Citrix Xenapp Access Is Denied

[Urbano Bozman]

TheCitrix Monitor Service API is built on the SQL Server Monitor database that is populated during processing and consolidation. This API is based on the ASP.NET Web API Framework. The Citrix Monitor Service API uses the Open Data (OData) protocol, which is a Web protocol for querying and updating data, built upon Web technologies such as HTTP. ASP.NET Web API Framework supports OData Version 3 and Version 4. You can use either endpoints to run your queries.

If you are a Citrix Virtual Apps and Desktop administrator with read-only privileges, you can use the API to get following types of data from the Citrix Virtual Apps and Desktops and Citrix DaaS site:

To get additional information on performing the preceding the tasks, go through the details on monitor service schema, how to access the monitor service data, data access privilege and security, Data Access protocol, and OData protocol.

Use the various access methods to export the data using OData API. Follow the Citrix Monitor Service REST APIs reference to get information on the methods, parameters, field descriptions, error types, and error values associated with the APIs.

The single page Monitor Service Schema diagram mentioned above is divided into the following four categories. Each contains subcategories, related tables, descriptions, and their respective database schema diagrams.

To use the Monitor Service OData API, you must be a XenApp and XenDesktop administrator. To call the API, you require read-only privileges; however, the data returned is determined by XenApp and XenDesktop administrator roles and permissions.

If you choose to use TLS, you must configure TLS on all Delivery Controllers in the Site; you cannot use a mixture of TLS and non-TLS.To improve the security of the Citrix Virtual Apps and Desktops, Citrix will block any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019, allowing only TLS 1.2 communications.

To secure Monitor Service endpoints using TLS, you must perform the following configuration. Some steps need to be done only once per Site, others must be run from every machine hosting the Monitor Service in the Site. The steps are described below.

Tip: In a PowerShell command window, ensure you put single quotes around the GUID in the appID, as shown above, or the command will not work. Note that a line break has been added to this example for readability only.

From any Delivery Controller in the Site, run the following PowerShell commands once. This removes the Monitor Service registration with the Configuration Service. asnp citrix.\* \$serviceGroup = get-configregisteredserviceinstance -servicetype Monitor Select -First 1 ServiceGroupUid remove-configserviceGroup -ServiceGroupUid \$serviceGroup.ServiceGroupUid

From any Delivery Controller in the Site, run the following PowerShell commands once. This removes the Monitor Service registration with the Configuration Service.asnp citrix.\* \$serviceGroup = get-configregisteredserviceinstance -servicetype Monitor Select -First 1 ServiceGroupUid remove-configserviceGroup -ServiceGroupUid \$serviceGroup.ServiceGroupUid

The Monitor Service API is a REST-based API that can be accessed using an OData consumer. OData consumers are applications that consume data exposed using the OData protocol. OData consumers vary in sophistication from simple web browsers to custom applications that can take advantage of all the features of the OData Protocol.

Every part of the Monitor Service data model is accessible and can be filtered on the URL. OData provides a query language in the URL format you can use to retrieve entries from a service. You can use the OData V3 or OData V4 endpoints to run your queries. OData V4 supports aggregation queries.

Note: Enums are not supported in the OData protocol; integers are used in their place. To determine the values returned by the Monitor Service OData API, see Monitor Service Data Model.

OData (Open Data Protocol) is an OASIS standard that defines a set of best practices for building and consuming RESTful APIs. OData helps you focus on your business logic while building RESTful APIs without having to worry about the various approaches to define request and response headers, status codes, HTTP methods, URL conventions, media types, payload formats, query options, etc.

Place the URL for each data set into a web browser that is running with the appropriate administrative permissions for the XenApp and XenDesktop Site. Citrix recommends using the Chrome browser with the Advanced Rest Client add-in.

b. To use the OData v4 endpoint the first time, click View More Drivers, choose the OData V4 Driver, click the Download and Enable driver link. This adds the Odata 4 driver to the list of available drivers. Subsequently, you can select OData 4 and click Next.

You can now run LINQ queries against the data feed and export the data as needed. For example, right-click Catalogs and choose Catalogs.Take(100). This returns the first 100 Catalogs in the database. Choose Export>Export to Excel with formatting.

I have a Citrix Virtual Apps and Desktops 1912 LTSR CU1 environment with FsLogix profiles in place on top of Windows Server 2019 session machines. After installing the latest FsLogix version 2.9.7576.47294 we have been getting the following error from a considerable number of end users when trying to login to their Citrix/RDS session: "Group Policy Client service failed the logon. Access denied.". The case is described in more detail at -to-resolve-error-group-policy-client-service-failed-the-logon-access-denied-in-citrix-and-fslogix-environments/.

I encountered the same issue in a couple of different environments too and it happened before and after the latest the FSLogix release. Whenever this happens, I noticed that the local_username folder is always there even when the user is not logged in.

We've been getting the same issues on the most recent version of FSLogix as well. This affected a couple of users, but the issue was persistent. Therefore we've decided to rollback to FSLogix 2004 and this seemed to resolve the issues for us.

I noticed the issue occur on multiple computers instead of all users. So I am afraid log analysis based on environment is necessary for further troubleshooting.

However as log analysis is out of Microsoft Q&A forum support scope, we recommend to create a ticket for your issue.

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

3a8082e126