I was running through the steps outlined over at http://community.citrix.com/display/ocb/2010/09/07/XenApp+6+SDK+-+Remoting+via+PowerShell+Remoting the other day, and just wanted to comment on one thing that I came across.
I was beginning to get frustrated because I could not successfully run the Enable-XAPSRemoting command on my Citrix Server; it was telling me that it did not have a certificate to use for SSL communication. I installed the PowerShell SDK for XenApp 6. This server is a web interface, so I have IIS installed, and I have an internal PKI, so rather than using a self-signed certificate as detailed in the Citrix forum, I installed a certificate from my internal CA via the IIS certificate wizard.
Now that I have this certificate installed, I should be able to enable XAPSRemoting and remotely invoke the Citrix PowerShell cmdlets from computers in my domain over an SSL connection, right? Wrong (not yet, anyway).
Problem
Issuing the Enable-XAPSRemoting command from the Citrix Server returns a response that I do not have a certificate to use for SSL which has CN=servername.domain.local in the subject and has Server Authentication specified in the Enhanced Key Usage field. Did I screw up my certificate request and create a common name that does not match the FQDN? Is the certificate not in the right store?
First, I check that the certificate is there. Since I am already in PowerShell, I check the store from there: cd cert:\localmachine\my shows the certificate is there with the proper CN in the subject. Second, I fire up the Certificates snap-in from the MMC and view the certificate. Everything looks good there: it has “Server Authentication” in the Enhanced Key Usage field, which I am being told is required, and the subject has the proper CN=server.domain.local FQDN. The error message only states these two requirements for my certificate.
Resolution
From the Certificates snap-in in my MMC, I request a computer certificate from my internal CA. Once it is installed, I run the Enable-XAPSRemoting command again, and it executes without error. Going back to view the certificates side by side, the only difference that I can tell is that the Enhanced Key Usage has both Server AND Client Authentication.
I am not sure how many people will run into this, but since there is very little information about the XenApp PowerShell SDK at this time, I thought it couldn’t hurt to provide this information.
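
The side-by-side comparison described above can be done in one pass from PowerShell. The script below is an added example, not part of the original post or of the Citrix SDK. It lists each certificate in Cert:\LocalMachine\My with its CN, whether that CN matches the server's FQDN, and which of the two Enhanced Key Usage purposes it carries. It assumes the FQDN is the name DNS returns for the local computer name, and it uses only constructs available in PowerShell 2.0.

```powershell
# Standard EKU object identifiers for the two purposes compared in the post.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Assumption: the FQDN expected in the subject is what DNS returns for this host.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # SimpleName normally resolves to the CN of the subject.
    $cn = $cert.GetNameInfo($nameType, $false)

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        CN            = $cn
        MatchesFqdn   = ($cn -eq $fqdn)          # -eq is case-insensitive for strings
        ServerAuth    = ($ekuOids -contains $serverAuthOid)
        ClientAuth    = ($ekuOids -contains $clientAuthOid)
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
    }
} | Select-Object CN, MatchesFqdn, ServerAuth, ClientAuth, HasPrivateKey, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

In the situation described in the post, the certificate issued through the IIS wizard would show ServerAuth as True and ClientAuth as False, while the computer certificate would show True for both.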