In that post he touches on what's actually happening:
Cause: The error, 0x80244010, means WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS and happens when a client has exceeded the number of trips allowed to a WSUS server. We have defined the maximum number of trips as 200 within code and it cannot reconfigured. A “trip” to the server consist of the client going to the server and saying give me all updates within a certain scope. The server will give the client a certain number of updates within this trip based on the size of the update metadata. The server can send 200k worth of update metadata in a single trip so it’s possible that 10 small updates will fit in that single trip. Other larger updates may require a single trip for each update if they exceed the 200k limit. Due to the way Office updates are published you are more likely to see this error if you’re syncing Office updates since their metadata is typically larger in size.
I've bolded the more important information. This is hardcoded and cannot be reconfigured. This, to me, is a bit ridiculous that it can't be reconfigured.
I have a WSUS client where we 'reset' the Windows Update client. After resetting the client we were getting an error "WARNING: Exceeded max server round trips: 0x80244010". We would try multiple times but this error wouldn't go away and prevented us from running Windows Update on this system. So I started to investigate. The first thing I did was finish reading that blog entry. Hornbeck continues:
The client takes these new updates as they trickle down and inserts them into a small database to cache them for future use. So during the first client synchronization with WSUS the client may get 75% of the available updates, put them into the database, and then fail at some point due to the number of max trips being exceeded. The good news is the second synchronization cycle will not need to start from the beginning since the client has already cached 75% of the updates into its database. The second cycle will pick up where it left off and most likely finish getting all the updates from the server. There have been a few rare cases where a third scan cycle is needed but more often than not two is sufficient.
Again, I have bolded and underlined the important parts.
I started my investigation by trying to replicate the problem. I started up Windows Update and 'checked for updates'.
Ok, no problem. So I checked again.
Well, Hornbeck/Tindale did say it may take a couple passes. Let's try again.
I'm getting worried now... Let's try a fourth time.
Hmmm... At this point I wanted to better understand what Windows Update was doing. I originally installed Wireshark to trace the conversation but it was difficult and time consuming to try and count the traffic back and forth to the WSUS server. So I reverted my system and installed Fiddler2 on it.
From the video you can actually see the traffic from the WSUS server. The request for the 'Updates' starts at item 3 and completes at 203. Exactly 200 round trips.
Since my previous Windows Update attempts at the WSUS server failed after a few tries I thought I would trace the traffic with Fiddler for the multiple attempts. My logic was I wanted to know if the traffic was 'looping'; repeating itself and getting to the limit preventing updates. Or, would each send/receive be unique and thus, simply, more is needed?
The first bit of the first run. If the second run as identical or near identical traffic 'packet sizes' I would be concerned it's looping...
I reset Fiddler and started the second run. Completely different!
When I started the second run I was happy to see it was a completely different result. I cleared Fiddler for a 3rd time ran the 'Check for Updates' until it timed out again, and cleared Fiddler again. I then thought to just let Fiddler capture everything. There really is no need to clear it each time. I monitored the Fiddler output looking for loops or patterns. The update check timed out a forth time (as before). There was no looping I could see.
Finally, on the fifth run:
Updates! We have updates!
In the end, when the Microsoft blog post was written (2008) there probably was only enough updates that two or three passes would go through all of them. As time as gone on and more and more updates have been deployed to systems this hardcoded maximum is doing a huge disservice. Our Windows 2008R2 SP1 systems require FIVE passes of clicking/waiting/clicking/waiting/etc.
A natural solution to this is to expose the "max server round trips" variable and allow it to be programmed by the organization according to their needs. The present state of this issue is unnecessarily confusing and arbitrarily limited.
I was given a new application to sequence:
Logibec's eClinibase.
This application has some restrictions:
1) It has an updater that will pull down .exe's
2) It won't launch from a script in the bubble. Example:
cmd.exe /appvve:%PACKAGEGUID%_%VERSIONGUID%
cd /d C:\Logibec\eClinibase\ilgi11
eclinibase.exe
Will crash.
I'm going to address point 2) first because it's weird and interesting.
