Error: “Your apps are not available at this time. Please try again” When Receiver Connects Through NetScaler Gateway

Solution 1

To resolve this issue change the beacon entries in StoreFront. Add the NetScaler Gateway addresses to external beacon.

Reference: https://docs.citrix.com/en-us/storefront/3-11/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html

External Beacon

If you want to use ICA proxy from internal and external connections (all clients should only go through NetScaler), then add a fake address in the internal beacon of StoreFront.

Note: The internal beacon should only be resolvable inside the network, if the beacon is resolvable externally then Citrix Receiver will not be able to add the account.

Solution 2

The issue relates to compatibility of Receiver 4.x and Web Interface XenApp services site. Receiver 4.x supports services sites but when connecting thru NS, users may experience issues as described in CTX136828 – Error When Using Windows Receiver PNAgent through Access Gateway Enterprise Edition Appliance.

Also note Citrix Documentation – NetScaler to Web Interface XenApp Services site is not supported.

Related:

  • No Related Posts

Access to a Citrix Knowledge Center Article is Denied

Citrix has introduced Customer Success Services that allow customers to see privileged Knowledge Center content. Contact your local Citrix Solution Advisor or call 1-800-424-8749 and listen for the option to contact the Sales department; they can help determine which program is right for you.You will continue to have access to certain content as per the matrix below.

Software Updates

Product Type Readme Visible to Download Available to
XenApp 7.X or Higher

XenDesktop 7.X or Higher

Provisioning Services 7.x or Higher

XenMobile 10.X or Higher
Public or Limited or Superseded All
  • Customer Success Services customers
  • Subscription Advantage customers
  • Partners
XenApp 6.X or Earlier

XenDesktop 5.6 or Earlier

Provisioning Services 6.x or Earlier

XenMobile 9.X or Earlier

Application Streaming (all versions)

EdgeSight (all versions)

Single Sign-On (all versions)

Secure Gateway (all versions)

Smart Auditor (all versions)

User Profile Management (all versions)

Web Interface (all versions)

CloudPortal Services (all versions)

CloudPortal Business Manager (all versions)

CloudPlatform (all versions)

VDI-in-a-Box (all versions)
Public All All logged in users
Limited or Superseded All
  • Partners
  • Customers with a TRM agreement

XenServer 7.1 LTSR Cumulative Update 1

XenServer CR release earlier to the latest CR release

XenServer 7.0 hotfixes released after 1 December 2017 (XS70E050 and later)

Public All
  • Customer Success Services customers
  • Subscription Advantage customers
  • Partners
XenServer (Other versions) Public All All logged in users

Citrix Supportability Pack

Readme Visible to Download Available to
All
  • Customer Success Services customers
  • Partners


Premium Content

  • Available to Customer Success Services Customers and Partner designated technical contacts on customer’s support entitlement.


Other Content Type

Type Readme Visible to Download Available to
Technotes All All logged in users
Tools All All logged in users
Learning All All logged in users
Security Bulletins All All


Chat

  • Available only to Customer Success Services customers.


For Application Networking Group products (such as NetScaler, CloudBridge, NetScaler (Access) Gateway, Communication Gateway, and Application Gateway), consider subscribing to the Citrix Appliance Maintenance program.

Related:

  • No Related Posts

Citrix Desktop service is not running or installed on the VDA


VDA Registration fails due to the Citrix Desktop service is not running, properly installed, or the service permissions might not be set correctly. This issue can occur if the service is not started or the system Event Log has traces of service related issues.

Note: If the Citrix Desktop Service is not present or running, the VDA can’t register with the Site, preventing users from accessing their applications and desktops.

