How to disable ‘Delete account’ option within Secure Hub

-Configure ADS for the domain.

-Change “displayReenrollLink” to “false” to disable the “Delete Account” option within Secure Hub. The cloud team can do this by modifying the Auto Discovery Services records.

-The customer needs to share the domain and the FQDN with Citrix Support and request that the “Delete Account” option be disabled.


-To confirm that “displayReenrollLink” has been disabled by our cloud team, go to this link:{domain} (replace with your domain)

-Check for “displayReenrollLink”; it should be set to false. By default, this value is true.



Cisco Aironet Access Points FlexConnect Multicast DNS Denial of Service Vulnerability

A vulnerability in the multicast DNS (mDNS) gateway feature of Cisco Aironet Series Access Points Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to insufficient input validation of incoming mDNS traffic. An attacker could exploit this vulnerability by sending a crafted mDNS packet to an affected device through a wireless network that is configured in FlexConnect local switching mode or through a wired network on a configured mDNS VLAN. A successful exploit could allow the attacker to cause the access point (AP) to reboot, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

Security Impact Rating: High

CVE: CVE-2021-1439



“Missing Root Certificate” While Launching StoreFront Management Console In Versions 3.0.1000 & 3.0.2000

When launching the StoreFront management console released with LTSR 7.6 Cumulative Update 1 or 2, the following error is displayed in the console:

“The management console is unavailable because a root certificate is missing. Go to VeriSign and download the certificate VeriSign class 3 Primary CA – G5”

StoreFront missing root certificate error



VDA Registration: Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

The following diagram illustrates a XenDesktop multi-forest deployment, in which the DDC is in a different Active Directory forest and the end users and desktops can be either in the same forest or in a separate Active Directory forest.

Note: For Forest trusts, both Forests must be in Win2003 Forest Functional Level.

[Diagram: XenDesktop multi-forest deployment]

The preceding illustration shows two separate Active Directory forests with a two-way forest trust. The DDC and users are in the same forest (parent.local), but the VDAs are located in a different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly:

DNS, for name and reverse lookups. Depending on the approach taken, DNS Forwarders and Conditional Forwarders, Forward/Reverse lookup zones and Stub zones are all acceptable for name lookup/resolution. As an example, in the preceding illustration, on the DNS server for Parent.local, a Secondary Forward Lookup Zone and a Reverse Lookup zone for Parent2.local have been added, and the same has been done in the opposite direction on Parent2.local. This means that the DDC should now be able to resolve the VDA by name and IP address, and the VDA can resolve the DDC by name and IP address.

See Managing a Forward Lookup Zone for information on managing Lookup Zones.

On the Desktop Delivery Controller, enable the following registry value. This enables support for VDAs that are located in separate forests: HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\SupportMultipleForest (REG_DWORD)


To enable VDAs located in separate forests, this value must be present and set to 1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the changes to have an effect.

On the Virtual Desktop Agent, enable the following registry value to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest, this value must be present and set to 1.

Note: The next step is only required if only External Trusts are being used.

  1. If the Active Directory FQDN does not match the DNS FQDN or if the domain where the DDC resides has a different NetBIOS name to that of the Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\ListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\ListOfSIDs

The ListOfSIDs registry key contains the domain SID of the DDC. With this key set, DNS lookups use the true DNS name of the DDC.

To obtain the correct domain SID of the DDC, run the PowerShell cmdlet Get-BrokerController from an elevated PowerShell prompt on the Delivery Controller; the domain SID is in its results.

Note: You must restart the Citrix Desktop Service for the changes to have an effect.


VDA Fails to Register: Cannot Communicate With Delivery Controllers

To resolve this issue:

1. Check the settings according to how communication between the VDA and the Delivery Controllers was set up:

a) Policy or Manually/Registry-based:

  • Verify the ListOfDDCs is not empty, and that the hostnames are correctly entered and can be resolved. To do this, you can ping each host name or use nslookup from the command prompt.
  • Value will be stored in:
HKLM\Software\Policies\Citrix\VirtualDesktopAgent (ListOfDDCs)

HKLM\Software\Wow6432Node\Citrix\VirtualDesktopAgent (ListOfDDCs)

*For more information, see CTX133384 – Best Practices for XenDesktop Registry-based DDC Registration

b) Active Directory OU-based discovery:

  • Value will be stored in:
32-bit: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\FarmGUID

64-bit: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\FarmGUID

*For more information, see Active Directory OU-based Controller Discovery

c) Provisioned by MCS

  • The MCS process creates C:\Personality.ini, containing a list of contactable DDCs in the following format:

[VdaData]
ListOfDDCs=<FQDN of the Controller>

2. Verify the VDA’s DNS settings are correctly configured so the Delivery Controller’s FQDN can be resolved from the VDA.

3. Verify the network communication by pinging VDA from the Controller and vice versa.

4. Verify the VDA and the Delivery Controller can communicate on the same port.

5. Verify that any Delivery Controller host names in the Windows Hosts file are correctly entered and can be resolved. To do this, you can ping each host name or use nslookup from the command prompt.
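
An added example, not part of the original article and not Citrix tooling: a PowerShell script to run on the VDA that reads ListOfDDCs from the two registry locations and C:\Personality.ini named above, then performs the forward and reverse DNS lookups that these steps and the multi-forest DNS requirement call for. It assumes ListOfDDCs is a space-separated list of Controller FQDNs; the function names are illustrative.

```powershell
# Added example (not Citrix code). Run on the VDA.
# Assumption: ListOfDDCs holds Controller FQDNs separated by spaces.
$regKeys = @(
    'HKLM:\Software\Policies\Citrix\VirtualDesktopAgent',
    'HKLM:\Software\Wow6432Node\Citrix\VirtualDesktopAgent'
)

function Get-ConfiguredDdcList {
    # Emit one object per location that actually contains a ListOfDDCs value.
    foreach ($key in $regKeys) {
        $value = (Get-ItemProperty -Path $key -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
        if ($value) { [pscustomobject]@{ Source = $key; Names = $value } }
    }
    $ini = 'C:\Personality.ini'   # created by MCS on provisioned machines
    if (Test-Path $ini) {
        $hit = Select-String -Path $ini -Pattern '^\s*ListOfDDCs\s*=\s*(.+)$' | Select-Object -First 1
        if ($hit) { [pscustomobject]@{ Source = $ini; Names = $hit.Matches[0].Groups[1].Value } }
    }
}

function Test-DdcResolution {
    param([Parameter(Mandatory)] $Entry)
    foreach ($name in ($Entry.Names -split '\s+' | Where-Object { $_ })) {
        # Forward lookup: Controller name to addresses.
        $ips = try { [System.Net.Dns]::GetHostAddresses($name) } catch { @() }
        if (-not $ips) {
            [pscustomobject]@{ Source = $Entry.Source; Controller = $name; Address = $null; ReverseName = $null; Ok = $false }
            continue
        }
        foreach ($ip in $ips) {
            # Reverse lookup: address back to a name, compared with the configured FQDN.
            $ptr = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $null }
            [pscustomobject]@{
                Source = $Entry.Source; Controller = $name; Address = $ip.ToString()
                ReverseName = $ptr; Ok = ($ptr -and $ptr -ieq $name)
            }
        }
    }
}

$entries = @(Get-ConfiguredDdcList)
if ($entries.Count -eq 0) { Write-Warning 'No ListOfDDCs value found in the registry keys or C:\Personality.ini.' }
$entries | ForEach-Object { Test-DdcResolution -Entry $_ } | Format-Table -AutoSize
```

A row with Ok = False points at either a name that does not resolve or a reverse record that does not map back to the configured FQDN.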


Error: 'Name server already exists' – Unable to add DNS servers in NetScaler

To resolve this issue:

  1. Check whether a DNS Load Balance Virtual Server has already been added on NetScaler.

  2. If so, remove the DNS Load Balance Virtual Server and its respective services.

  3. Try to add the name server again; you should now be able to add it.

  4. On NetScaler, you can add either a DNS name server or a DNS LB VIP for the same DNS server.

  5. You can go to System > Networks > IPs and check whether a VIP already exists with this IP.

The best way is to run “sh run | grep <IP Address>” from the CLI to find any matching configuration.

If that doesn’t work, try warm restarting the NetScaler.