CTX118692
EdgeSight
EdgeSight for Endpoints 5_4,EdgeSight for XenApp 5_4
Configuration,Connectivity,Performance
2016-04-15
2014-04-10
This article describes the security and configuration requirements, and the related errors, for accessing the EdgeSight (ES) agent in real time from the ES server.

Symptoms or Error

When performing various remote activities against a remote device with EdgeSight Troubleshoot > Troubleshoot or Troubleshoot > Real-time Reports, an NTLM authentication window appears. The EdgeSight Server console user is prompted to enter a username and password to gain access to the remote appliance.

Failed or canceled authentication results in one of the following error messages:

“Error occurred connecting to <device name>: (Error -2142217843 Access denied: You do not have permission to access this resource.”

“There was an error connecting to the remote Citrix System Monitoring Agent database. The Citrix System Monitoring Agent may not be running on the specified machine. Please try again.”

“Real time information is unavailable. Authentication failed.”

“There was an error connecting to the device: Authentication failed.”

“Authentication failed”

The EdgeSight Server console user might get repeated prompts to authenticate, even if the proper credentials are entered. This symptom repeats indefinitely.


Solution

Ensure that Port 9035 Is Open for Inbound Traffic

Ensure that port 9035 is not blocked for inbound traffic. This port is used, over TCP/IP, to connect with rscorsvc.exe, the core service running on the agent device.

Ensure that the EdgeSight Security Requirements are Met

For Active Directory Users

Place all the possible EdgeSight Web console users into the Active Directory group, <ADgroup>. Modify the EdgeSight registry key, for each remote appliance, as noted in the following table. Only one Active Directory group can be entered into the registry key.

If the EdgeSight Server console user is not a member of <ADgroup>, EdgeSight prompts the user to authenticate with an alternate credential.

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

Registry Key for 32-bit Computer

Key: HKEY_LOCAL_MACHINE\Software\Citrix\System Monitoring\Agent\Core\4.00\RemoteSecurityGroup
Value: <ADgroup>

Key: HKEY_LOCAL_MACHINE\Software\Citrix\System Monitoring\Agent\Core\4.00\RemoteSecurity
Value: 1
Note: This key is removed in EdgeSight 5.0; where it exists, the only recommended value is 1. In future EdgeSight releases, ignore this setting if the key does not exist.

Key: HKEY_LOCAL_MACHINE\Software\Citrix\System Monitoring\Agent\Core\4.00\ListenPort
Value: 9035
Note: EdgeSight only supports communication on port 9035. Do not change this value in the registry of an EdgeSight agent.

Registry Key for 64-bit Computer

Key: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\System Monitoring\Agent\Core\4.00\RemoteSecurityGroup
Value: <ADgroup>

Key: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\System Monitoring\Agent\Core\4.00\RemoteSecurity
Value: 1
Note: This key is removed in EdgeSight 5.0; where it exists, the only recommended value is 1. In future EdgeSight releases, ignore this setting if the key does not exist.

Key: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\System Monitoring\Agent\Core\4.00\ListenPort
Value: 9035
Note: EdgeSight only supports communication on port 9035. Do not change this value in the registry of an EdgeSight agent.
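The following is an added example, not part of the original Citrix article: a PowerShell check, run locally on the agent device, that reads the registry values listed above and confirms that the core service is running with a listener on port 9035. The group name EXAMPLE\EdgeSightConsoleUsers is a placeholder for <ADgroup>.

```powershell
# Added example, not Citrix code. Run locally on the agent device.
$ExpectedGroup = 'EXAMPLE\EdgeSightConsoleUsers'   # placeholder for <ADgroup>
$ExpectedPort  = 9035
# 64-bit computers hold the agent settings under Wow6432Node.
$candidates = @(
    'HKLM:\Software\Wow6432Node\Citrix\System Monitoring\Agent\Core\4.00',
    'HKLM:\Software\Citrix\System Monitoring\Agent\Core\4.00'
)
$keyPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw 'EdgeSight agent registry key not found on this device.' }

$props    = Get-ItemProperty -Path $keyPath
$findings = @()

# Returns $null when the registry value does not exist, instead of failing.
function Get-AgentValue([string]$Name) {
    $p = $props.PSObject.Properties[$Name]
    if ($p) { $p.Value } else { $null }
}

# Only one group can be entered; console users outside it get the NTLM prompt.
$group = Get-AgentValue 'RemoteSecurityGroup'
if (-not $group) {
    $findings += 'RemoteSecurityGroup is not set.'
} elseif ($group -ne $ExpectedGroup) {
    $findings += "RemoteSecurityGroup is '$group', expected '$ExpectedGroup'."
}

# RemoteSecurity was removed in EdgeSight 5.0, so a missing value is not a finding.
$remoteSecurity = Get-AgentValue 'RemoteSecurity'
if ($null -ne $remoteSecurity -and "$remoteSecurity" -ne '1') {
    $findings += "RemoteSecurity is '$remoteSecurity', expected 1."
}

$listenPort = Get-AgentValue 'ListenPort'
if ($null -ne $listenPort -and "$listenPort" -ne "$ExpectedPort") {
    $findings += "ListenPort is '$listenPort', expected $ExpectedPort."
}

# The core service (rscorsvc.exe) must be running and a TCP listener must exist on 9035.
if (-not (Get-Process -Name 'rscorsvc' -ErrorAction SilentlyContinue)) {
    $findings += 'rscorsvc.exe is not running.'
}
$listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
if (-not ($listeners | Where-Object { $_.Port -eq $ExpectedPort })) {
    $findings += "Nothing is listening on TCP port $ExpectedPort."
}

if ($findings.Count -eq 0) { "OK: $keyPath matches the documented settings." } else { $findings | ForEach-Object { "FINDING: $_" } }
```

This checks the agent side only; inbound filtering of port 9035 between the EdgeSight Server and the agent still has to be verified separately.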

For Workgroup Users

The EdgeSight Server console user is not a local administrator on the remote appliance. As a result, EdgeSight requests an alternate credential to be entered into the authentication screen to access the remote appliance. Credentials entered through the pop-up window must have administrator privileges on the remote appliance.

  • To specify a domain or Active Directory user, enter <ADorDomainName\userName> in the User name field.

  • To specify a local administrator, enter <deviceName\userName> in the User name field.

An alternate method is to specify a local user group (even if there is only one user) on the remote appliance. Add the group name to the registry key as described in the solution for Active Directory users. This is particularly useful when the user is repeatedly presented with the NTLM authentication prompt.

Example: This can happen with some reports that open in Excel and draw multiple charts.

The following EdgeSight activities require Remote Authentication:

Monitor (tab)

Troubleshoot (tab)

Configure (tab) > Agents > Run Worker




Disclaimer

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

 
