Troubleshooting Provisioning Server Image Trust Issues

Thursday, October 21, 2010


In every relationship, there are going to be some trust issues. Citrix Provisioning Services is no different. Here are two quick items to check when your Domain doesn't seem to want to trust you anymore.

In a typical Provisioning deployment, multiple machines are set to use the same shared Read Only vDisk, and each one is reset back in time at every reboot. It's this rolling back in time that creates the Active Directory trouble. To Microsoft's Active Directory, it can look like a replay attack, where a rogue entity has sniffed your machine token and tries to 'replay' it to gain unauthorized access. To avoid this, Provisioning Services needs to keep track of the ever-changing Machine Account Passwords so that the Domain Trust is maintained for all the different servers using this single vDisk. By default, it does not. Be sure to verify in your vDisk File Properties that Active Directory machine account password management is checked. This allows Provisioning Services to intercept, store, track and regurgitate the proper Domain passwords/tokens when needed.


Now that the vDisk file knows to track passwords, your next troubleshooting stop is the device properties. When adding new devices to the Provisioning server farm, be sure to CREATE the Machine Account Active Directory Object via the PVS Console. This gives Provisioning Services the starting point it needs to begin keeping track of password changes. Right-click the particular device and choose Create or Reset Machine Account Password. If you don't even see the Reset option, chances are you forgot to create the AD Object via the PVS Console in the first place. Just delete the Machine Account and recreate it.
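To confirm on a target device that the two settings above took effect, the following read-only check reports whether the machine's secure channel to the domain is intact after a reboot. It is an added example, not part of the original post or of Citrix's tooling. The function name `Get-MachineTrustStatus` is hypothetical, and the `Test-ComputerSecureChannel` cmdlet and the Netlogon registry values are standard Windows items that the post itself does not mention.

```powershell
# Added example: run in an elevated session on a provisioned target device.
# Read-only: nothing here repairs or resets the machine account.

function Get-MachineTrustStatus {   # hypothetical helper name
    $result = [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SecureChannelOk       = $null
        DisablePasswordChange = $null
        MaximumPasswordAge    = $null
        AdPasswordLastSetUtc  = $null
    }

    # 1. Does the machine secret held by this booted image still match
    #    the machine account in the domain?
    try   { $result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $result.SecureChannelOk = $false }

    # 2. Netlogon settings that decide whether and how often the OS itself
    #    rotates the machine account password (values may be absent).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $np  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($np) {
        $result.DisablePasswordChange = $np.DisablePasswordChange
        $result.MaximumPasswordAge    = $np.MaximumPasswordAge   # in days
    }

    # 3. When the directory last recorded a password change for this account.
    #    Needs a working domain logon, so it may stay $null when trust is broken.
    try {
        $filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
        $searcher = [adsisearcher]$filter
        $hit      = $searcher.FindOne()
        if ($hit -and $hit.Properties['pwdlastset'].Count -gt 0) {
            $fileTime = [Int64]$hit.Properties['pwdlastset'][0]
            $result.AdPasswordLastSetUtc = [DateTime]::FromFileTimeUtc($fileTime)
        }
    } catch { }

    $result
}

Get-MachineTrustStatus | Format-List
```

A `SecureChannelOk` value of `False` right after a device boots from the shared vDisk is the symptom this post describes. Run the check again after a later reboot to see whether the trust survives the rollback.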


I think these can be pretty easy for a Citrix Administrator to forget and should solve about 99% of your trust issues related to Citrix Provisioning Services.
Happy Provisioning!
