Notes from the Field: Citrix Provisioning Server 2402 CU1 LTSR Upgrade

by Leave a Comment

While upgrading our Citrix Provisioning Server (2203 LTSR) to the latest LTSR version 2402 CU1, we ran into some difficulties that we didn’t encounter with earlier versions. In addition to issues with the Citrix Provisioning Server Console, we also had some struggles getting both Citrix Studio and Citrix PVS Console to run from a single admin server. In this blog, I’ll share our findings.

Until now, our default upgrade procedure was to upgrade all Citrix Provisioning Server Consoles, test the console, and then upgrade the Citrix Provisioning Server itself. However, we quickly noticed that the new PVS Console (based on LTSR 2402 CU1) was unable to successfully connect to a Provisioning Server running LTSR 2203.

When connecting a 2402 PVS Console to a 2203 PVS Server, the following error messages appear:
FX:{d4362438-2b4a-4f95-91b1-4f813d7b18e7} Type is not resolver for member ‘EnterpriseAccess.EAException

For completeness, an older 2203 PVS Console was able to connect to a 2402 PVS Server without any error messages. The product documentation was recently updated with this information.

Upgrade the Citrix Provisioning console and server on every Citrix Provisioning server. After all servers are upgraded, upgrade the console on any other systems it is installed on. The console is not backward compatible.

Next, we upgraded the first Citrix Provisioning Server to 2024 CU1 LTSR. Although the upgrade went flawlessly and the configuration wizard succeeded without any errors, the upgraded server appeared as “down” in the PVS Console. The first error message that appeared in Event Viewer was Event ID 268: “StreamProcess – Cannot establish a connection to the database because the server cannot be found.” It seemed to be something related to the database. The issue was caused by the ‘Microsoft OLE DB Driver 19.x‘ driver, which, due to stricter security measures, requires certificate validation on the SQL Server. In our case, the Microsoft SQL Server was configured with the ‘force encryption’ option enabled, but did not provide a certificate. Regarding encryption, PVS DOES NOT use the default. It specifies Encrypt=Optional when it connects to the database.  This means the connection is encrypted if the SQL Server has Force Encryption=Yes, and otherwise it is unencrypted.  This is identical to the behavior with earlier versions.

CTX69229 : PVS Server Down In Console After Upgrade to 2402 CU1

Because Citrix Provisioning 2308 and later only supports Microsoft OLE DB Driver 19.3 or newer, downgrading to OLE DB 18.x (which doesn’t require a certificate) was not an option. As a result, we had to involve the database team and ask them to modify our SQL instance. After this change, we were able to successfully start the upgraded Citrix Provisioning Server.

The next issue we encountered was the compatibility with Citrix Studio (2402). As mentioned earlier, we like to have all Citrix consoles installed on our admin servers. Unfortunately, Citrix Studio was completely broken after installing the Citrix Provisioning Server console. We tried several installation sequences, but in the end, the only working sequence was as follows:

  1. Uninstall Citrix Studio
  2. Install Citrix Provisioning Server Console
  3. Uninstall Citrix DaaS Remote PowerShell SDK
  4. Reinstall Citrix Studio

After this sequence, we finally had both Citrix Studio and the Citrix Provisioning Server Console working side by side on the admin servers.

Uninstall Citrix Studio before installing the Citrix Provisioning Server Console.

Depending on your environment, the third step might not apply to your setup. However, in our case, we still use Ivanti Workspace Control to publish Citrix applications (on-prem, non-cloud). Unfortunately, this does not work well when the Citrix DaaS Remote PowerShell SDK is installed. One thing we found very frustrating is that the ‘Citrix DaaS Remote PowerShell SDK’ is installed as a requirement by the ‘Citrix Provisioning Server Console.’ There is no option to skip this component, even if another SDK is already in place. We discussed this issue with Citrix Support, and hopefully, they will make adjustments in the future. For now, manually uninstalling the Citrix DaaS Remote PowerShell SDK was our only option. 😞

Ivanti Workspace Control application publishing (on-prem) is not compatible with the “Citrix DaaS Remote PowerShell SDK”

That’s it for now! Hopefully, we’ve saved you some frustrations while upgrading your Citrix Provisioning Servers. 😉 Finally, I would like to thank my colleague Hugo Koop for his research efforts and insightful discussions with Citrix Support.

