Citrix LAS DDC – Not Activated
🟦 Introduction
If you're transitioning to Citrix LAS this week and come across a DDC that is not activated while the other DDCs are activated, you may have a cipher issue, which is what we ran into.
But first!
Ensure all your DDCs are running the correct supported version.
Citrix Virtual Apps & Desktops:
- 2507 CU1
- 2402 CU3
This is a real-world issue I recently encountered, and the root cause wasn’t Citrix at all…
It was Windows TLS configuration.
🟦 The Problem
One Delivery Controller showed:
- Status: Active
- Version: Correct (2507)
- License server: Reachable (ports open)
- Other DDCs: Activated
But this one:
LastLicensingUpdateTime : (blank)
Status: NotActivated
Everything looked correct — but licensing simply wouldn’t initialise.

🟦 Initial Checks (All Passed)
We verified:
- License ports:
  - 27000 (License Server)
  - 7279 (Vendor daemon)
  - 8083 (Web Services)
- Services running:
  - Citrix Licensing
  - Citrix Web Services for Licensing
- Controller state:
  - Active in site
  - Version consistency across DDCs
Still not activated.
🟦 The Breakthrough
The issue became clear when comparing TLS cipher suites between:
- Working DDC ✅
- Broken DDC ❌
You can run the following PowerShell command to check the cipher list order in your environment:
Get-TlsCipherSuite | Format-Table CipherSuite, Name
❌ Broken Server (Top Ciphers)
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
✅ Working Server (Top Ciphers)
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
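One way to run the working-vs-broken comparison described above, as an added example that is not part of the original post: it lines up the two servers' cipher suite order by priority and flags static-RSA or CBC suites like those at the top of the broken server's list. The server names, function names and the legacy pattern are assumptions for illustration.

```powershell
# Added example, not from the original post. DDC01 is a placeholder name.
$LegacyPattern = '^TLS_RSA_WITH_|_CBC_'   # static-RSA key exchange or CBC mode

function Get-CipherOrder {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Assumes PowerShell remoting is enabled on the target.
    # Get-TlsCipherSuite returns suites in Schannel priority order.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { (Get-TlsCipherSuite).Name }
}

function Compare-CipherOrder {
    param(
        [Parameter(Mandatory)][string[]]$Working,
        [Parameter(Mandatory)][string[]]$Broken
    )
    $rows = [Math]::Max($Working.Count, $Broken.Count)
    for ($i = 0; $i -lt $rows; $i++) {
        $w = if ($i -lt $Working.Count) { $Working[$i] } else { '' }
        $b = if ($i -lt $Broken.Count)  { $Broken[$i] }  else { '' }
        [pscustomobject]@{
            Priority     = $i + 1
            Working      = $w
            Broken       = $b
            SameSuite    = ($w -eq $b)
            BrokenLegacy = ($b -ne '' -and $b -match $LegacyPattern)
        }
    }
}

function Test-LegacyPreferred {
    param([Parameter(Mandatory)][string[]]$Order)
    # True when the suite Schannel prefers most is a legacy one
    $Order[0] -match $LegacyPattern
}

# Constructed sample input: the top three suites the post shows for each server
$working = 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256',
           'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
$broken  = 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA',
           'TLS_RSA_WITH_AES_256_CBC_SHA256'
# Live use instead: $working = Get-CipherOrder -ComputerName DDC01

Compare-CipherOrder -Working $working -Broken $broken | Format-Table -AutoSize
"Broken server prefers legacy suites: $(Test-LegacyPreferred -Order $broken)"
```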
🟦 Root Cause
The affected server was prioritising legacy TLS ciphers, causing a silent failure when connecting to:
https://localhost:8083
This endpoint is used by Citrix licensing.
What happens:
- DDC connects to licensing service
- TLS handshake starts
- Weak ciphers are offered first
- Handshake fails or is rejected
- Licensing update never completes
Result:
- No timestamp
- Controller shows Not Activated
🟦 The Fix
We corrected the cipher suite order via the registry. Please remember to back up your registry key before making changes in case you need to revert.
📍 Registry Path
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
🔑 Key
Functions (REG_SZ)
✅ Value
TLS_AES_256_GCM_SHA384,
TLS_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
🟦 Apply the Change
gpupdate /force
shutdown /r /t 0
Then restart services:
Restart-Service "Citrix Licensing"
Restart-Service "Citrix Web Services for Licensing"
Restart-Service CitrixBrokerService
🟦 Result
Immediately after reboot:
- LastLicensingUpdateTime populated ✅
- Controller status → Activated ✅
🟦 Why This Happens
This is usually caused by:
- Security hardening GPOs
- CIS benchmarks
- Manual TLS configuration
- Inconsistent server builds
One server ends up with a different cipher order.
🟦 Key Takeaway
If a Citrix DDC shows “Not Activated” but everything else looks correct — check TLS cipher order.
This is not a licensing issue.
This is not a Citrix bug.
It’s Windows Schannel configuration.
🟦 Pro Tip
Always standardise cipher suites across:
- Delivery Controllers
- StoreFront servers
- License servers
🟦 Final Thoughts
This was a great reminder that:
The hardest Citrix problems are often not Citrix problems
If you’re troubleshooting weird behaviour:
- Compare working vs broken servers
- Look at what’s different, not what’s configured