
Citrix Password Manager


Andy


One of our users ran into the following situation: the Citrix Password Manager client could not connect to the CPM server in a terminal session. It produced this error:

[Screenshot of the error message]

I spent a long time looking for the cause. The XTE server log contained the following errors:

[Thu Jul 28 11:45:08 2011] [error] [client x.x.x.x] request failed: error reading the headers


In the end I found a description of the errors (searching for the error from the screenshot turned up nothing). It turned out the cause was the number of Active Directory groups this user belongs to. The fix is to edit the httpd.conf config and increase the LimitRequestFieldSize parameter.

Below is the full text of the article, in case it is useful:

Error: You cannot use the password reset feature. Please contact your administrator

Document ID: CTX117606 / Created On: 02.07.2008 / Updated On: 01.10.2008

Symptoms

When using Citrix Password Manager Self-service Password Reset (SSPR), you receive the following error message:

“You cannot use the password reset feature. Please contact your administrator”

Cause

There are multiple conditions that can cause this problem. To narrow down the problem, go to the user configuration > Client Side Interaction > Check "Log Citrix Password Manager events using Windows Event logging"

When SSPR fails, it generates an error in the event viewer of the computer running the agent.

The error can occur when the user is trying to register the questions or when trying to use Self Service Password reset.

Issue 1:

The user is able to register questions but is unable to reset the password.

Event log entry:

Event Type: Error
Event Source: Citrix Password Manager
Event Category: Application
Event ID: 206
Date: 6/23/2008
Time: 3:01:40 PM
User: NT AUTHORITY\SYSTEM
Computer: ITTEST1
Description:
The Citrix Password Manager agent cannot contact Password Manager service to complete authentication. Return code: 12

This issue usually occurs when there is a policy setting the Minimum Password Age. This is a Windows policy. None of the Citrix Password Manager policies take effect during SSPR.

The Citrix Password Manager service may show the following event:

Event Source: Citrix Password Manager Service
Event Category: None
Event ID: 512
Date: 6/18/2008
Time: 11:58:15 AM
User: N/A
Computer: TEAMWI1
Description:
The user is not allowed to perform self-service password reset because the current password has not reached the minimum age specified in the domain password policy. User: 'TEAM.NET\\perfil1'

You can also use the Net Accounts command to show the password policies that apply to a user.

Issue 2:

The user is unable to register questions.

Event log entry:

Event Type: Error
Event Source: Citrix Password Manager
Event Category: Application
Event ID: 206
Date: 6/11/2008
Time: 12:06:16 PM
User: CHCF\temp
Computer: ITTEST1
Description:
The Citrix Password Manager agent cannot contact Password Manager service to complete authentication. Return code: 29

This event usually occurs when the agent is not able to contact the Citrix Password Manager service.

Check if the URL for the Citrix Password Manager service is correctly configured at the agent. You can look at HKLM\Software\Citrix\MetaFrame Password Manager\Extentions\Server - BaseURL

Make sure you can access the Citrix Password Manager sites from Internet Explorer on the workstation with the agent:

http://FQDN/MPMService/AuthSvc.asmx
http://FQDN/MPMServi...ollmentSvc.asmx
http://FQDN/MPMServi...TLMAuthSvc.asmx
http://FQDN/MPMServi...wdResetSvc.asmx

FQDN is the Fully Qualified Domain Name of the computer running the Service.

Issue 3:

You may get the error on issue 2 when registering the questions or you may be able to register the questions but fail at the SSPR with following event:

Event Type: Error
Event Source: Citrix Password Manager
Event Category: Application
Event ID: 206
Date: 6/13/2008
Time: 12:47:01 PM
User: NT AUTHORITY\SYSTEM
Computer: ITTEST1
Description:
The Citrix Password Manager agent cannot contact Password Manager service to complete authentication. Return code: 404

The XTE log in the Citrix Password Manager service may show (Program Files\Common Files\Citrix\XTE\Logs - Error.log):

[error] [client 192.168.0.80] File does not exist: C:/apache

- Or -

[error] [client 192.168.0.80] (OS 87)The parameter is incorrect. : mod_auth_ntlm: Can not generate context

This may occur if the Time Clock on the workstation and the Citrix Password Manager Service is Off for more than five minutes.

Issue 4:

You may get the error on issue 2 when registering the questions or you may be able to register the questions but fail at the SSPR with following event:

Event Type: Error
Event Source: Citrix Password Manager
Event Category: Application
Event ID: 206
Date: 8/08/2008
Time: 8:08:08 PM
User: PMTEST\User
Computer: PMWKSTN01
Description:
The Citrix Password Manager agent cannot contact Password Manager service to complete authentication. Return code: 29

The XTE log in the Citrix Password Manager service may show (Program Files\Common Files\Citrix\XTE\Logs\Error.log):

[Fri Aug 08 20:08:08 2008] [error] [client 10.8.8.8] request failed: error reading the headers

When accessing the page https://passwordmana...TLMAuthSvc.asmx from an agent computer as a user who cannot register questions, you receive the following error message:

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

This issue may occur if the user is a member of a large number of Active Directory groups. To resolve this issue, increase the LimitRequestFieldSize value from 8192KB to a suitable value, for example 16932KB, within the httpd.conf file (Program Files\Citrix\MetaFrame Password Manager\Service\httpd.conf).

More Information

Recommendations for SSPR issues:

- Make sure you enable Log Citrix Password Manager events using Windows Event logging at the user configuration.
- Check the event log on both the Citrix Password Manager service and the agent.
- Check the XTE log in the server hosting the Service (Program Files\Common Files\Citrix\XTE\Logs - Error.log).
- Test the Citrix Password Manager sites.
- Ensure that the LimitRequestFieldSize directive is suitably sized to accommodate any users who may be a member of a large number of Active Directory groups.
- See CTX107169 – Troubleshooting the Citrix Password Manager Service


This document applies to:
Password Manager 4.5
Password Manager 4.6
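
An added example, not part of the original post or the Citrix article: a small triage script that scans XTE Error.log lines for the three signatures quoted above and groups them per client by the issue the article associates with them. The sample log is constructed from the lines quoted in the article; the function and constant names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Diagnoses taken from the article's Issue 3 and Issue 4 sections.
ISSUE3 = "Issue 3: check clock skew between workstation and service (over five minutes)"
ISSUE4 = "Issue 4: request header too large; review LimitRequestFieldSize in httpd.conf"

# Log signatures quoted in the article, mapped to the issue they indicate.
SIGNATURES = [
    (re.compile(r"request failed: error reading the headers"), ISSUE4),
    (re.compile(r"mod_auth_ntlm: Can not generate context"), ISSUE3),
    (re.compile(r"File does not exist:"), ISSUE3),
]

# "[timestamp] [error] [client ip] message"; the timestamp is optional
# because the article quotes some lines without it.
LINE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] )?\[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

def triage(lines):
    """Return {client: {diagnosis: count}} for recognised error lines."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an [error] line with a client address
        for pattern, diagnosis in SIGNATURES:
            if pattern.search(m["msg"]):
                findings[m["client"]][diagnosis] += 1
                break
    return {client: dict(counts) for client, counts in findings.items()}

# Constructed sample built from the log lines quoted in the article.
SAMPLE_LOG = """\
[Fri Aug 08 20:08:08 2008] [error] [client 10.8.8.8] request failed: error reading the headers
[Fri Aug 08 20:09:10 2008] [error] [client 10.8.8.8] request failed: error reading the headers
[error] [client 192.168.0.80] File does not exist: C:/apache
[error] [client 192.168.0.80] (OS 87)The parameter is incorrect. : mod_auth_ntlm: Can not generate context
[Fri Aug 08 20:10:00 2008] [notice] constructed unrelated line
"""

if __name__ == "__main__":
    for client, counts in triage(SAMPLE_LOG.splitlines()).items():
        for diagnosis, n in counts.items():
            print(f"{client}: {n} x {diagnosis}")
```

A client that repeatedly shows the Issue 4 signature is a candidate for checking the affected user's Active Directory group membership before raising the limit.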
