Symptoms or Error
You will see the following error messages in the Secure Hub Logs:
2016-09-06T22:55:17.691+0400 <CAMAUTH> INFO (4) called for store <CAMStoreID: a2a4975a7f5c84735194f3de3e1ba7ce> with error Error Domain=com.citrix.Receiver.AuthManager Code=6 "CAMAuthManErrorCodeOutOfLicences" UserInfo={com.citrix.Receiver.AuthManager.DiagnosticDescription=The gateway is out of licences, NSLocalizedDescription=CAMAuthManErrorCodeOutOfLicences}
Secure Hub 130
or You might Find following exceptions in log,
2017-05-12T13:34:48.384+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.xam.bo.accounts.AccountsService | Configured Property: SEND_LDAP_ATTRIBUTES :userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | CGUtil Input params: loginId 'user@test.abc.local' and domainName 'null'
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | Entered into getDomainByAlias 'test.abc.local'
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserListMgr | Entered into getUserListByDomainAlias(String domainAlias) method
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserListMgr | Exit from getUserListByDomainAlias(String domainAlias) method
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | DomainName managed in XMS 'test.abc.local'
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserMgr | Entered into getUserByUPN(String UPN:user@test.abc.local)
2017-05-12T13:34:48.386+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserMgr | Exit from getUserByUPN
2017-05-12T13:34:48.386+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | User 'user@test.abc.local' not found in DB by UPN. Use the GC if enabled
2017-05-12T13:34:48.386+0200 | 27844abf2d8083f2 | INFO | http-nio-18443-exec-4 | com.citrix.cg.identity.IdentityManagerFactory | ClassName com.citrix.cg.identity.ldap.ADManagerImpl
2017-05-12T13:34:48.389+0200 | 27844abf2d8083f2 | WARN | http-nio-18443-exec-4 | com.citrix.cg.identity.ldap.LdapManager | Domain Name not getting from GC
2017-05-12T13:34:48.389+0200 | 27844abf2d8083f2 | ERROR | http-nio-18443-exec-4 | com.citrix.cg.entity.UserEntity | User domain not found from Global Catalog: userName: 'user@test.abc.local'; domainName: 'test.abc.local'
2017-05-12T13:34:48.389+0200 | 27844abf2d8083f2 | ERROR | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | Unable to get the domain name for user 'user@test.abc.local': User domain not found from Global Catalog: userName: 'user@test.abc.local'; domainName: 'test.abc.local'
com.citrix.cg.exception.EntityException: User domain not found from Global Catalog: userName: 'user@test.abc.local'; domainName: 'test.abc.local'
at com.citrix.cg.entity.UserEntity.identifyDomainByGCContext(UserEntity.java:570) ~[oca.jar:?]
at com.citrix.cg.util.CGUtil.getUserDomain(CGUtil.java:2618) [oca.jar:?]
at com.citrix.cg.util.CGUtil.splitLoginId(CGUtil.java:1398) [oca.jar:?]
at com.citrix.cg.util.CGUtil.splitLoginId(CGUtil.java:1311) [oca.jar:?]
at com.citrix.xms.oca.imil.service.impl.UserServiceImpl.splitLoginId(UserServiceImpl.java:169) [oca.jar:?]
at sun.reflect.GeneratedMethodAccessor640.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_66-XMS]
at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_66-XMS]
As per Engineering the issue is in Macros (MacroProcessingHelper.java). It is trying to getUser with ‘sAMAccountName@domainName’ first and it is failing with GC configuration.
