Workspace ONE Access 21.08 is here, and we finally get Connectors that support Virtual Apps (with some exceptions, see “caution” section here)! One of the best things about this version is that we no longer have the need for Integration Brokers, making Citrix integrations far easier. Each Connector now has this built-in, so no more load-balancing, IIS, etc., when it comes to integrating your Citrix environments!
The Connector migration process is incredibly easy. There are plenty of videos and documentation that take you through the process. That is not actually the point of this post, though. I am creating this as a living post of undocumented bugs, tips, gotchas, and will go back and make edits as I find them in the field. I hope you find them useful!
Connector install appears to succeed, but no services are created!
This is a fun one! After going through the 21.08 Connector install, you go back to the Access Console thinking everything went through just fine. Nope! You do not see your Connectors in the list, and the migration wizard still shows step 1 as not completed. First thing to do is check the Services – they all start with VMware: VMware User Auth Service, VMware Virtual App Service, VMware Directory Sync Service, etc. If the services are not there, read on, because you may have hit this snag:
Assuming you took the default install location, head to C:\Program Files\Workspace ONE Access. You should see a .log file for each service that was attempted to install. If the logs say something like this:
---- Processing command line arguments ----
& was unexpected at this time.
(I have seen other characters other than &, such as >) …then you may have hit an undocumented bug with the password complexity for your configuration file you downloaded from Access. It appears that when the password gets passed as an install argument, it throws the command off and the install fails. Head back to the Connector Installer wizard in Access and re-download your configuration file. This time try something simple with the password, like putting a ! at the end for the special character requirement. You will need to uninstall the Connector first, and then try again.
Directory Syncs Intermittently Fail
In newer 20/21.xx Connector versions, the sync process is much more streamlined, and multiple threads can be utilized for the sync process. Unfortunately in large AD environments with tens/hundreds of thousands of users, the Domain Controller responding to the queries cannot always keep up, and Access quickly times out as a result. The following error is seen in the Console and emailed to the admins:
Failed to complete sync due to an exception.
Additionally, if you head to the Directory Sync logs (DirectorySyncService.out and eds-service.log), you may see the following:
login() failed for the user <sync service account> javax.security.auth.login.LoginException: Read timed out
and/or:
LDAP response read timed out, timeout used: 5000 ms
There is a workaround now in place with Access Connector 21.08.01. Once you upgrade to that (it’s a simple in-place upgrade from 21.08 Connector), set the following in your Directory Sync Service\Conf\application.properties file and restart your VMware Directory Sync service for any Connectors configured for directory sync:
eds.directory.query.concurrency.factor=5
This throttles the amount of concurrent threads to 5. By default, this value is 10. Try to start at 5, and then slowly work your way up until you start running into errors, and go back down. This will find your happy medium between fast syncs (more threads) and hitting AD timeouts (too many threads / queries).
Citrix Apps Show No Assignments
This seems to be a bug that was introduced in 21.08. Although the assignments were fine in 19.03.x, migrating to 21.08 begins to drop Citrix app assignments. Chances are, there may only be groups assigned to the application. To work around this, you can assign ANY AD user (does not even have to be sync’d with Access, such as the Access service account) and the group entitlements will sync successfully.
This appears to have been fixed in the 21.08.01 Connector.