Related:

  • No Related Posts

VDA Cannot Communicate With Delivery Controllers

To resolve this issue:

1. If the communication between VDA and Delivery Controllers were set using

a) Policy or Manually/Registry-based:

  • Verify the ListOfDDCs is not empty, and that the hostnames are correctly entered and can be resolved. To do this, you can ping each host name or use nslookup from the command prompt.
  • Value will be stored in:
HKLMSoftwarePoliciesCitrixVirtualDesktopAgent (ListOfDDCs)

or

HKLMSoftwareWow6432NodeCitrixVirtualDesktopAgent (ListOfDDCs)

*For more information, see [Best Practices for XenDesktop Registry-based DDC Registration] (https://support.citrix.com/article/CTX133384) in the Citrix Knowledge Center.

b) Active Directory OU-based discovery:

  • Value will be stored in:
32 Bit: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentFarmGUID

64 Bit HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDeskto pAgentFarmGUID

*For more information, see [Active Directory OU-based Controller Discovery](https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-controller-intro/xad-controller-ou-dscvr.html)

c) Provisioned by MCS

  • The MCS process creates C:Personality.ini, containing a list of contactable DDCs in following format:

[VdaData] ListOfDDCs=<FQDN of the Controller>

2. Verify the VDA’s DNS settings are correctly configured so the Delivery Controller’s FQDN can be resolved from the VDA.

3. Verify the network communication by pinging VDA from the Controller and vice versa.

4. Verify the VDA and the Delivery Controller can communicate on the same port.

5. Verify that any Delivery Controller host names in the Windows Hosts file are correctly entered and can be resolved. To do this, you can ping each host name or use nslookup from the command prompt.

Related:

  • No Related Posts

Citrix XenApp/XenDesktop Site is unreachable by a FMA Service



Smart Check has detected that the XenApp/XenDesktop site is unreachable by one of the following services:

ADIdentity Service

Analytics Service

AppLibrary Service

Broker Service

Configuration Service

Delegated Admin Service

Environment Test Service

Host Availability Service

Machine Creation Service

Monitor Service

StoreFront Service

Trust Service

Orchestration Service

The database is compatible and the service group for the Controller Service is available for registration. The Controller Service can communicate with the database, but no endpoints are registered in the Central Configuration Service. This can occur when the Site setup or upgrade did not complete, resulting in a partially configured Site.

For more information about these services, refer to [CTX139415](http://support.citrix.com/article/CTX139415).

Related:

  • No Related Posts

StoreFront Loopback Feature

Citrix recommends that you modify the hosts file on your StoreFront servers to ensure that Receiver for Web always talks to the local StoreFront server instead of the load balancer. In StoreFront 3.0, we leverage a new feature in the .NET Framework 4.5 to implement loopback communication between Receiver for Web and the rest of StoreFront Services.

This is configurable using PowerShell cmdletSet-DSLoopback, which syntax is

Set-DSLoopback [-SiteId] <Int64> [-VirtualPath] <String> ` [-Loopback] <String>

[[-LoopbackPortUsingHttp] <Int32>]


User-added image

The valid values for Loopback are:

  • On – This is the default value for new Receiver for Web sites. Receiver for Web uses the schema (HTTPS or HTTP) and port number from the base URL but replace the host part with the loopback IP address to communicate with StoreFront Services. This works for a single server deployment and a deployments with a non SSL-terminating load balancer.

  • OnUsingHttp – Receiver for Web uses HTTP and the loopback IP address to communicate with StoreFront Services. If you are using an SSL-terminating load balancer, you should select this value. You have to also specify the HTTP port if it is not the default port 80.

