net.pipe://localhost/Citrix/ClusterService that could accept the message.

Thanks

Martin

Edited April 4, 2022 by Martin Siddall
Updated info

[Sattar Alamgeer]

Please make sure "CitrixConfigurationReplication" is running, I had similar issue, the service "CitrixConfigurationReplication"  was stopped, when is started it, the issue was resolved.