Verify Your Credentials and Try Again Secure Hub

Posted in : Other By Xenit Translate with Google ⟶

4 years agone

EMM systems are complex, error-prone and sensitive to changes from a lot of manufacturers, thus I'll dedicate this post to just that: techniques for troubleshooting XenMobile. This is non a "I have this problem, what could be the solution"-type post, but I'm rather going to outline some of the more than useful tools that you can apply to help solve your bug.

XenMobile Analyzer

Like shooting fish in a barrel to miss, but by far the easiest to utilise and amongst the more powerful troubleshooting tools. XM analyzer "simulates" enrolling a device, authentication to both XenMobile and the NetScaler Gateway, browsing to internal URLs with Secure spider web every bit well as ShareFile SSO and Secure Mail Motorcar Discovery. When I'thousand setting upwards a new environment or troubleshoot an existing i, I usually start over here since information technology gives me a dainty breakdown of which step fails as well equally suggestions for possible fixes. I squeamish matter is that you tin really schedule reports to run at regular intervals, provided of class you allow enrolls without Pivot.

XenMobile Analyzer results

XenMobile Analyzer is available at https://xmanalyzer.xm.citrix.com/ after logging in with your Citrix account.

XenMobile Connectivity Check

Available in the admin panel, under Troubleshooting and Support > Diagnostics > XenMobile Connectivity Checks is this examination. It is basically trying to reach other servers necessary for XenMobile to piece of work, and allows y'all to encounter whether information technology works or not. It is a simple mode to cheque if your internal firewalls are blocking something of import:

XenMobile Connectivity Checks

Secure Mail Test Tool

If secure mail is what's acting upwardly for yous, there is really a dedicated test tool bachelor to use. Much like the XenMobile Analyzer, it runs through a lot of tests and checks where information technology fails, only the Secure Mail service Tool runs on your mobile device allowing you to come across the other side of the equation. The only trouble with this tool is that you demand to wrap it with the MDX tool in gild to employ it.

Secure Post Exam Tool

You tin find more than info about the test tool here: https://back up.citrix.com/article/CTX141685

XenMobile Logs

Logs, of grade, should hardly need to exist mentioned. At that place are several layers of logs: Debug and User (and admin audit) logs on the appliance, iOS/Android logs on the devices as well as logs from Secure Hub. Make certain to use these to your reward, and remember that y'all can change the log levels both when reporting a trouble in Secure Hub as well as under Log Settings in the admin UI.
Browsing these logs, nevertheless, tin can exist quite a daunting task. I usually starting time with only the appliance debug log, since you tend to get most of what y'all need from there. A adept start with the debug log would be to check for exceptions, the first row usually gives yous the information you need to set information technology. Other than that you might demand to search the logs for a username or something related to the bug (for example CSR if you're having trouble enrolling client certificates). If you lot are able to reproduce the error, make sure y'all rotate the logs before you reproduce as that'll leave you with a much shorter log to sift through.

NetScaler AAA log

Almost implementations of XenMobile use NetScaler for load balancing and MAM Gateway, and of course a lot of bug could arise here as well. The most basic mode to check the NetScaler is to see if it actually accepts your hallmark.
To practise this, logon to the NetScaler over CLI (PuTTY or other SSH customer to the same hostname as the NetScalers, log on with your usual credentials) and run the commands below:

shell true cat /tmp/aaad.debug

Now you can come across the log live, if information technology'due south a well used NetScaler this might be rather decorated so you will take to start the logging but earlier you lot log on and then cease it subsequently. When you've done a logon you'll get something similar to the image below:

NetScaler aaad.debug log

Here, the top (blurred) rows lists which Advert groups the user is in, this is useful to see if the user is actually in that group you lot connected your delivery policy to. What you want to see is something similar the "sending accept to kernel" lines yous can run into on the screenshot. This means the user has authenticated to the NetScaler properly. Likewise a "sending reject" ways the user login was not accepted. If you're lucky, maybe the user was inputting the wrong password all those times?

NetScaler Policy Hits

XenMobile depends heavily upon session policies for XenMobile to work properly, if these policies doesn't "hit" for the user yous volition well-nigh certainly see some problems. To check which policies hit when a user logs on, you tin check the NetScaler CLI:

trounce nsconmsg -d current -thou POL_HITS

Run the commands and then allow a user log on and yous will get something similar the output below.

NetScaler Policy Hits

Do note that this isn't user specific, all hits occurring during your logging time will be present in the output so you volition demand to know what you are looking for. If you used the XenMobile Sorcerer to set up the NetScaler integration, the most important policy you'll be looking for is the "PL_OS_YOUR_NSGW_IP"-one i highlighted in a higher place, as it is the default name for the policy to employ on a log on from a mobile device. You can as well run across which LDAP policies apply, and if your certificate policies apply as expected.

Also, as a last, more specific tip. If your apparatus is failing to kick, but looping on "starting chief app", brand certain that the database is available to the appliance. In my experience this is the problem near every time.

Tags :

berryvardert.blogspot.com

Source: https://xenit.se/blog/2017/12/20/troubleshooting-xenmobile/

Share this post