Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetScaler Gateway

How To Troubleshoot Deployments of StoreFront and NetScaler Gateway

Citrix Synergy, May 2014

Juan Zevallos, Escalation Engineer

Tweet about this session with hashtag #SYN401 and #citrixsynergy

© 2014 Citrix. Confidential.2

Prevent issues during configuration

Narrow down the issue

Tools to troubleshoot the issue

Agenda

DISCLAIMER: Examples used in this presentation are from a test internal lab environment and is not affiliated with any outside entities


“” Alexander Graham Bell

“Before anything else, preparation is the key to success.”

StoreFront Configuration3 steps


Enable Pass-through from NetScaler GatewayStep 1


Add the GatewayStep 2


Enable Remote AccessStep 3


What is the Discovery file?

Automatically configure the Store Account into Receiver – receiverconfig.cr


How Do I Access the Discovery file?

Receiver for Web site StoreFront management console


What’s in a Discovery file?


StoreFront’s BaseURL

NetScaler Gateway ConfigurationQuick Configuration Wizard


How To Access the Wizard?


Create the Gateway


Bind SSL Certificate


Select the Authentication Settings


Configure StoreFront Settings


“” Coco Chanel

“Success is often achieved by those who don’t know that failure is inevitable.”


Understanding the Flow

StoreFront

NetScaler

INTERNET INTERNAL NETWORKDMZ

443443/80

443

XenAppXenDesktop

Active Directory

389/636

ICA 1494/2598STA 80/8080

ICA

443


Authenticating the End User

NetScaler

443

Active Directory

389/636



Failed to Authenticate


Common Reasons for Authentication to Fail

Communication issue from NSIP or SNIP to the Domain Controller

Bad Service Account used for LDAP Bind

Misconfigured Base DN

Invalid credentials


Troubleshoot Authentication with Aaad.debughttp://support.citrix.com/article/CTX114999

> shell

Run the following command to change to the /tmp directory:cd /tmp

Run the following command to start the debugging process:cat aaad.debug


Troubleshoot Authentication with Aaad.debughttp://support.citrix.com/article/CTX114999

start_ldap_auth attempting to auth juanz @ 10.12.33.216

recieve_ldap_bind_event receive ldap bind event

recieve_ldap_user_search_event built group string for juanz of:Domain Admins

send_reject sending reject to kernel for : juanz


Internal Server Error 29


Accessing StoreFront After Authentication

NetScaler

443

Active Directory

389/636


StoreFront443/80


Receiver for Web vs Receiver Session Policy

Receiver Session Policy

Receiver for Web Session Policy


How To See Policy Hitshttp://support.citrix.com/article/CTX138840

> shell

Run the following command to start viewing Policy hitsNsconmsg -d current -g pol_hits


How To See Policy Hitshttp://support.citrix.com/article/CTX138840

1 7001 30 1 0 pol_hits Policy(192.168.2.10_LDAP_pol)

3 0 28 1 0 pol_hits Policy(PL_WB_192.168.200.10)


Priority of Policies

The numerical priority takes precedence regardless of where the policy is bound.

Priority Order

User (highest priority)

Group

Virtual Server

Global (lowest priority)

Priority Number


Policy for the Web Browser



NetScaler

443

Active Directory

389/636


StoreFront443/80

443


Gateway logon page

StoreFront logon page


Remote Access is NOT Enabled


How Single Sign-On is Invoked on StoreFront


HTTP Header X-Citrix-ViaEnable StoreFront Verbose Logging - CTX139592


Cannot Complete Your Request


How Callback Can Fail

StoreFront cannot resolve the Callback FQDN

StoreFront does not have network connectivity to the Gateway virtual server Port or IP

StoreFront does not trust the Gateway virtual server SSL Certificate


Verify the Certificate Chainhttp://digicert.com/help


StoreFront Callback URL Dilemma

NetScaler 1ag1.webteam.com


StoreFront

? ?


Configuring StoreFront with Multiple GatewaysAn example of two Gateways configured with the same URL but unique Callback URLs

NetScaler 1 NetScaler 2

192.168.200.10 192.168.200.11

https://callback1.webteam.com https://callback2.webteam.com


DebugView and HTTP Headers


A New Header: X-Citrix-Via-VIP

https://callback1.webteam.com

X-Citrix-Via-VIP 192.168.200.10

X-Citrix-Via-VIP 192.168.200.11

https://callback2.webteam.com



StoreFront


DebugView and Callback Service


Apps Enumerated



NetScaler

443

Active Directory

389/636


StoreFront443/80

443

STA 80/8080

443ICA

XenAppXenDesktop


DebugView and STA Ticket Request


DebugView and STA Ticket Response

STA ID

STA Ticket


Analyze the Default.ica Values

40 = Port 259810 = Port 1494 STA ID STA Ticket


NetScaler Gateway and STA

STA ID

UP State


NetScaler Trace and STA

> shell

nstcpdump.sh -A host <IP address or FQDN> and port <port number>


NetScaler Request STA Ticket

<RequestData>

<Ticket ticketType="STAv4">

5F9EC00DA0ED19CCA447DEFDA802765A

</Ticket>

<TicketVersion>40</TicketVersion>

</RequestData>


NetScaler Response STA Ticket

<TicketData>

<Value name="Refreshable">false</Value>

<Value name=… ServerAddress;192.168.2.28:1494…;UserName;juanz;… UserDomain;webteam;…ApplicationName;Calculater…</Value>

<Value name="CGPAddress">192.168.2.28:2598:localhost:1494</Value>

<Value name="ICAAddress">192.168.2.28:1494</Value>

</TicketData>



NetScaler

443

Active Directory

389/636


StoreFront443/80

443

ICA 1494/2598

443ICA

XenAppXenDesktop


Communication from NetScaler to 1494/2598


What About Receiver?Supported Platforms

Windows 7/8/RT/Phone

Mac

Linux

Blackberry

Android

iOS


Common issues for Receiver

The StoreFront Store is inaccessible (internally)

Misconfigured StoreFront BaseURL in Session Profile for Receiver

Internal Beacon is reachable externally

Customizations on the Gateway logon page

iOS Receiver does not support SHA256 SSL Certificates

Android does not support SAN SSL Certificates

Enable Windows Receiver logging – CTX134101

http://support.citrix.com/article/CTX134101


Resources

How To Configure NetScaler Gateway with StoreFront – CTX139963

SSL Certificate Tester – Digicert Tool

How To Troubleshoot Authentication on NetScaler - CTX114999

How To Verify Policy Hits on NetScaler - CTX138840

How To Enable Verbose Tracing/DebugView on StoreFront - CTX139592

How To Enable STA Logging on XenApp - CTX120589

How To Capture nstrace from NetScaler CLI - CTX120941


http://digicert.com/help

http://digicert.com/help







Before you leave…

Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 8 at 9:00 a.m. • Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes

Download presentations starting Monday, May 19 from the My Event Planning tool

http://www.citrixsynergy.com/


WORK BETTER. LIVE BETTER.

Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetScaler Gateway

Technology

Transcript of Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetScaler Gateway