I'm getting access denied despite my service principal being given full permissions.

Not having this issue with any other Citrix Cloud APIs

Meh - it works with a secure client... not a service principal. Annoying!

Any Citrix peeps here know when the reversion to Director which incorrectly reports full load events as failures will be fixed?

Using a custom domain URL against Entra ID, do I need to worry about the OIDC enterprise application's redirect URIs, like I would if i were using SAML? Or does Citrix Cloud manage that for us?

xAnother Citrix Cloud DaaS API issue! I’d be very interested to see if others are seeing the same, as I see the same issue on every Citrix Cloud Tennent I’ve checked so far. When querying Citrix Cloud connectors via the Citrix Cloud API, the status is always 'unknown' even if the cloud connector is in a good state. API: https://api.cloud.com/connectors/ Endpoint: Connectors_GetAll API Docs: https://developer-docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connectors/apis/#/Connectors/Connectors-GetAll Example JSON from API request: Connectors_GetAll: [ { "id": "*[REDACTED]*", "fqdn": “*[REDACTED]*", "role": null, "windowsSid": "S-1-5-21-*[REDACTED]*", "location": "*[REDACTED]*", "currentVersion": "4.381.0.4578", "currentBootstrapperVersion": "6.114.0.4578", "expectedVersion": "4.381.0.4578", "expectedBootStrapperVersion": "6.114.0.4578", "versionState": "Normal", "inMaintenance": false, "leaseEndDateTime": null, "upgradeDisabled": false, "connectorType": "Windows", "status": "Unknown", "lastContactDate": "2025-04-11T101040.0169354Z" }, { "id": "*[REDACTED]*", "fqdn": "*[REDACTED]*", "role": null, "windowsSid": "S-1-5-21-*[REDACTED]*", "location": "*[REDACTED]*", "currentVersion": "4.381.0.4578", "currentBootstrapperVersion": "6.114.0.4578", "expectedVersion": "4.381.0.4578", "expectedBootStrapperVersion": "6.114.0.4578", "versionState": "Normal", "inMaintenance": false, "leaseEndDateTime": null, "upgradeDisabled": false, "connectorType": "Windows", "status": "Unknown", "lastContactDate": "2025-04-11T100826.6928764Z" } I have tested this across different customer tenants and get the same result I see similar behaviour from the Cloud Connector ConnectivityData API /healthdata/connectivitydata When the parameter 'dataAggregationTime' is set to 'OneDay' the latest entry is always 'unknown'. { "overallConnectorConnectivity": { "1744329600": "Unknown", # Unix time conversion: midnight, 11/4 (the past) "1744416000": "Connected"... # Unix time conversion: midnight, 12/4 (the future) but without the 'dataAggregationTime' param, all tests always come back 'connected' The confusing part here is that, at the time of query, 12/4 was in the future so there was no way the test could have run yet it states connected and the test that ran previously states unknown… I have raised this with Citrix (case ID: 83259093) but they seem to be struggling. Any help or insight much appreciated

Hello, pretty basic question, while setting up citrix cloud, we have to setup a company.cloud.com url mandatory and another custom workspace url. Is the company.cloud.com netscaler gateway url and the custom url is storefront url? What is the difference between netscaler gateway service url and workspace url in citrix cloud? Also, why do we need to setup company.cloud.com url and set a custom workspace url while configuring citrix cloud? Can someone please explain?

Can this be configured so DaaS Monitor pulls in On-Prem Director data, instead of the other way around? Unified search for Hybrid multi-cloud deployments | Director.

anyone else had issues with Citrix cloud adm agents lately? there was an automatic upgrade on friday to 14.1-49.39 which gives me "not reachable" status on our Netscalers. The agent has been restarted, services restarted & agent shows up and running but still not reachable. We have even restarted our MPX but still the issue persists. We have two agents, the one that we haven't restarted has the status "LSA" with the text on it. Is there some type of Master configuration with these Citrix cloud agents which require ALL the agents to be restarted? the MPX that receives licenses however is not configured with the 2nd agent which has the "LSA" status on it. Contact with Citrix but they were not able to figure it out, yet.. we have entered grace period and I suppose that everything should be working fine for the upcoming 649 hours but not sure if this has some type of effect on bandwidth or similar because we have had some hiccups in our environment since this happening.

wondering if anyone else can reproduce this issue - when editing an MCS catalog with machines in Azure, the "select machine size" dialog does not return any results (see attached images). Creating new catalogs provides the correct "select size" dialog as expected, but editing an existing catalog always fails to return results

If I want to create a small Windows 11 Enterprise multi-session POC using my existing Citrix Cloud infrastructure can I simply create a Windows 11 Enterprise multi-session VM to be used as the master image for MCS? Do I need to use Azure Virtual Desktop and create a pool if I plan to use Citrix Cloud and MCS? Thanks

Hello

Im on a on-prem admin but Ive been assigned a Citrix Cloud task but...honestly, no idea. A client, using Citrix Cloud, has told us they want to limit access to their portal via IP. What are they talking about the "Cloud Netscaler" or what?

For the device posture service and intune integration, does anyone know what "managed" means? Is it keying off a specific value in Intune?

