Some WEMs Agent are failing to check in with WEM Broker
Article ID: CTX225352
Updated On:
Description
Many WEM Agents do not check in with the WEM Broker Server and they are missing from the Agent List inside of the WEM Administration Console.
For example, this screenshot shows only 4 Agents checking in but dozens more WEM Agents are configured and should be present in this list:
The Debug logs on the WEM Agent also shows the following errors:
"Exception -> ConfigurationDataSourcesHelper.CheckAgentBrokerServiceClient() : System.ServiceModel.Security.SecurityNegotiationException : The caller was not authenticated by the Service."
"Exception -> ConfigurationDataSourcesHelper.CheckAgentBrokerServiceClient() : System.ServiceModel.FaultException : The request for security token could not be satisfied because authentication failed."
Environment
Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.
Resolution
#1: Create Domain Service account for the WEM Broker Server
#2: Add Domain Service account as a Login on SQL Server with Public Permissions and map it to the WEM Database
#3: By using the Broker Service Configuration Console, reconfigure the WEM Infrastructure Service on the WEM Broker to use Windows Authentication and specify new Domain Service account. ***This automatically changes the account used to run the WEM Infrastructure Service account on the WEM Broker.***
#4: Using the Database Management Console, upgrade the database with the option for using Windows Authentication with the Domain Service account.
#5: Create SPN for Norskale/BrokerService using the new domain service account by running the following command from the command prompt as Administrator with domain admin privileges:
"setspn -U -S Norskale/BrokerService [accountname]" - be sure to replace [accountname] with the new Domain Service Account
"The Caller was not authenticated by the Service....The request for security token could not be satisfied because authentication failed."
#2: Add Domain Service account as a Login on SQL Server with Public Permissions and map it to the WEM Database
#3: By using the Broker Service Configuration Console, reconfigure the WEM Infrastructure Service on the WEM Broker to use Windows Authentication and specify new Domain Service account. ***This automatically changes the account used to run the WEM Infrastructure Service account on the WEM Broker.***
#4: Using the Database Management Console, upgrade the database with the option for using Windows Authentication with the Domain Service account.
#5: Create SPN for Norskale/BrokerService using the new domain service account by running the following command from the command prompt as Administrator with domain admin privileges:
"setspn -U -S Norskale/BrokerService [accountname]" - be sure to replace [accountname] with the new Domain Service Account
Problem Cause
The WEM Broker was not using Windows Authentication and SPN was not configured for Norskale/BrokerService. When the WEM Agents were attempting to check in with the WEM Broker they failed to authenticate and this error was present in the Agent debug logs:"The Caller was not authenticated by the Service....The request for security token could not be satisfied because authentication failed."
Issue/Introduction
This article shows how to resolve a problem with WEM Agents not checking in with the WEM Broker when the WEM Agent Debug logs show that the Service can not be authenticated by the Broker.
Additional Information
How to create a SQL Server Login:
https://technet.microsoft.com/en-us/library/aa337562(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/aa337562(v=sql.105).aspx
Was this article helpful?
Yes
No
Powered by
