Unable to launch the PVS console. Error: "Unable to connect to the Domain Controller.."

Article ID: CTX463529

Description

After completing the PVS Configuration Wizard with a service account in the same domain as the PVS server, administrators are unable to launch the PVS console and see the following error: "Unable to connect to the Domain Controller (if any) or the default rootDSE. Error code: 44936673, message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), provider:".

Resolution

Ensure that the service account has the permissions required to register an SPN. Alternatively, create the registry value with the command below:

    REG add "HKLM\system\currentcontrolset\control\lsa" /v SpnDowngradeProtection /t REG_DWORD /d 0 /f

Problem Cause

The service account being used did not have permission to create/register SPNs.

Additional Information

  • By default, the PVS SOAP Service uses Kerberos to authenticate to Active Directory. As per the Kerberos architecture, the service should register its SPN with the Domain Controller (KDC) when the service starts and unregister it when the service stops.
  • The registration is essential because it allows Active Directory to identify the account that the SOAP service is running as.
  • The SPN registration attempts by the service account were failing because it did not have the required permissions. Kerberos authentication therefore fails, and Citrix Provisioning falls back to NTLM authentication.
  • By default, the Network Service account and domain administrators have this permission, while normal domain user accounts do not.
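The following read-only PowerShell check is an added example and is not part of the Citrix article or the Citrix Provisioning product. Run on the PVS server as an administrator, it reports the conditions the Problem Cause and Additional Information sections describe: which account the SOAP service runs as, which SPNs are registered for the service account, whether that account can write its own servicePrincipalName in Active Directory, and whether the SpnDowngradeProtection value from the Resolution section is set. The account name is a placeholder, the service is located by a DisplayName containing "SOAP" (an assumption), and the ActiveDirectory RSAT module is assumed to be installed; the two AD GUIDs are the well-known values for the Validated-SPN right and the servicePrincipalName attribute and should be verified against your schema.

```powershell
# Added diagnostic example (not from the Citrix article). Read-only; changes nothing.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-pvs'   # placeholder, replace with the PVS SOAP service account
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which account does the PVS SOAP service actually run as?
#    (Assumption: the service's DisplayName contains "SOAP".)
$soap = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*SOAP*' }
foreach ($s in $soap) {
    "Service '{0}' runs as '{1}' (state: {2})" -f $s.Name, $s.StartName, $s.State
}

# 2. SPNs currently registered for the service account. An empty list while the service
#    is running means the registration at service start failed, as the article describes.
"SPNs registered for $ServiceAccount :"
& setspn.exe -L $ServiceAccount 2>&1 | ForEach-Object { "    $_" }

# 3. Can the account write its own servicePrincipalName? Domain users cannot by default.
$sam  = $ServiceAccount.Split('\')[-1]
$user = Get-ADUser -Identity $sam -Properties DistinguishedName
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

# Well-known AD GUIDs (assumed constants; verify against your schema):
$validatedSpnRight = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to SPN
$spnAttribute      = [guid]'28630ebb-41d5-11d1-a9c1-0000f80367c1'   # servicePrincipalName attribute
$allObjects        = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to the whole object

$grants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference -eq 'NT AUTHORITY\SELF' -or $_.IdentityReference -eq $ServiceAccount) -and
    ($_.ObjectType -eq $validatedSpnRight -or
     $_.ObjectType -eq $spnAttribute -or
     ($_.ObjectType -eq $allObjects -and $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll'))
}
if ($grants) {
    "Account can write its own SPN through these ACEs:"
    $grants | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
} else {
    "Account has no direct right to write its own servicePrincipalName; SPN registration at service start will fail."
}

# 4. Is the registry workaround from the Resolution section in place?
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SpnDowngradeProtection -ErrorAction SilentlyContinue
if ($null -eq $lsa) {
    "SpnDowngradeProtection is not set (default behaviour)."
} else {
    "SpnDowngradeProtection = $($lsa.SpnDowngradeProtection) (0 = workaround from the Resolution section applied)"
}
```

Step 3 only inspects ACEs granted directly to SELF or to the account itself; a right inherited through group membership will not be reported, so an empty result should be confirmed with the Effective Access tab in Active Directory Users and Computers before changing anything. Granting the account the right to write its own SPN addresses the cause the article names and keeps Kerberos authentication in place, whereas the registry value is the article's alternative workaround.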