Citrix StoreFront Error “Cannot complete your request”

by Leave a Comment

While replacing Citrix StoreFront (2203 CU5 LTSR) servers running Microsoft Server 2019 with servers running Server 2022, we encountered an error message during login attempts to Citrix StoreFront. Users were shown an error message stating: “Cannot complete your request.”

We were running a GSLB setup with a multi-server group (across sites), each containing several Citrix StoreFront servers (2203 CU5 LTSR). As described in “Virtual Apps and Desktops – 1912/2203 – Citrix Infrastructure / OS Upgrade” (CTX278869), we exported the configuration from an old StoreFront server running Server 2019 and imported it onto the newly created StoreFront servers running Server 2022. All servers were deployed in the same OU, received the same GPOs/settings, and apart from the different operating systems, all settings were pretty much identical.

Read More →

Setup Authentik as Radius Provider

by Leave a Comment

For my home lab environment, I use Authentik as my Identity Provider. Authentik is an open-source authentication and authorization platform that enables Single Sign-On (SSO), identity management, and multi-factor authentication (MFA) via protocols like OAuth, SAML, and LDAP. For various applications, such as the Citrix NetScaler, I use RADIUS for secondary authentication. All my Authentik users have a TOTP token in their authenticator app, which I want to use for RADIUS authentication. While configuring RADIUS in Authentik, I found the available documentation somewhat limited, and it took considerable effort to achieve a working RADIUS setup. This blog describes all the steps I followed to get RADIUS successfully running within Authentik.

For this guide, I used Authentik version 2024.10.1. I assume you already have a working Authentik setup where users already have a TOTP authenticator code available.

Read more: Setup Authentik as Radius Provider

Within the admin console, select “Stages” under “Flows and Stages” and next select “Create”. First we’ll create a “Identification Stage”. The parameters that should be configured in the stage are:

  • Type : Identification Stage
  • Name : pepperbyte-radius-identification-stage
  • User fields : Username, Email & UPN

Next, we’ll create an “Identification Stage” with the following parameters:

  • Type: Authenticator Validation Stage
  • Name : pepperbyte-radius-authenticator-validation-stage
  • Device classes : Static Tokens & TOTP Authenticators
  • Not configured action : Deny the user access
  • WebAuthn User verification: user verification should not occur.

Lastly, we’ll create a “User Login Stage” with the following parameters:

  • Type : User Login Stage
  • Name : pepperbyte-radius-user-login-stage

Now that all the required stages have been created, select “Flows” and create a new Flow with the following parameters:

  • Name : PepperByte Radius Authentication Flow
  • Title : PepperByte Radius Authentication Flow
  • Slug : pepperbyte-radius-authentication-flow
  • Designation : Authentication
  • Authentication : Require Outpost (flow can only be executed from an outpost)

Select the newly created flow “pepperbyte-radius-authentication-flow”, click on “Stage Bindings”, and then select “Bind existing stage”. Bind the previously created stages in the following order:

  • Order : 10, Stage : pepperbyte-radius-identification-stage
  • Order : 20, Stage : pepperbyte-radius-authenticator-validation-stage
  • Order : 30, Stage : pepperbyte-radius-user-login-stage

With this, the Flow is ready. Next, go to “Provider” under “Applications” and select “Create”. We’ll create a new provider with the following parameters:

  • Type : Radius Provider
  • Name : PepperByte Radius
  • Authentication flow : pepperbyte-radius-authentication-flow
  • Code-based MFA Support : Disabled
  • Shared secret : Write down the shared secret; we’ll need it later on
  • Client Networks : By preference, only specify the IP address of the RADIUS client here.

