Problem Definition
In some cases, the following message is displayed to the user after the hotfix AAC400W001 from CTX107166 was installed:
“Access denied
Your computer does not meet the minimum requirements for accessing corporate resources securely. Contact the system administrator for assistance.
Please quote Reference ID xxxx-xxxx-xxxx/CitrixLogonPoint (recorded at hr:min:sec)”
Environment
Troubleshooting Methodology
After the installation of the AAC400W001 hotfix, Advanced Access Control Option Logon Point was not accessible by users. The Logon Point would display a generic error such as the one mentioned above or simply show the generic “The page cannot be displayed” error message.
When the “The page cannot be displayed” error message appeared, the following residual hotfix installation issues were noted:
• All the Advanced Access Control Option services were set to manual and stopped
• On Component Services the “Access Gateway Enterprise Server” COM + Application was set to disable.
To display the logon point page the Advanced Access Control Option services was started, then the “Access Gateway Enterprise Server” COM + Application was enabled and started.
Then the generic “Access Denied” logon point error message was received.
To investigate this, the following was reviewed:
• Event logs: Application, System, and the CitrixAGE Audit logs. Application and System did not show any type error and CitrixAGE Audit did not show any information as Event Logging is not enabled by default in the Advanced Access Control Option farm.
• IISlogs from the W3SVC1 folder. Common log information.
• Using the Reference ID from the logon page and turning on Event Logging option in the farm we were able to get additional information on the End Point Analysis and Logon Point, however only a common information message was displayed in the CitrixAGE Audit logs event viewer page.
• Using our Common Diagnostic Facility (CDF), we captured a trace with all of the modules selected. As reference, here is the template used:
In reviewing the trace, the error that was most interesting was the following:
MSAM_WEBSVC_AuthService CDF_ERROR 3 AC='CitrixAuthService': Authentication.Application.CanShowLogonPageResult Unexpected Internal Error: Failed to register assembly 'Citrix.AuthenticationService.Server, Version=4.1.0.0, Culture=neutral, PublicKeyToken=78839bad31843db7'.
The above snippet mentions that there was an “Unexpected Internal Error: Failed to register assembly…” which was a good hint to go by.
.NET assemblies are stored in the Global Assembly Cache and can be viewed by using the.NET Configuration utility under Administrative Tools. There it was seen that Citrix.AuthenticationService.Server was already registered, so we thought maybe a corruption in the assembly?. Not likely!
A look at another location where that assembly needed to be registered “Access Gateway Enterprise Server” COM + Applications under Component Services showed that there were a few assemblies missing:
Citrix.AuthenticationService.Server assembly
Citrix.Msam.MasterSessionManager assembly
Citrix.Msam.SessionProcessInitializer assembly
• To find out why these assemblies did not get registered, the registry to HKEY_LOCAL_MACHINE\Software\Citrix\MSAM was opened and the following was found:
• Notice the install path is on C drive, but the WebServicesContentPath is on the E drive. So, is the install on the E or C drive? After examining with Windows Explorer it was ascertained that the correct install path was on the E drive, not C as stated in the registry.
• The problem became apparent once this was discovered. The hotfix install had made inappropriate changes to the registry causing the side effects mentioned above.
Resolution
Unfortunately the uninstall process of the AAC400W001 hotfix does not reverse the side effects it created, so some manual work needs to done:
Caution! This fix requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
1. Uninstall hotfix AAC400W001.
2. Restart and make sure that all Advanced Access Control Option services are started.
3. Enable and start the “Access Gateway Enterprise Server” COM + Applications.
4. Use a registry editor such as Registry Crawler from dcsoft.com to change all the paths. For example:
C:\Program Files\Citrix\Access Gateway Enterprise\
to
E:\Program Files\Citrix\Access Gateway Enterprise\
5. Copy the following assembly files from the Global Assembly Cache to a backup folder:
a. Open a command prompt window.
b. cd to %SystemRoot%\assembly\GAC
c. cd to Citrix.AuthenticationService.Server\4.0.0.0__78839bad31843db7
d. Copy citrix*.* \temp.
e. cd to Citrix.Msam.SessionManagement.Server\4.0.0.0__78839bad31843db7
f. Copy citrix*.* \temp.
g. Exit the command prompt window.
6. Open Component Services from Administrative Tools:
a. Expand the Component Services node > My Computer node > COM + Applications node > Access Gateway Enterprise Server.
b. Right-click Components, then click New > Component.
c. Choose Install new component(s) and pick both of the assembly DLLs from your temp folder, then choose Open.
d. The following window should be what is displayed.
e. Click Next to register those assemblies to your COM + Application.
Note: After the assemblies are registered you can safely remove them from the temp directory, if you wish to do so.
7. LogonPoint should be accessible and normal functionality restored.
Additional Information
An updated AAC400W001 hotfix will be available in article CTX107166.
