How to debug the Citrix ICA error "The session limit has been reached"? - citrix

Apologies in advance for somewhat vague information. I am new to Citrix XenApp/XenDesktop technology and am just looking for generic troubleshooting information.
At my place of employment we have kiosks that are configured to connect to a SaaS webapp. These kiosks have either Citrix XenApp or XenDesktop installed.
One of the icons launches the IE browser that connects to the SaaS app using a preconfigured user account. Sometimes, however, instead of launching the browser, the system displays the "The session limit has been reached. Please contact your system administrator." error shown in the image below.
The people administering these kiosks think that this message comes from the SaaS web application, but that application does not enforce any limits on how many sessions are open for a given account at a given time.
Also considering how Citrix XenApp/XenDesktop works I would think (but maybe I am wrong) that if the SaaS app did reject a user login, we would be displayed an error message in Internet Explorer instead of this ICA prompt.
So I think that the issue here could be that the message is not about login sessions made to the background SaaS app but either about Citrix sessions or perhaps previous IE browsers somehow running in the background(?)
However our company's Citrix team looked at this and noticed that "Citrix was still active" when this prompt was displayed. The conclusion was then that Citrix is for that reason not the cause here.
So I wanted here to ask some questions on what things I could consider as causes and where I could look in the hopes of getting started on this issue.
This would be for XenApp / XenDesktop 7.18.
The questions I have:
Does XenApp / XenDesktop have log files that can be consulted for debugging issues like this?
Is it possible to get XenApp / XenDesktop to run in debug mode (to output more details to the log files)?
Does Citrix have configuration settings that could lead it to have an issue like this?

A. First check the event logs and see whether any events are generated when you face this issue.
B. Also, you can check the ICA configuration tool for session settings and check whether the session settings are set to NEVER.
C. The ICA listener configuration tool is located at Start > All Programs > Citrix > Administration Tools > ICA Listener Configuration.

You are on the right track with the SaaS application itself reporting the error. If this Citrix session was already active when the icon was clicked again and the preconfigured user was already logged into the SaaS application, that would account for this error. To investigate, log out of the Citrix session and try clicking the icon again, or check the SaaS application to see if that preconfigured user is already connected.
Is the same user used for all these kiosks or is each kiosk supposed to have a unique user? Can this preconfigured user log in multiple times?

Related

Prompting of credentials on Edge browser despite already logged in on client PCs

Some background:
We were accessing our RSA Archer application on IE 11 via SSO, and all has been well. But we are required to move on to Edge browser, and that's where we started having the Windows Security credential prompt coming out, whenever we tried to access the application on Edge browser.
The strange thing is, the application is able to load up on Edge properly, in the logged in state, and then the prompt will appear. We can just click on Cancel to close the prompt and we are able to use the application normally. All end users on their client PCs encountered the same problem.
We want to remove the credentials prompt. The RSA support team has confirmed it is not an issue of their product, since there's no problem over at IE. What we have done on our end on the servers:
Enabled SSL on our load balanced environment
Updated the web.config file of the application with the entry below:
<security mode="Transport">
    <transport clientCredentialType="Windows" />
</security>
Configure IIS settings to allow Anonymous Authentication instead of Windows Authentication for the application pages.
Will greatly appreciate some assistance or suggestions on how to move forward. Thanks!
Addon after investigation:
After finally being able to investigate via the development tool for this, we discovered that apparently the behavior of some components / JavaScript files was different on IE / Edge.
On IE, if the components / JavaScript files took too long to load, the request will fail (status 304) and retry until it succeeds (status 200).
On Edge, instead of failing, it will go into "Pending", and then the credentials prompt pops up, and usually there's more than one prompt. We suspect the number is based on the number of components / JavaScript files that are in "Pending". Clicking on Cancel on the prompt will cause the components to not load (status 304), and no retry will happen like in the case of IE.
Able to advise what's wrong? Is there a timeout in the Edge settings?
Open Edge's developer tools, go to the Network tab and see which request (URL) is prompting you for credentials. Then you can see what IIS has configured for its security.

The WSO2 IS Management console url does not seem to be effective

I have a WSO2 5.10 server behind an AWS elastic load balancer. Per my original question, "How can I change the management console port of a wso2 is server using deployment.toml file changes", I modified the template and the server starts and correctly reflects the new management console url in the log file. When I log into it, it also indicates that I have logged in, but the browser simply redirects back to the logon page. Further, the original carbon management url is still active and functional. For example, logon.domain.com is the host name, idp.domain.com is the management url. Both display the carbon management screens, but the idp.domain.com url does not seem to function. No logs other than acknowledging the logon are apparent. This is a multi tenant setup, and all of the tenant logons work fine.
Any thoughts on diagnosing this would be much appreciated.

Can not log in to Management Console

I have set up JBoss Fuse, created a fabric and installed the fabric:web feature as explained in the resource Using the Management Console. I can browse http://hostName:8181 and it shows the Management Console login screen.
However, whichever user/pass combination I try, the response is "Failed to log in, Forbidden". It also shows an icon with an exclamation mark, when I click that I see the following messages appear:
[Branding] enabled branding
[Core] Management Console started
That does not help much either. How do I know what login combination I should use? It is not clear to me what I am logging into in the first place.
In your fuse install folder under /etc there is a file called user.properties. Is the user admin with password admin filled in? If not, then at least admin user should be allowed.
If yes, try simply restarting the server. I am not sure why, but that has helped in some cases for me. Do an osgi:shutdown and then start it again.
Have you tried admin/admin?
I believe those are the default credentials.

Get Logged On User IBM Personal Communications in VBScript Macro

We Use IBM Personal Communications iSeries Access for Windows version 6.0. When you launch the program you initially get a Log on Prompt that lets you enter a server, user name and password.
It then gives you the log on screen to the server itself and you have to log on a second time. Between the two log ons I'm trying to work out a "Startup Macro"
I don't have anything in it right now because I cannot figure out how to get ONE particular value from the Session, the USER NAME.
I can get the screen title, session name, macro name, but I can NOT for the life of me figure out how to get the user name. I've tried every possible combination of strings and "variable" names I can think of, and nothing.
I've searched the web and all I can ever find is how to record and auto logon to the green screen which is not what I want.
To be clear I just need the Username used to logon to the Personal Communications iSeries Access for Windows program, pre green-screen logon.
It's important to note that IBM i Access for Windows is much more than just the 5250 emulator. There's an ODBC driver, a printer emulator, AFP printer drivers and the graphical Navigator for i. That IBM i signon popup doesn't come from the 5250 emulator. It comes from a lower level IBM i Access for Windows process. Try it yourself. Reboot the PC. Don't start the emulator. DO start IBM i Navigator for Windows. You'll get the signon popup.
It looks like you are trying to automate a 'no signon' signon. The user name is probably stored in the registry, depending on the version of Windows you are using and the version of IBM i Access for Windows.
Windows 7: Start > All Programs > IBM i Access for Windows > IBM i Access for Windows Properties. Choose the Administration System tab and you'll see the server and user.
HKCU > Software > IBM > Client Access Express > CurrentVersion > AS400 Operations Navigator > Application Administration > CurrentAdminSysUser > My Connections
I think, for this, you need to get into the ActiveX Control that comes with iSeries Access. This little C# snippet should work:
// cwbx.dll must be referenced by the project.
AS400System sys1 = new AS400System();
sys1.Define("mySystemNameHere");
// Connect only if no service is connected yet.
if (sys1.IsConnected(cwbcoServiceEnum.cwbcoServiceAny) != 1)
{
    sys1.Connect(cwbcoServiceEnum.cwbcoServiceTelnet);
}
// Read the user ID of the connection, then drop all services.
String user = sys1.UserID;
sys1.Disconnect(cwbcoServiceEnum.cwbcoServiceAll);
You'll need to find cwbx.dll and add it as a reference to your project.
If the user is already connected from another application, no dialog will appear. The program will connect, get the connected user id, and then disconnect. If the user has never connected since logging in, then a logon dialog will appear.

'DefaultAppPool' is being automatically disabled due to a series of failures

Having a tough time with this issue. Not sure how but my ApplicationPoolIdentity is broken.
Currently I'm running IIS 8 on Windows 8 with Visual Studio 2012. When trying to debug an application from Visual Studio, or just navigating to the site in a browser I get the following error logged and a 503 error.
Application pool 'DefaultAppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
If I check out the Application error logs, I find the following error from the User Profile Service.
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
DETAIL - The system cannot find the path specified.
Upon looking into the details I find that the User Profile Service is trying to load up a profile with the Id
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Now I opened up the registry to try and find the profile with that UserId. However there's nothing in the Profile list that helps.
So digging around a little more I've found that this issue can be resolved by either
A) Set the Load User Profile of the Application Pool to false.
B) Use a different account for the application pool.
C) Fix the account.
Seeing how this is the built-in account, I'd prefer to fix the issue rather than fix the symptom.
What I have tried
aspnet_regiis -i
Removing IIS from windows and reinstalling.
Attempted to follow the guide here but I don't know the account password :P
My hunch
Somehow the ApplicationPoolIdentity got messed up. Are there any physical folders for the built-in accounts? I know that the Network and Local service profiles' physical directories exist at C:\Windows\ServiceProfiles\. Is it possible to recreate the ApplicationPoolIdentity profile? Or am I way off on what the real issue is?
C) Here is what I did to fix the account:
Go in regedit to the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There is a setting called "Default". You have to make sure that the data value points to an existing directory on the drive.
By default it contains "%SystemDrive%\Users\Default". In my company the default is changed to a custom profile. Somehow, someone deleted that user profile. So when the DefaultAppPool user tried to create an account for himself, it was unable to do so because Windows could not provide him with a default user profile.
You can also diagnose this error when looking at the Event Viewer under the Application folder. You will get a message of that type:
Windows cannot find the local profile and is logging you on with a temporary profile. changes you make to this profile will be lost when you log off.
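
A read-only PowerShell check for the condition this answer describes, added here as an example and not part of the original post: it verifies that the "Default" value under ProfileList resolves to an existing directory and lists the profile entries for application pool identities (SIDs starting with S-1-5-82, as in the question). The function name Test-ProfilePath is hypothetical.

```powershell
# Added example, not from the original answer. Reads the registry only.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-ProfilePath {
    # Hypothetical helper: expand %VAR% references and test for a directory.
    param([string]$Name, [string]$RawPath)
    $expanded = if ($RawPath) {
        [Environment]::ExpandEnvironmentVariables($RawPath)
    } else { $null }
    [pscustomobject]@{
        Entry    = $Name
        Raw      = $RawPath
        Expanded = $expanded
        Exists   = [bool]($expanded -and
                          (Test-Path -LiteralPath $expanded -PathType Container))
    }
}

$key = Get-Item -Path $profileList

# 1. The template directory that new profiles are created from.
#    Read it unexpanded so a literal %SystemDrive% is visible in the report.
$rawDefault = $key.GetValue('Default', $null, 'DoNotExpandEnvironmentNames')
$results = @(Test-ProfilePath -Name 'Default (template)' -RawPath $rawDefault)

# 2. Profiles registered for application pool identities (S-1-5-82-*).
$appPoolKeys = Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-82-*' }
foreach ($sub in $appPoolKeys) {
    $raw = $sub.GetValue('ProfileImagePath', $null, 'DoNotExpandEnvironmentNames')
    $results += Test-ProfilePath -Name $sub.PSChildName -RawPath $raw
}

$results | Format-Table -AutoSize -Wrap

if (-not $results[0].Exists) {
    Write-Warning "ProfileList 'Default' does not point to an existing directory."
}
if (-not $appPoolKeys) {
    Write-Warning 'No S-1-5-82-* entry found: no app pool profile has been created.'
}
```

A missing template directory together with no S-1-5-82 entry matches the situation in the question, where the SID from the User Profile Service error had no ProfileList entry.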