Troubleshooting gMSA Installation Failure Caused by Kerberos Encryption Mismatch (28 vs 24)

by Leave a Comment

In our environment, we use several gMSA accounts, which are more secure than conventional service accounts. While testing our scripts on Windows Server 2025, we ran into issues when installing a gMSA.

Install-ADServiceAccount : Cannot install service account. Error Message: ‘The provided context did not match the target.’

We began by double checking the gMSA itself. To rule out account issues, we tested installing the gMSA on an older Windows Server 2022 system, where everything worked as expected. Next, we checked the PrincipalsAllowedToRetrieveManagedPassword attribute using:

Read more: Troubleshooting gMSA Installation Failure Caused by Kerberos Encryption Mismatch (28 vs 24) 
Get-ADServiceAccount -Identity 'gMSA Accountname' -Properties PrincipalsAllowedToRetrieveManagedPassword

This confirmed that the Windows Server 2025 host was authorized to use the gMSA. We also noticed that the affected gMSAs failed the following test:

Test-ADServiceAccount -Identity 'gMSA Accountname'

On Windows Server 2025, this command returned False, indicating the account could not be used successfully.

It took us a while to realize the issue was encryption related. The security baseline on Windows Server 2025 differed from that of Server 2022. The policy “Network security: Configure encryption types allowed for Kerberos
(Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options)
was configured to allow only AES128_HMAC_SHA1 and AES256_HMAC_SHA1. The option “Future encryption types” is reserved for potential new Kerberos encryption algorithms that may be introduced in future Windows versions. It does not specifically include AES128 or AES256, as these have their own settings.

When we temporarily added RC4_HMAC_MD5 to the allowed list, we were able to install the gMSA successfully. But this raised a red flag, why lower security just to get a gMSA to install? First, we checked the current encryption level on our new Windows Server 2025 using:

Get-ADComputer -Identity $env:COMPUTERNAME -Properties msDS-SupportedEncryptionTypes | Select Name, msDS-SupportedEncryptionTypes

Next, we checked the gMSA itself using:

Get-ADServiceAccount -Identity 'Serviceaccount' -Properties msDS-SupportedEncryptionTypes | Select Name, msDS-SupportedEncryptionTypes

We noticed a mismatch between the server and the gMSA. The server was set to 24, while the gMSA was set to 28. To clarify the relevant Kerberos encryption bitmask values:

  • RC4 = 4
  • AES128 = 8
  • AES256 = 16
  • AES-only (AES128 + AES256) = 24
  • AES + RC4 = 28

Note: A value of 0 or null means “follow the domain/GPO default,” which often still allows RC4.

In short, Windows Server 2025 was enforcing AES only, while the gMSA was configured for AES + RC4.

This was the most confusing part for us. We initially assumed that if RC4 wasn’t available on the server, Kerberos would simply fall back to AES after all, the gMSA was also capable of AES. However, Kerberos doesn’t really “negotiate” in this scenario. The Key Distribution Center (KDC) selects one encryption type based on what the gMSA allows. If RC4 is enabled on the gMSA, the KDC may choose RC4. If the client (server) is AES only and doesn’t accept RC4, there is no fallback to AES and the operation just fails.Since we didn’t want to lower our security baseline, we decided to update the affected gMSAs to AES-only by running:

Set-ADServiceAccount -Identity 'gMSA Accountname' -KerberosEncryptionType AES128,AES256

After running the command above, the gMSA’s encryption type changed from 28 to 24. We also reviewed the creation process for new gMSAs. By default, they were still being created with AES + RC4, which we already knew would not work on Windows Server 2025. To address this, we added the -KerberosEncryptionType parameter to the New-ADServiceAccount command so that new gMSAs are created with AES only. Just like computer accounts, their passwords are random, complex, and change every 30 days by default

New-ADServiceAccount -Name 'gMSA Accountname' -DNSHostName 'hostname.domain.local' -PrincipalsAllowedToRetrieveManagedPassword 'AllowedGroupOrServer' -KerberosEncryptionType AES128,AES256

The last thing we looked into and tested was the behavior of an AES only gMSA when installed on a Windows Server 2022 system that still allowed AES + RC4. In this scenario, even though the server permitted RC4, the AES only gMSA worked without any issues. This confirmed that all gMSAs we had updated to AES-only (EncryptionTypes 24) continued to function on legacy Windows Server 2022 hosts configured with AES + RC4.

