Issue and Background
Recently we took over a build that had crossed many hands and carried many interpretations of the original design document. Some environments had components in various levels of completion, and another site had no group permissions assigned at all, so administration of that site was impossible unless the single user account holding Full Administrator permissions was present. A new site was created reusing as much as possible, including the existing groups in Active Directory, which existed but had not yet been configured for the site. Days have passed and now it's time for hardening. The first environment succeeds without any issue, and now it's time for the rebuilt one.
The account that reinstalled Citrix Studio and the Delivery Controller is still listed among the Citrix Studio administrators, so that entry needs to be deleted.
The standard groups are assigned to their roles and look the same as in every other environment.
Lo and behold, as soon as the user account is removed, the rebuilt environment again has nobody with administrative permissions.
Having confirmed that the correct AD groups are attached and that the user account is a member of them, it's time to dig deeper.
Resolution Attempt 1
After triple-checking that the user account is in the correct group, the next suspect is a corrupted Citrix Studio cache file. Delete that file and relaunch Citrix Studio.
This time around, the quick fix didn’t work.
Resolution Attempt 2
Doubts start to creep in: maybe one of the groups attached to the Full Administrator role was misspelled. There must be a way to verify what Studio actually stored.
Launch Microsoft SQL Server Management Studio on the SQL server.
In the Site database, right-click the DAS.Administrators table and click “Select Top 1000 Rows”.
All of the SIDs associated with the entries in the Citrix Studio Administrators are kept here.
Copy a SID from the table and use it as the value of $sid below to translate it back to a DOMAIN\Name account:
$sid = 'S-1-5-21-168434713-3797181315-1096347406-1666'
$osid = New-Object System.Security.Principal.SecurityIdentifier($sid)
$user = $osid.Translate([System.Security.Principal.NTAccount])
$user.Value
If the translation fails with an "identity not mapped" error, the stored SID no longer corresponds to any object in Active Directory.
With the first SID resolving to NONPROD_CITRIX_ADMIN, it's time to determine whether the corresponding group in Active Directory was recreated at some point, which would leave the original SID stored in the database orphaned. Compare the SID property returned by:
Get-ADGroup -Identity NONPROD_CITRIX_ADMIN
The SID matches what is stored in DAS.Administrators and hasn't been corrupted, so it's time for another check.
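The manual checks above can be folded into one script. The following PowerShell is an added example written for this page, not code from the original post or from Citrix. It assumes hypothetical names for the SQL host (SQL01) and the Site database (CitrixSite), a domain-joined Delivery Controller with the ActiveDirectory module installed, and a Windows login with read access to the Site database. It pulls every SID out of DAS.Administrators without depending on the table's column names, resolves each one, flags SIDs that no longer map to anything (a deleted or recreated group), and, going one step beyond the manual check, reports the scope and home domain of every resolved group.

```powershell
# Added example: audit the SIDs stored in DAS.Administrators against Active Directory.
# Assumed (hypothetical) names: SQL host 'SQL01', Site database 'CitrixSite'.
Import-Module ActiveDirectory

$SqlServer   = 'SQL01'
$SiteDb      = 'CitrixSite'
$LocalDomain = (Get-ADDomain).NetBIOSName   # domain the Delivery Controller belongs to

# Read the whole table; SIDs are located by pattern rather than by column name so
# the script does not depend on the exact DAS schema.
$connString = "Server=$SqlServer;Database=$SiteDb;Integrated Security=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT * FROM DAS.Administrators'
$table = New-Object System.Data.DataTable
$table.Load($cmd.ExecuteReader())
$conn.Close()

$sids = foreach ($row in $table.Rows) {
    foreach ($col in $table.Columns) {
        $value = [string]$row[$col]
        if ($value -match '^S-1-5-21-\d+-\d+-\d+-\d+$') { $value }
    }
}

foreach ($sid in ($sids | Sort-Object -Unique)) {
    $result = [ordered]@{ Sid = $sid; Account = $null; Scope = $null; Finding = 'OK' }
    try {
        # Translate SID -> DOMAIN\Name. A group that was deleted and recreated has a
        # new SID, so the stored one raises IdentityNotMappedException here.
        $osid = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $osid.Translate([System.Security.Principal.NTAccount]).Value
        $result.Account = $account
        $domain = $account.Split('\')[0]

        # Query the group's own domain so groups from another domain are found too.
        $grp = Get-ADGroup -Identity $sid -Server $domain -ErrorAction SilentlyContinue
        if ($grp) {
            $result.Scope = $grp.GroupScope
            # A domain-local group only lands in a token for resources in its own
            # domain, so from this domain the Delivery Controller will never see it.
            if ($grp.GroupScope -eq 'DomainLocal' -and $domain -ne $LocalDomain) {
                $result.Finding = "Domain-local group from $domain; not evaluated in $LocalDomain"
            }
        }
        else {
            # Individual accounts (such as the install account) resolve but are not groups.
            $result.Finding = 'User account, not a group'
        }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $result.Finding = 'Orphaned SID: no matching object in AD (group recreated or deleted?)'
    }
    [pscustomobject]$result
}
```

Run it as an account that can read the Site database; every row in the output that is not "OK" is an entry Studio will silently ignore when it evaluates the role assignments.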
Resolution Attempt 3
Check event viewer for anything out of the ordinary immediately after attempting to open Citrix Studio.
Confirm the Citrix Delegated Administration Service is running and that the other Citrix services on the Delivery Controller are healthy.
Resolution Attempt 4
Reading through the CTX articles below, and still certain that the correct groups are assigned, the next test is to log in to Citrix Director with an account that is a member of the NONPROD_CITRIX_HELPDESK group. That fails too, which is actually encouraging: the problem is not specific to Studio or to the Full Administrator role.
There is definitely something wrong with the groups themselves.
https://support.citrix.com/article/CTX227672 – Citrix Studio failed to start
https://support.citrix.com/article/CTX259066 – Cannot access Studio via OnPrem delivery controller – ‘Reenter the controller address or enter a new address.’
https://support.citrix.com/article/CTX227110 – Unable to logon to Citrix Director, Error “Make sure that you have the required permissions”
Root Cause and Resolution
Another look, comparing the working environment's groups with this one's, revealed that these groups were domain local groups in the wrong domain. A domain local group is only added to a user's access token when the user accesses a resource in that group's own domain, so the Delivery Controller in this domain never saw the group SID even though the membership was correct, and no misspelling or corruption was involved. Because the SID stays attached to a group when its scope changes, the quick fix is to change the group scope to Universal, hit apply, then change it to Global; Active Directory refuses a direct Domain Local to Global conversion, and the final step to Global requires that every member be from the group's own domain. The existing DAS.Administrators entries then match without having to be recreated.
Success, Studio hardening definitely works!
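The scope change above, as an added PowerShell example that is not from the original post: it converts the group named in the article, checks the constraints Active Directory enforces on the conversion before touching anything, and verifies afterwards that the SID the Site database holds is unchanged. It assumes the ActiveDirectory module and an account with rights to modify the group in its own domain.

```powershell
# Added example: convert a mis-scoped admin group Domain Local -> Universal -> Global
# while keeping its SID. Group name taken from the article.
Import-Module ActiveDirectory

$GroupName = 'NONPROD_CITRIX_ADMIN'
$grp    = Get-ADGroup -Identity $GroupName -Properties GroupScope, Members
$before = $grp.SID.Value

if ($grp.GroupScope -ne 'DomainLocal') {
    throw "$GroupName is already $($grp.GroupScope); nothing to convert."
}

# Pre-checks: a global group may only contain principals from its own domain, and a
# domain-local group that nests another domain-local group cannot become universal.
$groupDomain = $grp.DistinguishedName -replace '^.*?,DC=', 'DC='
foreach ($memberDn in $grp.Members) {
    $m = Get-ADObject -Identity $memberDn -Properties objectClass, groupType
    $memberDomain = $m.DistinguishedName -replace '^.*?,DC=', 'DC='
    if ($memberDomain -ne $groupDomain -or $m.ObjectClass -eq 'foreignSecurityPrincipal') {
        throw "Member $($m.Name) is from another domain; a global group cannot contain it."
    }
    if ($m.ObjectClass -eq 'group' -and ($m.groupType -band 0x4)) {   # 0x4 = domain local
        throw "Member $($m.Name) is itself a domain-local group; remove it before converting."
    }
}

# Direct DomainLocal -> Global is refused by AD, hence the two-step conversion.
Set-ADGroup -Identity $grp -GroupScope Universal
Set-ADGroup -Identity $grp -GroupScope Global

$after = (Get-ADGroup -Identity $GroupName).SID.Value
if ($after -ne $before) { throw "SID changed unexpectedly: $before -> $after" }
"$GroupName is now $((Get-ADGroup -Identity $GroupName).GroupScope); SID $after unchanged."
```

The final SID comparison is the check that matters for Studio: as long as it holds, the rows already in DAS.Administrators keep pointing at the right group and no role assignment has to be redone.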
Michael Wieloch is part of Ferroque’s technology services team with a seasoned background in datacentre operations. Michael is an avid Linux enthusiast and specializes in networking, security, virtualization, and operational monitoring & alerting integrations. When not thwarting cyberattacks, engineering hypervisors, and building ZFS clusters, Michael can be found cruising the streets on his motorcycle.