Next, go to “Applications” and select “Create”. We’ll create a new Application with the following parameters:

  • Name : PepperByte Radius
  • Slug : pepperbyte-radius
  • Provider : PepperByte Radius

Next, select “Outposts” under “Applications” and click “Create”. We’ll create a new Outpost with the following parameters:

  • Name : PepperByte Radius
  • Type : Radius
  • Application : PepperByte Radius
  • Configuration :
    • authentik_host: https://local authentik ip:port/
    • authentik_host_insecure: false
    • authentik_host_browser: “https://authentik fqdn/”

With the Radius Outpost created, last thing we have to do within the Authenik admin console is to retreive the “Authentik_Token”, which we’ll need to run the Authenik Radius Container. Select “View Deployment Info” and click “Click to copy token”. Save this token, as we’ll need it later on.

With everything set up within Authentik, we now need to add the actual RADIUS listener by adding the RADIUS Outpost to your (at least in my case) docker-compose file. Add the following configuration to your existing Authentik docker-compose file, with the following parameters:

  • {{AUTHENTIK_HOST}} : Internal Authentik FQDN/IP, in my case “https://192.168.x.x:4443”.
  • {{AUTHENTIK_RADIUS_TOKEN}} : Then, use the “Authentik_Token” saved when creating the RADIUS Outpost.
  radius_outpost:
    image: ghcr.io/goauthentik/radius:latest
    restart: unless-stopped
    ports:
      - 1812:1812/udp
    environment:
      AUTHENTIK_HOST: {{AUTHENTIK_HOST}}
      AUTHENTIK_INSECURE: "true"
      AUTHENTIK_TOKEN: {{AUTHENTIK_RADIUS_TOKEN}}
    depends_on:
      - server

After redeploying your Authentik setup, an additional “Authentik Radius” container should be present, or you can use the automatically created “ak-outpost-pepperbyte-radius” without redeploying your whole setup. Either way, you should have an “Authentik Radius” container running.

Verify the “Health and Version” status of the RADIUS container from within the Authentik admin console, under Applications > Outpost.

With everything set up, the last step is to validate your setup by using a RADIUS test client like NTRadPing. Simply enter your Authentik server IP, the shared secret, and test a user in combination with a TOTP token code.

Ensure the RADIUS client IP is listed within the “Client Network” field in the RADIUS provider configuration.

In the screenshot below, you’ll see a RADIUS Reject response because an incorrect TOTP code was entered. A correct TOTP will, of course, generate an Access-Accept response.

Another error: ‘Application can’t be started… (Instant Passthru could not be resolved)’ caused by the CWA upgrade.

by Leave a Comment

A while ago, I wrote a blog about the error message ‘Application can’t be started… (Instant Passthru could not be resolved)’ that we encountered when launching a published application from our Ivanti Workspace Control managed session. Recently, we received the same message again, but this time the cause was different.

Application can’t be started… (Instant Passthru could not be resolved)

Shortly after a relatively simple task—upgrading an outdated version of Citrix Workspace App (CWA) from 1912 LTSR to the slightly newer 2203 LTSR—we encountered some inexplicable issues that made it impossible to launch Citrix Published Apps via SelfService.exe.

Read More →

How to Prevent SQL Database Locks and Improve Performance

by Leave a Comment

Within a large environment where Ivanti Workspace Control is used in combination with a Microsoft SQL Database, the SQL Server has to handle numerous connections initiated by all the Ivanti Workspace Control Agents.To minimize the load and connections on the SQL Server, Ivanti introduced the Ivanti Relay Servers, which act as proxies for all agent connections to the SQL Server, thereby reducing the total number of SQL connections and the overall load.

While monitoring our Ivanti Relay Server, we noticed that a couple of times a day, the Ivanti Relay Servers started queuing all messages. The transactions folder filled up with transactions that weren’t forwarded to the SQL Server. The Ivanti Relay Servers have a built-in failsafe option, where they stop accepting new transactions when the queue exceeds 50,000 transactions. So, in a short period of time, all Ivanti Relay Servers went offline because they hit the 50,000 transaction threshold.

