
Wednesday, October 26, 2016

Remotely configuring “Startup type” and “Service status” with the “sc” command

I’ve been asked several times in the past by colleagues what the best way is to remotely configure the Startup type and Service status of a Windows desktop or server, so I thought it would be good to write a blog post that I could direct these questions to.

The method I use to remotely configure a service is the sc command, as described in the following TechNet article:
https://technet.microsoft.com/en-us/library/bb490995.aspx

Keep in mind that sc \\<computerName> talks to the remote Service Control Manager over RPC, so the account you run it as needs administrative rights on the target (by default only members of the local Administrators group can change a service's configuration), and the RPC/SMB traffic must be allowed between the two machines. The same access that lets you change a service's startup type also lets you change its binary path, so treat it as a high-privilege operation and keep the list of accounts that hold it short.

#1 – Review a service’s properties (Startup type)

To review a remote computer's service configuration (which includes the Startup type), execute the following:

sc \\<computerName> qc wsearch

The following is an example of the output:

C:\>sc \\tmrsvd-048 qc wsearch
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wsearch
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\SearchIndexer.exe /Embedding
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Search
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\>

The START_TYPE line in the output above is the Startup type. AUTO_START (DELAYED) corresponds to Automatic (Delayed Start) in the Services console; plain AUTO_START is Automatic, DEMAND_START is Manual and DISABLED is Disabled.

#2 – Review a service’s status (Service status)

To review a remote computer's service status, execute the following:

sc \\<computerName> query wsearch

The following is an example of the output:

C:\>sc \\tmrsvd-024 query wsearch

SERVICE_NAME: wsearch
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\>

The STATE line in the output above is the Service status: 4 RUNNING means the service is running, 1 STOPPED means it is stopped, and the *_PENDING values mean a transition is still in progress.

#3 – Configure a service’s Startup Type

To configure a remote computer's service Startup Type, execute the following:

sc \\<computerName> config wsearch start= <startup type>

Note the space after start=: Microsoft's sc documentation requires a space between an option and its value. The unspaced form in the captured output below happens to work on newer builds, but the spaced form works everywhere, so use it in scripts.

The startup type options are as follows:

  1. auto (Automatic)
  2. demand (Manual)
  3. disabled (Disabled)
  4. delayed-auto (Automatic (Delayed Start))

boot and system are also accepted but apply only to drivers. Changing the startup type does not affect a running instance of the service; it only governs what the Service Control Manager does at the next boot or start request, so pair it with sc start or sc stop if you need the current state to change as well.

More information about the switches can be found in the following TechNet article:
https://technet.microsoft.com/en-us/library/cc990290(v=ws.11).aspx

The following is an example of the output:

C:\>sc \\tmrsvd-075 config wsearch start=delayed-auto
[SC] ChangeServiceConfig SUCCESS

#4 – Starting or stopping a service

To start or stop a remote computer's service, execute the following:

sc \\<computerName> <start or stop> wsearch

More information about the switches can be found in the following TechNet article:
https://technet.microsoft.com/en-us/library/cc742126(v=ws.11).aspx

The following is an example of the output. Note that sc returns as soon as the Service Control Manager accepts the request, so the STATE it prints (STOP_PENDING or START_PENDING) is a snapshot taken while the transition is still in progress; re-run sc query afterwards to confirm the service actually reached STOPPED or RUNNING.

C:\>sc \\tmrsvd-075 stop wsearch

SERVICE_NAME: wsearch
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530

C:\>

C:\>sc \\tmrsvd-075 start wsearch

SERVICE_NAME: wsearch
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x4
        WAIT_HINT          : 0x7530
        PID                : 4172
        FLAGS              :

C:\>

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

With the commands above, we can create a batch file to bulk configure a set of computers as such:

@echo off
rem --Used to set service to auto delayed start and then start the service--
rem (the space after start= is required by the sc syntax)

for %%H in (computer-071 computer-072 computer-073 computer-074 computer-075) do (
    sc \\%%H config wsearch start= delayed-auto
    sc \\%%H start wsearch
)

rem --Used to check service--

for %%H in (computer-024 computer-075) do (
    sc \\%%H query wsearch
    sc \\%%H qc wsearch
)
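The same bulk operation in PowerShell, as an added example that is not part of the original post. It wraps sc.exe (the tool the post uses) rather than Set-Service, because Windows PowerShell 5.1's Set-Service cannot set Automatic (Delayed Start); it checks sc.exe's exit code per host and then verifies the resulting START_TYPE and STATE instead of assuming success. The hostnames are placeholders, and the script assumes you have administrative rights on each target.

```powershell
# Added example, not code from the original post. Wraps sc.exe to configure a list of
# hosts and verify the result. Needs local admin rights on each target and RPC/SMB
# reachability; the hostnames below are placeholders.

$Computers   = 'computer-071', 'computer-072', 'computer-073'
$ServiceName = 'wsearch'
$Desired     = 'delayed-auto'   # sc.exe start= values: auto | demand | disabled | delayed-auto

function Invoke-Sc {
    param([string]$Computer, [string[]]$Arguments)
    # Passing the arguments as an array keeps 'start=' and its value as two separate
    # tokens, which is what the sc.exe syntax requires.
    $output = & sc.exe "\\$Computer" $Arguments
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

function Get-ScField {
    param([string]$Text, [string]$Field)
    # Extracts the value of one line of sc output, e.g. "START_TYPE : 2 AUTO_START (DELAYED)".
    if ($Text -match "(?m)^\s*$Field\s*:\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

$results = foreach ($c in $Computers) {
    $cfg = Invoke-Sc -Computer $c -Arguments @('config', $ServiceName, 'start=', $Desired)
    if ($cfg.ExitCode -ne 0) {
        # Typical failures: 5 = access denied, 1060 = no such service, 1722 = RPC server unavailable
        [pscustomobject]@{ Computer = $c; Step = 'config'; ExitCode = $cfg.ExitCode; StartType = $null; State = $null; Detail = $cfg.Output }
        continue
    }

    $start = Invoke-Sc -Computer $c -Arguments @('start', $ServiceName)
    # 1056 = ERROR_SERVICE_ALREADY_RUNNING, which is acceptable here
    if ($start.ExitCode -notin 0, 1056) {
        [pscustomobject]@{ Computer = $c; Step = 'start'; ExitCode = $start.ExitCode; StartType = $null; State = $null; Detail = $start.Output }
        continue
    }

    # sc start returns while the service is still START_PENDING, so re-query for the real state
    Start-Sleep -Seconds 2
    $qc = Invoke-Sc -Computer $c -Arguments @('qc', $ServiceName)
    $q  = Invoke-Sc -Computer $c -Arguments @('query', $ServiceName)
    [pscustomobject]@{
        Computer  = $c
        Step      = 'verify'
        ExitCode  = 0
        StartType = Get-ScField -Text $qc.Output -Field 'START_TYPE'
        State     = Get-ScField -Text $q.Output  -Field 'STATE'
        Detail    = $null
    }
}

$results | Format-Table Computer, Step, ExitCode, StartType, State -AutoSize

# Anything that did not end up as AUTO_START (DELAYED) and RUNNING needs a second look
$results | Where-Object { $_.Step -ne 'verify' -or $_.StartType -notmatch 'DELAYED' -or $_.State -notmatch 'RUNNING' }
```

The final filter is the part the batch file lacks: a host that rejected the config change (for example with exit code 5, access denied) or never left START_PENDING is listed rather than silently scrolling past.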

Hope this helps anyone looking for an easy way to configure a remote computer’s service.

Tuesday, October 4, 2016

Installing VMware Horizon View agent onto Windows 7 desktop causes RDP to no longer work

Problem

You’ve installed or upgraded to the latest VMware Horizon Agent on a Windows 7 virtual desktop…

… but quickly noticed that you are no longer able to RDP to the virtual machine as the following error message is thrown:

This computer can’t connect to the remote computer.

Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.


Reviewing the System log on the Windows 7 virtual desktop shows the following Schannel error every time you attempt to remote desktop to the machine:

Log Name: System
Source:   Schannel
Event ID: 36871
Level:    Error

One of the common troubleshooting steps that turns up in internet searches is to enable the Require use of specific security layer for remote (RDP) connections policy and set the Security Layer to Negotiate.

Unfortunately, this does not correct the problem. With Negotiate the server still picks the most secure layer the client supports, which for any current Remote Desktop client is TLS, and Network Level Authentication (CredSSP) needs a TLS channel as well, so the connection fails in the same way.

Windows 10 virtual desktops do not appear to exhibit this issue.

Solution

One reason installing the Horizon View 7 agent causes this issue is that the installation appears to disable TLS 1.0 server-side on the Windows 7 desktop if it is not already disabled. You can confirm this by launching the Registry Editor on the desktop and navigating to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\

The Enabled REG_DWORD under this key is set to 0, which disables TLS 1.0 for every Schannel server on the machine. Without the update referenced below, Remote Desktop Services on Windows 7 can only use TLS 1.0 for its SSL/TLS security layer, so RDP is left with no protocol it can negotiate. You can quickly get RDP working again by changing the value to 1, but this is not the best solution, as it is best practice to leave TLS 1.0 off.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

**Note that downgrading the View agent to 6.2 actually removes the TLS 1.0 key from the registry, which puts TLS 1.0 back to its Schannel default (enabled) and makes RDP work again.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

The proper fix is to install the update from the following KB article on the Windows 7 desktop. It adds TLS 1.1 and TLS 1.2 support to Remote Desktop Services, so RDP no longer depends on TLS 1.0 being enabled:

Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2
https://support.microsoft.com/en-us/kb/3080079

Download the .msu file, complete the install (restart if prompted), and RDP should work again.
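A check script for this situation, as an added example that is not part of the original post: it reads the documented Schannel protocol keys and the RDP-Tcp SecurityLayer value, tests whether KB3080079 is present, and warns when TLS 1.0 is disabled while the update is missing. Run it on the Windows 7 desktop with administrative rights; it assumes PowerShell 3.0 or later and makes no changes.

```powershell
# Added example, not from the original post. Audits the settings that decide whether RDP
# can negotiate TLS on a Windows 7 / 2008 R2 host. Read-only; run locally as an administrator.
# Registry paths are the documented Schannel and Terminal Server locations.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # e.g. 'TLS 1.0', 'Server'
    $key = Join-Path $schannel "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all: Schannel uses its built-in default for that protocol
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = '(default)'; DisabledByDefault = '(default)' }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { '(default)' }
        DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(default)' }
    }
}

$states = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    Get-SchannelProtocolState -Protocol $proto -Side 'Server'
}
$states | Format-Table -AutoSize

# SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL/TLS. Negotiate still ends up on TLS with
# current clients, so it does not avoid the problem.
$layer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
"RDP-Tcp SecurityLayer: $layer"

# KB3080079 adds TLS 1.1/1.2 support to Remote Desktop Services on Windows 7 / 2008 R2
$kb = Get-HotFix -Id KB3080079 -ErrorAction SilentlyContinue
"KB3080079 installed: $([bool]$kb)"

$tls10Off = ($states | Where-Object Protocol -eq 'TLS 1.0').Enabled -eq 0
if ($tls10Off -and -not $kb) {
    Write-Warning 'TLS 1.0 is disabled server-side and KB3080079 is missing: RDP over TLS will fail (Schannel event 36871). Install the update rather than re-enabling TLS 1.0.'
}
```

The warning branch is the decision the post arrives at: when both conditions hold, the fix is the update, not flipping Enabled back to 1.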

Friday, September 30, 2016

Executing “Set-MsolADFSContext -computer” to configure Azure directory federation fails with: “The connection to .domain.com Active Directory Federation Services 2.0 server failed due to invalid credentials.”

Problem

You’ve used the Connect-MsolService cmdlet to connect to the WAAD instance, then run Set-MsolADFSContext -computer <ADFSserver>.domain.com to hook into the local ADFS server, but you get a credential prompt that rejects every password you try.

After the second attempt to authenticate, you are presented with the following error:

PS C:\> Set-MsolADFSContext -computer adfs.domain.com
Set-MsolADFSContext : The connection to adfs.domain.com Active Directo
ry Federation Services 2.0 server failed due to invalid credentials.
At line:1 char:20
+ Set-MsolADFSContext <<<<  -computer adfs.domain.com
    + CategoryInfo          : InvalidOperation: (:) [Set-MsolADFSContext], Fed
   erationException
    + FullyQualifiedErrorId : ConnectionToGenevaServerFailed,Microsoft.Online.
   Identity.Federation.Powershell.ContextCredentialsCommand

PS C:\>


You’ve ensured that Enable-PSRemoting -force has been executed successfully on the ADFS server, as outlined in the following KB: https://support.microsoft.com/en-us/kb/2587730

You’ve also confirmed that the port 5985 is opened on the firewall as per the following TechNet blog: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/07/the-connection-to-adfs-domain-com-active-directory-federation-services-2-0-server-failed-due-to-invalid-credentials.aspx
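Beyond remoting being enabled and the port being open, the WinRM error that shows up in the log further down, 0x80090322, is SEC_E_WRONG_PRINCIPAL ("the target principal name is incorrect"), which is about Kerberos and SPNs rather than the password. The following script, an added example that is not part of the original post, checks those preconditions from the workstation: what the name resolves to, which AD object owns the HTTP/ SPN for it, and whether a Kerberos-authenticated WS-Man identify call succeeds. adfs.domain.com is the placeholder name from the post; the script assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection, and the SPN-ownership advice in the final warning is a common cause, not the post's own conclusion.

```powershell
# Added example, not from the original post. Checks the preconditions that WinRM error
# 0x80090322 (SEC_E_WRONG_PRINCIPAL) points at, from the machine running Set-MsolADFSContext.
# Run as a domain user. 'adfs.domain.com' is the placeholder name used in the post.

$AdfsName = 'adfs.domain.com'

function Test-AdfsWinRmPrereqs {
    param([string]$Name)
    $report = [ordered]@{ Name = $Name }

    # 1. What does the name resolve to? A CNAME or a load-balancer VIP in front of several
    #    ADFS nodes means the Kerberos SPN may not belong to the host you actually reach.
    try {
        $dns = Resolve-DnsName -Name $Name -ErrorAction Stop
        $report.RecordTypes = ($dns | ForEach-Object Type | Sort-Object -Unique) -join ','
        $report.Addresses   = ($dns | Where-Object { $_.Type -in 'A', 'AAAA' } | ForEach-Object IPAddress) -join ','
    } catch { $report.RecordTypes = "DNS error: $($_.Exception.Message)" }

    # 2. Who owns HTTP/<name> in AD? WinRM runs as Network Service and can only decrypt
    #    tickets issued for the computer account (whose HOST/ SPN covers HTTP/). If the SPN
    #    sits on a user account, as the federation service name does for ADFS itself,
    #    Kerberos to WinRM on that name fails.
    $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$Name)"
    $owners = $searcher.FindAll() | ForEach-Object {
        "$($_.Properties['samaccountname']) ($(@($_.Properties['objectclass'])[-1]))"
    }
    $report.HttpSpnOwner = if ($owners) { $owners -join '; ' } else { '(none registered)' }

    # 3. Is the WinRM HTTP listener reachable, and does Kerberos authentication succeed against it?
    $report.WsmanListener = [bool](Test-NetConnection -ComputerName $Name -Port 5985 -InformationLevel Quiet -WarningAction SilentlyContinue)
    try {
        $id = Test-WSMan -ComputerName $Name -Authentication Kerberos -ErrorAction Stop
        $report.KerberosAuth = "OK (WSMan $($id.ProductVersion))"
    } catch { $report.KerberosAuth = "FAILED: $($_.Exception.Message)" }

    [pscustomobject]$report
}

$r = Test-AdfsWinRmPrereqs -Name $AdfsName
$r | Format-List

if ($r.KerberosAuth -like 'FAILED*' -and $r.HttpSpnOwner -notmatch '\(computer\)') {
    Write-Warning "HTTP/$AdfsName is not owned by a computer account. Try pointing -Computer at the ADFS server's own hostname (whose HOST/ SPN covers WinRM) instead of the federation service name."
}
```

If the listener is reachable but KerberosAuth fails while a plain Test-WSMan (no -Authentication) succeeds, the problem is the principal name rather than the network path, which matches the "SPN for the remote computer name and port does not exist" cause WinRM lists.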

You proceed to run the Set-MsolADFSContext cmdlet with the -logfile c:\log.txt switch to get more information…

… and obtain the following information:

11/16/2015 10:07:37 AM    Command Set-MsolADFSContext invoked.
11/16/2015 10:07:37 AM    Creating ADFS Server PS session.
11/16/2015 10:07:37 AM    ContextCredentialsCommand:CreatePowerShellSessionToGenevaServer: Invoked.
11/16/2015 10:07:37 AM    Creating PS session to 'adfs.domain.com' ADFS server
11/16/2015 10:07:37 AM    Connect using current logged-on user creds.
11/16/2015 10:07:37 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:07:37 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:07:38 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:07:38 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:07:38 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:07:38 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:07:38 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:07:38 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:07:38 AM    Going to sleep mode for 1000 milliseconds before reattempt - 2
11/16/2015 10:07:39 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:07:39 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:07:39 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
[... same PSRemotingTransportException (WinRM, Kerberos, errorcode 0x80090322), "Command failed" entry and stack trace as above ...]
11/16/2015 10:07:39 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:07:39 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:07:39 AM    Going to sleep mode for 2000 milliseconds before reattempt - 3
11/16/2015 10:07:41 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:07:41 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:07:41 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
[... same exception, "Command failed" entry and stack trace ...]
11/16/2015 10:07:41 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:07:41 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:07:41 AM    Failure after too many retry attempts...
11/16/2015 10:07:41 AM    Wrong credentials to ADFS Server connection, attempt #'1'
11/16/2015 10:07:41 AM    Prompting the user for 'adfs.domain.com' ADFS Server creds.
11/16/2015 10:07:41 AM    ContextCredentialsCommand:GetServerCredentials: Invoked.
11/16/2015 10:08:04 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:04 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:04 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
[... same exception, "Command failed" entry and stack trace, now with the credentials entered at the prompt ...]
11/16/2015 10:08:04 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:04 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:04 AM    Going to sleep mode for 1000 milliseconds before reattempt - 2
11/16/2015 10:08:05 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:05 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:06 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
[... same exception, "Command failed" entry and stack trace ...]
11/16/2015 10:08:06 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:06 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:06 AM    Going to sleep mode for 2000 milliseconds before reattempt - 3
11/16/2015 10:08:08 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:08 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:08 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
[... same exception, "Command failed" entry and stack trace; the captured log ends here ...]
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:08 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:08 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:08 AM    Failure after too many retry attempts...
11/16/2015 10:08:08 AM    Wrong credentials to ADFS Server connection, attempt #'2'
11/16/2015 10:08:08 AM    Prompting the user for 'adfs.domain.com' ADFS Server creds.
11/16/2015 10:08:08 AM    ContextCredentialsCommand:GetServerCredentials: Invoked.
11/16/2015 10:08:22 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:22 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:23 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:23 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:23 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:23 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:23 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:23 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:23 AM    Going to sleep mode for 1000 milliseconds before reattempt - 2
11/16/2015 10:08:24 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:24 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:24 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:24 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:24 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:24 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:24 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:24 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:24 AM    Going to sleep mode for 2000 milliseconds before reattempt - 3
11/16/2015 10:08:26 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:26 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:26 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:26 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:26 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:26 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:26 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:26 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:26 AM    Failure after too many retry attempts...
11/16/2015 10:08:26 AM    Wrong credentials to ADFS Server connection, attempt #'3'

Reviewing the event logs of the ADFS server (not the proxy) shows that the following Event ID 4 error is logged:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server bmadfs01$. The target name used was HTTP/adfs.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.COM) is different from the client domain (domain.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Log Name: System

Source: Security-Kerberos

Event ID: 4

Level: Error

image

You’ve reviewed the following forum post and your environment does not exhibit the SPN issue:

https://social.technet.microsoft.com/Forums/windows/en-US/a4c5c787-ea65-4150-8d16-2a19c569a589/enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error-0x80090322?forum=winserverpowershell

Solution

The solution to this issue, if none of the above troubleshooting suggestions apply to your environment, is actually to execute the Set-MsolADFSContext cmdlet using the internal ADFS server’s FQDN rather than the adfs A record you created to reference the server.  The environment I worked in that exhibited this issue had an internal DNS A record adfs that mapped to the internal ADFS server, so when the cmdlet was executed referencing this record, it caused the Kerberos error to be thrown and logged.  As simple as this error could be, I find that this question gets asked quite often, so I hope this blog post helps those who encounter this issue.
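As an added example (not code from the original post), the following PowerShell pre-check tells you from the SPN registration alone whether a name will work for the WinRM session that Set-MsolADFSContext opens, and then runs the cmdlet against the name that passes. It assumes the RSAT ActiveDirectory module, a domain-joined caller, and uses the redacted host names from the log above (adfs.domain.com, bmadfs01) as placeholders.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# (RSAT) module is installed, the caller is a domain user, and that the host
# names are placeholders based on the redacted log above (adfs.domain.com, bmadfs01).
Import-Module ActiveDirectory

function Test-AdfsContextName {
    <#
      Reports whether a name is safe to pass to Set-MsolADFSContext -Computer.
      WinRM on the ADFS server decrypts Kerberos tickets with the computer
      account's key, so HTTP/<name> must map to that computer account. The
      federation service itself needs HTTP/adfs.domain.com on the ADFS service
      account (leave that SPN alone); a ticket for it cannot be decrypted by
      WinRM, which is the KRB_AP_ERR_MODIFIED / 0x80090322 pair in the post.
    #>
    param([Parameter(Mandatory)][string] $Name)

    $spn     = "HTTP/$Name"
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $self    = Get-ADComputer -LDAPFilter "(dNSHostName=$Name)"

    $ok = $false
    if ($holders.Count -eq 0) {
        # No explicit HTTP/ SPN: the KDC falls back to HOST/<name>, which only
        # exists for the computer account's own DNS host name.
        if ($self) { $ok = $true; $why = "HOST/ SPN of computer account $($self.Name) covers $spn" }
        else       { $why = "no account holds $spn and $Name is not a computer's DNS host name" }
    } elseif ($holders.Count -gt 1) {
        $why = "duplicate SPN $spn on: " + (($holders | ForEach-Object Name) -join ', ')
    } elseif ($holders[0].ObjectClass -eq 'computer') {
        $ok = $true; $why = "$spn is held by computer account $($holders[0].Name)"
    } else {
        $why = "$spn is held by $($holders[0].Name) ($($holders[0].ObjectClass)), not by the computer account: expect 0x80090322 over WinRM"
    }

    [pscustomobject]@{ Name = $Name; Spn = $spn; UsableForWinRm = $ok; Reason = $why }
}

# The alias from the post fails the check; the server's own FQDN (placeholder
# derived from the bmadfs01$ account in the event) passes, so use that one.
$candidates = 'adfs.domain.com', 'bmadfs01.domain.com'
$checks = foreach ($c in $candidates) { Test-AdfsContextName -Name $c }
$checks | Format-Table -AutoSize

$target = ($checks | Where-Object UsableForWinRm | Select-Object -First 1).Name
if (-not $target) { throw 'No candidate name maps HTTP/<name> to the ADFS computer account.' }
Set-MsolADFSContext -Computer $target -LogFile "$env:TEMP\MsolADFSContext.log"
```

The check deliberately does not move or duplicate the HTTP/adfs.domain.com SPN, since the federation service depends on it staying on the ADFS service account.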

Wednesday, September 28, 2016

Attempting to connect to VMware Horizon View virtual desktop through the security server throws the error: “Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.”

Problem

You’ve noticed that the following error is thrown when you attempt to connect to a VMware Horizon View virtual desktop through the security server with the VMware Horizon Client:

Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.

imageimage

The following information is logged in the events:

Severity: Audit failure

Module: Connection Server

Message: Unable to launch from Pool <desktopPoolName> for user domain\username

More Information: Unable to launch from Pool <desktopPoolName> for user domain\username: No co-management availability for protocol PCoIP

image

Attempting to use the Blast protocol from the View client will present a black screen:

image

image

… then throws the following error:

The connection to the remote computer ended

image

Attempting to use the browser to log in:

image

… will briefly present a triangle and exclamation mark for the desktop:

image

Then display the following error:

An error has occurred: {"code":"ETIMEDOUT","errno":"ETIMEDOUT","syscall":"connect","address":"10.34.30.60","port":22443}

image

Solution

One of the reasons why these errors would be thrown is if the following ports are not open from the Security servers to the virtual desktops:

  • TCP/UDP 4172
  • TCP 22443
  • TCP 32111
  • UDP 22443
  • TCP 9427

Verify the ports above and all other ports identified in the following KB:

VMware View ports and network connectivity requirements (1027217)
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1027217
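As an added example (not part of the original post), the following PowerShell check runs on a Security Server and attempts a TCP handshake on each of the ports listed above against a virtual desktop; it reuses the desktop address from the ETIMEDOUT error above as a placeholder, and it flags the UDP ports for a firewall-rule review because a handshake cannot prove them.

```powershell
# Added example, not part of the original post. Run on a Security Server
# (Windows PowerShell); the desktop address is the one from the post's
# ETIMEDOUT error and stands in for a real virtual desktop.
$DesktopAddress = '10.34.30.60'

# Ports the post lists between the Security Servers and the virtual desktops.
# UDP cannot be proved by a handshake, so those rows are flagged for a
# firewall-rule review rather than tested.
$RequiredPorts = @(
    @{ Proto = 'TCP'; Port = 4172  },
    @{ Proto = 'UDP'; Port = 4172  },
    @{ Proto = 'TCP'; Port = 22443 },
    @{ Proto = 'UDP'; Port = 22443 },
    @{ Proto = 'TCP'; Port = 32111 },
    @{ Proto = 'TCP'; Port = 9427  }
)

function Test-ViewDesktopPorts {
    param(
        [Parameter(Mandatory)][string] $ComputerName,
        [int] $TimeoutMs = 3000   # Blast's ETIMEDOUT is a connect that never completes
    )
    foreach ($p in $RequiredPorts) {
        if ($p.Proto -ne 'TCP') {
            $state = 'UDP: not testable by handshake, check firewall rule'
        } else {
            $client = New-Object System.Net.Sockets.TcpClient
            $open   = $false
            try {
                $async = $client.BeginConnect($ComputerName, $p.Port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $client.EndConnect($async)    # throws on RST (closed port)
                    $open = $client.Connected
                }
            } catch { $open = $false }            # refused / unreachable
            finally { $client.Close() }           # also abandons a timed-out connect
            $state = if ($open) { 'open' } else { 'BLOCKED or closed' }
        }
        [pscustomobject]@{ Protocol = $p.Proto; Port = $p.Port; State = $state }
    }
}

$results = Test-ViewDesktopPorts -ComputerName $DesktopAddress
$results | Format-Table -AutoSize
$blocked = @($results | Where-Object State -like 'BLOCKED*')
if ($blocked.Count -gt 0) {
    Write-Warning ("TCP ports not reachable from this Security Server: " + ($blocked.Port -join ', '))
}
```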

Tuesday, August 23, 2016

Unable to add additional Delivery Controller to an existing Citrix XenDesktop 7.9 site

Problem

You’ve just completed configuring a new Citrix XenDesktop site on your first delivery controller and proceed to install XenDesktop onto the second delivery controller, then select Scale your deployment – Connect this Delivery Controller to an existing Site to connect the second delivery controller to the site:

image

You proceed to specify the first delivery controller’s FQDN:

image

image

image

… but the process does not complete and displays the following message:

There was a problem communicating with the server

image

Clicking on the View details button displays the following:

Error Id: XDDS:CCA074AC

Exception:

Citrix.Console.Models.Exceptions.CommunicationErrorException There was a problem communicating with the server.

at Citrix.Console.PowerShellInteraction.CmdletExecutionMethods.CreateException[T](ICommonLog logger, ExecutionResults`1 results, ICmdletExecutionHost host)

at Citrix.Console.PowerShellInteraction.CmdletExecutionMethods.Execute[T](ISdkCmdlet`1 sdkCmd, ICmdletExecutionHost host, Boolean allowFailover)

at Citrix.Console.PowerShellInteraction.SdkServiceBase.GetDatabaseScript(ICmdletExecutionHost cmdletExecutionHost, String instanceAddress, SdkScriptType sdkScriptType, String serviceGroupName, String controllerSid, Boolean databaseIsLocal, String databaseName, DataStore dataStore)

at Citrix.Console.PowerShellSdk.DatabaseService.Scripts.GenerateSchemasScript.RunScript()

at Citrix.Console.PowerShellInteraction.PowerShellScript`1.Run()

at Citrix.Console.PowerShellSdk.DatabaseService.PSDatabaseService.AddControllerToDatabases(IEnumerable`1 databaseCredentials, String configServiceAddress, ScriptExecutionContext context, String controllerToAddAddress)

at Citrix.Console.PowerShellSdk.SiteService.Scripts.JoinExistingSiteScript.RunScript()

at Citrix.Console.PowerShellInteraction.PowerShellScript`1.Run()

at Citrix.Console.DeliveryCenter.UI.Dialogs.JoinExistingSiteDialogViewModel.OkBackgroundOperation(IProgressReporter progressReporter)

at Citrix.Console.Common.OperationTimer.TimeBlock(Action operation)

at Citrix.Console.CommonControls.ProgressDisplay.GenericProgressOperationWithFeedBack.PerformOperationInternal()

at Citrix.Console.CommonControls.ProgressDisplay.ProgressWindowOperation.PerformOperation()

at Citrix.Console.CommonControls.ProgressDisplay.ProgressWindowViewModel.PerformAction(Action operationComplete)

DesktopStudio_ErrorId : CommunicationError

Sdk Error Message : An invalid URL was given for the service. The value given was 'SVR-CTXDC-02.ccs.int'.

The reason given was: Failed to connect to back-end server 'SVR-CTXDC-02.ccs.int' on port 80 using binding WSHttp. The server may be off-line or may not be running the appropriate service

The HTTP service located at http://svr-ctxdc-02.ccs.int/Citrix/AdIdentityContract/v2 is unavailable. This could be because the service is too busy or because no endpoint was found listening at the specified address. Please ensure that the address is correct and try accessing the service again later.

The remote server returned an error: (503) Server Unavailable..

Sdk Error ID : Citrix.XDPowerShell.Status.CommunicationError,Citrix.ADIdentity.Sdk.DataStore.Commands.GetAcctDBSchemaCommand

ErrorCategory : ResourceUnavailable

DesktopStudio_PowerShellHistory : JoinExistingSiteScript

8/22/2016 9:44:04 PM

Get-ConfigDBConnection -AdminAddress "svr-ctxdc-01.ccs.int"

Get-AcctDBSchema -AdminAddress "SVR-CTXDC-02.ccs.int" -DatabaseName "CitrixBakery LaneSite" -ScriptType "Instance"

Get-AcctDBSchema : An invalid URL was given for the service. The value given was 'SVR-CTXDC-02.ccs.int'.

The reason given was: Failed to connect to back-end server 'SVR-CTXDC-02.ccs.int' on port 80 using binding WSHttp. The server may be off-line or may not be running the appropriate service

The HTTP service located at http://svr-ctxdc-02.ccs.int/Citrix/AdIdentityContract/v2 is unavailable. This could be because the service is too busy or because no endpoint was found listening at the specified address. Please ensure that the address is correct and try accessing the service again later.

The remote server returned an error: (503) Server Unavailable..

+ CategoryInfo : InvalidOperation: (:) [Get-AcctDBSchema], InvalidOperationException

+ FullyQualifiedErrorId : Citrix.XDPowerShell.Status.CommunicationError,Citrix.ADIdentity.Sdk.DataStore.Commands.GetAcctDBSchemaCommand

Inner Exception:

System.InvalidOperationException An invalid URL was given for the service. The value given was 'SVR-CTXDC-02.ccs.int'.

The reason given was: Failed to connect to back-end server 'SVR-CTXDC-02.ccs.int' on port 80 using binding WSHttp. The server may be off-line or may not be running the appropriate service

The HTTP service located at http://svr-ctxdc-02.ccs.int/Citrix/AdIdentityContract/v2 is unavailable. This could be because the service is too busy or because no endpoint was found listening at the specified address. Please ensure that the address is correct and try accessing the service again later.

The remote server returned an error: (503) Server Unavailable..

at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)

Inner Exception:

System.ServiceModel.CommunicationException Failed to connect to back-end server 'SVR-CTXDC-02.ccs.int' on port 80 using binding WSHttp. The server may be off-line or may not be running the appropriate service

at Citrix.Fma.Sdk.CommonCmdlets.AdminConnection`1..ctor(ConnectionSpec connectionSpec)

at Citrix.Fma.Sdk.CommonCmdlets.AdminConnection`1.GetAdminConnection(String serverPortString, String endpointAddress, Nullable`1 binding)

at Citrix.Fma.Sdk.CommonCmdlets.CommonCmdletBase.CreateProxy(String adminAddress, String endpointAddress, Nullable`1 adminBinding)

at Citrix.Fma.Sdk.CommonCmdlets.WcfCmdletBase`1.OpenConnection(Boolean terminateOnFailure)

Inner Exception:

System.ServiceModel.ServerTooBusyException The HTTP service located at http://svr-ctxdc-02.ccs.int/Citrix/AdIdentityContract/v2 is unavailable. This could be because the service is too busy or because no endpoint was found listening at the specified address. Please ensure that the address is correct and try accessing the service again later.

Server stack trace:

at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)

at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)

at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)

at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)

at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)

at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)

at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)

at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)

at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)

at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)

at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)

at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)

at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

Exception rethrown at [0]:

at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

at System.ServiceModel.ICommunicationObject.Open()

at Citrix.Fma.Sdk.CommonCmdlets.AdminConnection`1..ctor(ConnectionSpec connectionSpec)

Inner Exception:

System.Net.WebException The remote server returned an error: (503) Server Unavailable.

at System.Net.HttpWebRequest.GetResponse()

at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)

You notice the following error while parsing through the log output:

DesktopStudio_ErrorId : CommunicationError

Sdk Error Message : An invalid URL was given for the service. The value given was 'SVR-CTXDC-02.ccs.int'.

The reason given was: Failed to connect to back-end server 'SVR-CTXDC-02.ccs.int' on port 80 using binding WSHttp. The server may be off-line or may not be running the appropriate service

The HTTP service located at http://svr-ctxdc-02.ccs.int/Citrix/AdIdentityContract/v2 is unavailable. This could be because the service is too busy or because no endpoint was found listening at the specified address. Please ensure that the address is correct and try accessing the service again later.

The remote server returned an error: (503) Server Unavailable..

image

Solution

One of the reasons why this error would be thrown is if the following 2 services are not started:

  1. Citrix AD Identity Service
  2. Citrix App Library

imageimage

Simply starting the 2 services and rerunning the Connect this Delivery Controller to an existing Site step will allow you to connect the new delivery controller to the site.

image
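As an added example (not part of the original post), the following PowerShell pre-flight check confirms that the two services above are running on the controller named in the error, optionally starts them, and then probes the AdIdentityContract endpoint that returned the 503 so you know the join step is worth rerunning. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName) and reuses the controller name and endpoint path quoted in the error.

```powershell
# Added example, not part of the original post. Windows PowerShell 5.1 is
# assumed (Get-Service -ComputerName); the controller name and endpoint
# path are the ones quoted in the error above.
$Controller   = 'SVR-CTXDC-02.ccs.int'
$DisplayNames = 'Citrix AD Identity Service', 'Citrix App Library'
$Endpoint     = "http://$Controller/Citrix/AdIdentityContract/v2"

function Test-XdControllerServices {
    param(
        [Parameter(Mandatory)][string]   $ComputerName,
        [Parameter(Mandatory)][string[]] $ServiceDisplayNames,
        [switch] $StartIfStopped
    )
    $found = @(Get-Service -ComputerName $ComputerName -DisplayName $ServiceDisplayNames)
    foreach ($wanted in $ServiceDisplayNames) {
        $svc = $found | Where-Object DisplayName -eq $wanted
        if (-not $svc) {
            [pscustomobject]@{ Service = $wanted; Status = 'NOT INSTALLED' }
            continue
        }
        if ($svc.Status -ne 'Running' -and $StartIfStopped) {
            # ServiceController objects from a remote Get-Service can be started directly
            try { $svc.Start(); $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60)) }
            catch { Write-Warning "$wanted on ${ComputerName}: $($_.Exception.Message)" }
        }
        $svc.Refresh()
        [pscustomobject]@{ Service = $wanted; Status = $svc.Status }
    }
}

function Test-XdEndpoint {
    param([Parameter(Mandatory)][string] $Uri)
    # A WCF WSHttp endpoint does not serve plain GETs, so any HTTP answer other
    # than 503 means something is listening; 503 is the state shown in the post.
    try {
        $null = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
        return 'listening'
    } catch [System.Net.WebException] {
        $response = $_.Exception.Response
        if (-not $response) { return "unreachable: $($_.Exception.Message)" }
        $code = [int]$response.StatusCode
        if ($code -eq 503) { return '503 Service Unavailable (service not started)' }
        return "listening (HTTP $code)"
    }
}

Test-XdControllerServices -ComputerName $Controller -ServiceDisplayNames $DisplayNames -StartIfStopped |
    Format-Table -AutoSize
"AdIdentity endpoint: " + (Test-XdEndpoint -Uri $Endpoint)
```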