Why does it crash? Because, somehow, it breaks out of the bubble. The reason it crashes is it looking for some registry keys that don't exist outside the bubble and it explodes. The keys it looks for are:
On a local install if I delete the environment keys that matchup to the folder we're launching eClinibase from, I get the same error. Since those keys don't exist outside the bubble, we get the same error... Which means it's trying to look outside the bubble for some reason. Powershell, however, works correctly but only if the exe is called directly:
However, we CAN get it to stay 'in the bubble' if we launch the eClinibase.exe with the /appvve: switch.
This is the first time I've ever encountered this where launching the application from a command prompt inside the AppV bubble fails, but it will work if you launch the exe with the /appvve: switch.
So that's weird that we need to launch it specifically that way, but it appears to work so I guess that's a limitation we have to roll with.
So how do we address point 1)?
I've used this technique before and it works here. We will create a directory symlink to a network file share where the users will have full permission to update the application. Since these updates occur 'as needed' the different environments may update at different times, this keeps them in sync across all of our Citrix servers since they will all point to the same location.
I add the mklink command the DynamicDeploymentConfig.xml:
When launching a Citrix application a user was getting a the 'Citrix launch bar' then, after a few seconds, it would immediately go away. Checking the Application log in the event viewer displayed these entries:
The winlogon notification subscriber TermSrv failed a critical notification event. Event ID 6001
The winlogon notification subscriber Sens failed a notification event. Event ID 6004
The root cause?
A faulty path for the homedrive AD attribute:
See that 'Connect' H: To 'Path'? That was a bad path.
Removing the attribute or fixing it so that it pointed to a path that the user has access to and exists resolved our issue immediately.
We are still in a pilot-preupgrade phase of Citrix Director 7.7 and found an issue where we were getting artifacts with IE11. The artifacts manifested themselves like so:
This is wrong.
When the search box should look like this:
This is right.
This issue appears to be caused by a policy our organization uses to enable compatibility view for sites on the Local Intranet:
The Culprit
Citrix says the following about Director and 'Compatibility View':
Because we use a group policy to push this setting out, disabling it and re-enabling it on a site-per-site configuration isn't acceptable. There is an option to set the 'zone assignment' of our Citrix Director server to be on 'Trusted Sites' instead of 'Local Intranet' but this would be another policy that would have to be pushed out to the ~80,000 workstations we have. Instead, there is another option. We can edit the default.html file in the Citrix Director folder and add a line in the section to tell IE to exclude this site from compatibility mode. To execute this:
Edit the Default.html file ("C:\inetpub\wwwroot\Director\default.html") and add this line:
To the 'head' section. Example:
Add the line around here
Delete your cache and now your website will work without issue.
Citrix has 'replaced' Edgesight with a new tool called Citrix DesktopDirector. It's a monitoring tool that provides help desk or other type of technicians with data on what's going on in user sessions (when referring to XenApp). Although vastly inferior to ControlUp, it is free.
But it's not without poor documentation and its own tales of woe. We have Citrix DesktopDirector 2.1 currently live in our environment. Our environment is purely XenApp 6.5 (at the moment).
For version 2.1, logins are incredibly slow. Enumerating any sort of information on DesktopDirector is horribly slow. It's just incredi-bad.
Enter Citrix Director 7.6 7.7; lots of promises to overcome the failings of the previous version.
First, installing Citrix Director 7.7 for XenApp 6.5:
1) Launch the AutoRun (AutoSelect.exe) installation file
2)
Select ‘Start’ for XenApp
3)
Select ‘Citrix Director’
4)
Agree to the licensing agreement and click ‘Next’
5)
Select ‘Next’
6)
Without entering any information, select ‘Next’
7)
Select ‘Next’
8)
Select ‘Next’ for the firewall rules
9)
Select ‘Install’
10)
Wait for the install to complete
11)
Open IIS Manager on the Director Server. Select the Director site under Default Web Site and double-click on ‘Application Settings’
12)
Under ‘Actions’ click ‘Add'
13)
For ‘Name’ enter ‘Service.AutoDiscoveryAddressesXA’ and for value put the IP of the local ZDC server
14)
If you are not setting up certificates on the server for SSL, you can disable the SSL verification by changing the UI.EnableSslCheck to false.
15) Reset IIS from the command line.