  • Off – This turns off loopback and Receiver for Web uses the StoreFront base URL to communicate with StoreFront Services. If you perform an in-place upgrade this is the default value to avoid disruption to your existing deployment. For example, if you are using an SSL-terminating load balancer, your IIS is configured to use port 81 for HTTP and the path of your Receiver for Web site is /Citrix/StoreWeb, you can run the following command to configure the Receiver for Web site:

    Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb ` -Loopback OnUsingHttp -LoopbackPortUsingHttp 81


Switch off loopback if you want to use any web proxy tool like Fiddler to capture the network traffics between Receiver for Web and StoreFront Services. Delegating Authentication to the Backend Providers StoreFront 2.x always communicates with the Active Directory to authenticate users. This requires that the domain hosting StoreFront servers has at least one-way external trust to the domain hosting the backend XenApp/XenDesktop farms/sites. This may not be possible in some deployments. StoreFront 3.0 adds the capability to delegate authentication to the XenApp/XenDesktop farms/sites. This can be enabled by running the following PowerShell commands. Replace the store and authentication virtual paths appropriately.

## set some variables relevant to your deployment $SiteId = 1 $StoreVirtualPath = “/Citrix/Store” $AuthenticationVirtualPath = “/Citrix/Authentication” # change auth service to use XML Service auth instead of domain auth Set-DSXmlServiceAuthentication -SiteId $SiteId -VirtualPath $AuthenticationVirtualPath $fs = @(Get-DSFarmSets -IISSiteId $SiteId -VirtualPath $StoreVirtualPath) | where { $_.Name -eq “Default” } Update-DSFarmSet -IISSiteId $SiteId -VirtualPath $AuthenticationVirtualPath -Farmset $fs

Note: From StoreFront 3.5 and newer, you can enable loopback in the StoreFront Console.

Related:

  • No Related Posts

XenDesktop Database Transaction Log Growing Excessively

The XenDesktop database contains both configuration and state information, which must be updated often.

A single Virtual Desktop Agent (VDA) inactive for an hour generates approximately 62 kilobytes of transaction log data.

Following are the average transaction log calculations:

Number of Virtual Desktop Agents x 24 Hours x approximately 62 kilobytes of data.

Example 10 VDA Farm in idle state:

10 VDA x 24 x 62K = 14.8 megabytes

Note: This can be substantially higher in active environments.

Related:

  • No Related Posts

Site isolated for a Citrix XenApp/XenDesktop Controller Service



Smart Check has detected that the site has been isolated for one of the following XenApp/XenDesktop services:

ADIdentity Service

Analytics Service

AppLibrary Service

Broker Service

Configuration Service

Delegated Admin Service

Environment Test Service

Host Availability Service

Machine Creation Service

Monitor Service

StoreFront Service

Trust Service

Orchestration Service

The database is compatible and the service group for the Controller Service is available for registration. The Controller Service can communicate with the database, but no endpoints are registered in the Central Configuration Service. This can occur when the Site setup or upgrade did not complete, resulting in a partially configured Site.

For more information about these services, refer to [CTX139415](http://support.citrix.com/article/CTX139415).

Related:

  • No Related Posts

Windows Login Prompt When Launching Published Resources

On StoreFront

1. At a command prompt, type the following command to configure the user authentication method for users accessing the store through the XenApp Services URL.

& “installationlocationScriptsEnablePnaForStore.ps1” –SiteId iisid

–ResourcesVirtualPath storepath –LogonMethod {prompt | sson | smartcard_sson}


Where installationlocation is the directory in which StoreFront is installed, typically C:Program FilesCitrixReceiver StoreFront. For iisid, specify the numerical ID of the Microsoft Internet Information Services (IIS) site hosting StoreFront, which can be obtained from the Internet Information Services (IIS) Manager console. Replace storepath with the relative path to the store in IIS, for example, /Citrix/Store. To enable explicit authentication, set the -LogonMethod argument to prompt. For domain pass-through, use sson and for pass-through with smart card authentication, set the argument to smartcard_sson.

See the following screen shot for reference :

User-added image

2. Go To C:inetpubwwwrootCitrix<Storename>ViewsPnaConfigconfig.aspx and add <LogonMethod>sson</LogonMethod> to the top from where the <LogonMethod> starts.

