Microsoft Tech Community

Cannot onboard Citrix servers with new method


Hello,

A few months ago, we enrolled a bunch of 2012 R2 (and 2016) servers in MDE. At the time we needed isolation for these servers as well, but the functionality was not available. We solved it via a script that would query the tenant for events and then connect to the VMware API to isolate the server.

However, a few months ago, Microsoft finally released the unified method of onboarding servers to MDE and we went through the process of migrating all our servers. However, I'm struggling to migrate specific 2012 R2 servers, namely the ones that are Citrix workers.

I followed this https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?vi... but it didn't help.

So here is what I've got to test on my "master":

- Windows 2012 R2 fully patched.

- I install the unified client

- I copy the onboarding script, specially created for VDI (as per the article)

- I want to have one entry per Citrix worker.

- I configure local group policy to run the scripts at startup

Now, I reboot the master (I know, it will onboard the master) OR I also launch the script manually (the one that is configured at startup: Onboard-NonPersistentMachine.ps1).

But... it doesn't onboard anything; I don't see anything in the tenant.

 

So I checked the event viewer.

- In the Application log I do see a successful WDATPOnboarding event

- In the SENSE log, I see a bunch of information events (triggered after the onboarding process finishes), but then I see periodic events (10s, 130s, 10s, 70s, etc.) of an error:

Failed to communicate with authentication service, register request failed, result 0x800705B4, error code 0

- The Sense service is running

- The diagnostic tracker is running

- When I run the MDE analyser I get 1 warning, which doesn't seem to be related to the issue.

- Sometimes in the middle of the hundreds of errors in the SENSE event log, I see a warning that says:

Contacted server 7 times, failed 6 times and succeeded 1 times, URI: https://winatp-gw-weu.microsoft.com/ Last HTTP code: 0

Searching around on the Internet, the hex error I got usually seems to be related to network stuff... so:

- I double-checked our firewall rules. Opened everything wide.

- I made sure the Update service was enabled and rechecked for updates. Nothing.

- From the server, I do have Internet access to all sites (Microsoft and non-Microsoft)

- I disabled local firewall

- I connect to the URL and it tells me that the CA is not trusted. I add the certificate (and the whole chain, for that matter) to the _system_ trusted root CA store. Now I do not get an error anymore.

- If I append /test to the URL, I get an "Ok" string back. So the browser is able to connect to the site, and I suppose the system can as well.

- I install Wireshark, but obviously I don't see anything. I only wanted to see if there were some SYNs that didn't get a response.

- If I go to a server that was onboarded normally and which works, I see that it tries to connect to the same URL, but it says: Contacted server X times, all succeeded.

- At one point, I thought the error might be normal and would disappear for a Citrix worker and not for the master/template... so I pushed it... but everything is the same (onboarded according to the event log, errors in the SENSE event log, nothing in the MDE portal).

Any ideas? I'm currently out of any.

Thanks

Paulo
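The checks listed in the post above (service state, the onboarding event, the register failures in the SENSE log, and whether the box can actually complete a trusted TLS handshake to the gateway named in the warning) can be gathered in one pass. The script below is an added example written for this thread, not code from the poster or from Microsoft. It assumes the service names `Sense` and `DiagTrack`, the event log `Microsoft-Windows-SENSE/Operational`, and the Application-log provider `WDATPOnboarding`; the gateway host comes from the warning quoted in the post.

```powershell
# Added diagnostic script (not from the thread). Collects the evidence the post
# describes so the failing master and a working server can be compared side by side.
# Assumed names: services 'Sense' and 'DiagTrack', log 'Microsoft-Windows-SENSE/Operational',
# Application-log provider 'WDATPOnboarding'. Written for PowerShell 4.0 on 2012 R2.
$Gateway = 'winatp-gw-weu.microsoft.com'   # host taken from the SENSE warning in the post

# 1. Services the sensor needs before it can register
foreach ($svc in 'Sense', 'DiagTrack') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { '{0,-10} {1}' -f $svc, $s.Status } else { '{0,-10} not installed' -f $svc }
}

# 2. Most recent onboarding event in the Application log
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } `
    -MaxEvents 1 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# 3. Register failures and the "Contacted server" summary from the SENSE log (last hour)
$since = (Get-Date).AddHours(-1)
$senseEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; StartTime = $since } `
    -ErrorAction SilentlyContinue
$failures = @($senseEvents | Where-Object { $_.Message -match 'register request failed' })
'SENSE events since {0}: {1}; register failures: {2}' -f $since, @($senseEvents).Count, $failures.Count
$senseEvents | Where-Object { $_.Message -match 'Contacted server' } |
    Select-Object -First 1 -ExpandProperty Message

# 4. System-wide WinHTTP proxy, which the sensor uses rather than the browser's proxy setting
netsh winhttp show proxy

# 5. TLS probe: can the machine negotiate TLS 1.2 with the gateway, and does it trust the chain?
#    The callback records the chain status instead of failing, so the result is visible either way.
$chainErrors = 'not evaluated'
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Gateway, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, {
        param($src, $cert, $chain, $errors)
        $script:chainErrors = $errors   # SslPolicyErrors.None means the chain is trusted
        $true
    })
    $ssl.AuthenticateAsClient($Gateway, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    'TLS {0} negotiated with {1}; chain validation result: {2}' -f $ssl.SslProtocol, $Gateway, $chainErrors
    $ssl.Dispose()
} catch {
    'TLS handshake to {0} failed: {1}' -f $Gateway, $_.Exception.Message
} finally {
    $client.Close()
}
```

Run it elevated on the non-onboarding master and on a server that registers correctly, then diff the two outputs: a chain result other than `None` points at the trusted root store, a failed TLS 1.2 handshake at the protocol configuration, and a proxy listed by `netsh` that the browser does not use explains why a browser test can succeed while the sensor still cannot reach the gateway.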

6 Replies

Hello,

I know I was quite verbose, but has nobody experienced these types of errors? Or an approach to debug this?

Thanks
Paulo

Hey, so we are running into the exact same issue. "Most" of our Citrix servers will not onboard (everything else runs), and the onboarding script says "successful", but there are countless "Failed to communicate with authentication service, register request failed, result 0x800705B4, error code 0" errors.
Some Citrix servers do seem to onboard, but there are still many intermittent errors of the same variety. Almost like they are "working enough".

Any chance you figured out a magical solution or discovered the base problem, by chance?
Some wild VDA (we're running 7.15 LTSR CU2 VDA) thing maybe.

Having the same problem.
Win2k12R2 in our DMZ with proxy.
But Win2019 in the DMZ with the same reg settings is working.

I tried to set TLS 1.2 only to rule that out, which would be the only different thing I tried, but same error.

So we upgraded our Citrix servers' VDA to CU5, and that resolved our issue.

That's good info! I'll check what we have.
In the meantime, I opened a call with Microsoft, but it didn't get anywhere. I was trying to onboard the master, which apparently will NOT work; but when I prepped the master to create the worker, according to their procedure, it still doesn't work....

So @yscotty I'll check your solution.

@yscotty

I had a Windows Server 2012 R2 system with the exact event log entry and error code. The server was running Citrix 7.15 LTSR CU2. I upgraded to 1912 LTSR CU6 and the server onboarded without issues.