XenApp/XenDesktop 7.X: Delivery Controller Failing To Connect to Site Databases. SQL Error: "SSPI handshake failed with error code 0X80090304"
Article ID: CTX238521
Description
- XenApp/XenDesktop 7.X: Delivery Controller fails to connect to Site databases.
- Launching Citrix Studio gives an error.
- Running the "Get-BrokerSite" PowerShell cmdlet on the Delivery Controllers also throws an authentication error.
- Running the "Get-AdminAdministrator" PowerShell cmdlet to list the administrators configured for this site also throws an error.
- Connecting to the Site database from the Delivery Controller using a .UDL file (https://blogs.msdn.microsoft.com/farukcelik/2007/12/31/basics-first-udl-test/) also fails.
- The SQL database connection strings and the permissions of the Delivery Controller login accounts are correct.
- The SID of each Delivery Controller in the Site's Chb.config.controllers SQL table matches the PSGetSID output for the Delivery Controller computer accounts.
- On the SQL server, under Management node > SQL Server Logs > Current, the below error is logged:
SSPI handshake failed with error code 0X80090304, together with the IP address of the Delivery Controller. The error code translates to "SEC_E_INTERNAL_ERROR: Local Security Authority cannot be contacted".
Environment
Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Resolution
Configure the below registry entry on the SQL server:
Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Value Name: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50 (Decimal)
Set this value to 0, so that the SQL server deletes all the cached logons and fetches the logon accounts for the Delivery Controllers again from the Domain Controller.
Reference:
https://blogs.technet.microsoft.com/instan/2011/12/06/cached-logons-and-cachedlogonscount/
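The registry change described above can be scripted so that the Winlogon key is backed up first and the result is verified. This is an added example, not code from the Citrix article; the function name Set-CachedLogonsCount and the backup location are assumptions.

```powershell
# Added example: audit and set CachedLogonsCount on the SQL server.
# Run in an elevated PowerShell session on the SQL server.
# Function name and backup directory are hypothetical, not from the article.
function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 50)]            # range given in the article
        [int]$Count = 0,                  # the article's resolution uses 0
        [string]$BackupDir = $env:TEMP    # assumed backup location
    )

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $regPath = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name    = 'CachedLogonsCount'

    # Read the current value; if it is absent the OS default applies.
    $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    Write-Verbose "Current $name = '$current'"

    if ("$current" -eq "$Count") {
        Write-Output "$name is already $Count; nothing to change."
        return
    }

    if ($PSCmdlet.ShouldProcess($keyPath, "Set $name to $Count")) {
        # Back up the Winlogon key before editing, as the article's caution advises.
        $backup = Join-Path $BackupDir ("Winlogon-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no change made." }

        # The value is stored as REG_SZ, so the number is written as a string.
        Set-ItemProperty -Path $keyPath -Name $name -Value "$Count" -Type String

        # Read the value back to confirm what is now stored.
        $new = (Get-ItemProperty -Path $keyPath -Name $name).$name
        Write-Output "$name changed from '$current' to '$new' (backup: $backup)"
    }
}

Set-CachedLogonsCount -Count 0 -WhatIf   # preview only; drop -WhatIf to apply
```

With the value at 0 no domain logons are cached, so interactive domain logons on the SQL server require a reachable Domain Controller.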
Problem Cause
Corrupt or wrong cached logon entries for the Delivery Controller computer accounts on the SQL server.
Additional Information
The LSA cache contains entries for security entities that have logged on to the machine while it was online and had access to a Domain Controller - this includes service accounts, the computer account, etc.
The registry value CachedLogonsCount controls how many such entries are cached - the defaults will be 10 or 25 depending on OS or SP level of the system with a maximum of 50.