Read More →

Why SQL Tables Are Created with domain\username.tablename Instead of dbo.tablename

by Leave a Comment

Let’s start by stating I’m not a SQL DBA 😉 when it comes to databases, I’m just a user who needs a database for my applications 🙂 Lately, in various environments, we’ve been creating different Ivanti Workspace Control and Automation Manager databases. We simply request an empty database from the SQL department and are assigned DBO rights. Subsequently, we establish a connection to the database from Ivanti Automation Manager (for example) and handle the initial database setup within the application itself.

After initializing the SQL database, the user who performed the initialization can start Ivanti Workspace Control, for example, without encountering any issues. Another user, who has the same permissions (DBO) on the database, is unable to launch the application. The second user is able to access the SQL Database using SQL Management Studio, where they seem to have full control over the database.

Read More →

The Citrix Workspace App sometimes detects an incorrect keyboard layout on OSX.

by Leave a Comment

Apple OSX users sometimes experience an incorrect keyboard layout loaded within their Citrix session. As a result, special characters are often located in different places. The cause of this issue is that Apple has a different keyboard layout compared to Windows, leading to an Apple US-international keyboard being recognized as a Dutch keyboard in Windows.

How to identify your Apple keyboard layout by country or region

Some time ago, we conducted extensive research together with Citrix Support to investigate the cause of this issue and whether there are possibilities to change this behavior. Unfortunately, it has been found that this behavior cannot be changed through a central solution. This behavior can only be altered by making adjustments on a per OSX system basis. This guide provides detailed instructions on what needs to be adjusted.

Read More →

How to manage Windows ACL Permissions on a Synology

by Leave a Comment

For quite some time, I’ve been using Synology PhotoStation to manage all my family photos. Since I’m not the only user—my children also use the app—I thought it might be a good idea to set some permissions on the different folders. In general, I use three different groups: full control, read-write, and read-only. This way, my kids can access all shared family photos but can’t accidentally delete them. Setting access permissions within Synology Photos is somewhat limited, so I had to reorganize my folder structure to fulfill my needs. However, in the end, it worked out very well.

Last week, I decided to move over some additional photos and reorganize parts of my original folder structure. Thinking it would be quicker than using the web GUI, I accessed my photo share through SMB. Immediately, I noticed something wasn’t right. Folders could not be renamed, data couldn’t be moved, and so on. When I looked at the Windows ACL permissions, I noticed they were different from the permissions set in Synology Photos. In my case, most permissions were inherited from the root photos folder.

Read More →

Managing Citrix Clientname in Double-Hop Scenarios Using Ivanti Workspace Control

by Leave a Comment

We manage a Citrix farm where users primarily launch a full desktop environment. From there, they can also connect to other applications running in Citrix Silo’s or access external Citrix farms. As an user environment manager (UEM), we utilize Ivanti Workspace Control (IWC).

When a user logs onto the primary desktop, the endpoint hostname is utilized by Ivanti Workspace Control within that session. Based on the endpoint hostname, we can set specific configurations using features like “location and devices”. In a double-hop scenario, where a user launches a Citrix published application or another Citrix desktop from within the primary session, the hostname of the primary session server is used as the hostname in the secondary session.

Read More →

The Mystery of Why Citrix NetScaler Sometimes Fails to Load the StoreFront Page after Login

by Leave a Comment

Due to lifecycle management (LCM), we replaced several Citrix NetScaler appliances with new ones. Although we conducted thorough acceptance tests before putting them into production, unfortunately, we experienced an annoying issue once they were operational.

Some users complained that they saw a spinning progress bar after they successfully logged on to the Citrix NetScaler. It was only reported by a minority of users and was resolved by refreshing their web browser sessions. In the end, users stopped reporting the issue because it occurred infrequently and the solution was simple—just press F5. We initiated an investigation in the hope of completely resolving the issue.

Read More →