From the events we could see that ADIdentity - CreateIdentity for the new machines was failing with:
- Failed to create the computer account <> due to a problem with Active Directory
- This is often caused by the user running Studio not having permission to create computer accounts in the selected OU
- HTTP 404: The Identity Provider to Agent communications is incorrectly configured
On checking further, the event showed that IdentityPool.ResourceLocationId <> was incorrect:
- It referenced a different Resource Location ID (one whose Cloud Connectors sit in a different domain) than the one we expected for the Machine Catalog > Machines accounts being created
- As a result the machine creation process could not create the machine accounts, because it was using Cloud Connectors (CCs) from a different domain
- Even where there is a forest trust between Forest_A and Forest_B, the Citrix Cloud Connector cannot traverse a forest trust by design
Incorrect Hosting Connection - Zone / ResourceLocation.
The IdentityPool.ResourceLocationId / IdentityPool.ZoneUid values are inherited from the hypervisor / hosting connection the catalog was created with.
To identify which zone your hosting connections are configured for:
- Run the commands:
Posh:> asnp citrix*
Posh:> Get-BrokerHypervisorConnection | ft Name,HypervisorConnectionUid,Uid,ZoneUid,ZoneExternalUid
The ZoneUid should match the Resource Location ID of the CCs you intend to use (ZoneExternalUid is the Resource Location ID as shown in Citrix Cloud). If the wrong ZoneUid is configured, the wrong resource location / CCs will be used and the result is the OU / permission failure above.
- If you need to re-point a pre-existing machine catalog's identity pool to the correct zone:
Posh:> Get-BrokerCatalog -Name "MachineCatalog"
** This confirms the SDK session above is working & should return data for your chosen catalog **
** If this is successful, move on to the commands to resolve this specific issue **
Posh:> Get-AcctIdentityPool -IdentityPoolName "Catalogname"
** This outputs the identity pool associated with the catalog in question (by default the identity pool has the same name as the catalog) **
** What we are focusing on is the ZoneUid & ResourceLocationId **
** The issue we saw was that the AcctIdentityPool had the wrong ZoneUid, which in turn assigned the wrong ResourceLocationId **
Posh:> Set-AcctIdentityPool -IdentityPoolName "IdentityPoolName" -ZoneUid "ZoneUid"
** We used this command with the identity pool name in quotes and the correct ZoneUid (taken from the Get-BrokerHypervisorConnection output) in quotes **
** Note this only changes the zone used for machine account creation in that identity pool; the hosting connection itself keeps its original zone **
Otherwise the permanent solution is to create a new hosting connection (selecting the appropriate zone during creation)
- Use this new hosting connection to deploy any new catalog going forward.
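The check-then-fix version of the procedure above, as an added example that is not part of the original note. It looks up the identity pool via the catalog's provisioning scheme rather than assuming the pool shares the catalog name, compares its ZoneUid with the hosting connection you intend to use, and only calls Set-AcctIdentityPool when they differ and -Fix is given. It assumes the Citrix Remote PowerShell SDK with an authenticated session (asnp citrix*; Get-XDAuthentication), and the catalog / hosting connection names are placeholders.

```powershell
<#
  Added example (not from the original note). Assumes the Citrix Remote
  PowerShell SDK is installed and you have already authenticated
  (asnp citrix*; Get-XDAuthentication). Names passed in are placeholders.
#>
param(
    [Parameter(Mandatory)] [string]$CatalogName,            # e.g. "MachineCatalog"
    [Parameter(Mandatory)] [string]$HostingConnectionName,  # hosting connection in the intended zone
    [switch]$Fix                                            # without -Fix the script only reports
)

asnp citrix*

# 1. Hosting connection -> the zone (resource location) whose Cloud Connectors will do the AD work
$hc = Get-BrokerHypervisorConnection -Name $HostingConnectionName
if (-not $hc) { throw "Hosting connection '$HostingConnectionName' not found" }

# 2. Catalog -> provisioning scheme -> identity pool (do not assume the pool name equals the catalog name)
$catalog = Get-BrokerCatalog -Name $CatalogName
if (-not $catalog) { throw "Catalog '$CatalogName' not found" }
$scheme = Get-ProvScheme -ProvisioningSchemeUid $catalog.ProvisioningSchemeId
$pool   = Get-AcctIdentityPool -IdentityPoolUid $scheme.IdentityPoolUid

# 3. Show the values that matter for this failure side by side
[pscustomobject]@{
    Catalog              = $catalog.Name
    IdentityPool         = $pool.IdentityPoolName
    PoolZoneUid          = $pool.ZoneUid
    PoolResourceLocation = $pool.ResourceLocationId
    ConnectionZoneUid    = $hc.ZoneUid
    ConnectionRLId       = $hc.ZoneExternalUid
    AccountDomain        = $pool.Domain
    AccountOU            = $pool.OU
} | Format-List

if ($pool.ZoneUid -eq $hc.ZoneUid) {
    Write-Host "Identity pool '$($pool.IdentityPoolName)' already uses the zone of '$($hc.Name)'; nothing to do."
    return
}

Write-Warning ("Identity pool '{0}' is in zone {1} but hosting connection '{2}' is in zone {3}. " +
               "CreateIdentity will run through the Cloud Connectors of the wrong resource location.") `
               -f $pool.IdentityPoolName, $pool.ZoneUid, $hc.Name, $hc.ZoneUid

if (-not $Fix) {
    Write-Host "Re-run with -Fix to re-point the identity pool to zone $($hc.ZoneUid)."
    return
}

# 4. Re-point the identity pool, then read it back to confirm ResourceLocationId followed the ZoneUid
Set-AcctIdentityPool -IdentityPoolName $pool.IdentityPoolName -ZoneUid $hc.ZoneUid
$after = Get-AcctIdentityPool -IdentityPoolName $pool.IdentityPoolName
"After fix: ZoneUid=$($after.ZoneUid) ResourceLocationId=$($after.ResourceLocationId)"
```

Run it first without -Fix to confirm that the pool's ZoneUid really is the one that differs from the intended hosting connection; the script changes only the identity pool, so any provisioning scheme and hosting connection still bound to the old zone are left as they are, which is why a new hosting connection in the correct zone remains the clean long-term fix.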
Customer was unable to deploy new machines or machine catalogs with hosting connections that were configured for the incorrect Resource Location / Zone.
https://developer-docs.citrix.com/en-us/citrix-virtual-apps-desktops-sdk/2411/ADIdentity/Set-AcctIdentityPool.html
https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details#users-and-resources-in-separate-forests-with-trust-with-a-single-set-of-cloud-connectors