
Citrix Cloud MCS Connection to Azure Unable to See Image or Template vhd files

Situation

The Citrix Cloud MCS connection to Microsoft Azure is unable to provision any Machine Catalog, as it's unable to find any images, disks, VHDs or servers to base its Machine Catalog on.

  1. Citrix Cloud setup with Hosting connected direct to Microsoft Azure RM (and working as it can connect and see resources etc)
  2. 1 x DC, 2 x Citrix Cloud Connectors and 1 Windows server template with VDA installed as ‘master image’
  3. All Windows 2016
  4. All servers built with Azure managed disks (where the servers are not placed into any storage account)

Hosting Connection

Machine Catalog Creation

CC sees the Resource Group and storage, but it's basically looking in the wrong areas and not finding the image or VHD files.

Solution

The VDA template must be created within a storage account and not built with Azure managed disks.

 

Azure managed disks are now available in preview (apparently), but only for the machines you deploy via your Machine Catalog. It seems you still need a VHD and storage account for your base image / template when you create the Machine Catalog, but you can then enable Azure managed disks for your new MCS-managed VMs (see the screenshot below, taken during Machine Catalog creation).

 

Online NetScaler Course Update and Discount

Hey Everyone, Our “Masters of Cloud – Citrix NetScaler Introduction” course has recently been updated with a series of new videos, check it out now and as an added bonus there is a 50% discount link if you sign up before end of September!

https://www.udemy.com/citrix-netscaler-introduction/?couponCode=SEPTLINKEDIN

We hope you enjoy the updates and all the best on your learning journey!

JS Consulting and Masters of Cloud

Citrix Storefront 3.9 passthrough authentication issues

Situation:

After a customer recently upgraded to Storefront 3.9, some users complained of having to authenticate twice when using various browsers: once in Storefront, and once again in a Windows login prompt when they launched their selected application.

This seems to be related to the way Storefront runs the receiver detection. If a compatible receiver is detected, the users are prompted and asked if they want to ‘Log On’ with their local computer credentials (see the screenshot from Workaround 1 below).

Previously we have only ever used ‘username and password’ authentication, but this process seems to negate / bypass the authentication configured in Storefront.

Workaround #1:

The users should be prompted each time to ‘passthrough’ their local Windows credentials by clicking ‘Log On’.

The users can skip the passthrough and simply click ‘switch to user name and password’.

To use the account you used to sign on the computer, click Log On.

Workaround #2

If you have more than one Store in Storefront, separate the authentication methods so they are not shared between the stores (passthrough detection continued to happen regardless of the authentication method selected when it was shared between stores).

(note the storename has been obscured for customer anonymity)

Resolution:

The references section below covers setting up a good receiver configuration; this customer had broken the majority of those rules, for good reason. As they were not adhering to the Citrix best practices, workaround 2 became their resolution based on other requirements (not all users are domain joined; not all devices that connect are managed by the customer, but rather by 3rd parties over which they have no control; the users have little or no local access to upgrade, install or modify receiver configurations – the list goes on).

After the upgrade, the authentication methods of two different stores were merged, and shared authentication was enabled. Regardless of the settings we selected / applied in the browser, the passthrough continued to haunt users and attempt to log them in with their local credentials.

Once we split the authentication, so it could be controlled separately between the two stores, the issues went away and we had more granular control.

There were a number of things the customer was not doing, like configuring the receiver clients locally and configuring the local receivers to support http://. They have a large number of non-domain-joined users, and this prevented a ‘one size fits all’ approach to deploying receiver and Storefront internally. Our final suggestion was to look to replace this entirely with NetScaler and HTML5 instead.

References

https://docs.citrix.com/en-us/receiver/windows/4-7/secure-connections/receiver-windows-configure-passthrough.html

Deploying to AWS with Citrix Smart Deploy – no NAT instance was detected

Situation:

During the deployment of a blueprint via Citrix Smart Tools > Smart Deploy, we came across the following error when attempting to deploy to our AWS Resource Location:

The following problems were detected with your configuration
Please re-configure as no NAT instance was detected in this AWS Resource location

Solution:

The blueprint / Citrix tools don’t seem to (yet) support AWS NAT Gateways. This also certainly won’t work with the default VPC. To solve this, we spun up a new NAT Instance in our own VPC, with the servers in separate private subnets, in order for the wizard to proceed / succeed. Also note that if you deploy to the public subnet you need to provide an elastic IP address.

Citrix Storefront Upgrade Failure 2.x to 3.9

Situation:

When trying to upgrade our Citrix Storefront servers from a 2.x version to Storefront 3.9, we encountered the error below. The installation failed with the previous Storefront version removed completely and all configuration lost, and we were then unable to install any further version of Citrix Storefront.

Application Log Error, Source: Citrix Extensible Meta-Installer EVENTID: 0
Timestamp: 05/07/2017 19:04:43
Category:Error, WinError
Message:Unexpected exception. Message: Exception has been thrown by the target of an invocation.. Stack Trace =    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
  at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Citrix.Cxmi.CustomSandbox.ManagedDllLoader.CallStaticMethod(String typeName, String methodName, Dictionary`2 methodParams)
   at Citrix.Cxmi.Workflow.ExecuteTask.Execute()
   at Citrix.Cxmi.Workflow.WorkflowSequence.Execute()
   at Citrix.Cxmi.Workflow.WorkflowSequence.Execute()
   at Citrix.Cxmi.Workflow.WorkflowExtension.Run()
   at Citrix.Cxmi.Core.Engine.Run()
   at Citrix.Cxmi.Core.Program.Main(String[] args).

Things Tried:

Deletion of all local temp files – Failed

Complete uninstall and reinstall of Storefront versions – Failed

Reinstall of old version 2.x – Failed

Install of new 3.x  version as different user – failed

We had no choice but to revert the VM snapshot to recover the production Web server.

Solution:

Upgrade to Storefront 3.0 first, then attempt to upgrade to a higher version.

Azure Active Directory synchronisation attempts failing

Unhealthy identity synchronization notification.

Azure Active Directory did not register a synchronization attempt from the identity synchronization tool in the last 24 hours for <Company>

Solution

There are a large number of reasons why this might be affecting you; however, in this specific instance we needed to ensure that Microsoft Azure Active Directory Connect was not stuck at the ‘required to upgrade’ screen.

Connect to the AD where you have installed the Sync tool and confirm.

Perform the upgrade as necessary

I then had to spend nearly an hour trying to discover what username / password was configured on this damned account as it was not working with my Azure portal login (portal.azure.com).

As this was a partner subscription from the Microsoft Action Pack, the original configuration was set up under portal.office.com. Also, as password synchronisation was set up as part of the AD sync, the previously updated on-prem passwords had not synced with Office – so no one could log in with their new passwords.

So

  1. I ran password recovery for the @xxx.onmicrosoft.com account
  2. Accessed the portal.office.com and confirmed all else was ok with the subscription

  3. Setup On Prem AD Sync again with the recently reset user and password.

  4. Finally we can complete the upgrade.
  5. Upgrade completed

 

Azure Source Anchor Upgrade from objectGUID

Post setup (or reconfiguration) of Azure AD Synchronization there is a prompt

Azure Active Directory is configured to use AD attribute objectGUID as the source anchor attribute. Its strongly recommended that you let Azure manage the source anchor for you. Please run the wizard again and select Configure Source Anchor.

Why should we do this?

Upgrading this from objectGUID to ms-DS-ConsistencyGUID is best practice and allows for easy recovery of accidentally deleted on-premise user accounts.

Walk Through Steps

  1. Run the Azure AD Connector Wizard and select the Source Anchor option
  2. Select Configure Source Anchor

  3. Click ‘Configure’ to commit the settings appropriately

  4. Success

 

Microsoft Azure Virtual Network Gateway Deletion Failing

You may be frustrated at Microsoft Azure’s lack of ability to power off the Network gateways especially when they are chewing up resources and $. Unfortunately Azure provides no current way to power the gateways down so the only current solution is to delete them, however you need to delete them in the right order to remove the service pre-requisites.

Example:

Failed to delete virtual Network Gateway

Failed to delete virtual network gateway 'UKSouthGateway'.
Error: Gateway /subscriptions/xxxxx-xxxx-xxx-xxxx-xxxxxxx/resourceGroups/

Solution

The gateway devices must be deleted in a specific order

  1. Connections (both sides)
  2. Local Network Gateway (both sides)
  3. Virtual Network Gateways (both sides)
  4. IP Ranges (only if necessary)
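
The deletion order above as a script, added here as an example and not part of the original article. It assumes the Az.Network PowerShell module and a signed-in session; the resource group names are hypothetical placeholders, and step 4 is left as a manual decision.

```powershell
# Added example: delete VPN gateway resources in dependency order.
# Assumes Az.Network is installed and Connect-AzAccount has been run.
function Remove-VpnGatewayStack {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # One resource group per side of the tunnel
        [Parameter(Mandatory)][string[]]$ResourceGroupName
    )

    # 1. Connections (both sides) must go first; gateways that still have
    #    a connection attached refuse to delete.
    foreach ($rg in $ResourceGroupName) {
        foreach ($c in @(Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg)) {
            if ($PSCmdlet.ShouldProcess("$rg/$($c.Name)", 'Delete connection')) {
                Remove-AzVirtualNetworkGatewayConnection -Name $c.Name -ResourceGroupName $rg -Force
            }
        }
    }

    # 2. Local network gateways (both sides)
    foreach ($rg in $ResourceGroupName) {
        foreach ($l in @(Get-AzLocalNetworkGateway -ResourceGroupName $rg)) {
            if ($PSCmdlet.ShouldProcess("$rg/$($l.Name)", 'Delete local network gateway')) {
                Remove-AzLocalNetworkGateway -Name $l.Name -ResourceGroupName $rg -Force
            }
        }
    }

    # 3. Virtual network gateways (both sides); each deletion can take a long time.
    foreach ($rg in $ResourceGroupName) {
        foreach ($g in @(Get-AzVirtualNetworkGateway -ResourceGroupName $rg)) {
            if ($PSCmdlet.ShouldProcess("$rg/$($g.Name)", 'Delete virtual network gateway')) {
                Remove-AzVirtualNetworkGateway -Name $g.Name -ResourceGroupName $rg -Force
            }
        }
    }
}

# Dry run first: lists what would be deleted without changing anything.
# 'rg-side-a' and 'rg-side-b' are placeholder resource group names.
Remove-VpnGatewayStack -ResourceGroupName 'rg-side-a', 'rg-side-b' -WhatIf
```

The function removes every connection and gateway in the listed resource groups, so review the `-WhatIf` output before running it without that switch.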

Citrix Cloud Connector Installation Unsuccessful on Windows Server 2016

Scenario

After multiple attempts to install the Citrix Cloud Connector software, we continued to receive the following error, even after multiple reboots.

Installation was unsuccessful. See below for details.
A system restart is pending. The system must be restarted before any products can be installed.

Solution

Simply delete / clear the Windows registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
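
One way to carry out this step while keeping a record of what is discarded, added here as an example and not part of the original article. The value queues file renames and deletions for the next boot, so the script saves and lists the entries before removing them; the backup path is an assumption.

```powershell
# Added example: review and back up PendingFileRenameOperations before clearing it.
# Run from an elevated PowerShell session on the affected server.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'
# Backup path is an assumption; any location writable by the administrator works.
$backup = Join-Path $env:TEMP ('{0}-{1:yyyyMMdd-HHmmss}.txt' -f $name, (Get-Date))

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if (-not $prop) {
    Write-Output "$name is not set; the pending-restart flag comes from somewhere else."
    return
}

# REG_MULTI_SZ value: strings come in (source, destination) pairs.
# An empty destination means "delete the source at next boot".
$entries = @($prop.$name)
$entries | Set-Content -Path $backup -Encoding UTF8
Write-Output "Saved $($entries.Count) strings to $backup"

# Strips the NT path prefix (\??\) and the optional '!' replace-existing marker.
$prefix = '^!?\\\?\?\\'
for ($i = 0; $i -lt $entries.Count; $i += 2) {
    $source = $entries[$i] -replace $prefix, ''
    $dest   = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] -replace $prefix, '' } else { '' }
    [pscustomobject]@{
        Action      = if ($dest) { 'Rename' } else { 'Delete' }
        Source      = $source
        Destination = $dest
    }
}

# Prompts before removing the value; use -WhatIf instead to preview the change.
Remove-ItemProperty -Path $key -Name $name -Confirm
```

If the listed entries belong to a patch or a security agent update, clearing the value leaves that update unfinished, so rerun its installer after the Cloud Connector is in place.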

 

Citrix Cloud – Secure Browser Service

Summary

Citrix has a cloud-based secure browser service, unsurprisingly called ‘Secure Browser Service’. Here is a quick summary of the features / notes taken during a PoC for a customer.

Review

Basically this is an Azure-hosted cloud delivery of URLs you specify to publish to users (either anonymously or via your own authentication methods), combined with a browser that is ‘locked down’. You can have Firefox, Chrome, IE11 or IE11 (64bit). Even for a quick test, it’s awesome. Quick, simple and reliable.

Flash and video support (YouTube) are native, albeit noticeably slow (but they still worked, even for a UK-based user while the resources were in the Azure West US region!). Signing up for the trial was simple and very quick via my mycitrix.com account (5 minutes after requesting the trial, it was ready to go).

From a customisation perspective there is little that is changeable – and possibly will stay this way to keep the service offering simple – you can always deploy your own secure browser service via XA/XD for further customisations. Well done Citrix.

 

Initial Overview Page

Clicking Get started

Enter a Name, URL and select the browser and region

Browser and Region Options

 

I selected IE11 and West US as the region

Clicking Launch Application launched very quickly, but because it’s published initially in kiosk mode, my native response was to click ‘refresh’, which reloaded the entire published app – not the webpage (including back buttons etc.)

Secure Browser service supports on prem apps / backends
Change Settings

Manage >

Enable non-kiosk mode

Launching with non-kiosk

Other sites were accessible

(But I didn’t push my luck)

youtube.com was noticeably slow but still worked, sound and all! Pretty good by default.
Where is it hosted and did it match the region published in – YES

 

Flash is available and the Internet speed was very fast

Flash quality was low and jittery – but was absolutely usable even with approx 150ms from my device to West US Azure

Statistics on usage

Summary

Even for a PoC / Demo this is fantastic. Quick and simple and no obvious major issues. Well Done Citrix!