XenApp 6 PowerShell SDK: Enabling Remoting via Enable-XAPSRemoting

I was running through the steps outlined over at http://community.citrix.com/display/ocb/2010/09/07/XenApp+6+SDK+-+Remoting+via+PowerShell+Remoting the other day, and just wanted to comment on one thing that I came across.

I was beginning to get frustrated because I could not successfully run the Enable-XAPSRemoting command on my Citrix Server, because it was telling me that it did not have a certificate to use for SSL communication. I installed the PowerShell SDK for XenApps 6, this server is a web interface so I have IIS installed, I have an internal PKI so rather than using a self-signed certificate as detailed in the Citrix forum, I installed a certificate from my internal CA via the IIS certificate wizard.

Now that I have this certificate installed, I should be able to enable XAPSRemoting, and remotely invoke the Citrix PowerShell commandlets from computers in my domain over an SSL connection, right? Wrong (not yet anyway).

Problem

Issuing the Enable-XPSRemoting command from the Citrix Server returns a response that I do not have a certificate to use for SSL which has CN=servername.domain.local in the subject, and has Server Authentication specified in the Enhance Key Usage field.  Did I screw up my certificate request and create a common name that does not match the FQDN? Is the certificate not in the right store?

First I check that the certificate is there. Since I am already in PowerShell, I check the store from there cd cert:\localmachine\my shows the certificate is there with the proper CN in the subject. Secondly, I fire up the Certificates Snapin from the MMC, and view the certificate. Everything looks good there, it has the “Server Authentication” in the Enhanced Key Usage field, which I am being told is required, and the subject has the proper CN=server.domain.local FQDN. The error message only states these two requirements for my certificate.

Resolution

From the Certificates Snapin in my MMC, I request a computer certificate from my internal CA. Once installed, I run the Enable-XAPSremoting command again, and it executes without error. Going back to view the certificates side-by-side, the only thing that I can tell is that the Enhanced Key Usage has both Server AND Client Authentication.

I am not sure how many people will run into this, but since there is few little information about the XenApp PowerShell SDK at this time, I thought it couldn’t hurt to provide this information.

Citrix XenApp 6: An Error Occurred While Making the Requested Connection.

Today’s little doozy comes to you from the fine folks at Citrix and their product Presentation Server, I mean XenApp. 

Background

I installed XenApp 6 on my fresh installation of Windows Server 2008 R2, each role on its own server. I’ve got a license server, a web interface, and of course a Presentation ServerXenApp Server. I logged into my Citrix site grabbed a license and installed it on the new license server.

Problem

I go to launch my first published application (Notepad, of course), and I am presented with the following error on the web interface:

First of all, I look at the application event log for the web interface server to see if anything is logged there. To my luck, there is an entry that says:

Too busy? Really? Sounds unlikely, Notepad is the only thing that I’ve published on this server, and have only published it to myself. So I start my due diligence, telnet to the XenApp server on port 80 to see if the XML service is available. It’s up…so it’s not a communication problem. I go to the XenApp server and try to diagnose why it would be reporting that it’s so busy. There are no CPU or memory issues, so I check the Citrix load on the server. I have the PowerShell SDK installed, so I use the Get-XAServerLoad <ServerName> command to see what’s going on (the QFARM -LOAD command from the cmd.exe would have worked as well). I get a value of 20000!

Resolution

There are a number of reasons that your server could be reporting a load of 20000. For a good walk through of these reasons and explanations of possible causes, please go to the post over at zenapp.blogspot.com. My particular cause turned out to be the license I had installed on the License Server had its subscription advantage expire in 2009.  According to the above referenced blog, the SA date on the license must be 2010.0317 or later.

I went to MyCitrix portal, issued a new license. I had some difficulty installing the new license – copying the license to the server would give me a “Hostname mismatch” error. I verified, reverified, regenerated license files, but kept getting this hostname mismatch error while importing my license file. I went back to import the previous license file, which I knew would not server concurrent users, but was at least installable on the license server…and again got the hostname mismatch.

I am at my wits end with this license server…so I am about to scap it and start over. The whole deployment of the server only takes about 20 minutes after all. However, I decide to import a license with a valid SA date one more time, and reboot. After rebooting the license server dashboard shows the concurrent user license file installed with a valid SA. That’s progress!

I check the load on XenApp Server, and it’s still 20000. I rebooted the server (probably could have just restarted the IMA service), and checked the load again, and now it’s down to 0. Fantastic.I headed over to the web interface to launch Notepad, and it fires right up without error.

In summation – the SA Date on your concurrent user license MUST BE 2010.0317 OR LATER.

I ran into another quirky little issue in getting remote access to the XenApp 6 PowerShell SDK, but I’ll save that for another post.