Unable to Configure Citrix App Layering ELM PVS Connector

The App Layering Agent (PVS Agent) on the PVS server is registered with the App Layering ELM virtual appliance, and the PVS server enumerates on the App Layering PVS connector screen. However, when you click “check credentials”, an error is displayed stating that the ELM cannot use the credentials on the PVS server because it does not have the rights to execute remote PowerShell commands.

You may also see “Cannot communicate with PVS on server ‘ServerName’. Please ensure that the PVS Powershell Snapin has been registered”.


How To Manually Join A New Controller To An Existing Site

Environment Details:

SQL server = sqlserver.training.lab

XenDesktop DB name = CitrixXenDesktopDB

New Controller = dc2.training.lab

Step 1: Create an instance script for each service running on the new Controller (dc2.training.lab) and execute it against the Site database (as usual, queries must be run in SQLCMD mode):

XD5.x

Get-BrokerDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\brokerjoin.sql

Get-ConfigDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\configjoin.sql

Get-HypDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\hostjoin.sql

Get-ProvDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\provjoin.sql

Get-PvsVmDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\pvsvmjoin.sql

Get-AcctDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\adjoin.sql

XD7.x

Get-BrokerDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\brokerjoin.sql

Get-ConfigDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\configjoin.sql

Get-HypDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\hostjoin.sql

Get-ProvDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\provjoin.sql

Get-AcctDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\adjoin.sql

Get-AdminDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\adminjoin.sql

Get-LogDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\logjoin.sql

Get-EnvTestDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\envtestjoin.sql

Get-MonitorDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\monitorjoin.sql

Get-SfDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\sfjoin.sql

With the release of XenDesktop 7.6, an instance script must also be created for the Analytics service:

Get-AnalyticsDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\analyticsjoin.sql

With the release of XenDesktop 7.8, an instance script must also be created for the App Library service:

Get-AppLibDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\applibjoin.sql

With the release of XenDesktop 7.1x, an instance script must also be created for the Trust Service and Orchestration service:

Get-TrustDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\Trustjoin.sql

Get-OrchDBSchema -DatabaseName CitrixXenDesktopDB -ScriptType instance > c:\Orchjoin.sql

Step 2: Set the DB connection string for each of the new controller services:

XD5.x

Set-BrokerDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-ConfigDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-HypDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-ProvDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-PvsVmDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-AcctDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

XD7.x

Set-AdminDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-BrokerDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-ConfigDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-HypDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-ProvDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-AcctDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-EnvTestDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-MonitorDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-SfDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-LogDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

With the release of XenDesktop 7.6, a DB connection string must also be set for the Analytics service:

Set-AnalyticsDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

With the release of XenDesktop 7.8, a DB connection string must also be set for the App Library service:

Set-AppLibDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

With the release of XenDesktop 7.1x, a DB connection string must also be set for the Trust Service and Orchestration service:

Set-TrustDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Set-OrchDBConnection -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True"

Notes:

- If using XenDesktop 7.x, the delegated administration service (alias=admin) must be the first service you set the DB connection string for. If it is not, all other strings above will fail or time out. This is expected behaviour, as all services communicate with the delegated administration service in order to validate the permissions to make changes to the Site DB, and this includes the action of setting the DB connection string.

- The -Force switch was introduced in XenDesktop 7.1 and can be used to force the DBConnection strings even if the DBConnection for the delegated administration service has not been set. Using the -Force switch allows you to order the services in the script above any way you like.

Step 3: Register the new Controller's service instances with the existing Site Configuration Service:

XenDesktop 5.x

Get-BrokerServiceInstance | Register-ConfigServiceInstance

Get-ConfigServiceInstance | Register-ConfigServiceInstance

Get-HypServiceInstance | Register-ConfigServiceInstance

Get-ProvServiceInstance | Register-ConfigServiceInstance

Get-PvsVmServiceInstance | Register-ConfigServiceInstance

Get-AcctServiceInstance | Register-ConfigServiceInstance

XenDesktop 7.x

Get-BrokerServiceInstance | Register-ConfigServiceInstance

Get-ConfigServiceInstance | Register-ConfigServiceInstance

Get-HypServiceInstance | Register-ConfigServiceInstance

Get-ProvServiceInstance | Register-ConfigServiceInstance

Get-AcctServiceInstance | Register-ConfigServiceInstance

Get-AdminServiceInstance | Register-ConfigServiceInstance

Get-LogServiceInstance | Register-ConfigServiceInstance

Get-EnvTestServiceInstance | Register-ConfigServiceInstance

Get-MonitorServiceInstance | Register-ConfigServiceInstance

Get-SfServiceInstance | Register-ConfigServiceInstance

With the release of XenDesktop 7.6, the Analytics service must also be registered with the existing Site Configuration Service:

Get-AnalyticsServiceInstance | Register-ConfigServiceInstance

With the release of XenDesktop 7.8, the App Library service must also be registered with the existing Site Configuration Service:

Get-AppLibServiceInstance | Register-ConfigServiceInstance

With the release of XenDesktop 7.1x, the Trust service and Orchestration service must also be registered with the existing Site Configuration Service:

Get-TrustServiceInstance | Register-ConfigServiceInstance

Get-OrchServiceInstance | Register-ConfigServiceInstance

Step 4: Reset the service group membership call for each service group. This script forces each service group to record the updated set of configuration service endpoints in its own database area, as the set of config service endpoints now includes the new ones from the new controller just added to the site.

XenDesktop 5.x

get-ConfigServiceInstance | Reset-BrokerServiceGroupMembership

get-ConfigServiceInstance | Reset-ConfigServiceGroupMembership

get-ConfigServiceInstance | Reset-HypServiceGroupMembership

get-ConfigServiceInstance | Reset-ProvServiceGroupMembership

get-ConfigServiceInstance | Reset-PvsVmServiceGroupMembership

get-ConfigServiceInstance | Reset-AcctServiceGroupMembership

XenDesktop 7.x

get-ConfigServiceInstance | Reset-ConfigServiceGroupMembership

get-ConfigServiceInstance | Reset-AcctServiceGroupMembership

get-ConfigServiceInstance | Reset-AdminServiceGroupMembership

get-ConfigServiceInstance | Reset-BrokerServiceGroupMembership

get-ConfigServiceInstance | Reset-EnvTestServiceGroupMembership

get-ConfigServiceInstance | Reset-HypServiceGroupMembership

get-ConfigServiceInstance | Reset-LogServiceGroupMembership

get-ConfigServiceInstance | Reset-MonitorServiceGroupMembership

get-ConfigServiceInstance | Reset-ProvServiceGroupMembership

get-ConfigServiceInstance | Reset-SfServiceGroupMembership


With the release of XenDesktop 7.6, the group membership call must also be reset for the Analytics service group:

get-ConfigServiceInstance | Reset-AnalyticsServiceGroupMembership

With the release of XenDesktop 7.8, the group membership call must also be reset for the App Library service group:

get-ConfigServiceInstance | Reset-AppLibServiceGroupMembership

With the release of XenDesktop 7.1x, the group membership call must also be reset for the Trust service and Orchestration service group:

get-ConfigServiceInstance | Reset-TrustServiceGroupMembership

get-ConfigServiceInstance | Reset-OrchServiceGroupMembership

Finally, do not forget to set the secondary datastore connection strings for the Monitor and Log databases:

Set-LogDBConnection -DataStore Logging -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDBLogging;Integrated Security=True"

Set-MonitorDBConnection -DataStore Monitor -DBConnection "Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDBMonitoring;Integrated Security=True"
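
Steps 2 to 4 for XenDesktop 7.x as one script that enforces the Admin-first ordering from the notes and then checks the result. This is an added example, not part of the original article. The `$Services` list, the `$Db` variable and the verification with the SDK's `Get-<prefix>ServiceStatus` and `Get-<prefix>DBConnection` cmdlets are assumptions of this example.

```powershell
# Added example, not from the original article. Run on the new Controller
# (dc2.training.lab) after the Step 1 instance scripts have been executed
# against the Site database in SQLCMD mode.
Add-PSSnapin Citrix* -ErrorAction Stop

# Integrated Security=True: the services authenticate to SQL Server with
# Windows credentials, so no password is stored in the connection string.
$Db = 'Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDB;Integrated Security=True'

# XenDesktop 7.x service prefixes. Admin is deliberately first: the other
# services ask the delegated administration service to authorize the change.
# Assumption: append Analytics, AppLib, Trust and Orch where the release has them.
$Services = 'Admin', 'Config', 'Acct', 'Broker', 'EnvTest',
            'Hyp', 'Log', 'Monitor', 'Prov', 'Sf'

if ($Services[0] -ne 'Admin') {
    throw 'Admin must be the first entry in $Services (or use -Force on 7.1+).'
}

# Step 2: point every service at the Site database; stop at the first failure.
foreach ($svc in $Services) {
    & "Set-${svc}DBConnection" -DBConnection $Db -ErrorAction Stop | Out-Null
}

# Step 3: register the new Controller's service instances with the
# existing Site Configuration Service.
foreach ($svc in $Services) {
    & "Get-${svc}ServiceInstance" | Register-ConfigServiceInstance | Out-Null
}

# Step 4: make each service group record the updated set of configuration
# service endpoints.
foreach ($svc in $Services) {
    Get-ConfigServiceInstance | & "Reset-${svc}ServiceGroupMembership" | Out-Null
}

# Secondary datastores for the Log and Monitor services.
Set-LogDBConnection -DataStore Logging -DBConnection `
    'Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDBLogging;Integrated Security=True'
Set-MonitorDBConnection -DataStore Monitor -DBConnection `
    'Server=sqlserver.training.lab;Initial Catalog=CitrixXenDesktopDBMonitoring;Integrated Security=True'

# Verification: every service should report OK and show the connection
# string that was just set.
$report = foreach ($svc in $Services) {
    [pscustomobject]@{
        Service    = $svc
        Status     = (& "Get-${svc}ServiceStatus").ServiceStatus
        Connection = & "Get-${svc}DBConnection"
    }
}
$report | Format-Table -AutoSize -Wrap

$notOk = @($report | Where-Object { "$($_.Status)" -ne 'OK' })
if ($notOk.Count -gt 0) {
    $names = ($notOk | ForEach-Object { $_.Service }) -join ', '
    Write-Warning "Services not reporting OK: $names"
}
```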


“Access is denied” error when logging in to a Windows Server 2008 R2 SP1 with Citrix VDA 7.15 CU installed

To fix this “Access is denied” error, add the following registry values and restart the server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

Name: IgnoreRegUserConfigErrors

Type: REG_DWORD

Value: 1

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Name: MaxTokenSize

Type: REG_DWORD

Value: 48000 (Decimal)


Devices created with XDSW to Citrix Cloud Result in Devices being left in initial zone 

Short Term Mitigation:

Manually move the devices from the initial zone after creation with the PowerShell SDK until the upgrade to 1912+ PVS is completed.

Resolution:

Upgrade the PVS console and server to a version 1909+.


StoreFront – Citrix Subscriptions Store service not starting up on one storefront server in server group

Export the subscription data using PowerShell on the working server.

https://docs.citrix.com/en-us/storefront/current-release/configure-manage-stores/manage-subscription-data.html

Then remove the contents of the folder C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore on both StoreFront servers.

Then follow the steps in the section “Restoring Data on a StoreFront Server Group”:

Stop the Subscriptions Store service on the working StoreFront server.

Restore the data on the non-working server using the Restore-STFStoreSubscriptions cmdlet.

Restart the Subscriptions Store service on server StoreFront2.

It will then receive a copy of the data from StoreFront1.


Microsoft Exchange: 355,000 Servers Lack Critical Patch


Fix Released in February Only Installed on 18 Percent of Servers, Rapid7 Warns

Mathew J. Schwartz (euroinfosec) • April 8, 2020

Rapid7: Any attempts to exploit CVE-2020-0688 will leave artifacts in the Windows and IIS logs, including the name of the legitimate user account that was used.

Patch or perish alert: Less than 20 percent of all Microsoft Exchange servers have received a fix for a serious flaw Microsoft first disclosed nearly two months ago, security firm Rapid7 warns.


“As of March 24, there were over 350,000 Exchange servers exposing a version of the software that has this vulnerability,” writes Tom Sellers, a senior manager at Boston-based Rapid7 Labs, in a blog post.

The vulnerability could allow a remote attacker “to turn any stolen Exchange user account into a complete system compromise,” he says. “In many implementations, this could be used to completely compromise the entire Exchange environment – including all email – and potentially all of Active Directory” (see: Why Hackers Abuse Active Directory).

Microsoft addressed the remote-code-execution vulnerability – designated CVE-2020-0688 – via security updates it released on Feb. 11 for all supported versions of Microsoft Exchange. At least at that point, the flaw didn’t appear to have been targeted in the wild, the company said. The flaw was reported to Microsoft by an anonymous researcher via Trend Micro’s Zero Day Initiative.

“A remote-code-execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time,” Microsoft said in its security alert. “Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”

Security Updates Include Patch

To fix the flaw, Microsoft pushed security updates for four base versions of Exchange:

  • Exchange Server 2010 service pack 3 update rollup 30;
  • Exchange Server 2013 cumulative update 23;
  • Exchange Server 2016 cumulative update 14;
  • Exchange Server 2016 cumulative update 15;
  • Exchange Server 2019 cumulative update 3;
  • Exchange Server 2019 cumulative update 4.

But the vast majority of these servers remain unpatched, according to a survey conducted by Project Sonar, Rapid7’s in-house internet scanning project (see: Is COVID-19 Driving a Surge in Unsafe Remote Connectivity?).

“On March 24, we used Project Sonar to survey the internet for publicly facing Exchange Outlook Web App – OWA – services,” Sellers says. “What we found was that at least 357,629 (82.5 percent) of the 433,464 Exchange servers we observed were known to be vulnerable.”

Subsequently, Sellers added a caveat that 35,000 fewer servers might be vulnerable, owing to Microsoft’s fix for Exchange 2010 not updating the visible build information, meaning that scans alone could not tell if an Exchange 2010 system had been updated. Instead, organizations will need to manually verify that every such system has the update. Sellers says they should do the same for all Exchange 2013 and newer systems, noting that the build number alone should indicate if the relevant update is in place.

Check for Compromise

Rapid7 also recommends all organizations that use Exchange search for any signs that they have been compromised via this flaw.

“The exploit code that we tested with left log artifacts in the Windows Event Log and the IIS [Internet Information Services] logs on both patched and unpatched servers,” Sellers says, noting that the log error message will also name the compromised user account.

“You will see the username of the compromised account name at the end of the log entry,” according to Rapid7’s Tom Sellers.

Because the attack requires a valid Exchange user account to succeed, “any user accounts seen in these exploitation attempts should be considered compromised,” Sellers says.

But Wait, There’s More

Unfortunately, the Project Sonar scans revealed more widespread problems than a lack of CVE-2020-0688 patching. Notably, Rapid7 researchers found 31,000 Exchange 2010 servers online that had received no updates since 2012, as well as 800 Exchange 2010 servers that have never been updated. It also saw 10,371 Exchange 2007 servers.

“In addition to the high numbers of servers that are missing multiple updates, there is a concerning number of Exchange 2007 and 2010 servers,” Sellers says, although he notes that Exchange 2007 is not vulnerable to CVE-2020-0688. Even so, the unsupported operating system long ago stopped receiving security updates, and now has a raft of critical flaws that attackers could exploit. “Exchange 2007 transitioned to ‘end of support’ status nearly three years ago, on April 11, 2017,” he says. “No security updates, bug fixes, time zone updates, etc., are provided after that date.”

Exchange 2010 was scheduled to reach end of support on Jan. 14, although that’s now been postponed until Oct. 13, 2020. “There are over 166,000 of these servers connected to the internet,” Sellers says. “That’s a staggering number of enterprise-class mail systems that will be unsupported in a few months.”


Storefront 3.12 CU5 Error: Propagation failed on one or more Servers

PROBLEM:

When an administrator launches the StoreFront Management Console and attempts to perform “Propagate Changes” on servers, the process fails with the following error:

Error: Propagation failed on one or more Servers


Event logs on Primary Server shows the following event:

Event ID 31

An error has occurred during the all server configuration update process.

Citrix.DeliveryServices.ConfigurationReplication.Exceptions.ServerUpdateConfigurationException, Citrix.DeliveryServices.ConfigurationReplication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856

Could not find an X509Certificate2 certificate with the specified thumbprint.

RemoteEndpoint: net.tcp://fantailwillow02/Citrix/ConfigurationReplication

On the Secondary Server the following events are seen:

Event ID 19

Failed to get the end status of the sever configuration update.

System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Could not find an X509Certificate2 certificate with the specified thumbprint.

at Citrix.DeliveryServices.ConfigurationReplication.WCF.ConfigurationReplication.EndUpdateConfiguration(IAsyncResult asyncResult)

AND Event ID 12

Failure to notify of configuration update.

Citrix.DeliveryServices.ConfigurationReplication.Exceptions.ClusterMemberCertificateNotFound, Citrix.DeliveryServices.ConfigurationReplication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856

Could not find an X509Certificate2 certificate with the specified thumbprint.

CertificateThumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Xenapp 7.15 Getting multiple sessions on studio for single user

Prior to installing the 7.15 VDA, session sharing was enabled, i.e., one user launching multiple apps would have all applications running on the same server. After installing the 7.15 VDA on one server, the user started noticing sessions across different VDAs. Now all servers are exhibiting this behavior and resources are running low.


Few of the SEP clients are out of date / not getting virus definitions

I need a solution

Hello,

We use SEPM version 14 to manage our clients. Most of the time 99% of SEP clients are up to date with virus definitions. But every time we get an email stating that a few of the clients are out of date, and those clients are random, even though those clients are showing as connected to SEPM with a green icon. We usually use smc -stop and -start; in some cases it may work, otherwise we need to reboot the server. In order to avoid a reboot we use the Intelligent Updater files and resolve the problem. Do you have any idea why a few of the clients are failing to download the virus definitions? Those clients were downloading/updating definitions from SEPM without any problem. Can anyone share their experiences?

Thanks

Sujith