How to Use Authentik as a SAML Identity Provider for Citrix NetScaler as Service Provider

by Leave a Comment

For a recent project, we needed users to log on with their accounts from a new domain and then be able to launch a CVAD desktop using SSO within an old legacy domain. In this blog, I’ll describe the steps I took to get this up and running.

First, let us briefly describe the components that were going to be used. Although it’s listed below, I won’t be covering the Citrix FAS configuration in this post. The main focus will be on configuring Authentik SAML in combination with a Citrix NetScaler.

  • Authentik as the SAML IdP
  • Citrix NetScaler as the SAML SP
  • Citrix Federated Authentication Service (FAS) to enable single sign-on (SSO) for CVAD
  • The sAMAccountName in the legacy domain was different from the sAMAccountName in the new domain
Read More →

Notes from the Field: Citrix Provisioning Server 2402 CU1 LTSR Upgrade

by Leave a Comment

While upgrading our Citrix Provisioning Server (2203 LTSR) to the latest LTSR version 2402 CU1, we ran into some difficulties that we didn’t encounter with earlier versions. In addition to issues with the Citrix Provisioning Server Console, we also had some struggles getting both Citrix Studio and Citrix PVS Console to run from a single admin server. In this blog, I’ll share our findings.

Until now, our default upgrade procedure was to upgrade all Citrix Provisioning Server Consoles, test the console, and then upgrade the Citrix Provisioning Server itself. However, we quickly noticed that the new PVS Console (based on LTSR 2402 CU1) was unable to successfully connect to a Provisioning Server running LTSR 2203.

Read More →

Citrix StoreFront Error “Cannot complete your request”

by Leave a Comment

While replacing Citrix StoreFront (2203 CU5 LTSR) servers running Microsoft Server 2019 with servers running Server 2022, we encountered an error message during login attempts to Citrix StoreFront. Users were shown an error message stating: “Cannot complete your request.”

We were running a GSLB setup with a multi-server group (across sites), each containing several Citrix StoreFront servers (2203 CU5 LTSR). As described in “Virtual Apps and Desktops – 1912/2203 – Citrix Infrastructure / OS Upgrade” (CTX278869), we exported the configuration from an old StoreFront server running Server 2019 and imported it onto the newly created StoreFront servers running Server 2022. All servers were deployed in the same OU, received the same GPOs/settings, and apart from the different operating systems, all settings were pretty much identical.

Read More →

Setup Authentik as Radius Provider

by Leave a Comment

For my home lab environment, I use Authentik as my Identity Provider. Authentik is an open-source authentication and authorization platform that enables Single Sign-On (SSO), identity management, and multi-factor authentication (MFA) via protocols like OAuth, SAML, and LDAP. For various applications, such as the Citrix NetScaler, I use RADIUS for secondary authentication. All my Authentik users have a TOTP token in their authenticator app, which I want to use for RADIUS authentication. While configuring RADIUS in Authentik, I found the available documentation somewhat limited, and it took considerable effort to achieve a working RADIUS setup. This blog describes all the steps I followed to get RADIUS successfully running within Authentik.

For this guide, I used Authentik version 2024.10.1. I assume you already have a working Authentik setup where users already have a TOTP authenticator code available.

Read More →

Another error: ‘Application can’t be started… (Instant Passthru could not be resolved)’ caused by the CWA upgrade.

by Leave a Comment

A while ago, I wrote a blog about the error message ‘Application can’t be started… (Instant Passthru could not be resolved)’ that we encountered when launching a published application from our Ivanti Workspace Control managed session. Recently, we received the same message again, but this time the cause was different.

