Getting any MCS Provisioning Exceptions, make sure to get the entire details of the Exceptions to help work the case\issue.

• If using a Proxy, ensure that the Citrix Cloud Whitelists are in place and the Proxy Configuration is completed
• Use the Citrix Proxy Checker Utility to test functionality
• Customers securing the AWS Inbound port rules for the Cloud Connectors must open the required ports for MCS Provisioning and connectivity.

• If the Connectors are behind a Proxy you would need to add the proxy settings to the AWS Host Connection Advanced properties
• Identify if the AWS Default VPC been removed\deleted
  • UseExplicitVpcForVolumeWorkerBootstrap=true
• Is Role-based Access Control in use, or is the connection made using AWS IAM Keys? 
• Are Custom AWS Tags in use?
• Identify that the recommended AWS JSON Policy is in place on AWS
• Is AWS Dedicated Hardware in use? If so the following should be checked:
  • Check the AWS Dedicated Hardware Quota limits to ensure enough is available
  • Adding the following to the AWS Host ADV Property:
    • VolumeWorkerInstanceType=m4.large

• One of the most overlooked items is to have the Master AMI\VDA\VDI Image join a domain and then install the VDA Health Check Assistant and run this to ensure all the basics are passing.
  • Note: It’s suggested to ensure that the latest 1912 LTSR Cumulative Update (CU) or the latest Current Release (at least 2012 VDA or later versions as well) is in use
• As an additional item it's also suggested to change the Nic IPv4 properties for the DNS settings
  • Add your AD DNS Server IP as well as the DNS Name in the DNS Names list and move your specific DNS Name to the top of the list.

• A common error is MCS fails on AWS due to name resolution failure for S3 bucket

• Unless you are in a region with ONLY Nitro-based instances and you create your own volume worker template, you should NOT USE Nitro instance types for the volume worker.
  • Note: The XD template gets made once (even if the catalog fails) per image.
• AWS GOV Info and Nitro instances
  • Nitro instances can be used for the VDAs, but is NOT RECOMMENDED for the Volume Workers
    • Note: If a Nitro instance must be used for Volume Workers, the "Out of Box" Nitro Instance will need to be modified and reconfigured
• Nitro Examples include:
  • C5, T3, M5, R5 and any of these types with an "a" at the end denotes AMD chipset

• It's been reported that attempts to lock down the Citrix Cloud Cipher Suites can yield MCS Provisioning Exception similar to the following:

  • Exception:
    DesktopStudio_ErrorId : ProvisioningTaskError
    ErrorCategory : NotSpecified
    ErrorID : FailedToCreateImagePreparationVm
    TaskErrorInformation : Terminated
    InternalErrorMessage : Invalid OpId:acec61db-cfb5-48d3-8e65-f6c19d77634e

• The following TLS and Cipher Suites have been verified to work with MCS Provisioning:
  • Note: Utilize IIS Crypto to check settings
    • It's suggested to use the button for preferred settings from IIS Crypto and then reboot Cloud Connectors
  • Svr2019 CC system Minimum settings:

    • TLS_DHE_RSA_WITH_AE5256_CBC_SHA
      TLS_DHE_RSA_WITH_AE5128_CBC_SHA
      TLS_RSA_WITH_NULL_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P3

       
      • 
      • 

• If still receiving MCS Provisioning Exceptions, please check the AWS Policy JSON settings and use only the preferred settings at the top of this page ​​​​​​​
  • Note: Do not use/add AWS Guardrails in the Policy JSON, as this ends up breaking the Citrix MCS Provisioning processes

Problem Cause

Citrix Virtual Apps and Desktops on AWS