2016-09-06T22:55:17.691+0400 <CAMAUTH> INFO (4) called for store <CAMStoreID: a2a4975a7f5c84735194f3de3e1ba7ce> with error Error Domain=com.citrix.Receiver.AuthManager Code=6 "CAMAuthManErrorCodeOutOfLicences" UserInfo={com.citrix.Receiver.AuthManager.DiagnosticDescription=The gateway is out of licences, NSLocalizedDescription=CAMAuthManErrorCodeOutOfLicences}
Secure Hub 130
or You might Find following exceptions in log,
2017-05-12T13:34:48.384+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.xam.bo.accounts.AccountsService | Configured Property: SEND_LDAP_ATTRIBUTES :userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | CGUtil Input params: loginId 'user@test.abc.local' and domainName 'null'
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | Entered into getDomainByAlias 'test.abc.local'
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserListMgr | Entered into getUserListByDomainAlias(String domainAlias) method
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserListMgr | Exit from getUserListByDomainAlias(String domainAlias) method
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | DomainName managed in XMS 'test.abc.local'
2017-05-12T13:34:48.385+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserMgr | Entered into getUserByUPN(String UPN:user@test.abc.local)
2017-05-12T13:34:48.386+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.bo.GenericUserMgr | Exit from getUserByUPN
2017-05-12T13:34:48.386+0200 | 27844abf2d8083f2 | DEBUG | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | User 'user@test.abc.local' not found in DB by UPN. Use the GC if enabled
2017-05-12T13:34:48.386+0200 | 27844abf2d8083f2 | INFO | http-nio-18443-exec-4 | com.citrix.cg.identity.IdentityManagerFactory | ClassName com.citrix.cg.identity.ldap.ADManagerImpl
2017-05-12T13:34:48.389+0200 | 27844abf2d8083f2 | WARN | http-nio-18443-exec-4 | com.citrix.cg.identity.ldap.LdapManager | Domain Name not getting from GC
2017-05-12T13:34:48.389+0200 | 27844abf2d8083f2 | ERROR | http-nio-18443-exec-4 | com.citrix.cg.entity.UserEntity | User domain not found from Global Catalog: userName: 'user@test.abc.local'; domainName: 'test.abc.local'
2017-05-12T13:34:48.389+0200 | 27844abf2d8083f2 | ERROR | http-nio-18443-exec-4 | com.citrix.cg.util.CGUtil | Unable to get the domain name for user 'user@test.abc.local': User domain not found from Global Catalog: userName: 'user@test.abc.local'; domainName: 'test.abc.local'
com.citrix.cg.exception.EntityException: User domain not found from Global Catalog: userName: 'user@test.abc.local'; domainName: 'test.abc.local'
at com.citrix.cg.entity.UserEntity.identifyDomainByGCContext(UserEntity.java:570) ~[oca.jar:?]
at com.citrix.cg.util.CGUtil.getUserDomain(CGUtil.java:2618) [oca.jar:?]
at com.citrix.cg.util.CGUtil.splitLoginId(CGUtil.java:1398) [oca.jar:?]
at com.citrix.cg.util.CGUtil.splitLoginId(CGUtil.java:1311) [oca.jar:?]
at com.citrix.xms.oca.imil.service.impl.UserServiceImpl.splitLoginId(UserServiceImpl.java:169) [oca.jar:?]
at sun.reflect.GeneratedMethodAccessor640.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_66-XMS]
at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_66-XMS]
As per Engineering the issue is in Macros (MacroProcessingHelper.java). It is trying to getUser with ‘sAMAccountName@domainName’ first and it is failing with GC configuration.
Solution
For problem cause one
Allocate adequate universal licenses for the NetScaler Gateway.
Also make sure you have set the correct Universal License Count on the below NetScaler Gateway settings.
NetScaler Gateway --> Global Settings --> Authentication Settings --> Change authentication AAA settings --> Maximum Numbers of Users.
For Problem cause two
Workaround:
Remove the Client property " SEND_LDAP_ATTRIBUTES", to be able to enroll with Secure Hub.
Permanent Solution:
Fix is verified on 10.5 RP4 build 10.5.010040
Allocate adequate universal licenses for the NetScaler Gateway.
Also make sure you have set the correct Universal License Count on the below NetScaler Gateway settings.
NetScaler Gateway --> Global Settings --> Authentication Settings --> Change authentication AAA settings --> Maximum Numbers of Users.
For Problem cause two
Workaround:
Remove the Client property " SEND_LDAP_ATTRIBUTES", to be able to enroll with Secure Hub.
Permanent Solution:
Fix is verified on 10.5 RP4 build 10.5.010040
Problem Cause
There can be multiples causes of the issue
- gateway is out of licenses, causing MAM enrollment to fail.
- macro configured ‘SEND_LDAP_ATTRIBUTES’.LDAP is configured with UPN and with Global Catalog. For e.g. the Domain ‘test.abc.local’ is managed with alias ‘xyz.ab, xyz-test-racing.ab, xms.com’ Users are login with alias like ‘user@xyz.ab’ .