16)
On EACH XenApp server, install the Director WMI Provider (DirectorWMIProvider_x64.msi for 64bit OS's and DirectorWMIProvider_x86.msi for 32bit OS's). No reboot is needed, it takes effect immediately.
17) Enable WinRM on each XenApp server. In a command prompt run:
'winrm qc'
18) Configure WinRM with the appropriate permissions:
ConfigRemoteMgmt.exe /configwinrmuser HEALTHY\DesktopDirector.TST /all
**A NOTE ABOUT CONFIGREMOTEMGMT.EXE**
Ensure you use the latest version you can find. For XenApp/XenDesktop 7.7 the version that comes with it is:
It has been revised as time has gone on and numerous bug fixes have been implemented. We implemented a script to update our WinRM so all of our XenApp servers would have the user configured. We didn't include checking, we just assumed if a group was added it would not be added again. With an older version of ConfigRemoteMgmt.exe this was an incorrect assumption and our WinRM SDDL became so large that the command line that ConfigRemoteMgmt.exe generates for winrm.cmd breaks the command line. You see, ConfigRemoteMgmt.exe is also a front end to "C:\Windows\system32\winrm.cmd". Here is the command it generates:
C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\winrm.cmd" set winrm/config/service @{RootSDDL="O:NSG:BAD:P(A;;GA;;;S-1-5-21-38857442-2693285798-3636612711-99999999)(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"}"
The part I bolded is the GUID of the object you pass in the /configwinrmuser. The ConfigRemoteMgmt.exe takes your object and converts it to a GUID and then sets the SDDL using the native Windows tools. The bug in a pervious version of this tool is that it would add another GUID, even if one already existed. So in the buggy version the next command would be this:
C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\winrm.cmd" set winrm/config/service @{RootSDDL="O:NSG:BAD:P(A;;GA;;;S-1-5-21-38857442-2693285798-3636612711-99999999)(A;;GA;;;S-1-5-21-38857442-2693285798-3636612711-99999999)(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"}"
And so on. Eventually, this causes WinRM to fail and it will just hang at this point:
To check your WinRM Root SDDL, execute this command:
"C:\Windows\system32\winrm.cmd" get winrm/config/service
If you have an output similar to this, then you have a problem:
Fortunately, it's a super easy fix. If you run the command with a single GUID it all gets reset:
C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\winrm.cmd" set winrm/config/service @{RootSDDL="O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"}"
And now you can execute the ConfigRemoteMgmt.exe command again. The new version of ConfigRemoteMgmt.exe doesn't seem to just 'stack' the new version on top.
/**A NOTE ABOUT CONFIGREMOTEMGMT.EXE**
Now that you have WinRM configured, Director installed, you login and it works. So you try with a HelpDesk account and it fails:
In order to trouble shoot this, we need to turn logging on for Director. To do so, go into IIS Manager Console, to the 'Director' Site, and double click on Application Settings. Turn on the following "Log." settings:
Now, create the folder you specified the log will be captured in and set the following permissions on it:
Note: The permissions are %COMPUTERNAME%\IIS_USERS
Restart IIS and attempt to login again. You should get a log file generated with content. A failed login had this output:
And a succesful login had this output:
I highlighted the lines in the successful output that showed the command succeeding and the output from that. So why did this fail? The one account "adtest91" is setup as a 'help desk' style account and has 'custom permissions'; essentially 'View-only' but with some categories removed altogether. Could this be permissions based? The odd thing is DesktopDirector 2.1 works without issue with this exact same configuration.
Fortunately, Citrix tries to make this easy to troubleshoot. I will login to the ZDC and start a Citrix PowerShell session with "adtest91" and run the command it supposedly fails on:
Well, at least it appears consistent. So, apparently, we need to get this command working. My first try at troubleshooting was to login to the AppCenter console, go to Administrators and get properties on this account, and change it's 'Privileges' from Custom to Full:
When I attempted to login it worked! So it's definitely a permission issue. I went back to Powershell and executed the same command:
Success!
So if the Powershell command specified in the log file works then 'Director' should work, and so far that is what it looks like. Now I wanted to narrow down *which* permission does this as we do not want our Help Desk to have full control over the farm. The, very obvious, first thing that stood out was:
"Edit Zone Settings." We are having issues enumerating Zones, perhaps this setting enables you to *read* zones? I enabled this setting and retested:
Success! And our 'Help Desk' account can now login to Director.
