NetScaler MAS represents a very versatile and powerful tool. If you have NetScalers, I recommend you give it a try. As of this writing, if you have 30 or fewer VIPs configured on your NetScalers, you can use all the features of MAS (confirm with your Citrix Sales Rep). So, let’s say you want to make some changes to MAS and find that a former employee has removed your group’s write access and the nsroot password is unknown. What do you do? Citrix provides documentation on resetting the nsroot password on NetScalers, but nothing on MAS.
Get your Mr. Robot on!
We were able to follow most of the procedure in https://docs.citrix.com/en-us/netscaler/10-1/ns-system-wrapper-10-con/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
This was a virtual machine on XenServer, so I connected to the console.
- Connect to the virtual appliance via XenCenter.
- Reboot the NetScaler MAS.
- Press CTRL+C when the following message appears:
Press [Ctrl-C] for command prompt, or any other key to boot immediately.
Booting [kernel] in # seconds.
- Run the following command to start the NetScaler in single user mode:
boot -s
Note: If boot -s does not work, then try reboot -- -s and the appliance will reboot in single user mode.
After the appliance boots, it displays the following message:
Enter full path name of shell or RETURN for /bin/sh:
- Press ENTER key to display the prompt, and type the following commands to mount the file systems:
- Run the following command to check the disk consistency:
Note: Your flash drive will have a specific device name depending on your NetScaler; hence, you have to replace ad0s1a in the preceding command with the appropriate device name. In my case it was ad0s1a.
- If you receive the following after running the above command:
fsck: Could not determine filesystem type
- Run this command to resolve:
You should see the following (select Y for all the prompts).
- Run the following command to display the mounted partitions:
If the flash partition is not listed, you need to mount it manually.
- Run the following command to mount the flash drive:
mount /dev/ad0s1a /flash
- Run the following command to change to the nsconfig directory:
- Create a hidden recover file in this directory
- Reboot the MAS
- Once the reboot completes, enter nsroot/nsroot for the username and password (it may take a couple of minutes before you can log in with nsroot).
- Log in to the MAS web page with nsroot.
- Change the nsroot password and make other administrative changes.
Citrix’s software developers are hard at work and have rolled out version 4.4 of Workspace Environment Manager. You can now download the new version here (requires Platinum licenses and login to Citrix.com). I’ve provided the release notes below.
Workspace Environment Management 4.4 includes the following new features. For information about bug fixes, see Fixed issues (below).
From this release, the Workspace Environment Management infrastructure service sends anonymous usage data to Google Analytics. For more information, and for opt-out instructions, see Infrastructure services.
From this release, Workspace Environment Management supports Citrix Profile Management 7.15. The following new options are now available in the administration console:
- Enable Logon Exclusion Check (options controlling file system exclusions)
- Enable Profile Streaming Exclusion List – Directories (option controlling user profile streaming)
In the Infrastructure Services Configuration utility, the Database Maintenance tab has a new option Agent registrations retention period. This allows agent registration logs to be deleted after a set time, which reduces the size of the database. It also reduces lag in populating the Registrations tab in the administration console.
At this release, Workspace Environment Management documentation is updated to reflect current product behavior. The documentation has also been remodeled as a single “versionless” documentation set describing the “current release.” This approach reduces duplication in the online documentation set, gives more focused search results, and is better suited to agile release processes. Associated changes include:
- A top level “current release” article contains links to previous documentation sets in PDF format only. (HTML documentation for previous releases is no longer provided.)
- “What’s new” summarizes the new functionality at the current release, and in previous releases.
- A new “Reference” section gathers reference information in one location. Port information previously in the introductory article is relocated to “Reference.”
The following issues have been fixed since Version 4.4
- If you run the Workspace Environment Management administration console as a standard Windows user, and you attempt to start the Modelling Wizard, the wizard does not start. [#WEM-187]
- When you attempt to add a user group, which is in a different AD domain to the infrastructure server, as a processed group in the Citrix User Profile Management tab in the administration console, the exception IndexOutOfRangeException is raised, and the group is not processed. [#WEM-210]
- Links in “This PC” in Windows 10 do not reflect folder redirection, and still point to local folders. [#WEM-234]
- The Agent Host waits about 5 minutes before starting if Workspace Environment Management is installed on Windows version 8, or Server 2012, and a language pack is installed. [#WEM-244]
- If you launch or refresh a UI session agent when it is not bound to a configuration set, keyboard and mouse locks which are active during the agent refresh are not released. [#WEM-321]
- If you attempt to add an agent host machine to a configuration set when the agent host machine is in a different domain to the infrastructure service, the machine is not added in the administration console Active Directory Objects tab. This happens regardless of the actual AD topology involved (parent/child domains, multi-forest setups, one- or two-way trust relationships, and so on). [#WEM-326, #WEM-299]
Your boss comes to you in a panic about security and passwords. You sip your coffee and calmly let her vent. You assure her that yes, you can quickly and easily change the root password on all your XenServers. She walks away confident you know what you are talking about.
Change that password…or can you?
You hit the Internet for information on changing the XenServer root password and are hit with article after article about recovering a lost root password. That doesn’t apply to you. You have your root password safely stored in your password store (right :)).
You ask yourself, “Self, where are the instructions on changing the root password when you already know it?”
A quick look at the XenServer install guide and admin guides doesn’t reveal anything either.
Yes you can
Citrix support wasn’t much help in this, but the answer is quick and easy, especially if you have XenServer pools.
First connect to your XenServer (use the Pool Master if you have a pool), and get to the console.
Select Change Password
Authenticate with your current password (if prompted).
Enter the old password, followed by the new password twice.
Once you hit enter, the system will change the password.
And you’re done.
BONUS: If you changed the password on the Pool Master, this will change the root password on all the pool member servers.