Citrix Virtual Apps And Desktop: ICA Session Launch Failure Due to TrySSPI Call Delay

Article ID: CTX479747

Description

  • Intermittently, a desktop session launch gets stuck at connecting on a blue screen, and after some time the connection closes.
  • The issue is not specific to any machine or user.
  • The issue is seen with both thin clients and fat clients.
  • The issue occurs for both internal and external users.
  • After multiple tries, the user may be able to reconnect to the same or a different VDA.

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

  • Add the registry value below to bypass the delegation-detection logic as a workaround. This registry value only mitigates the issue and helps isolate its root cause. It may or may not address other Active Directory/DNS issues that cause SSPI-related errors or delays.
  • If the registry workaround works, you still need to work with Microsoft to investigate why it sometimes takes longer to get the computer name from AD.

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Logon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Logon]
Value Name: DisableSSPI
Value Type: REG_DWORD
Value: 1

Problem Cause

  • TrySSPI (Security Support Provider Interface authentication) during the credential retrieval stage was taking longer than normal.
  • The time-consuming function involved is IADsADSystemInfo.get_ComputerName, which Microsoft provides to get the Distinguished Name (DN) from Active Directory.

VDA CDF

In the VDA-side CDF trace, the delegation-detection function took 42 seconds to get the computer name from AD. This is the TrySSPI (Security Support Provider Interface authentication) call during the credential retrieval stage, which took around 42 seconds in the non-working session compared to 0.5 seconds in the working data set.

 18:56:36:86245,22020,25100,LogonUI.exe,23,ctxsspi,44,TrySSPI,9,Information,"TrySSPI: Session checks ok",""
30324,0,2023-02-06 18:56:36:86262,22020,25100,LogonUI.exe,23,cutildll,SSPIChecks,257,MakeComputerChecks,9,Information,"CTXGINA: SSPI: MakeComputerChecks: Detecting delegation...","
30325,0,2023-02-06 18:56:36:86263,22020,25100,LogonUI.exe,23,cutildll,user,311,DelegationEnabledHelper,9,Information,"DelegationEnabledHelper entered",""
319567,4,2023-02-06 18:57:14:33599,3052,2756,svchost.exe(termsvcs),0,Rpm,SCSMgr,380,ctx::CSCSMgr::NotifySessionStateChange,14,Information,"ctx::CSCSMgr::NotifySessionStateChange: Session Id 23, Event Id 13, SESSION TERMINATE",""
320937,2,2023-02-06 18:57:18:98515,22020,25100,LogonUI.exe,23,cutildll,user,360,DelegationEnabledHelper,9,Information,"Got account DN as <CN=abc,OU=def,OU=HSD,DC=DomainControllerABC,DC=local>",""
321209,3,2023-02-06 18:57:22:64385,17156,2756,svchost.exe(termsvcs),0,Rpm,Connection,1495,ctx::Connection::sendRPMDisconnectNotify,13,Information,"Session ID 23, SuccessfulLogon=0, Previous session state TERMINATING=2, dwappState CTXWS_APPSTATE_ACTIVE=1, m_disconnectReason ERRINFO_LOGOFF_BY_USER = 0xC, isReconnect (temporary session)=0, isPreLogOff=0",""
327450,8,2023-02-06 18:57:24:12474,1208,4224,BrokerAgent.exe,0,BrokerAgent,,0,,5,EntryExit,"=========>>>>> StackManager.NotifySessionEvent(75603032-b80f-4a38-b9e8-fa7839dbd2ac): Enter(SessionEvent:SESSION_EVENT_TERMINATE, SessionReasonCode:SESSION_EVENT_REASON_CONNECTION_FAILURE, rdsCalId:0)",""
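
The delay can be measured directly from a CSV export of the CDF trace. The Python below is an added example, not Citrix code: it times each DelegationEnabledHelper call and flags calls during which the session was terminated, using three of the trace lines above as input. It assumes the column order seen in those lines and that the last colon-separated part of the timestamp is a fraction of a second; the function names and the 5-second `slow_after` threshold are this example's own.

```python
import csv
import re
from datetime import datetime, timedelta

# Three of the trace lines quoted above (CSV export of the VDA CDF trace).
SAMPLE = '''\
30325,0,2023-02-06 18:56:36:86263,22020,25100,LogonUI.exe,23,cutildll,user,311,DelegationEnabledHelper,9,Information,"DelegationEnabledHelper entered",""
319567,4,2023-02-06 18:57:14:33599,3052,2756,svchost.exe(termsvcs),0,Rpm,SCSMgr,380,ctx::CSCSMgr::NotifySessionStateChange,14,Information,"ctx::CSCSMgr::NotifySessionStateChange: Session Id 23, Event Id 13, SESSION TERMINATE",""
320937,2,2023-02-06 18:57:18:98515,22020,25100,LogonUI.exe,23,cutildll,user,360,DelegationEnabledHelper,9,Information,"Got account DN as <CN=abc,OU=def,OU=HSD,DC=DomainControllerABC,DC=local>",""
'''

def parse_ts(text):
    # Assumption: the part after the last colon is a decimal fraction of a second.
    stamp, _, frac = text.rpartition(":")
    base = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return base + timedelta(seconds=float("0." + frac))

def delegation_delays(trace, slow_after=5.0):
    """Time each DelegationEnabledHelper call (entry to 'Got account DN')."""
    started, terminated, results = {}, {}, []
    for row in csv.reader(trace.splitlines()):
        try:
            ts, msg = parse_ts(row[2]), row[13]
        except (IndexError, ValueError):
            continue  # skip truncated or malformed lines
        pid, tid, session, func = row[3], row[4], row[6], row[10]
        ended = re.search(r"Session Id (\d+),.*SESSION TERMINATE", msg)
        if ended:
            terminated.setdefault(ended.group(1), ts)
        if func != "DelegationEnabledHelper":
            continue
        key = (pid, tid, session)
        if msg.endswith("entered"):
            started[key] = ts
        elif msg.startswith("Got account DN") and key in started:
            begin = started.pop(key)
            seconds = (ts - begin).total_seconds()
            gone = terminated.get(session)
            results.append({
                "session": session,
                "seconds": seconds,
                "slow": seconds > slow_after,
                # True when the session was torn down before AD answered.
                "terminated_during": gone is not None and begin < gone <= ts,
            })
    return results

if __name__ == "__main__":
    for r in delegation_delays(SAMPLE):
        print(r)
```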
 

Additional Information

  • SSPI errors during session launch, VDA registration, logon, pass-through, etc. generally point to Microsoft AD/DNS-related issues.
  • Refer to the Microsoft articles below for more information about SSPI and the IADsADSystemInfo.get_ComputerName function.

https://learn.microsoft.com/en-us/windows/win32/rpc/sspi-architectural-overview
https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-architecture
https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture
https://learn.microsoft.com/en-us/windows/win32/adsi/iadsadsysteminfo-property-methods

Other scenarios where SSPI errors result in Citrix issues:

  1. https://support.citrix.com/article/CTX324114
  2. https://support.citrix.com/article/CTX279900/aggregation-of-a-delivery-controller-to-an-existing-site-running-on-sql-express-fails-sqlclientsqlexception-the-target-principal-name-is-incorrect-cannot-generate-sspi-contex
  3. https://support.citrix.com/article/CTX335438/citrix-cloud-cvad-1912-ltsr-vda-registration-failure-security-support-provider-interface-sspi-authentication-failed
  4. https://support.citrix.com/article/CTX474888/daas-vdas-not-registering-with-cloud-connectors-after-applying-microsoft-update-kb5019966
  5. https://support.citrix.com/article/CTX238521/xenappxendesktop-7x-delivery-controller-failing-to-connect-to-site-databases-sql-error-sspi-handshake-failed-with-error-code-0x8009030
  6. https://support.citrix.com/article/CTX209470/xenapp-xendesktop-7x-unable-to-contact-database-error-cannot-generate-sspi-context
  7. https://support.citrix.com/article/CTX218968/server-vda-suddenly-goes-to-unregistered-state-with-error-the-security-support-provider-interface-sspi-negotiation-failed