PVS 7.6, Windows 2012, SMB 3.0, and Secure Negotiate

Folks,

I hope Y’ALL had a great weekend!
Going back to PVS, I wanted to share the resolution to an issue I came across recently during a client implementation. Instead of confusing you with a big giant paragraph, I’ll use one of my favorite templates back from my years on the Citrix Escalation Team.

Environment:

Citrix Product: Provisioning Services 7.6
VHD Storage: EMC Isilon NAS (w/ CIFS shares)
PVS Server OS: Windows 2012 R2 SP1
VHD OS: Windows 7 SP1

 

Issue:

Attempting to create a vDisk on shared storage failed with a Management Interface error (Management Interface: Operating System error occurred). The same error was thrown both when creating the vDisk from the PVS Console and when creating it from the target device using the Imaging Wizard. Also, when validating server paths in the vDisk Store Properties, a Path Not Found message is displayed at random.


Resolution:

On all Provisioning Servers in the environment, run the following command in PowerShell as an Administrator to disable Secure Negotiate in Windows:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name RequireSecureNegotiate -Value 0 -Force
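
The same registry change, wrapped as an audit-first script that records each server's previous value before anything is written. This is an added example, not part of the original post; the server names PVS01/PVS02, the CSV file name, and the use of PowerShell remoting (WinRM) are assumptions.

```powershell
# Added example: report (and optionally change) RequireSecureNegotiate on every PVS server.
# Assumptions: PVS01/PVS02 are placeholder names, WinRM remoting is enabled, run as Administrator.
$PvsServers = @('PVS01', 'PVS02')
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$ValueName  = 'RequireSecureNegotiate'
$Apply      = $false   # $false = report only; $true = write 0 as in the resolution above

$report = Invoke-Command -ComputerName $PvsServers -ArgumentList $KeyPath, $ValueName, $Apply -ScriptBlock {
    param($KeyPath, $ValueName, $Apply)

    # Read the current value; it is $null when the registry value has never been created.
    $before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($Apply) {
        # Same change as the one-liner in this post, with the value type made explicit.
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord -Force
    }

    # Read it back so the report shows what is actually in the registry now.
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Before  = if ($null -eq $before) { '(not set)' } else { $before }
        After   = if ($null -eq $after)  { '(not set)' } else { $after }
        Changed = ($before -ne $after)
    }
}

# Show the result and keep a record of which servers had the setting changed.
$report | Sort-Object Server | Format-Table Server, Before, After, Changed -AutoSize
$report | Select-Object Server, Before, After, Changed |
    Export-Csv -Path .\RequireSecureNegotiate-audit.csv -NoTypeInformation
```

Run it once with `$Apply = $false` to see the current state, then with `$true` to apply; the CSV keeps the prior values so the setting can be put back later.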

 

Explanation:

This behavior can be caused by the Secure Negotiate (also known as Secure Dialect Negotiation) feature that Microsoft added in SMB 3.0 for Windows 2012, which requires that error responses by all SMBv2 servers, including protocols 2.0 and 2.1, are correctly signed. If the correct signature is not received back from the SMB client, the connection is cut off to prevent Man-in-the-Middle attacks. Some file servers don’t support this feature, and that’s where you would see the most failures. Check out Microsoft’s article on Secure Negotiation by the Open Specifications Support Team HERE (they’re pretty technical BTW! 😉 )

Machine Creation Services (MCS) Fail to Create Catalog (Permissions)

Dear Readers,

I haven’t posted anything in such a long time mainly because I’ve been so busy with my new role as Consulting Architect and all the cool things I’m learning in the field. Anyway, the PVS Guy is NOT dead. In fact, he is more alive than ever 🙂 – and I am planning to revive the website starting NOW. I am launching a new category called XenDesktop to share some tips & tricks from my VDI projects.

Today we’ll talk about an error I came across recently that can often be seen in recently upgraded XenDesktop environments (5.x – 7.x) and parallel implementations. As most of you are aware, when creating a new machine catalog with MCS, the Delivery Controller uses the vCenter host connection and service account configured at site setup to request actions from the VMware hypervisor. If you happen to use the same account on a 7.x DDC that you used in 5.6 without changing any permissions in vCenter, MCS will most likely fail to create the catalog. If you export the error details to a text file (as you always should), you will see the following exception:

Terminating Error:
An error occurred while preparing the image.
Stack Trace:
at Citrix.Console.PowerShellSdk.ProvisioningSchemeService.BackgroundTasks.ProvisioningSchemeTask.CheckForTerminatingError(SdkProvisioningSchemeAction sdkProvisioningSchemeAction)
at Citrix.Console.PowerShellSdk.ProvisioningSchemeService.BackgroundTasks.ProvisioningSchemeTask.WaitForProvisioningSchemeActionCompletion(Guid taskId, Action`1 actionResultsObtained)
at Citrix.Console.PowerShellSdk.ProvisioningSchemeService.BackgroundTasks.ProvisioningSchemeCreationTask.StartProvisioningAction()
at Citrix.Console.PowerShellSdk.ProvisioningSchemeService.BackgroundTasks.ProvisioningSchemeCreationTask.RunTask()
at Citrix.Console.PowerShellSdk.BackgroundTaskService.BackgroundTask.Task.Run()

DesktopStudio_ErrorId : UnknownError
ErrorCategory : NotSpecified
ErrorID : FailedToCreateImagePreparationVm
TaskErrorInformation : Terminated
InternalErrorMessage : Either the account is not granted sufficient privilege or disabled or username/password is incorrect Either the account is not granted sufficient privilege or disabled or username/password is incorrect Permission to perform this operation was denied.

That’s because XenDesktop 7.x requires two additional rights assigned in vCenter that were not required for 4.x and 5.x:

VirtualMachine.Config.AdvancedConfig ==> Virtual machine > Configuration > Advanced

VirtualMachine.Config.Settings ==> Virtual machine > Configuration > Settings

For a full list of VMware service account permissions for XenDesktop, click HERE for 7.x and HERE for 4.x and 5.x.

 

Ah!! Tricky, isn’t it?! 🙂