How to check which #NetScaler policy your #Citrix #Receiver or web browser hits?

April 18, 2013

Ok, this is a common issue that you'll run into when setting up Access Gateway access scenarios:

How do you know which policy is hit when your different Receivers are logging in?

Well, there are a couple of nice commands that can help you troubleshoot your access scenario! I guess that most of you have a simple scenario where you have one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, and they are all linked to the virtual server, something like this simple example:

[Image: AG_vServer_VIP]

But in more complex scenarios you may end up checking which browser the user is connecting with (to give nice error messages instead of the Citrix default messages when users use an unsupported browser etc.), or you may have multiple AD domains and AD groups to link different policies to. Then it gets complex: you have multiple policies and profiles for the same config with minor changes like the SSO domain name. So how do you troubleshoot that easily?

First we have the must-know command that hooks into the auth process of the NetScaler and gives you a view of the authentication process:

cat /tmp/aaad.debug

When you run that and you authenticate, you'll see the result of your auth process against, for instance, LDAP and RADIUS sources, like the result here when I logged in to our little environment:

[Image: aaad_debug_output]

At the top of the output you see all the AD groups that I'm a member of, which need to match the group that you want to use on the NetScaler side, and at the end you see the accept from AD for my authentication request.

Then you know that your authentication is OK, but which of the session policies are we hitting? For that you need to have a look at this great command:

nsconmsg -d current -g pol_hits

This is the output when I access using my Receiver on OS X:

[Image: nsconmsg_policy_hit]

#Citrix #StoreFront Slowness, Join and Replication issue – check list!

Ok, I guess that you may have seen issues with StoreFront before… and if you have not then good for U!

But in case you have experienced it, here are a couple of things that you can do that will hopefully solve your issue with slow StoreFront console startup, server join issues or replication issues. Sometimes I've seen that the join, replication and slowness is ok and the process goes through. But then all of a sudden you get an error and the propagation fails… and this can be because of a timeout in the StoreFront process that you've initiated.

I already assume that you've checked the basic stuff: that the servers can reach each other (ping server name and FQDN etc.) and that there are no FW issues.

You may have an issue because your server cannot reach the Internet. Some of the components of the product are signed with certificates, and StoreFront will try to check whether the publisher's certificate is ok or not. So if your servers are behind a proxy server, one that you usually configure in your browser to be able to connect from your company's internal network to the Internet, then you should do the following.

1. Log on to your first StoreFront server and create a copy of the original aspnet.config file under C:\Windows\Microsoft.NET\Framework\v2.0.50727 (verify which framework version your app is using in IIS and modify the appropriate aspnet.config file; more info about this change can also be found here and is for Web Interface but is also applicable to StoreFront)

2. Open Notepad as an Admin (if you have UAC enabled, of course) and open the aspnet.config file

[Image: Citrix_StoreFront_aspnet_config_file]

It will have the content shown in the picture above. Add this line to it: <generatePublisherEvidence enabled="false"/>
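
Steps 1 and 2 and the added line, done as a script from an elevated PowerShell prompt. This is an added example, not code from the original post; the `.orig` backup name and the variable names are assumptions, and the path is the one given in step 1.

```powershell
# Added example (not from the original post).
# Path is the one named in step 1; point it at the framework folder your IIS app actually uses.
$configPath = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet.config'
$backupPath = "$configPath.orig"   # backup file name is an assumption

# Step 1: keep a copy of the original file, without overwriting an earlier backup.
if (-not (Test-Path -LiteralPath $backupPath)) {
    Copy-Item -LiteralPath $configPath -Destination $backupPath
}

# Step 2: edit the file as XML instead of by hand, so the element lands
# inside <configuration><runtime>, which is where the CLR reads it.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

$runtime = $xml.SelectSingleNode('/configuration/runtime')
if ($null -eq $runtime) {
    # No <runtime> section yet: create one under the root element.
    $runtime = $xml.CreateElement('runtime')
    [void]$xml.DocumentElement.AppendChild($runtime)
}

# Idempotent: reuse the element if it already exists, otherwise add it.
$node = $runtime.SelectSingleNode('generatePublisherEvidence')
if ($null -eq $node) {
    $node = $xml.CreateElement('generatePublisherEvidence')
    [void]$runtime.AppendChild($node)
}
$node.SetAttribute('enabled', 'false')

$xml.Save($configPath)

# Show the resulting element and the backup for the change record.
$node.OuterXml
Get-Item -LiteralPath $backupPath | Select-Object FullName, LastWriteTime
```

With the element set to false the CLR no longer builds Publisher evidence from the Authenticode signature, so the signature and revocation check at assembly load is skipped for applications using this file; record the change so it can be reverted from the backup.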
