Linux Virtual Delivery Agent

Known issues

The following issues have been identified in this release:

  • The smart card service leaks file descriptors during smart card authentication, leading to a blockage of new smart card access. This issue occurs because, by default, most Linux distributions limit the maximum number of open files to 1,024 for each process. When the smart card service exhausts this limit, it can no longer establish new connections, effectively blocking subsequent smart card access.

    This issue affects VDAs with smart card logon enabled. Symptoms include numerous Failed to accept new connection: Too many open files errors in /var/log/xdl/hdx.log and an accumulation of file descriptors in /proc/${pid}/fd/, where ${pid} represents the process ID of ctxscardsd. To determine the PID, use the command systemctl status ctxscardsd|grep PID.

    To mitigate this issue, you can either increase the maximum open files limit for the smart card service or restart the smart card service. Ensure that there are no active sessions before attempting to restart the service. Use the following commands to increase the limit or restart the service:

    • To restart the smart card service:

       systemctl restart ctxscardsd
      
    • To query the current service max open files:

       cat /proc/${PID}/limits
      
    • To set the maximum open files for the smart card service:

      1. Open the ctxscardsd.service file in read-only mode to check the current settings:

        vim -R /lib/systemd/system/ctxscardsd.service
        
      2. Add the following line to the Service section in ctxscardsd.service to increase the limit:

        LimitNOFILE=65536
        
      3. Reload the systemd daemon and restart the ctxscardsd service:

        systemctl daemon-reload
        systemctl restart ctxscardsd
        
      4. Verify the new limit:

        cat /proc/${PID}/limits

    Note:

    Increasing the max open files can extend the time before running out of file descriptors, but a restart of ctxscardsd might still be necessary eventually.

    [LNXVDA-17768]

  • If you leave the CTX_XDL_DESKTOP_ENVIRONMENT variable unspecified, there is no way to know which desktop is to be used in the subsequent process. As a result, desktop-related environment variables are not configured and apps or plug-ins that depend on these variables might not work as expected. [LNXVDA-16212]

  • Due to an issue with GNOME, the Linux VDA does not work as expected after you upgrade samba-winbind to version 4.18.6 on RHEL 8.x, Rocky Linux 8.x, RHEL 9.x, and Rocky Linux 9.x. For more information, see https://issues.redhat.com/browse/RHEL-17122.

  • Session launch failures occur when the maximum connections set in PostgreSQL are insufficient to handle concurrent sessions. To work around the issue, increase the maximum connections by modifying the max_connections setting in the postgresql.conf file.

  • VDA registration might fail due to the following LDAP exception thrown in /var/log/xdl/jproxy.log:

     javax.naming.NamingException: LDAP response read timed out, timeout used: 10000 ms.

    To work around the issue, do the following:

    • Change the LDAP timeout value. For example, change the LDAP timeout value to 60 s using the following command:

       ctxreg create -k "HKLM\Software\Citrix\GroupPolicy\Defaults" -t "REG_DWORD" -v "LDAPTimeout" -d "0x000EA60" --force
      
    • Speed up LDAP queries by setting a search base. You can set a search base using the CTX_XDL_SEARCH_BASE variable in ctxsetup.sh or using the following command:

       ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent" -t "REG_SZ" -v "LDAPComputerSearchBase" -d "<specify a search base instead of the root of the domain to improve search performance>" --force

    [CVADHELP-20895]

  • Microsoft released cumulative updates KB5019966 and KB5019964 for Windows 10 in November 2022. The updates introduce failures in domain joining and registration. To work around the issue, see Knowledge center article CTX474888.

  • With the RC4_HMAC_MD5 encryption type allowed for Kerberos, the Linux VDA might fail to register with the Controller and the following error message appears:

    Error: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)

    To address this issue, disable RC4_HMAC_MD5 globally in your Active Directory domain (or specifically on an OU) or allow weak encryption types on the Linux VDA. After that, clear the cached Kerberos tickets on the Controller and Citrix Cloud Connector by using the klist -li 0x3e4 purge command and restart the Linux VDA.

    To disable RC4_HMAC_MD5 globally in your Active Directory domain, complete the following steps:

    1. Open the Group Policy Management Console.
    2. Locate the target domain, and then select Default Domain Policy.
    3. Right-click Default Domain Policy and select Edit. The Group Policy Management Editor opens.
    4. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
    5. Double-click Network security: Configure encryption types allowed for Kerberos.
    6. Clear the DES_CBC_CRC, DES_CBC_MD5, and RC4_HMAC_MD5 check boxes and select AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types.

    To allow weak encryption types on the Linux VDA, complete the following steps:

    Note:

    Weak encryption types make your deployment vulnerable to attacks.

    1. Open the /etc/krb5.conf file on the Linux VDA.
    2. Add the following entry under the [libdefaults] section:

      allow_weak_crypto= TRUE

  • The Linux VDA does not support SecureICA for encryption. Enabling SecureICA on the Linux VDA causes session launch failure.

  • In a GNOME desktop session, attempts to change the keyboard layout might fail. [CVADHELP-15639]

  • Ubuntu graphics: In HDX 3D Pro, a black frame might appear around applications after resizing the Desktop Viewer, or sometimes, the background can appear black.

  • Printers created by the Linux VDA printing redirection might not be removed after logging out of a session.

  • CDM files are missing when a directory contains numerous files and subdirectories. This issue might occur if the client side has too many files or directories.

  • In this release, only UTF-8 encoding is supported for non-English languages.

  • Citrix Workspace app for Android CAPS LOCK state might be reversed during session roaming. The CAPS LOCK state can be lost when roaming an existing connection to Citrix Workspace app for Android. As a workaround, use the Shift key on the extended keyboard to switch between upper case and lower case.

  • Shortcut keys with ALT do not always work when you connect to the Linux VDA using Citrix Workspace app for Mac. Citrix Workspace app for Mac sends AltGr for both left and right Options/Alt keys by default. You can modify this behavior within the Citrix Workspace app settings but the results vary with different applications.

  • Registration fails when the Linux VDA is rejoined to the domain. The rejoining generates a fresh set of Kerberos keys. But, the Broker might use a cached out-of-date VDA service ticket based on the previous set of Kerberos keys. When the VDA tries to connect to the Broker, the Broker might not be able to establish a return security context to the VDA. The usual symptom is that the VDA registration fails.

    This problem can eventually resolve itself when the VDA service ticket expires and is renewed. But because service tickets are long-lived, it can take a long time.

    As a workaround, clear the Broker’s ticket cache. Restart the Broker or run the following command on the Broker from a command prompt as Administrator:

     klist -li 0x3e4 purge

    This command purges all service tickets in the LSA cache held by the Network Service principal under which the Citrix Broker Service runs. It removes service tickets for other VDAs and potentially other services. However, it is harmless – these service tickets can be reacquired from the KDC when needed again.

  • Audio plug-n-play is not supported. You can connect an audio capture device to the client machine before starting to record audio in the ICA session. If a capture device is attached after the audio recording application has started, the application might become unresponsive and you must restart it. If a capture device is unplugged while recording, a similar issue might occur.

  • Citrix Workspace app for Windows might experience audio distortion during audio recording.
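
For the smart card file-descriptor leak above (LNXVDA-17768), the following added example, which is not Citrix code, compares the entries in /proc/${pid}/fd/ with the soft limit in /proc/${pid}/limits and counts the Too many open files errors in hdx.log. The function names, the script name, the 80% warning threshold, and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Citrix code): how close is a process to its open-files limit?

# Soft "Max open files" value from a /proc/<pid>/limits-style file.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Number of entries in a /proc/<pid>/fd-style directory.
fd_count() {
    ls -A "$1" | wc -l | tr -d ' '
}

# Number of accept failures of the kind the page quotes from hdx.log.
fd_error_count() {
    grep -c 'Failed to accept new connection: Too many open files' "$1" || true
}

# Print "<STATE> <used>/<limit>"; WARN at or above the threshold percentage.
fd_status() {
    limit=$(nofile_soft_limit "$1")
    used=$(fd_count "$2")
    threshold=${3:-80}                      # assumed default warning threshold
    if [ "$limit" = "unlimited" ]; then
        echo "OK $used/unlimited"
    elif [ "$used" -ge "$limit" ]; then
        echo "EXHAUSTED $used/$limit"
    elif [ $(( used * 100 / limit )) -ge "$threshold" ]; then
        echo "WARN $used/$limit"
    else
        echo "OK $used/$limit"
    fi
}

# With a PID argument, inspect the live process (run as root; hypothetical script name):
#   sh fdcheck.sh "$(systemctl show -p MainPID --value ctxscardsd)"
# Without one, run on constructed sample data.
if [ -n "${1:-}" ]; then
    fd_status "/proc/$1/limits" "/proc/$1/fd"
    fd_error_count /var/log/xdl/hdx.log
else
    demo=$(mktemp -d)
    mkdir "$demo/fd"
    printf 'Max open files            1024                 4096                 files\n' > "$demo/limits"
    i=0; while [ "$i" -lt 900 ]; do : > "$demo/fd/$i"; i=$((i + 1)); done
    fd_status "$demo/limits" "$demo/fd"     # constructed: 900 of 1024 descriptors in use
    rm -rf "$demo"
fi
```

Run periodically, a WARN result gives time to schedule the ctxscardsd restart for a moment when no sessions are active.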
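
For the allow_weak_crypto workaround above, the following added example, which is not Citrix code, lists weak-crypto settings in the [libdefaults] section of a krb5.conf so that Linux VDAs still carrying the workaround can be found. It goes beyond the page by also flagging RC4 or single-DES entries in the enctype lists; the function name and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not Citrix code): audit a krb5.conf for the weak-crypto workaround.

# Print "key<TAB>value" for each weak-crypto finding in the [libdefaults] section.
krb5_weak_findings() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[][ \t]/, "", sect); next }
        sect != "libdefaults" { next }               # other sections are ignored
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Boolean spellings that krb5.conf treats as true.
            if (key == "allow_weak_crypto" && val ~ /^(y|yes|true|t|1|on)$/)
                print key "\t" val
            # Enctype lists that still name RC4 or single DES.
            if (key ~ /^(permitted|default_tkt|default_tgs)_enctypes$/ &&
                val ~ /(rc4|arcfour|des-cbc)/)
                print key "\t" val
        }
    ' "$1"
}

# With a path argument, audit that file; without one, use a constructed sample.
conf=${1:-}
if [ -z "$conf" ]; then
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed sample, not a real deployment
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto= TRUE
[realms]
    allow_weak_crypto = true
EOF
    krb5_weak_findings "$conf"      # only the [libdefaults] entry is reported
    rm -f "$conf"
else
    krb5_weak_findings "$conf"
fi
```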
