• DCOM Error - Event ID 10009

    Cause:

    Distributed COM (DCOM) extends the Component Object Model (COM) technology to enable applications that use a COM server to communicate across machines on the network.

    A COM server is a dynamic-link library (DLL) or an executable (.exe) file that exposes functionality to be used by different applications.

    Event ID 10009 (Event ID 10028 for Windows Server 2012 and above) indicates that the remote machine could not be found by DCOM. In most cases this error is not fatal.

    The error can occur because the remote machine is not available, either because it is down or because it has no network connectivity. Note also that by default Windows Firewall does not allow COM+ network access.

    Frequent instances of this error can occur, for example, when trying to perform “Discovery” in “Citrix AppCenter” with the help of a remote XenApp server that does not respond.

    It can also appear when a remote ControlUp Agent fails to communicate with the ControlUp Console.

     

    User Actions:

    • Verify that the remote machine is up and running, and there are no firewall rules restricting the TCP connection, which uses Extended Remote Procedure Call (RPC) with port 135.
    • Verify that the protocol settings on the machine for DCOM are configured properly.

    From the command prompt, type “dcomcnfg”; this opens the Component Services MMC.

    In the left pane, expand Component Services, then expand Computers, right-click My Computer and open Properties.

     

    Switch to the Default Protocols tab and ensure that the DCOM Protocols are configured to use “Connection-oriented TCP/IP”.
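
    The two checks above can also be scripted. This is an added example, not ControlUp or Microsoft code: it collects the hosts named in recent DCOM events, tests TCP 135 against each, and reads the local protocol list from the registry value behind the Default Protocols tab. The function name `Test-DcomPrerequisite` is hypothetical, and the position of the host name in the event properties is an assumption.

    ```powershell
    # Added example. Requires Windows 8.1 / Server 2012 R2 or later for Test-NetConnection.
    function Test-DcomPrerequisite {
        param([Parameter(Mandatory)][string[]]$ComputerName)

        # Local DCOM protocol list (REG_MULTI_SZ). 'ncacn_ip_tcp' is the
        # protocol sequence for connection-oriented TCP/IP.
        $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc' -ErrorAction SilentlyContinue
        $protocols = @($rpc.'DCOM Protocols')

        foreach ($name in $ComputerName) {
            # Port 135 is the port named in the first check above.
            $tcp = Test-NetConnection -ComputerName $name -Port 135 -WarningAction SilentlyContinue
            [pscustomobject]@{
                ComputerName   = $name
                RemoteAddress  = $tcp.RemoteAddress      # empty when the name does not resolve
                Port135Open    = $tcp.TcpTestSucceeded
                LocalTcpIpDcom = $protocols -contains 'ncacn_ip_tcp'
                LocalProtocols = $protocols -join ', '
            }
        }
    }

    # Hosts named in DCOM 10009/10028 events logged on this machine in the last day.
    # Assumption: the first event property holds the unreachable computer name.
    $filter  = @{ LogName = 'System'; Id = 10009, 10028; StartTime = (Get-Date).AddDays(-1) }
    $targets = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*DistributedCOM*' } |
        ForEach-Object { [string]$_.Properties[0].Value } |
        Sort-Object -Unique

    if ($targets) {
        Test-DcomPrerequisite -ComputerName $targets | Format-Table -AutoSize
    }
    ```

    A host that shows `Port135Open = False` but has a `RemoteAddress` resolves and is either down or filtered; an empty `RemoteAddress` usually means a stale name that something is still trying to contact.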

  • ControlUp KaaS SChannel Events

     

    Various Schannel events in the System Log

     

    Symptoms:

    The three most commonly seen Schannel events are 36874, 36887, and 36888.

    Log Name:  System

    Source:      Schannel

    Date:         13/05/2016 07:29:32

    Event ID:    36888

    Task Category: None

    Level:         Error

    User:          SYSTEM

    Computer:   CUXEN65TS20.controlUp.demo

    Description: The following fatal alert was generated: 10. The internal error state is 12.

     

    Troubleshooting/Research Steps:

    Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communication.

    These errors indicate a problem with the cipher suite chosen, or just the fact that the two sides (client and server) cannot agree on a cipher suite to use. The error message description will vary depending on the actual error involved.

    Event IDs 36888 and 36874 can be caused by certificate/TLS communication issues (such as a lack of compatibility).

    Event ID 36887 indicates an SSL fatal alert. The error itself is vague. This may be logged if you try to initiate an HTTP connection to an HTTPS server, or if the server is being probed or scanned for vulnerabilities.

    Similar to other Windows Events problems, the ControlUp Incidents pane is an excellent place to start troubleshooting application errors such as this. Start by double-clicking on the ‘Windows Events’ row in order to get to the 2nd level.

     

     

    Once there, we want to group and sort in order to group all events from Schannel, so we type ‘schannel’ in the filter box in the upper right corner. Grouping by the Event ID can be useful if there are a lot of errors, so we check that box. We clicked the ‘Computer’ column header to sort the list and make it easier to find what we’re looking for.

     

     

    Now that we have grouped just the events we are interested in, a double-click on that line takes us to the 3rd level, which gives us a list of every event captured by the Incident Trigger that meets the grouping of the previous screen. You can read through the list here, or export the entire table into Excel using the button at the top in order to further analyze the data, find patterns, make reports, etc.

    For these errors, Wireshark and Fiddler are going to be the best sources of more in-depth information to get to the root cause of the specific message.

     

    If the issue cannot be solved, or the error is expected, there is always the option of turning off Schannel logging altogether by setting EventLogging=0 (dword), under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Hiding the log is not good security practice, but it is an option. See https://support.microsoft.com/en-us/kb/260729 for more information.
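
    The number in the event description is a TLS alert code, which narrows down the cause before opening a packet capture. This is an added example, not ControlUp code: it decodes the alert from the description text, reproduces the Event ID / computer grouping from the System log, and reads the current EventLogging value. The names `ConvertFrom-SchannelAlert` and `$TlsAlert` are hypothetical, and English message text is assumed.

    ```powershell
    # Alert names are the TLS alert descriptions from RFC 5246, section 7.2 (subset).
    $TlsAlert = @{
        10 = 'unexpected_message';  20 = 'bad_record_mac';    40 = 'handshake_failure'
        42 = 'bad_certificate';     43 = 'unsupported_certificate'
        44 = 'certificate_revoked'; 45 = 'certificate_expired'
        46 = 'certificate_unknown'; 47 = 'illegal_parameter'; 48 = 'unknown_ca'
        49 = 'access_denied';       50 = 'decode_error';      51 = 'decrypt_error'
        70 = 'protocol_version';    71 = 'insufficient_security'
        80 = 'internal_error'
    }

    function ConvertFrom-SchannelAlert {
        param([Parameter(ValueFromPipeline)][string]$Description)
        process {
            # Matches "...fatal alert was generated: 10." (the wording shown above) and
            # a longer "...code is 10." wording (assumed for newer Windows builds).
            if ($Description -match '(?s)fatal alert was (generated|received).*?(?::|code is)\s*(\d+)') {
                $code = [int]$Matches[2]
                [pscustomobject]@{
                    Direction = $Matches[1]   # generated = sent by this host, received = sent by the peer
                    AlertCode = $code
                    AlertName = if ($TlsAlert.ContainsKey($code)) { $TlsAlert[$code] } else { 'unlisted' }
                }
            }
        }
    }

    # Offline check using the description from the sample event above.
    'The following fatal alert was generated: 10. The internal error state is 12.' |
        ConvertFrom-SchannelAlert

    # Live log, grouped by Event ID, computer and decoded alert.
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36887, 36888 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $alert = $_.Message | ConvertFrom-SchannelAlert
        [pscustomobject]@{
            Id = $_.Id; Computer = $_.MachineName
            Alert = if ($alert) { '{0} {1} ({2})' -f $alert.Direction, $alert.AlertCode, $alert.AlertName } else { 'n/a' }
        }
    } | Group-Object Id, Computer, Alert | Sort-Object Count -Descending | Select-Object Count, Name

    # Current Schannel logging level; 0 means logging has been turned off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EventLogging
    ```

    For the sample event the function returns `generated`, `10`, `unexpected_message`, which matches the plain-HTTP-to-HTTPS and scanner scenarios described above rather than a certificate problem.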

     

  • ControlUp action auditing - Event ID 5000

    Application Log Event ID 5000 Error

     

    Symptoms:

    Event ID 5000 appears in the Application Log in the Event Viewer, with the source ControlUp Auditing. The event is logged either as an Error or as an Information event. It indicates whether an action within the ControlUp Console (e.g. Get Session Screenshot, start Hypervisor, power actions, Change XenApp Logon Mode) succeeded or failed.

    If the action was performed on the agent/target computer, e.g. Flush DNS, the event will be written in the Event Viewer of the target computer.

     

    Event ID 5000 appears on ControlUp Monitor as an Error

     

    Event ID 5000 appears on ControlUp Monitor as an Information

     

    Solution:

    The audit trail in ControlUp allows admins to track actions that took place in the console (successful and failed). The auditing trail is crucial for admins due to the extensive management actions that are available within the ControlUp Real-time Console. In the current version of ControlUp the audit trail is hard-coded in the product and not yet configurable.

  • Meta Frame Events - Event ID 1116

    Application Log Event ID 1116 Error

     

    Symptoms:

    Event ID 1116 or 1106 indicates that printer auto-creation has failed in XenApp environments. The reasons for printer auto-creation failure vary. However, driver issues are often the main reason for unsuccessful printer auto-creation. In this article we gather a few useful tips to help admins overcome this error.

     

    Cause:

    • The print spooler cannot load the driver – this error is usually caused by insufficient privileges for ctx_cpsvcuser, the built-in local user on XenApp servers. The caller, which is the Citrix Print Manager Service, failed to supply sufficient privileges to call the OpenPrinterW() function. To resolve this issue please refer to the following Citrix article about permissions and entitlements the ctx_cpsvcuser should have.

     

    • No suitable driver found on the server – this happens when universal printing is not enabled and the correct drivers are not installed on the XenApp server. This is one of the most common reasons for failure in auto-creation. One viable solution is to change the Citrix Policy setting of “Universal Print Driver Usage” to “Use Universal Printing Only”. Otherwise an installation of all the drivers on all the XenApp servers may be required.

     

  • Application Error - Event ID 1000

    Application Log Event ID 1000

     

    Symptoms:

    Occasionally an application will crash with Application Log event ID 1000, for example:

     

    Event ID 1000 – Application Error

     

    Faulting application name: v4pa_agent.exe, version: 6.2.0.173, time stamp: 0x56574930

    Faulting module name: v4pa_process.dll, version: 6.2.0.173, time stamp: 0x56574945

    Exception code: 0xc0000005

    Fault offset: 0x0000000000042300

    Faulting process id: 0x3c0

     

    Troubleshooting/Research Steps:

    The ControlUp Incidents pane is an excellent place to start troubleshooting application errors such as this. Start by double-clicking on the ‘Windows Events’ row in order to get to the 2nd level.

     

     

    Once there, we want to group and sort in order to group all events from event ID 1000, so we tick the ‘Event Id’ checkbox. Separating by computer is not needed in our case, so we uncheck that box. If the list is too long, you can also use the filter in the upper right corner to shorten the list. We clicked the ‘Event Id’ column header to sort the list and make it easier to find what we’re looking for.

    Now that we have grouped just the events we are interested in, a double-click on that line takes us to the 3rd level, which gives us a list of every event captured by the Incident Trigger that meets the grouping of the previous screen. You can read through the list here, or export the entire table into Excel using the button at the top in order to further analyze the data, find patterns, make reports, etc.

     

     

    This level of data should enable you to fine-tune the troubleshooting process, gain deeper insight into the specific problem and find potential solutions.
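
    When looking for patterns, it helps to reduce each crash to a signature of application, module, exception code and fault offset. This is an added example, not ControlUp code: it parses the Event ID 1000 message fields shown above and groups identical signatures. The names `ConvertFrom-AppCrashMessage` and `$NtStatus` are hypothetical, the NTSTATUS table is a small subset, and English message text is assumed.

    ```powershell
    $NtStatus = @{
        '0xc0000005' = 'STATUS_ACCESS_VIOLATION'
        '0xc00000fd' = 'STATUS_STACK_OVERFLOW'
        '0xc0000374' = 'STATUS_HEAP_CORRUPTION'
        '0xc0000409' = 'STATUS_STACK_BUFFER_OVERRUN'
    }

    function ConvertFrom-AppCrashMessage {
        param([Parameter(ValueFromPipeline)][string]$Message)
        process {
            $field   = @{}
            $pattern = '(?m)^\s*(Faulting application name|Faulting module name|Exception code|Fault offset):\s*([^,\r\n]+)'
            foreach ($m in [regex]::Matches($Message, $pattern)) {
                $field[$m.Groups[1].Value] = $m.Groups[2].Value.Trim()
            }
            # Skip messages that are not in the Application Error format.
            if (-not $field.ContainsKey('Exception code')) { return }
            $code = $field['Exception code'].ToLowerInvariant()
            [pscustomobject]@{
                Application   = $field['Faulting application name']
                Module        = $field['Faulting module name']
                ExceptionCode = $code
                ExceptionName = if ($NtStatus.ContainsKey($code)) { $NtStatus[$code] } else { 'unlisted' }
                FaultOffset   = $field['Fault offset']
            }
        }
    }

    # Offline check: the event text from the example above.
    $sample = @(
        'Faulting application name: v4pa_agent.exe, version: 6.2.0.173, time stamp: 0x56574930'
        'Faulting module name: v4pa_process.dll, version: 6.2.0.173, time stamp: 0x56574945'
        'Exception code: 0xc0000005'
        'Fault offset: 0x0000000000042300'
        'Faulting process id: 0x3c0'
    ) -join "`n"
    $sample | ConvertFrom-AppCrashMessage

    # Live log: count identical crash signatures, most frequent first.
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message | ConvertFrom-AppCrashMessage } |
        Group-Object Application, Module, ExceptionCode, FaultOffset |
        Sort-Object Count -Descending | Select-Object Count, Name
    ```

    A signature that repeats with the same module and fault offset points to one reproducible defect; the same exception code at varying offsets or modules is more likely a different cause each time.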

  • Application Log - Event ID 502

    Application Log Event ID 502 Error

     

    Symptoms:

    Event ID 502 Error appears in the Application Log in the Event Viewer. This event usually happens in conjunction with abnormal logon time, and is closely related to the “Network directories to sync at Logon/Logoff time only” policy.

     

    This policy will make the AppData folder available offline for users

     

    This is the most common scenario that triggers this event. These settings are usually configured to help applications that do not handle online folders properly and need to use offline folders in order to function properly.

     

    Cause:

    This issue happens when the “Network directories to sync at Logon/Logoff time only” policy is applied before the folder redirection policy has been applied. Once the “Network directories to sync at Logon/Logoff time only” policy is applied on the computer, it makes the folder available offline. When folder redirection then tries to create the folder link, it fails because the “Offline Files” mechanism has suspended the share and it is no longer available. This is a known bug and Microsoft has published a hotfix for it.

     

    Viable solution:

    To solve the issue, try installing the Microsoft hotfix for it.

    To resolve this issue in Windows 8.1 and Windows Server 2012 R2, install update 2919355.

    To resolve this issue in Windows 7 and Windows Server 2008 R2, refer to the following KB on Microsoft’s web site.