
Credit goes to Richard Podd for finding the solution for this – Kudos Rich!
Summary
You are logging in to Citrix Studio with an AD account that has full admin rights, but you still get permission denied error messages. This happens on all Delivery Controllers.
Error Id: XDDS:292F2E2C
Exception:
Citrix.Console.Models.Exceptions.ScriptException You are not authorized to perform this operation.
DesktopStudio_ErrorId : AuthorizationError
Exception : Citrix.Fma.Sdk.ServiceCore.AuthorizationFailureException: Failed to authorize operation GetServiceStatus. Failed ISM for communication with Delegated Admin Service. ---> Citrix.Fma.Sdk.InterServiceManager.AllMatchingServiceInstancesFailedException: All the service instances that matched the requested client profile are in the failed state
Reason : AuthorizationFailureException
Message : Failed to authorize operation GetServiceStatus. Failed ISM for communication with Delegated Admin Service.
Sdk Error Message : There was a problem communicating with the Citrix Delegated Administration Service.
DesktopStudio_PowerShellHistory : ValidateConfigurationServiceLocationScript
1/5/2015 8:52:27 AM
For the full error message, see the "Full error message" section at the end of the page.
Environment
- Citrix XenDesktop 7.15 LTSR CU2
- Microsoft SQL Server 2012
Carl Stalhood suggested a solution which worked great for older versions of XenDesktop e.g. 7.5 where the issue had to do with the maxReceivedMessageSize parameter of the “Citrix.DelegatedAdmin.exe.config” file. His solution can be found here
Assumptions
The solution proposed here assumes that the [DAS].[Administrators] table in the database has one or more corrupted records.
Solution A – The quick way
The quick way involves removing all administrators directly on the database and reinstating yourself as admin.
- Get your SID using PowerShell, save it somewhere
    $objUser = New-Object System.Security.Principal.NTAccount("DOMAIN\USERNAME")
    $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
    $strSID.Value
- Load SQL Management Studio on the Database server
- Open a new Query window to the Site DB
- Run the following
    INSERT INTO [DAS].[Administrators](Sid,Enabled) Values ('YOUR_SID_FROM_STEP1',1)
    SELECT * FROM [DAS].[Administrators] -- Make note of the Id column for your new entry
    SELECT Id FROM [DAS].[Roles] Where Name = 'Full Administrator' --Make a note of the Id returned
    DELETE FROM [DAS].[Rights]
    INSERT INTO [DAS].[Rights] Values ([Your Admin Id from above],'00000000-0000-0000-0000-000000000000','<The_Role_ID_From_Above>')
- Reload Studio
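Solution A can also be run as one guarded transaction that copies both tables first and rolls back unless exactly one rights row is created. This is an added example, not the original author's script: the @Sid variable and the _PreFix backup table names are assumptions, and unlike the statements above it skips the administrator insert when the SID is already present.

```sql
-- Added example: Solution A as a single guarded transaction, run against the Site DB.
-- Assumed names: @Sid and the *_PreFix backup tables.
-- Table and column names are the ones used in the statements above.
SET XACT_ABORT ON;   -- any runtime error rolls the whole transaction back
SET NOCOUNT ON;

DECLARE @Sid nvarchar(256) = N'YOUR_SID_FROM_STEP1';  -- placeholder from step 1

BEGIN TRANSACTION;

-- Keep copies of both tables so the original rows can be inspected or restored.
SELECT * INTO [DAS].[Administrators_PreFix] FROM [DAS].[Administrators];
SELECT * INTO [DAS].[Rights_PreFix]         FROM [DAS].[Rights];

-- Add the administrator only if this SID is not already in the table.
IF NOT EXISTS (SELECT 1 FROM [DAS].[Administrators] WHERE Sid = @Sid)
    INSERT INTO [DAS].[Administrators] (Sid, Enabled) VALUES (@Sid, 1);

-- Same step as above: this removes every delegated-admin right in the Site.
DELETE FROM [DAS].[Rights];

-- Same positional insert as above, with both Ids looked up instead of noted by hand.
INSERT INTO [DAS].[Rights]
SELECT a.Id, '00000000-0000-0000-0000-000000000000', r.Id
FROM [DAS].[Administrators] AS a
CROSS JOIN [DAS].[Roles] AS r
WHERE a.Sid = @Sid AND r.Name = 'Full Administrator';

-- Zero rows means the SID or role was not found; more than one means duplicates.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;  -- also discards the *_PreFix copies
    RAISERROR('Expected exactly one new row in [DAS].[Rights]; nothing was changed.', 16, 1);
    RETURN;
END

COMMIT TRANSACTION;

-- Confirm the single Full Administrator entry before reloading Studio.
SELECT * FROM [DAS].[Rights];
```

The _PreFix copies hold the original rows, which are the records Solution B re-creates one SID at a time.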
Solution B – The longer way
Using the same logic as above, instead of deleting all administrators from [DAS].[Administrators] and all rights from [DAS].[Rights], recreate the records of those tables for one SID at a time and re-test Studio after each one until you find the corrupted record(s).
References
https://discussions.citrix.com/topic/359322-full-admin-but-permission-denied/
https://support.citrix.com/article/CTX217067
https://support.citrix.com/article/CTX215602
Full error message
Error Id: XDDS:292F2E2C
Exception:
Citrix.Console.Models.Exceptions.ScriptException You are not authorized to perform this operation.
at Citrix.Console.PowerShellInteraction.CmdletExecutionMethods.CreateException[T](ICommonLog logger, ExecutionResults1 results, ICmdletExecutionHost host)
at Citrix.Console.PowerShellInteraction.CmdletExecutionMethods.Execute[T](ISdkCmdlet`1 sdkCmd, ICmdletExecutionHost host, Boolean allowFailover)
at Citrix.Console.PowerShellSdk.HealthMonitor.Scripts.ValidateConfigurationServiceLocationScript.RunScript()
at Citrix.Console.PowerShellInteraction.PowerShellScript1.Run()
at Citrix.Console.PowerShellSdk.PowerShellService.ValidateCentralConfigurationServiceLocation(String ccsLocation)
at Citrix.Console.DeliveryCenter.UI.Dialogs.CcsValidator.ValidateCcs(String ccsLocation)
at Citrix.Console.DeliveryCenter.UI.ViewModel.DesktopStudioViewModel.ConnectToSite(String ccsLocation, Boolean safeForDispatcher)
at Citrix.Console.DeliveryCenter.UI.Mmc.StartupTabViewModel.<>c__DisplayClass2.b__1()
at Citrix.Console.CommonControls.ProgressDisplay.GenericProgressOperation.PerformOperationInternal()
at Citrix.Console.CommonControls.ProgressDisplay.ProgressWindowOperation.PerformOperation()
at Citrix.Console.CommonControls.ProgressDisplay.ProgressWindowViewModel.PerformAction(Action operationComplete)
DesktopStudio_ErrorId : AuthorizationError
Exception : Citrix.Fma.Sdk.ServiceCore.AuthorizationFailureException: Failed to authorize operation GetServiceStatus. Failed ISM for communication with Delegated Admin Service. ---> Citrix.Fma.Sdk.InterServiceManager.AllMatchingServiceInstancesFailedException: All the service instances that matched the requested client profile are in the failed state
at Citrix.Fma.Sdk.InterServiceManager.InterServiceManager.FilterAndSort(ServiceFamily family)
at Citrix.Fma.Sdk.InterServiceManager.InterServiceManager.GetPreferredServiceInstance(ServiceFamily serviceFamily)
at Citrix.Fma.Sdk.InterServiceManager.WcfClientBase1.SelectNewConnection()
at Citrix.Fma.Sdk.InterServiceManager.WcfClientBase1.MoveToNextConnection()
1.RegisteredCallAndRetry[TResult](Func
at Citrix.Fma.Sdk.InterServiceManager.WcfClientBase2 operation)
1 operation, Func`2 defaultValue, Enum code)
at Citrix.Configuration.DelegatedAdminProvider.DemandPermission(String operation)
--- End of inner exception stack trace ---
at Citrix.Configuration.DelegatedAdminProvider.DemandPermission(String operation)
at Citrix.Fma.Sdk.ServiceCore.LogicBase.DemandPermission(String operation, ServiceRegistrationStates localAdminStates)
at Citrix.Fma.Sdk.ServiceCore.ServiceBase.<>c__DisplayClass10.b__f()
at Citrix.Fma.Sdk.ServiceCore.ServiceBase.CheckedCall[T](String name, Func
Reason : AuthorizationFailureException
Message : Failed to authorize operation GetServiceStatus. Failed ISM for communication with Delegated Admin Service.
Sdk Error Message : There was a problem communicating with the Citrix Delegated Administration Service.
Sdk Error ID : Citrix.XDPowerShell.Status.AuthorizationError,Citrix.Configuration.Sdk.Cmdlets.Management.Commands.GetConfigServiceStatusCommand
ErrorCategory : NotSpecified
DesktopStudio_PowerShellHistory : ValidateConfigurationServiceLocationScript
1/5/2015 8:52:27 AM
Get-ConfigServiceStatus -AdminAddress ‘localhost’
Get-ConfigServiceStatus : There was a problem communicating with the Citrix Delegated Administration Service.
+ CategoryInfo : PermissionDenied: (:) [Get-ConfigServiceStatus], UnauthorizedAccessException
+ FullyQualifiedErrorId : Citrix.XDPowerShell.Status.AuthorizationError,Citrix.Configuration.Sdk.Cmdlets.Management.Commands.GetConfigServiceStatusCommand