This section provides information about troubleshooting this release. It contains the following topics:
Tip
For more information about known issues, see Issues tables.
WinRM configuration
You can use one of the following commands to configure the WinRM:
- winrm quickconfig -transport:http
- winrm quickconfig -transport:https
Note
If you are logged in on a non-Administrator account, you must either right-click the Command Prompt icon in the Start Menu and select Run as Administrator, or use the Runas command at the command prompt.
The winrm quickconfig command creates a firewall exception only for the current user profile. If the firewall profile is changed for any reason, you must run the winrm quickconfig command again to enable the firewall exception for the new profile.
WinRM automatically configures the ports that it uses. The port number might be different, depending on the version of WinRM that you install.
For WinRM 2.0 or later:
- The default HTTP port used is 5985.
- The default HTTPS port used is 5986.
The winrm quickconfig command also performs following tasks:
- Starts the WinRM service.
- Sets the WinRM service type to auto start.
- Creates a listener to accept requests on any IP address.
- Enables a firewall exception for WS-Management traffic (HTTP only).
Note
During WinRM configuration, on machines with User Access Control (UAC) enabled, ensure that LocalAccountTokenFilterPolicy is configured to grant administrative rights remotely to local users. If you do not configure this during WinRM configuration, then you need to manually add the LocalAccountTokenFilterPolicy registry key.
To add the LocalAccountTokenFilterPolicy registry key manually:
- Click Start, click Run, type
regedit,and press ENTER. - Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
- On the Edit menu, point to New, and click DWORD Value.
- Type LocalAccountTokenFilterPolicy, and press ENTER.
- Right-click LocalAccountTokenFilterPolicy, and click Modify.
- In the Value data box, type 1, and click OK.
- Exit Registry Editor.
Tip
- If WinRM reports that it is unable to verify the status of the firewall, start the firewall service and run the winrm quickconfig command again. You can stop the firewall service after configuring WinRM, if desired.
- If WinRM reports that it is unable to create a WinRM listener on HTTPS because the WinRM Server does not have a valid SSL certificate, check whether the SSL certificate is valid and ensure that it meets all requirements.
For an SSL certificate to be valid, its CN value must match the host name, it must not be expired, revoked, or self-signed, and it should be valid for server authentication.
Viewing WinRM configuration
You can use the following commands to view the WinRM configuration details:
- For the WinRM configuration:
winrm get winrm/config - For the WinRM Client configuration:
winrm get winrm/config/client - For the WinRM Server configuration:
winrm get winrm/config/service - For Winrs configuration:
winrm get winrm/config/winrs - For listener information:
winrm enumerate winrm/config/listener - For the WinRM version details:
winrm id
Verifying WinRM connection for a remote host
You can use the following commands to verify the WinRM connection with a remote host.
- To verify a remote host connection via HTTP or HTTPS using a domain account:
- winrm id -r:http://<hostname>:<port> -u:<domain\username> -p:<password>
- winrm id -r:https://<hostname>:<port> -u:<domain\username> -p:<password>
OR winrs -r:http://<hostname>:<port> -u:<domain\username> -p:<password><sys_command>
winrs -r:https://<hostname>:<port> -u:<domain\username> -p:<password><sys_command>
- To verify a remote host connection via HTTP or HTTPS using a local account:
- winrm id -r:http://<hostname>:<port> -u:<username> -p:<password>
- winrm id -r:https://<hostname>:<port> -u:<username> -p:<password>
OR - winrs -r:http://<hostname>:<port> -u:<username> -p:<password> <sys_command>
- winrs -r:https://<hostname>:<port> -u:<username> -p:<password> <sys_command>
Note
<sys_command> refers to any Microsoft Windows operating system command, such as DIR or SYSTEMINFO.
Data collection issues with published applications
For issues in data collection for published applications (BTK_APPLICATION application class) perform the following:
- Check whether "Citrix Independent Management Architecture" service is running on the XenApp Server used for monitoring the farm.
- Connect to the XenApp farm using Citrix AppCentre. Select the farm from left navigation tree. Click Users tab to see if all active user sessions are listed correctly. In case of issues while viewing the user sessions in AppCenter, PATROL data collection could also be impacted. Please contact Citrix Support to resolve this issue. To know the exact PATROL error please activate
/BTK_FARM/_CollectionStatusparameter.
Overview
Content Tools
Apps
Reporter Replacement
com.bmc.atlassian.bmc-util-plugin-2.section.label
Tasks
2 Comments
Daric Smith
The above information should not be in "Troubleshooting" this should be in the "Configuration after installation" and should have another section called "Pre-configure the OS environment". This is base installation information.
You should also include information on the XenApp account requirements such as "View Only" in the farm.
On top of the above, the XenApp account needs to be either a local administrator on any of the XenApp servers or in the WinRM security group if it exists, otherwise you will get "Access Denied" errors from Patrol.
It should be noted that WinRM needs to be configured on every server in the farm or you get numerous errors in the btk_server log and you won't get server performance data or active session data.
From the above it should be noted that the above configurations can be done through a Domain Group Policy to save configuration steps on individual servers.
Finally, this troubleshooting should reference that Patrol will log KM errors to the file: btk_server_nnn.log in the %PATROLHOME%\log directory.
Daric Smith
To view configuration errors through the operations console do the following (For some reason I can't include a picture):
One of the errors we saw:
ERROR:80338012:The client cannot connect to the destination specified in the request.
Verify that the service on the destination is running and is accepting requests.
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Another one we saw when we tried to retrieve license usage. This was resolved by enabling WinRM on the Citrix license server.
ERROR: Can't connect to the license server <license_server_name>.
ERROR:80338012:The client cannot connect to the destination specified in the request.
Verify that the service on the destination is running and is accepting requests.
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Affected Application Classes: BTK_FARM (FarmAvlConcUserLicenses)