Citrix Director: ‘Cannot retreive the data’ after CU2 update

After installing the Citrix Director CU2 release (7.6.2000), I received the error ‘Cannot retrieve the data‘ when viewing information like connected sessions, logon duration and Virtual Desktop details. I have seen this error after updating to CU2 at two customer sites, both sites are enterprise hospital environments. I have not seen this error at testing environments and our own company environment.
Viewing the licensing status in Director is working perfectly fine.  Viewing logged in users is fine to, but viewing virtual desktop details wasn’t working.

Next to updating Citrix Director to the CU2 release, I have also updated the Delivery Controllers, License Server and Storefront to CU2.

There were a small amount of users that had no issues with Director and did not receive any error message. Most of them had an admin account and a user account. The user account was working fine. I made a clone of my own user account, deleted some AD groups and the errors were gone in Director. The users that had the error message all were IT users with a lot of (nested) groups, mostly more than 300.

Citrix Director looked like this after the update:

The event viewer on the server where Director is installed showed the following error:

After having contact with Citrix Support and reviewing the Citrix Director trace files, we saw that Director fails with HTTP Error 400.The size of the request header is too long. This is because Director machines is not able to retrieve any information due to bloated kerberos ticket.

We were able to fix the Cannot retrieve the data error by setting the following registery keys (DWORD) on both the Citrix Delivery contoller(s) and the Storefront server(s). The servers required a reboot after setting these keys.

 

Allow change password via RDP

I’ve experienced a few times that i’m not allowed to login using RDP because my password is expired or that ‘use must change password at next login’ is enabled in the Active Directory.

Today was one of those moments. I could not login to an customer environment i havent logged in to for a while, because my password was expired. So ehm.. I had to login to change my password, but I could not login to change my password because my password was expired.. right..
Now what? The customer wasn’t available at that time and I had to get to work.

I have found the following work around for that.

Lokaal

  1. Start mstsc.exe
  2. enter the remote desktop connection
  3. Click ‘Save as..’
  4. Save the RDP file as something like: ChangePassword.RDP
  5. Open notepad.exe and open the RDP file you just created.
  6.  add enablecredsspsupport:i:0 at the bottom of the file.clip_image003_thumb

Save the file, start the RDP connection using this file. Now you will have the possibility to change your password!

What if CredSSP is required?

If CredSSP (Credential Security Support Provider is required to login to the remote desktop, you will get the following error message:
Try to make an RDP connection using the full FQDN (servername.domain.local) in stead of just the servername. Otherwise, the above solution is not possible. Except when you disable CredSSP.

CredSSP can be disabled to change de RDP settings on the remote desktop to disable ‘Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended).’