I was running through the steps outlined over at http://community.citrix.com/display/ocb/2010/09/07/XenApp+6+SDK+-+Remoting+via+PowerShell+Remoting the other day, and just wanted to comment on one thing that I came across.
I was beginning to get frustrated because I could not successfully run the Enable-XAPSRemoting command on my Citrix Server: it was telling me that it did not have a certificate to use for SSL communication. I installed the PowerShell SDK for XenApp 6. This server is a web interface, so I have IIS installed. I have an internal PKI, so rather than using a self-signed certificate as detailed in the Citrix forum, I installed a certificate from my internal CA via the IIS certificate wizard.
Now that I have this certificate installed, I should be able to enable XAPSRemoting, and remotely invoke the Citrix PowerShell cmdlets from computers in my domain over an SSL connection, right? Wrong (not yet anyway).
Issuing the Enable-XAPSRemoting command from the Citrix Server returns a response that I do not have a certificate to use for SSL which has CN=servername.domain.local in the subject, and has Server Authentication specified in the Enhanced Key Usage field. Did I screw up my certificate request and create a common name that does not match the FQDN? Is the certificate not in the right store?
First, I check that the certificate is there. Since I am already in PowerShell, I check the store from there: cd cert:\localmachine\my shows the certificate is there with the proper CN in the subject. Secondly, I fire up the Certificates snap-in from the MMC and view the certificate. Everything looks good there: it has “Server Authentication” in the Enhanced Key Usage field, which I am being told is required, and the subject has the proper CN=server.domain.local FQDN. The error message only states these two requirements for my certificate.
From the Certificates snap-in in my MMC, I request a computer certificate from my internal CA. Once it is installed, I run the Enable-XAPSRemoting command again, and it executes without error. Going back to view the certificates side-by-side, the only thing that I can tell is that the Enhanced Key Usage has both Server AND Client Authentication.
I am not sure how many people will run into this, but since there is very little information about the XenApp PowerShell SDK at this time, I thought it couldn’t hurt to provide this information.
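The side-by-side comparison described above can be done in one pass from PowerShell. The following is an added example, not code from the original post or from Citrix: it lists every certificate in the local machine's personal store and reports whether its CN matches the FQDN and whether its Enhanced Key Usage carries Server Authentication, Client Authentication, or both. The function name Get-CertEkuReport is hypothetical, and treating Client Authentication as relevant rests only on the post's observation, not on documented Enable-XAPSRemoting behaviour.

```powershell
# Added example: read-only audit of Cert:\LocalMachine\My.
# Get-CertEkuReport is a hypothetical helper name, not part of the XenApp SDK.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-CertEkuReport {
    param(
        # Assumption: the CN the cmdlet expects is this machine's DNS FQDN.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Gather the EKU OIDs; a certificate without the extension gives an empty list.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }

        # SimpleName resolves to the subject CN when one is present.
        $cn = $cert.GetNameInfo($nameType, $false)

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Thumbprint    $cert.Thumbprint
        $row | Add-Member NoteProperty SubjectCN     $cn
        $row | Add-Member NoteProperty CnMatchesFqdn ($cn -eq $Fqdn)   # -eq ignores case
        $row | Add-Member NoteProperty ServerAuth    ($ekuOids -contains $ServerAuthOid)
        $row | Add-Member NoteProperty ClientAuth    ($ekuOids -contains $ClientAuthOid)
        $row | Add-Member NoteProperty HasPrivateKey $cert.HasPrivateKey
        $row | Add-Member NoteProperty NotAfter      $cert.NotAfter
        $row
    }
}

Get-CertEkuReport | Format-Table -AutoSize
```

A certificate like the first one in the post would show ServerAuth True and ClientAuth False; the computer certificate requested afterwards would show True in both columns.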