We don't really want Help Desk to have the ability to 'Edit' Zones but I don't see a 'Read-only' permission so we may have to live with it.
So now we've logged into Director and we enumerate an account but we get this message:
Cannot retrieve the data. Cannot find the referenced object. View Director server event logs for further information.
The IIS logging shows:
Citrix.Dmc.Common.NotFoundException: Exception of type 'Citrix.Dmc.Common.NotFoundException' was thrown.
at Citrix.Dmc.Connector.WinRMConnector.WinRMWqlQueryExecute(String query, String wqlUri)
at Citrix.Dmc.Connector.WinRMQueryThrottle.ExecuteQuery(String query, String wqlUri, Int32 timeout, Nullable`1 refreshTimeoutInSec, WinRMQueryInvoker invoker)
at Citrix.Dmc.Connector.WinRMConnector.WinRMWqlQuery(String query, String wqlUri, Nullable`1 refreshIntervalInSec)
at Citrix.Dmc.Connector.WinRMConnector.WinRMWqlQuery(String query, String wqlUri)
at Citrix.Dmc.Common.ConnectorWrapper`1.Invoke[TReturn](Func`2 method)
--- End of inner exception stack trace ---
at Citrix.Dmc.Common.ConnectorWrapper`1.Invoke[TReturn](Func`2 method)
at Citrix.Dmc.WebService.Wmi.WinRMConnectorQuery.ExecuteSelectQuery(String resourceUri, String className, String[] attributes, String whereClause, Nullable`1 timeoutInSec)
at Citrix.Dmc.WebService.Wmi.VDAMachineDao.ExecuteSelectQuery(String resourceUri, String className, String[] attributes, String whereClause, Nullable`1 timeoutInSec)
at Citrix.Dmc.WebService.Wmi.VDAMachineDao.GetRunningApplicationsData(String sessionId)
at Citrix.Dmc.WebService.XAConsoleDao.GetRunningApplicationsData(String farmId, String machineId, String sessionId, Boolean detailed)
at Citrix.Dmc.WebService.ConsoleService.GetRunningIMAApplicationsData(String farmId, String machineId, String sessionId, Boolean detailed)
01/14/2016 08:42:30.5628 : [t:9, s:tnccy45w1lfhxwkzaq0m0geh] Fault mapper Convert method called
01/14/2016 08:42:30.5628 : [t:9, s:tnccy45w1lfhxwkzaq0m0geh] Service exception is mapped to fault error code 104
01/14/2016 08:42:30.5628 : [t:9, s:tnccy45w1lfhxwkzaq0m0geh] Fault mapper Convert method returning
01/14/2016 08:42:30.5784 : [t:9, s:tnccy45w1lfhxwkzaq0m0geh] DmcWebErrorHandler channel level error
System.ServiceModel.FaultException`1[Citrix.Dmc.WebService.DmcServiceFault]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Citrix.Dmc.WebService.DmcServiceFault).
]]>
-->
And the event log shows:
The requested data could not be found in the data 'The virtual desktop via WinRM service reported an exception. See the event log for more information.' ('http://WSCTXZDC301T.healthy.bewell.ca:5985/wsman').
User: 'HEALTHY\adtest91' Console operation: 'Retrieving running application details for IMA Session…' Additional information: 'Exception of type 'Citrix.Dmc.Common.NotFoundException' was thrown.'
When I got this message with my 'Administrator' account I installed the Director WMI Provider and it started working. But with this 'limited' user account I was getting an this error. Amazingly, this error goes away as soon as a user logs in to Citrix Director webpage, who would also be a local administrator on the Director server. After searching and searching and troubleshooting and scanning and trying various things to get this working, the only thing that would work was to grant our Director group admin privileges on the Director web server. I finally stumbled across another article that reaffirmed that the only solution is to have the users be local admins on the web server.
winrm get winrm/config -r:%server% -- Non-administrator user gets access is denied making WinRM queries
This error, though, is only if you set Connector.WinRM.Identity as 'User' and those users are not Administrators. The fix, is to put your users into a group and make them a local admin on the Director server.