<Logon>

<LogonMethod>sson</LogonMethod>

<LogonMethod>prompt</LogonMethod>

<EnableSavePassword>false</EnableSavePassword>

<EnableKerberos>false</EnableKerberos>

<SupportNDS>false</SupportNDS>

<NDS_Settings>

<DefaultTree></DefaultTree>

</NDS_Settings>

</Logon>

3. On the StoreFront Server and select Authentication->Add /Remove Methods. Select Domain pass-through.

User-added image

Web Interface configuration

To configure SSON on Web Interface, select Citrix Web Interface Management-> XenApp Sevices Sites-> Authentication Methods and enable Pass-through.

User-added image

IIS Settings

1. Open IIS Manager and navigate to the level you want to manage (storefront site).

2. In Features View, double-click Authentication.

3. On the Authentication page, select Windows Authentication.

4. In the Actions pane, click Enable to use Windows authentication.

Endpoint settings

1. Install CitrixReceiver.exe /includeSSON Enable_SSON=YES

2. Start regedit HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrix

In Dazzle, set AllowAddStore value to A

Set AllowSavePwd value to A

Create the following value :

Name: ConnectionSecurityMode

Value Type: REG_SZ

Value: Any

3. Exit and restart receiver.

4. Add the storefront site to the Trusted Sites list on endpoint.

5. Open IE-> Tools-> Internet Options->Trusted sites-> Security-> Custom level, then choose “Automatic logon with current user name and password” in “User Authentication”.

6. Load group policy files. For installations using Citrix Receiver 4.3 and later, use Receiver.ADMX or Receiver.ADML located in the %SystemDrive%Program Files (x86)CitrixICA ClientConfiguration folder.

7. Open gpedit.msc, right-click Computer Configuration > Administrative Templates – > Citrix Component-> Citrix Receiver->User Authentication.

8. Enable the following local computer GPO settings (on the user’s local machine and/or in the VDA desktop golden image):

a. Choose the local user name and password.

b. Select Enabled.

c. Select Enable pass-through authentication.

Reference :

User-added image

9. Reboot the end point (on which Citrix Receiver is installed) or the VDA desktop golden image.

Endpoint installation of Receiver

If the above installation does not work , try installing receiver as per the following article :

https://support.citrix.com/article/CTX132447

Once installation is done , reboot the machine and check the following in task manager of endpoint :

Go to processes–>select columns–>check command line and see if the command line for ssonsvr.exe shows /HTC:random number. If it shows something like C:Program Files….ssonsvr.exe /HTC:<Number> then passthrough is configured properly on the endpoint , we need to troubleshoot other components.

Also, Right-click the Citrix Receiver icon in the notification area and select Advanced Preferences > Configuration Checker.

The Configuration Checker window appears. Verify if it says everything is configured correctly or not.

Changes on the Delivery Controller

Use the following procedure to configure SSON on StoreFront and Web Interface : (These settings might lead to failures of app launch if the XML port is not trusted by the environment’s firewalls of if there are any issues related to XML ports , kindly enable this if you are certain that there are no port related issues. Disable these settings if the app launch fails)

1. Log onto the Delivery Controller(s) as an administrator.

2. Open Windows PowerShell (with administrative privileges). Using PowerShell, you’ll issue commands to enable the Delivery Controller to trust XML requests sent from StoreFront.

3. If not already loaded, load the Citrix cmdlets by typing Add-PSSapin Citrix*, and press Enter.

4. Press Enter.

5. Type Add-PSSnapin citrix.broker.admin.v2, and press Enter.

6. Tpe Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True, and press Enter.

7. Close PowerShell.

For server OS VDAs

1. Go to Gpedit.msc on server OS VDA –>Administrative templates –>windows components –>remote desktop services –>remote desktop connection client –>prompt for credentials on the client computer –>disabled.

User-added image


2. Go to Remote desktop services in same tree–>remote desktop session host–>security–>always prompt for password upon connections–>disabled.

User-added image

Related:

  • No Related Posts