CTX130480 – Error: ‘An error occurred while making the requested connection’ when Launching Applications on a XenApp Kerberos-based Environment – Citrix Knowledge Center

Symptoms

When the users try to start an application in a XenApp Kerberos-based environment, the following error message appears on the browser:

“An error occurred while making the requested connection.”

The following error appears in the Application log of the Web Interface server:

Log Name: Application
Source: Citrix Web Interface
Date: <Date>
Event ID: 30102
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: wi54.amc.ctx
Description:
Site path: C:inetpubwwwrootCitrixKrb2.

The Citrix servers reported an unspecified error from the XML Service at address http://xa5.amc.ctx/scripts/CtxIntegrated/wpnbr.dll[com.citrix.xml.NFuseProtocol.RequestTicket].

Refer to the Logged Messages and Event IDs on Citrix web page for specific information about this message.

Cause

The issue is caused during the process where the XML broker is trying to request a logon ticket such that the Web Interface server can generate a launch.ica file successfully. In this scenario, the XML broker is returning an “unspecified” error in the ResponseTicket section, as displayed in the following screen shot:

The reason for this unspecified error is caused by an Anonymous Logon and NTLM authentication attempt being made to the XenApp server hosting the application, instead of Kerberos.

The following entry appears in the Event Log from the Security log of the XenApp server hosting the application:

Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: xa5-2.amc.ctx
Description:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: –
Account Domain: –
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x9c788
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: –
Network Information:
Workstation Name: XA5
Source Network Address: –
Source Port: –
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: –
Package Name (NTLM only): NTLM V1
Key Length: 128

When building a XenApp Kerberos-based authentication environment with Web Interface, the XML brokers must have XML shared with IIS in order to handle properly the Kerberos ticketing. By default, when you install XenApp with XML shared with IIS, the Identity account for XML service application pools are set to Network Service, as displayed in the following screen shot:

The Network Service account has minimum privileges on the local computer; hence, it cannot be used for Kerberos ticketing in this scenario. Refer to the http://msdn.microsoft.com/en-us/library/ms686005(VS.85).aspx">Service User Accounts web page of Microsoft MSDN library for more information.

Resolution

To resolve this issue, complete the following procedure:

1. Access the XenApp server that is being used as the XML broker on the XenApp Web site.
2. Change the identity account to LocalSystem from Advanced Settings for both XML service application pools, that is CtxAdminPool and CtxScriptsPool, as shown in the following screen shot:

1. Run the IISRESET command on the XML broker on which you made the change.
2. Restart the application to verify that the application works.
3. The Security log of the XenApp server hosting the application shows the following entry:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: <Date>
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: xa5-2.amc.ctx
Description:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: –
Account Domain: –
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: AMCadministrator
Account Name: Administrator
Account Domain: AMC
Logon ID: 0x95a965
Logon GUID: {16434083-ffe5-cf7d-fb76-504b8bd5b7b1}
Process Information:
Process ID: 0x0
Process Name: –
Network Information:
Workstation Name:
Source Network Address: –
Source Port: –
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services:
WI54$@AMC.CTX
HTTP/xa5.amc.ctx@AMC.CTX
Package Name (NTLM only): –
Key Length: 0

More Information

CTX127053 – Error: ‘An error occurred while making the requested connection’ when Launching Applications through Citrix Access Gateway / Web Interface
CTX123003 – Error: An error occurred while making the requested connection when Launching Applications from Presentation Server 4.0 Farm through Web Interface 5.2 and Earlier

This document applies to:

• Web Interface 5.3
• Web Interface 5.4
• XenApp 5.0 for Windows Server 2003 x64
• XenApp 5.0 for Windows Server 2003 x86
• XenApp 6.0 for Windows Server 2008 R2

Source: CTX130480 – Error: ‘An error occurred while making the requested connection’ when Launching Applications on a XenApp Kerberos-based Environment – Citrix Knowledge Center