Application can’t be started… (Instant Passthru could not be resolved)

Shortly after a relatively simple task—upgrading an outdated version of Citrix Workspace App (CWA) from 1912 LTSR to the slightly newer 2203 LTSR—we encountered some inexplicable issues that made it impossible to launch Citrix Published Apps via SelfService.exe.

Read More →

How to Prevent SQL Database Locks and Improve Performance

by Leave a Comment

Within a large environment where Ivanti Workspace Control is used in combination with a Microsoft SQL Database, the SQL Server has to handle numerous connections initiated by all the Ivanti Workspace Control Agents.To minimize the load and connections on the SQL Server, Ivanti introduced the Ivanti Relay Servers, which act as proxies for all agent connections to the SQL Server, thereby reducing the total number of SQL connections and the overall load.

While monitoring our Ivanti Relay Server, we noticed that a couple of times a day, the Ivanti Relay Servers started queuing all messages. The transactions folder filled up with transactions that weren’t forwarded to the SQL Server. The Ivanti Relay Servers have a built-in failsafe option, where they stop accepting new transactions when the queue exceeds 50,000 transactions. So, in a short period of time, all Ivanti Relay Servers went offline because they hit the 50,000 transaction threshold.

Read More →

Why SQL Tables Are Created with domain\username.tablename Instead of dbo.tablename

by Leave a Comment

Let’s start by stating I’m not a SQL DBA 😉 when it comes to databases, I’m just a user who needs a database for my applications 🙂 Lately, in various environments, we’ve been creating different Ivanti Workspace Control and Automation Manager databases. We simply request an empty database from the SQL department and are assigned DBO rights. Subsequently, we establish a connection to the database from Ivanti Automation Manager (for example) and handle the initial database setup within the application itself.

After initializing the SQL database, the user who performed the initialization can start Ivanti Workspace Control, for example, without encountering any issues. Another user, who has the same permissions (DBO) on the database, is unable to launch the application. The second user is able to access the SQL Database using SQL Management Studio, where they seem to have full control over the database.

Read More →

The Citrix Workspace App sometimes detects an incorrect keyboard layout on OSX.

by Leave a Comment

Apple OSX users sometimes experience an incorrect keyboard layout loaded within their Citrix session. As a result, special characters are often located in different places. The cause of this issue is that Apple has a different keyboard layout compared to Windows, leading to an Apple US-international keyboard being recognized as a Dutch keyboard in Windows.

How to identify your Apple keyboard layout by country or region

Some time ago, we conducted extensive research together with Citrix Support to investigate the cause of this issue and whether there are possibilities to change this behavior. Unfortunately, it has been found that this behavior cannot be changed through a central solution. This behavior can only be altered by making adjustments on a per OSX system basis. This guide provides detailed instructions on what needs to be adjusted.

Read More →

How to manage Windows ACL Permissions on a Synology

by Leave a Comment

For quite some time, I’ve been using Synology PhotoStation to manage all my family photos. Since I’m not the only user—my children also use the app—I thought it might be a good idea to set some permissions on the different folders. In general, I use three different groups: full control, read-write, and read-only. This way, my kids can access all shared family photos but can’t accidentally delete them. Setting access permissions within Synology Photos is somewhat limited, so I had to reorganize my folder structure to fulfill my needs. However, in the end, it worked out very well.

Last week, I decided to move over some additional photos and reorganize parts of my original folder structure. Thinking it would be quicker than using the web GUI, I accessed my photo share through SMB. Immediately, I noticed something wasn’t right. Folders could not be renamed, data couldn’t be moved, and so on. When I looked at the Windows ACL permissions, I noticed they were different from the permissions set in Synology Photos. In my case, most permissions were inherited from the root photos folder.

Read More →