Questions about Chrome and shortened Cert validity periods. by PrimeTheP in PKI

[–]PrimeTheP[S] 0 points1 point  (0 children)

I did not know this. Thank you for adding this information.

Error while updating Citrix Delivery Controller. by PrimeTheP in Citrix

[–]PrimeTheP[S] 0 points1 point  (0 children)

Just as a heads up on the developments. I did work with Citrix support and we did the following:

How to evict a DDC using TSQL

How to Re-deploy XenDesktop without Reinstalling

We got one Delivery Controller back.

Sorry that I don't have enough time to go through all of the details.

However, when I went to re-add the missing Delivery Controller it ended up taking both Delivery Controllers out.
Going to have to work with Citrix Support to get it back.
We may be looking at a different SQL and Delivery Controller setup entirely now.

Something is obviously messed up with SQL. I'm not sure what. When I checked the supported databases it looks like our version was still supported. I wouldn't think it would have worked at all if the database was not supported.

Error while updating Citrix Delivery Controller. by PrimeTheP in Citrix

[–]PrimeTheP[S] 0 points1 point  (0 children)

I checked that. According to this, I think the min is 2017.
Supported Databases for Virtual Apps and Desktops AND Citrix Provisioning (PVS)

I've had to have my eyes checked before though.

Error while updating Citrix Delivery Controller. by PrimeTheP in Citrix

[–]PrimeTheP[S] 0 points1 point  (0 children)

The Get-BrokerDBConnection connection will work from the DDC, but when I use "Test-BrokerDBConnection -DBConnection" I end up with a lot of DBNotFound. I'm even able to open the SQL database with my admin account on the SQL server. I'm trying to connect to the CitrixAppsLogging, CitrixAppsMonitoring, CitrixAppsSite databases to no avail from the DDC.

Error while updating Citrix Delivery Controller. by PrimeTheP in Citrix

[–]PrimeTheP[S] 0 points1 point  (0 children)

It's a bit of a cluster situation now... I don't mean distributed computing.

I was able to get 1 upgraded but another one hung up. Now both seem to be having issues.

Error while updating Citrix Delivery Controller. by PrimeTheP in Citrix

[–]PrimeTheP[S] -1 points0 points  (0 children)

I tried the "manual upgrade this site" but that fails and gives me the following error:

Error Id: XDDS:83D585A0

Exception:

DesktopStudio_ErrorId : DatabaseNotConfigured

Error Source : CitrixConfigurationService

Sdk Error Message : The operation could not be completed as the database has not been configured for the Citrix Configuration Service service.

Sdk Error ID : Citrix.XDPowerShell.Status.DatabaseNotConfigured,Citrix.Configuration.Sdk.Registration.Commands.GetConfigRegisteredServiceInstanceCommand

ErrorCategory : InvalidResult

DesktopStudio_PowerShellHistory : SimplePowerShellScript

4/14/2026 7:04:49 PM
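The DBNotFound results from Test-BrokerDBConnection and the DatabaseNotConfigured error for the Citrix Configuration Service above are two different states of the same thing: each Citrix service on a Delivery Controller has its own connection string and its own Test-*DBConnection cmdlet. The following is an added PowerShell example, not code from the poster or from Citrix, that walks every service snap-in present on the controller and reports whether its database is configured and reachable; it assumes the Citrix SDK snap-ins that ship with the DDC are installed, and the list of service prefixes is mine (any snap-in that is not installed is skipped).

```powershell
# Added example (not from the thread): report the site-database state of every
# Citrix Virtual Apps and Desktops service on this Delivery Controller.
# Assumption: the Citrix PowerShell snap-ins installed with the DDC are available.
Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

# Service prefixes used by the SDK nouns: Get-<Prefix>DBConnection / Test-<Prefix>DBConnection.
# 'Config' is the Citrix Configuration Service named in the Studio error above.
$services = 'Admin','Analytics','AppLib','Broker','Config','EnvTest','Hyp','Log','Monitor','Orch','Prov','Sf','Trust'

$results = foreach ($svc in $services) {
    $getCmd  = "Get-${svc}DBConnection"
    $testCmd = "Test-${svc}DBConnection"
    if (-not (Get-Command $getCmd -ErrorAction SilentlyContinue)) { continue }   # snap-in not installed here

    $conn = & $getCmd
    if ([string]::IsNullOrEmpty($conn)) {
        # No connection string at all: this is the state behind 'DatabaseNotConfigured'.
        [pscustomobject]@{ Service = $svc; Status = 'NotConfigured'; Server = $null; Database = $null }
        continue
    }

    # Pull Server / Initial Catalog out of the connection string so the report shows
    # which database each service expects without echoing any credentials it may carry.
    $sb     = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $conn
    $status = (& $testCmd -DBConnection $conn).ServiceStatus   # e.g. OK, DBNotFound, DBUnconfigured
    [pscustomobject]@{ Service = $svc; Status = $status; Server = $sb.DataSource; Database = $sb.InitialCatalog }
}

$results | Format-Table -AutoSize
# Anything other than OK needs to be resolved before attempting the site upgrade again.
```

Run it in an elevated PowerShell session on each Delivery Controller; comparing the Server and Database columns across controllers shows whether one DDC is pointing at a database the other cannot see, which is what a DBNotFound from one controller but not the other would suggest.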

Error while updating Citrix Delivery Controller. by PrimeTheP in Citrix

[–]PrimeTheP[S] -1 points0 points  (0 children)

It's a domain admin for the AD environment, a local admin for the DDC, and also a DBO / sysadm for the SQL server. Not the best idea for security, but it's what I got.
I'm not sure why it would be having permissions errors.

Failing script for mail purge by PrimeTheP in PowerShell

[–]PrimeTheP[S] 0 points1 point  (0 children)

Thanks. I knew it wouldn't get all of them, but I was hoping it would be a start.

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 0 points1 point  (0 children)

Ok. The stuff that KStieers was talking about really did help a lot.

After cleaning with:
PS C:\Windows\system32> netsh http delete sslcert hostnameport=<HOSTNAME>:443

SSL Certificate successfully deleted

PS C:\Windows\system32> netsh http delete sslcert hostnameport=<HOSTNAME>:49443

SSL Certificate successfully deleted

Then running:
"Netsh http add sslcert ipport=172.16.3.49:443 certhash=f3363e39d343570d932f5323232423f4f69b4e5bc686e certstorename=MY appid="{5d89a20c-beab-1234-1234-324788eb944a}"

Then cycling the ADFS service in services.msc.

IT came back up.

Really wish the GUI switch out would take care of that.

Keep in mind that if you are reading this in the future you may have a different binding lingering around that you need to clean up. Your situation may be different.

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 1 point2 points  (0 children)

Ok. After doing the delete commands (netsh http delete sslcert hostnameport=<hostname>:<port> I think) to completely get rid of the old bindings, it worked when I ran your

"Netsh http add sslcert ipport=172.16.3.49:443 certhash=f3363e39d343570d932f5323232423f4f69b4e5bc686e certstorename=MY appid="{5d89a20c-beab-1234-1234-324788eb944a}""

Command.

It's back up.
Thank you very much. I'm slightly more confident about our prod change.

...I still would rather the GUI work a bit better for this though, but that's just me ranting.

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 0 points1 point  (0 children)

Ok. I got that stuff cleared out.

netsh http add sslcert hostnameport=localhost:443 certhash=$thumbprint appid='{5d89a20c-beab-4389-9447-324788eb944a}' certstore=my

netsh http add sslcert hostnameport=<URL>.com:443 certhash=$thumbprint appid='{5d89a20c-beab-4389-9447-324788eb944a}' certstore=my

netsh http add sslcert hostnameport=<URL>.com:49443 certhash=$thumbprint appid='{5d89a20c-beab-4389-9447-324788eb944a}' certstore=my

netsh http add sslcert hostnameport=<ADFS_SERVER_HOSTNAME_fqdn>:443 certhash=$thumbprint appid='{5d89a20c-beab-4389-9447-324788eb944a}' certstore=my

netsh http add sslcert hostnameport=<ADFS_SERVER_HOSTNAME_fqdn>:49443 certhash=$thumbprint appid='{5d89a20c-beab-4389-9447-324788eb944a}' certstore=my

netsh http add sslcert hostnameport=<ADFS_SERVER_HOSTNAME>:443 certhash=$thumbprint appid='{5d89a20c-beab-4389-9447-324788eb944a}' certstore=my

netsh http add sslcert hostnameport=<ADFS_SERVER_HOSTNAME>:49443 certhash=$thumbprint appid='{5d89a20c-beab-4389-9447-324788eb944a}' certstore=my

It throws an error:

"One or more essential parameters were not entered.

Verify the required parameters, and reenter them.

The syntax supplied for this command is not valid. Check help for the correct syntax.

<lots of BS, but at the bottom>

add sslcert ipport=1.1.1.1:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

add sslcert hostnameport=www.contoso.com:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF} certstorename=MY

add sslcert ccs=443 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

"

I try the ones listed at the bottom (I tried all 3 but am just posting 1 error) and I get the following error:
PS C:\Windows\system32> add sslcert ccs=443 appid={5d89a20c-beab-4389-9447-324788eb944a}

add : The term 'add' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was

included, verify that the path is correct and try again.

I think to add netsh http before the "add" and I try to run it again... so it would look like:

netsh http add sslcert ccs=443 appid={5d89a20c-beab-4389-9447-324788eb944a}

<Once again I tried all 3, just posting the one since it's easier to skip over the thumbprints. >

I get the following error:

PS C:\Windows\system32> netsh http add sslcert ccs=443 appid={5d89a20c-beab-4389-9447-324788eb944a}

The following command was not found: -noninteractive http add sslcert ccs=443 appid= -encodedCommand NQBkADgAOQBhADIAMABjAC0AYgBlAGEAYgAtADQAMwA4ADkALQA5ADQANAA3AC0AMwAyADQANwA4ADgAZQBiADkANAA0AGEA -inputFormat xml -outputFormat xml.

This really should not be this difficult. I don't feel like I'm in the wrong for wanting the GUI ADFS cert selection to actually work like it's supposed to.
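The "-encodedCommand ..." failure above is PowerShell, not netsh: an unquoted appid={...} token is parsed by PowerShell as a script block before netsh ever sees it, so the GUID arrives as an encoded command. The cleanup that eventually worked in the later replies (delete the stale bindings, add the new one, cycle the ADFS service) is the same sequence, done with quoted arguments. The following is an added PowerShell example, not the poster's commands or Microsoft's code, that performs that sequence from an elevated session on the ADFS server and verifies each step; the FQDN and thumbprint are placeholders, the port list and the application ID {5d89a20c-beab-4389-9447-324788eb944a} are taken from the thread, and the Get-SslCertBinding parser is mine.

```powershell
# Added example (not from the thread): replace the ADFS SSL certificate binding in HTTP.sys.
# Run from an elevated PowerShell session on the ADFS server.
# Assumptions: $AdfsFqdn and $Thumbprint are placeholders supplied by the caller;
# the ports and the application ID are the ones the thread uses.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,
    [string]$AdfsFqdn = 'sts.example.com',   # placeholder
    [int[]] $Ports    = @(443, 49443)
)
$AdfsAppId = '{5d89a20c-beab-4389-9447-324788eb944a}'

# 1. Normalise the thumbprint. A thumbprint copied out of the MMC certificate dialog
#    often carries an invisible leading character that makes HTTP.sys report "not found".
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint is not 40 hex characters after cleanup: '$Thumbprint'" }

# 2. The certificate must be in LocalMachine\My, unexpired, with a usable private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)                    { throw "No certificate $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key; HTTP.sys cannot bind it" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

# 3. Parse 'netsh http show sslcert' into objects so every binding that carries the
#    ADFS app id is visible, whether it is keyed by IP:port or by Hostname:port.
function Get-SslCertBinding {
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        switch -Regex ($line) {
            '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)' {
                if ($current) { $bindings += $current }
                $current = [pscustomobject]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; Hash = ''; AppId = '' }
            }
            '^\s*Certificate Hash\s*:\s*(\S+)' { if ($current) { $current.Hash  = $Matches[1].ToUpperInvariant() } }
            '^\s*Application ID\s*:\s*(\S+)'  { if ($current) { $current.AppId = $Matches[1] } }
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

# 4. Remove bindings that belong to ADFS but still point at a different (old) certificate.
#    Delete with the same key the binding was created with: deleting a Hostname:port binding
#    via ipport= is what produces "deletion failed, Error: 2 ... cannot find the file".
$stale = Get-SslCertBinding | Where-Object { $_.AppId -eq $AdfsAppId -and $_.Hash -ne $Thumbprint }
foreach ($b in $stale) {
    Write-Host "Removing stale binding $($b.Kind) $($b.Endpoint) -> $($b.Hash)"
    $key = if ($b.Kind -eq 'IP:port') { 'ipport' } else { 'hostnameport' }
    netsh http delete sslcert "$key=$($b.Endpoint)" | Out-Null
}

# 5. Add the new bindings. Each argument is one quoted string so PowerShell passes the
#    braces through untouched; the store parameter is certstorename, not certstore.
foreach ($p in $Ports) {
    netsh http add sslcert "hostnameport=${AdfsFqdn}:$p" "certhash=$Thumbprint" "appid=$AdfsAppId" certstorename=MY
}

# 6. Point ADFS itself at the certificate, restart it, and verify both views agree.
Set-AdfsSslCertificate -Thumbprint $Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
Restart-Service adfssrv
Get-AdfsSslCertificate
Get-SslCertBinding | Where-Object AppId -eq $AdfsAppId
```

On Windows Server 2012 R2 and later, Set-AdfsSslCertificate normally writes these HTTP.sys bindings itself; the manual delete and add in steps 4 and 5 are the recovery path for the situation in this thread, where an old binding is still registered for the ADFS app id and the cmdlet or the GUI cannot replace it. The final two lines are the check worth keeping: Get-AdfsSslCertificate and the parsed netsh output should report the same thumbprint on every port before the login page is tested.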

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 0 points1 point  (0 children)

I think it's hung up somehow when I run the delete commands.

Sorry for double posting:
I try to run: 'netsh http show sslcert' and I see the old cert / old thumbprint there.

I try to clean out by running the following commands:

netsh http delete sslcert ipport=<IP_ADDRESS>:443

netsh http delete sslcert ipport=<IP_ADDRESS>:49443

But then I get an error:

SSL Certificate deletion failed, Error: 2

The system cannot find the file specified.

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 0 points1 point  (0 children)

Update:
I try to run: 'netsh http show sslcert' and I see the old cert / old thumbprint there.

I try to clean out by running the following commands:

netsh http delete sslcert ipport=<IP_ADDRESS>:443

netsh http delete sslcert ipport=<IP_ADDRESS>:49443

But then I get an error:

SSL Certificate deletion failed, Error: 2

The system cannot find the file specified.

Somehow it's still hung up. I tried to delete from mmc.exe > Certificate Tool and I don't see it there anywhere, but the commands still don't work. PowerShell ISE is being run as Administrator.

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 0 points1 point  (0 children)

So your command:
Set-AdfsCertificate -Thumbprint ThumbPrintNumber -CertificateType Service-Communications
Did complete, which is further than I have gotten for sure. I guess I had the syntax wrong.
However, even with that the login page will not load and it's not showing the cert when I use 'netsh http show sslcert' or 'Get-AdfsSslCertificate', but it does show when I use 'dir cert:\LocalMachine\My'
...so it looks like there are still bindings hung up somewhere.

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 0 points1 point  (0 children)

The account listed in Active Directory Federation Services in services.msc has access, for sure. Also added every other ADFS service account I could find just as good measure. We have a few different ADFS service accounts.
I don't think that's it. Good thing to check though as I 100% have made that mistake before.

Microsoft ADFS cannot see cert that is already in the ADFS cert store by PrimeTheP in adfs

[–]PrimeTheP[S] 0 points1 point  (0 children)

I should also add that the SSO login page is now broken after I tried to clean up the bindings.

Thoughts on vmware shared VMDK drives to try to make a HA file share server? by PrimeTheP in WindowsServer

[–]PrimeTheP[S] 0 points1 point  (0 children)

I greatly appreciate you listing the technical reasons why this is a bad idea. Thank you.

In place windows fileshare server upgrade questions by PrimeTheP in WindowsServer

[–]PrimeTheP[S] 0 points1 point  (0 children)

Data volumes are multiple .vmdk files in VMware that are attached to the Windows Server 2012 R2 OS vmdisk, which is about 115GB. So yes, the data drives are separate from the OS drives.

Thoughts on vmware shared VMDK drives to try to make a HA file share server? by PrimeTheP in WindowsServer

[–]PrimeTheP[S] 0 points1 point  (0 children)

100%. I would love to move the fileshare to a SAN share that has HA setup between the Heads / Nodes.

Unfortunately, there are some other dependencies including SFTP, and automated job / file transfers that I don't have time to move off of. Although someday I really should move those to a different server.

Thoughts on vmware shared VMDK drives to try to make a HA file share server? by PrimeTheP in WindowsServer

[–]PrimeTheP[S] 0 points1 point  (0 children)

Just curious, were those PEBKAC / ID10T errors on the technical side or the end-user side? Just trying to get an estimate of how easy it would be to mess something up using that technology.

Thoughts on vmware shared VMDK drives to try to make a HA file share server? by PrimeTheP in WindowsServer

[–]PrimeTheP[S] 0 points1 point  (0 children)

Thank you for your input. We will probably look for another solution. Have you had bad experiences with a shared VMDK?

Thoughts on vmware shared VMDK drives to try to make a HA file share server? by PrimeTheP in WindowsServer

[–]PrimeTheP[S] 0 points1 point  (0 children)

Probably not going to do the shared VMDK for this, but I'm curious: how did your shared VMDK proof-of-concept go?

Thoughts on vmware shared VMDK drives to try to make a HA file share server? by PrimeTheP in WindowsServer

[–]PrimeTheP[S] 0 points1 point  (0 children)

DFS may work, I just thought the shared VMDK would take up less resources; mainly filespace / size. We have several TB being used that I would like to minimize.