Product Documentation

Troubleshoot

Feb 26, 2018

Active Directory integration issues in the License Server VPX

These are the most commonly encountered errors during integration of the License Server VPX to Active Directory:

  • ERROR: Cannot find user
    The domain user account being used is not found in the target domain.
    Trust domains are not supported. You might see this error if a user belongs to any trusted/parent domain and is not a part of the target domain.
  • ERROR: User does not have access
    Ensure that the domain user has the right privileges to join the machine to Active Directory.
    For more information, see this article: https://support.microsoft.com/en-us/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con.
  • ERROR: Cannot contact the domain
    Correct the domain name or check if the domain is reachable from the License Server VPX and fix any network related issues.
  • ERROR: User has insufficient permissions to join the domain
    The account does not have the privileges required to join a machine to Active Directory.
    For more information, see this article: https://github.com/BeyondTrust/pbis-open/issues/51.

For any other errors, see this article for details: https://github.com/BeyondTrust/pbis-open/issues.
 

Keytab creation issues in the License Server VPX

If you see any issues during the keytab creation, follow the instructions below and retry :

  1. Ensure that you have elevated permissions when executing the ktpass.exe command.  Run the cmd prompt as Administrator.
  2. Ensure that the User Account Control (UAC) restrictions are minimal.
  3. Ensure that all password requirements are met. For example, password filters aren't blocking password characters on the target domain and you are specifying a supported number of characters.
  4. Retry the command by adding the domain to account used in the -mapuser argument.  Use a  user principal name (account@domain.com) or a down-level logon name (domain\username).
  5. Ensure that the account being used is a member of the target domain and not of a trusted or parent domain.
  6. Add the -target argument to the command and pass the domain name.
    1. Ensure that the account used in the -mapuser argument is a service account created solely for this purpose.
    2. Ensure that the first name, last name, and the service account name for the account are the same.
    3. We recommend that you name the account with the name of the License Server VPX name to ensure that uniqueness is maintained during mappings.

See the Microsoft ktpass command article for more details: https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx.

Troubleshoot cluster-enabled license servers

Important

If any of the licensing services fail to start, the cluster detects that licensing is offline and attempts to restart the service three times (by default). If these attempts are unsuccessful, fail-over to the next node is initiated and the cluster attempts to start the services on the second node. If the attempts fail on the second server, the process may enter into an infinite loop. In this case, the computers running Citrix products fall into the grace period. During the grace period, client connections are not affected.

When troubleshooting a cluster-enabled license server, try the following:

  • If you move the resources to the other node, do you still see the issue?
  • Did you check the Use Network Name for Computer Name check box in the Microsoft Cluster Server? See http://support.microsoft.com/kb/198893.
  • If the installation fails, ensure you don't enable the User Account Control (UAC) when installing on a cluster.
  • For Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016:
  1. In the Failover Cluster Management window, from the left pane, select the cluster. In the middle pane, the summary information for the cluster appears.
  2. Click the Cluster Core Resources title to expand the section.
  3. Verify that the cluster resources are all online (green arrow).