Hi everyone, hope you are having a good day. For some reason whenever I create a new VDI I get this error message when starting it for the first time. The VDI is onprem, rest of the environment is Citrix Cloud. I am using MCS. Anyhow, if I try a few more times it will start working and the error message will never appear again after that. Anyone has seen this before? the environment is curently in pilot and I wouldn't want to go to prod with this type of error message even if it works when trying a few times.

If we enable Workspace Session -> Stay Logged in to Workspace App -> Inactivity Period. Is there anyway from an admin point of view, to terminate/invalidate that authentication period? Context: X/Y problem, we currently do most of our connection evaluation/establish user context at the IdP, but when we enable "Stay logged into Workspace App", that eval can be bypassed if the user has an existing OIDC session w/ a living refresh token. https://docs.citrix.com/en-us/citrix-workspace/experience/policies#stay-logged-in-to-workspace-app

image.png

image.png,image.png

image.png

What's best practice when dealing with Azure regions in a DaaS config? When we initially setup a hosting connection in Azure we created a resource group for it with Cloud connectors, as required. But now we are building out additional workloads in a different Azure region. The hosting connection is still the same and the new region appears as an additional resource under it. Are we required to build out a new resource location in DaaS for it, which then automatically creates a separate zone? It seems like everything could just live under the existing Resource location / Zone.

is there a way to selectively enable FAS through citrix cloud gateway only for testing?

I have clients on an internal untrusted Wifi network (guest) when they try to open citrix it appears that HDX Direct wants to be enabled and send traffic to internal DNS names which failes. Is there a way to tell HDX direct to not apply on a certain IP

Hi everyone, good morning! I would like to add some VDIs which I have onprem(vmware) to Citrix Cloud. I have installed VDA on these so they are not using MCS in Citrix Cloud. Can someone help me with this? How do you create the machine catalog and add them in Citrix Cloud?

I had to rebuild my PiHole's recently, IIRC there were a handful of local entries that I put in years ago so that Cedexis/Gateway steering landed me on an "optimal gateway" vs one that may have been resultant of PiHole + DoT/DoH resolver mucking up the calc'd metrics. I can't remember/find the documentation on that though

• Citrix FAS; anyone lock down their MS CA to restrict the Citrix_SmartcardLogn and Citrix_RegistrationAuthority templates like this: • Citrix_RegistrationAuthority / Citrix_RegistrationAuthority_ManualAuthorization: ◦ Grant Read and Enroll permissions only to the specific computer accounts of your FAS servers (or a dedicated AD security group containing only FAS servers). ◦ Grant Read permission to Authenticated Users. ◦ Restrict Write permissions to only necessary administrators (e.g., Enterprise Admins). • Citrix_SmartcardLogon: ◦ Grant Read and Enroll permissions to the FAS servers (or their security group). ◦ Grant Read permission to Authenticated Users. This allows users to read the template's properties but not directly enroll for certificates using it. Enrollment is delegated to FAS. ◦ Do not enable auto-enrollment for users on this template. This would be after FAS has been live for a year.

How do you guys add persistent VDIs in vmware to Citrix Cloud? I don't think that MCS should be used in this case and thought about using sccm to deploy the VDIs instead. MCS is working with snapshots and I noticed that the VDIs take up a lot of space and issues can occur when using MCS with single session persistent VMs.

Citrix FAS Issue: "The request is not supported" when launching a session. Working on a migration from on-prem to Citrix Daas. Fas in use without issue for the on-prem environment. New environment is Citrix Daas and Azure resource location with FAS servers in Azure also. PKI Infrastructure is on-prem still. FAS servers in Az authorised to Citrix cloud and using the same CA's as on-prem. Kerberos Logging enabled on the VDA and seeing error “KDC_ERR_PADATA_TYPE_NOSUPP” mentioned here - https://www.citrix.com/blogs/2019/04/24/troubleshooting-the-federated-authentication-service/ and here but with event id 3 instead of event id 9 - https://www.ferroquesystems.com/resource/issue-citrix-fas-sso-incorrect-username-or-password-kerberos-event-id-9/. Has anybody seen similar or got any ideas? Thanks.

Does the new Citrix Universal Hybrid Multi-Cloud licensing model really rely on named user licensing and no longer on concurrent users?

I have a VDI env where I get this error message whenever I launch the newly created VDI for the first time. But it is intermittent and will work most of the time. Appears specifically after restarting the VDIs. One click, error message, second click it works. This doesn't feel stable at all. Not sure if its related to Netscaler or what it is but I have checked everything pretty much and it all looks good. I'm running full clone persistent VDIs in vmware through Citrix Cloud MCS & just standard 2 cloud connectors and so on. Did someone have this before?

Hi everyone, I’m working with an on-prem customer who’s evaluating Citrix Cloud and wants to achieve the following: • Internal users (on company network): seamless SSO to Citrix Workspace • External users: always authenticate Since Citrix Gateway Service treats all users as external, we can’t distinguish between internal/external at that level. The customer is using Entra ID as authentication method. Would implementing Conditional Access policies help achieve this?