Saturday, 31 December 2011

On-demand application delivery with Citrix XenApp

How application virtualization and session virtualization work

Citrix XenApp is an on-demand application delivery solution that comprises application virtualization and session virtualization technologies.

Understanding application virtualization

Citrix application virtualization technology isolates applications from the underlying operating system and from other applications to increase compatibility and manageability. As a modern application delivery solution, XenApp virtualizes applications via integrated application streaming and isolation technology. This application virtualization technology enables applications to be streamed from a centralized location into an isolation environment on the target device where they will execute. With XenApp, applications are not installed in the traditional sense. The application files, configuration, and settings are copied to the target device and the application execution at run time is controlled by the application virtualization layer. When executed, the application run time believes that it is interfacing directly with the operating system when, in fact, it is interfacing with a virtualization environment that proxies all requests to the operating system.

 XenApp is unique in that it is a complete system for application delivery, offering both online and offline application access through a combination of application hosting and application streaming directly to user devices. When users request an application, XenApp determines if their device is compatible and capable of running the application in question. The minimum requirements of a target device are a compatible Windows® operating system and appropriate Citrix client software. If the user device meets minimum requirements, then XenApp initiates application virtualization via application streaming directly into an isolated environment on the user’s device. In the event that the user device is not capable of running a particular application, XenApp initiates session virtualization.

Understanding session virtualization
Session virtualization uses application streaming to deliver applications to hosting servers in the datacenter. XenApp then connects the user to the server to which the application has been delivered. The application then executes entirely on the server. The user interacts with the application remotely by sending mouse-clicks and keystrokes to the server. The server then responds by sending screen updates back to the user’s device. Whereas application virtualization is limited to Windows-based operating systems at this time, session virtualization via XenApp allows any user on any operating system to access any application delivered by IT. As a result, XenApp enables Windows, Mac, Linux, UNIX, thin clients, iPhone®, Windows Mobile® devices, and even Symbian- and Java-enabled devices to run any applications using session virtualization. Furthermore, session virtualization leverages server-side processing power which liberates IT from the endless cycle of PC hardware refreshes which are typically needed to support application upgrades when using traditional application deployment methods.

Using application virtualization and session virtualization together

In both application virtualization and session virtualization, user interaction with the application is seamless. Printers, drives, peripherals, and even the clipboard work in the exact same manner as if the application were installed. As a result, XenApp reduces the cost of application management and related costs by up to 50 percent and enables a better-than-installed experience for users when compared to traditional application deployment models.

Friday, 30 December 2011

Session initialization in Citrix

No matter how an ICA session is invoked (Program Neighborhood, Web Interface, double-clicking an ICA file, etc.), the ICA client engine (wfica32.exe for Win32 clients) fires up and loads the module.ini file from the root folder of the ICA Client. The module.ini file defines the specific capabilities that the ICA client should or can use. Therefore, when troubleshooting, it’s possible (and useful) to edit module.ini to change the capabilities of the ICA Client. For example, you might choose to disable specific client drives (DisableDrives=A,D,F) or to enable server drives in a pass-through session (NativeDriveMapping=TRUE).

The following screen shot highlights the module.ini section that specifies which virtual drivers the ICA client loads. For testing purposes you could remove a specific virtual driver altogether. This prevents the client engine from loading that virtual driver, for example SmartCard, SpeechMike, ClientAudio, etc.
 

Some virtual drivers (like clipboard functionality) are “built into” the client engine. Removing the word “Clipboard” from that VirtualDriver line will only disable the Clipboard on a client basis.
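The module.ini settings described above can also be checked by script, for example to confirm that a test client really has a virtual driver removed. The following is an added example, not Citrix code and not part of the original post; the sample file is constructed, and the section names [ICA 3.0] and [ClientDrive] are assumptions about the file layout.

```python
# Constructed sample that uses only the setting names mentioned in the text above.
SAMPLE_MODULE_INI = """\
; constructed sample, not a complete module.ini
[ICA 3.0]
VirtualDriver = Thinwire3.0, ClientDrive, ClientPrinterQueue, Clipboard, ClientAudio, SmartCard, SpeechMike

[ClientDrive]
DisableDrives = A,D,F
NativeDriveMapping = TRUE
"""


def parse_ini(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def virtual_drivers(text):
    """Names on the VirtualDriver line, in file order."""
    for keys in parse_ini(text).values():
        if "virtualdriver" in keys:
            return _csv(keys["virtualdriver"])
    return []


def audit(text, unwanted):
    """Report which drivers from `unwanted` are still listed, plus the drive settings."""
    lowered = {name.lower() for name in unwanted}
    drivers = virtual_drivers(text)
    report = {
        "loaded": drivers,
        "unwanted_present": [d for d in drivers if d.lower() in lowered],
    }
    for keys in parse_ini(text).values():
        if "disabledrives" in keys:
            report["disabled_drives"] = [d.upper() for d in _csv(keys["disabledrives"])]
        if "nativedrivemapping" in keys:
            report["native_drive_mapping"] = keys["nativedrivemapping"].upper() == "TRUE"
    return report


def remove_drivers(text, unwanted):
    """Return the file text with `unwanted` names dropped from the VirtualDriver line only."""
    lowered = {name.lower() for name in unwanted}
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip().lower() == "virtualdriver":
            kept = [d for d in _csv(value) if d.lower() not in lowered]
            raw = key.rstrip() + " = " + ", ".join(kept)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    to_remove = ["ClientAudio", "SmartCard", "SpeechMike"]
    print(audit(SAMPLE_MODULE_INI, to_remove))
    print(remove_drivers(SAMPLE_MODULE_INI, to_remove))
```

Work on a copy of module.ini and keep the original, so the client can be returned to its shipped capabilities after the test.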
Once the ICA client works out which drivers it will use, it starts a connection with the server via port 1494 (even with session reliability enabled). The server responds with “7F7FICA” for an ICA handshake as shown in the next screen shot. During the handshake the client sends its list of capabilities (virtual channels supported by the client) to the server.



Next, (still before anything shows up in any admin console or on the client desktop), the TSCAL license verification is made. If the license cannot be verified then the session just ends. Even though this is by design it’s still very confusing for most people.

If the client has or gets a valid TSCAL, the server’s WinLogon.exe process calls the GINA (and any linked GINAs, like ctxgina.dll when MetaFrame is installed) and the user is presented with the logon GUI. Once the user credentials are validated via csrss.exe, WinLogon downloads the user profile. (Here is a nice article about profiles http://www.windowsitpro.com/Windows/Article/ArticleID/41654/41654.html)
The GINA then calls UserInit.exe which is responsible for setting up the user’s environment (restoring net uses, etc.). When Terminal Server is installed, UserInit queries the registry value AppSetup located in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and executes all the programs listed in it. By default this is limited to UsrLogon.cmd, although MetaFrame XP adds cmstart.exe to the list and MetaFrame version 3 adds CtxHide UsrLogon.cmd, and CmStart.exe. (Those of you who’ve been using Terminal Server for a while will remember that UsrLogon.cmd is a hold-over from the early days when application compatibility scripts were used. See Microsoft article Q195950.)
The last thing UserInit does is launch the user’s shell as specified in the registry. By default this is explorer.exe, although you can change it to whatever you want and have some fun with your colleagues by changing theirs to progman.exe.
Once the shell is fired up the final steps take place, including items listed in the run registry keys and the programs from the Startup folder.
There’s a great utility from SysInternals called “AutoRuns” that you can run on a server to quickly and graphically show you all the things that run automatically when a session is started.
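A scripted complement to AutoRuns for the two Winlogon values described above, as an added example that is not part of the original post: it compares AppSetup and the shell against the programs the text lists and reports anything else. The value strings are constructed samples, and treating CtxHide as a launcher for the program named after it is an assumption.

```python
import ntpath
import shlex

# Both values live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
# Programs the text lists for AppSetup, and the default shell.
EXPECTED_APPSETUP = {"usrlogon.cmd", "cmstart.exe", "ctxhide.exe"}
EXPECTED_SHELL = "explorer.exe"
# Assumption: CtxHide starts the program named after it, so that argument is checked too.
LAUNCHERS = {"ctxhide.exe"}


def tokens(command):
    """Split one command line into program and arguments, honouring double quotes."""
    try:
        return shlex.split(command, posix=False)  # non-POSIX mode keeps backslashes
    except ValueError:                            # unbalanced quote: plain split
        return command.split()


def program_name(token):
    """Reduce one token to a lower-case file name with an extension."""
    name = ntpath.basename(token.strip().strip('"')).lower()
    if name and "." not in name:
        name += ".exe"
    return name


def split_appsetup(value):
    """AppSetup is a comma-separated list; each entry is a program plus arguments."""
    return [t for t in (tokens(entry) for entry in value.split(",")) if t]


def audit_winlogon(appsetup, shell, citrix_server=True):
    """Return a list of findings; an empty list means the values match the baseline."""
    findings, seen = [], set()
    for entry in split_appsetup(appsetup):
        prog = program_name(entry[0])
        seen.add(prog)
        if prog not in EXPECTED_APPSETUP:
            findings.append("unexpected AppSetup entry: " + " ".join(entry))
        elif prog in LAUNCHERS and len(entry) > 1:
            target = program_name(entry[1])
            seen.add(target)
            if target not in EXPECTED_APPSETUP:
                findings.append("unexpected program started via %s: %s" % (prog, entry[1]))
    if citrix_server and "cmstart.exe" not in seen:
        findings.append("CmStart.exe missing from AppSetup: no seamless windows")
    shell_tokens = tokens(shell)
    if not shell_tokens or program_name(shell_tokens[0]) != EXPECTED_SHELL:
        findings.append("shell is %s, expected %s" % (shell, EXPECTED_SHELL))
    return findings


# Constructed sample values, not taken from a real server.
BASELINE = ("CtxHide UsrLogon.cmd,CmStart.exe", "explorer.exe")
CHANGED = ('UsrLogon.cmd,"C:\\Temp\\updater.exe" /q', "progman.exe")

if __name__ == "__main__":
    for appsetup, shell in (BASELINE, CHANGED):
        print(appsetup, "|", shell)
        for finding in audit_winlogon(appsetup, shell) or ["ok"]:
            print("   ", finding)
```

On a plain Terminal Server without MetaFrame, pass citrix_server=False so that a missing CmStart.exe is not reported.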



Everything on the server side that we’ve mentioned so far is Microsoft only. It applies if you’re connecting via a standard Terminal Server / RDP session or via a MetaFrame ICA session. (For more detail on WinLogon, UserInit, Csrss, and other Windows processes, take a look at Microsoft Knowledge Base article Q263201.)
Now let’s take a look at what happens when Citrix is thrown in the picture. As we mentioned earlier, UserInit also executes the CmStart.exe process. CmStart.exe is the Citrix Client Manager Starting Utility and it’s responsible for two things:
  1. It starts the Citrix seamless windows engine shell called wfshell.exe.
  2. It launches the Citrix Client Manager (cltmgr.exe ) that’s used to keep the ICA client up to date.
The following screenshot is of Sysinternals’ Process Explorer running during a MetaFrame session start.



Let’s take a closer look at these processes and what they each do.
Citrix Client Manager Starting Utility (CmStart.exe)
CmStart is responsible for launching the seamless engine which means no seamless windows without CmStart.exe in the AppSetup Key! This missing entry will not stop a desktop session from working though.

Citrix Seamless engine (wfshell.exe)
One of the things wfshell is responsible for is to autocreate the client printers. If you are using third party printer drivers (HP, Canon, Lexmark etc.) instead of original printer drivers that come on the Windows CD then you might see some of the following issues:
  • Crashes of wfshell.exe (CTX102634)
  • High CPU spikes of wfshell.exe
  • Slow logons
  • Printer being not mapped
Advice: Don’t use third party printer drivers. Instead, use mappings from the printer matrix at http://www.printingsupport.com and, at the very least, don’t use PCL6 drivers (advice from Stefan).

Citrix Client Manager (cltmgr.exe )
Cltmgr.exe is launched right after wfshell because it uses a virtual channel (VDCM.dll, ClientManagement) to get the client version from the version.dat file. Problems retrieving the ICA client version or performing the update might have the following effects:
  • Crashes of wfshell.exe
  • Slow logons (without updating the client)
Advice: If the Client Update feature is not used, you should disable the client update database on every Citrix server (Start | Run | cudutil.exe | Database | Properties | uncheck enable).
Session Termination
When closing a published application or logging off from a desktop session, the most important parts are terminating the user processes and unloading the user’s registry hive from the system registry.
In a desktop session the termination of the processes is done by csrss.exe. With published applications the seamless engine is responsible for closing the applications and sending the logoff message to csrss. Under certain circumstances this might not work and ends with a user’s session remaining active on the Citrix Server, although we’ll discuss this more later.
In some cases the user’s registry cannot be unloaded during the logoff. This issue is well known in the community and the solution is to use Microsoft’s UPHClean service. (Be sure you’re using the most current version.) If the unload process doesn’t work as expected, then the profile gets stuck on the server (a bit different with Windows 2003). This then impacts the logon process, especially with anonymous users.

Thursday, 29 December 2011

Command to find out on which server Web Interface is installed

How do you find out on which server Web Interface is installed?

First copy psinfo.exe from PSTOOLS to your desktop (or any folder) and execute the command below. The -s switch makes psinfo list the installed software, and find /i makes the match case-insensitive.

psinfo \\servername -s | find /i "web interface"
ex: psinfo \\mycitrixserver -s | find /i "web interface"

If you have many servers, you can run the same command from a batch script.

Create a text file called citrixserverlist.txt and list all your Citrix servers in it, one per line. Now copy the script below into citrixservers.bat and run it.

Batch Script is as follows:

@echo off
rem -s lists installed software; the server name is echoed before its matches
for /f %%i in (citrixserverlist.txt) do (echo %%i & psinfo \\%%i -s | find /i "Web interface")
pause

Wednesday, 28 December 2011

Enabling Pass through Authentication in Citrix

You can pass user credentials to Web servers on the secured network configured for Basic, Digest, or Integrated Windows Authentication. This feature avoids requiring users to enter their credentials multiple times to access Web resources. For example, if a team Web site in your organization is configured for Digest Authentication, you can pass the credentials with which users log on to the Access Gateway to that site. If you do not enable the URL address to support Digest Authentication, users might be required to log on to the Web site.

Note that the authentication required for a Web site is determined by the settings of the site’s host Web server.
When configuring a Web resource, you can enable its URL addresses to use one of the following methods of pass-through authentication:

Basic authentication: Credentials are passed to the Web site in plain text.

Important: Because credentials are passed in plain text, consider using SSL for Web sites that use Basic pass-through authentication.

Digest authentication: Hashed credentials are passed to the Web site using Digest Authentication.

Integrated Windows authentication: Hashed credentials are passed to the Web site using Integrated Authentication. NTLM or Kerberos authentication is used, depending on your Web server configuration.

Caution: When using any of the three pass-through authentication methods, the target Web application is first presented with the credentials with which the user logged on to the Access Gateway. Accessing Web sites that require a second, differing set of credentials through Access Gateway can result in the caching of the second set of credentials.

To specify pass-through authentication for a Web site

1. Click Start > All Programs > Citrix > Management Consoles > Access Management Console
2. In the console tree, select the Web resource and under Common Tasks, click Edit Web resource.
3. On the URL Addresses page, select the Web site’s URL and click Edit.
4. In the Authentication types supported area, select the authentication method being used by the Web site.

Disabling passthrough authentication on Citrix PNagent

1. Open the registry and browse to: HKLM\System\CurrentControlSet\Control\NetworkProvider\HwOrder
2. Open ProviderOrder string, delete the entry PnSson
3. Now browse to HKLM\System\CurrentControlSet\Control\NetworkProvider\Order and delete the entry PnSson
4. Reboot

Tuesday, 27 December 2011

The license list is incomplete. An error occurred while getting the information. Error Code: 2c1/800a001a

Symptoms
The license list is incomplete. An error occurred while getting the information. Error Code: 2c1/800a001a.

Possible Causes

1. The server name was changed.
2. The IP address was changed.
3. The server in question could possibly see the data store and some of the ZDC’s, but not all of them.
4. The server in question must be able to talk to all ZDC’s in the farm.
5. Make sure all the ZDC’s and the data store server can resolve the DNS name of the server with the problem.
6. The license information in the datastore is corrupted.
7. A license has recently been added and the Refresh of the Management Console happened before the license addition completed. Wait a short time and retry the license query.



Action/Resolution
1. Recreate the local host cache (LHC).
2. Use CTX107800 – DSCHECK Version 5.15 to fix any possible datastore corruption.
3. Run queryhr to see if there is corrupt information. If there is a corrupted entry, locate the corrupt Host ID and make a note of the number. Run queryhr –d <Host ID number> and press Enter.
4. Ping the server in question by IP address.
5. Ping the server in question by name. If the name does not resolve and the ping is unsuccessful, it is a DNS issue.
6. Ensure there are no relevant hotfixes that may address license issues. This is not necessarily a complete list. CTX104982 – Readme - Service Pack 4 for MetaFrame XP 1.0
    The IMA Service failed to start because of license group corruption in the data store.
Note: This fix prevents corruption in the data store but it does not correct any corruption that may already exist. You need to check for corruptions present in the data store and correct them using the appropriate tools.

Monday, 26 December 2011

How to securely redirect to Web Interface in Citrix

By default, Web Interface should be used with SSL encryption (HTTPS) enabled, since users send credentials over the wire. This is even more important when using WI internally, because research has shown that most attacks come from inside.
The difficult part is that users are not used to typing httpS...
  1. After the Server certificate was applied to IIS, SSL should be disabled
    IIS Manager | Default Web Site | Directory Security | Edit secure communications | Disable SSL

    SSL Disabled
  2. Next is to enable SSL ONLY for Web Interface and every other site/folder you like.
    IIS Manager | Default Web Site | Citrix | MetaFrame | Directory Security | Edit secure communications | Enable SSL

    SSL Enabled
  3. Redirect user to Web Interface via secure channel
    When Web Interface 3.0/4.x was set as default Web Site, then the file webinterface.htm is placed in the IIS root (default %RootDrive%\Inetpub\wwwroot). Now the following line needs to be changed:

    window.location="Citrix/MetaFrame/";

    to

    window.location="httpS://FQDN_WI_SERVER/Citrix/MetaFrame/";
This way users can connect to FQDN_WI_SERVER using port 80 (HTTP), but they will be redirected to WI using HTTPS. A direct connection to http://FQDN_WI_SERVER/Citrix/MetaFrame/ will fail, since SSL is required. If direct connections should also be supported, then a bit more scripting is required.

Sunday, 25 December 2011

Nondisruptive upgrade of VMFS-3 to VMFS-5

In vSphere 5 the VMFS filesystem has been updated to version 5 (currently 5.54). In vSphere 4.1 update 1 the VMFS version was 3.46.

In earlier versions of ESX, live (in-place) upgrades of VMFS were not an option, so to upgrade VMFS, new LUNs had to be created and the VMs then migrated to these new LUNs.

With vSphere 5, VMFS can be upgraded nondisruptively. This is done for each LUN by going to:

Datastore and Datastore Clusters -> Configuration -> Upgrade to VMFS-5.

It is a prerequisite that all connected hosts are running vSphere 5. The upgrade itself takes less than a minute (at least in a small test environment).

In VMFS 5, there is only one block size which is 1 MB. However, when upgrading from v3 to v5, the block size remains what it was before (see the last screendump). In the example below, the 8 MB block size is retained.

The new maximum LUN size is 64 TB - but a single .vmdk file can still not exceed 2 TB minus 512 bytes. The only way to have larger .vmdk's than 2 TB is to create an RDM and mount it as a physical device (as opposed to virtual).




How to force the Application details description in Citrix

Edit applist.cs in site/serverscripts

-- find --
viewControl.setShowAppDetails( !java.lang.Boolean.FALSE.Equals( userPrefs.getShowDetails() ) );

-- change to --
viewControl.setShowAppDetails( true );

Saturday, 24 December 2011

How to enable "Show current folder location" for all users and always in Citrix

By default, Web Interface doesn't show the current folder location and users have to enable it themselves. To force the setting for all users, two things need to be changed:
  1. Show folder as default

    Edit applist.cs in site/serverscripts

    -- find --
    toolbarControl.setShowCurrentFolder( !java.lang.Boolean.FALSE.Equals( userPrefs.getShowFolder() ) && (currentFolder != null) );

    -- change to --
    toolbarControl.setShowCurrentFolder( currentFolder != null );
  2. Remove or Disable option from the presentation settings

    Edit presentationSettings.inc in site/include

    -- find --
    value="<%=VAL_ON%>" <%=viewControl.getShowFolderCheckedStr()%>>

    -- change to --
    value="<%=VAL_ON%>" <%=viewControl.getShowFolderCheckedStr()%> checked disabled>


    To remove the option from the presentation settings

    Edit presentationSettings.cs in site/serverscripts

    -- find --
    bool bCustomizeFolderDisplayOption = true;

    -- change to --
    bool bCustomizeFolderDisplayOption = false;


Friday, 23 December 2011

How to Disable "Remember folder location" and start always in the root

By default, Web Interface "remembers" (in a cookie) the folder in which a user exits Web Interface and automatically starts in that folder at the next login. To override this default and always start in the root, two things need to be changed.
  1. Start always in the root

    Edit applist.cs in site/serverscripts

    -- find --
    currentFolder = userPrefs.getCurrentFolder();

    -- change to --
    currentFolder = "";
  2. Remove or Disable option from the presentation settings

    Edit presentationSettings.inc in site/include

    -- find --
    value="<%=VAL_ON%>" <%=viewControl.getRememberFolderCheckedStr()%>>

    -- change to --
    value="<%=VAL_ON%>" <%=viewControl.getRememberFolderCheckedStr()%> disabled>


    To remove the option from the presentation settings

    Edit presentationSettings.cs in site/serverscripts

    -- find --
    bool bCustomizeRememberFolderOption = true;

    -- change to --
    bool bCustomizeRememberFolderOption = false;


Tuesday, 20 December 2011

How to create a simple website in Citrix

Sometimes a simple website is needed to launch a Published Application. The option to create an HTML file with a linked ICA file has been in the CMC since day one.

Open CMC | Applications | Application property | Create html file
create html file

Monday, 19 December 2011

How to set per Application settings in Citrix

Edit the default.ica file, located by default in /Citrix/MetaFrame/Conf

In the [wfclient] section add the AppDN of your Published Application, like [notepad], but remember the value is case sensitive and must match what you used in the CMC!
Now add any application-specific setting you like. For instance, adding TWIMode=Off will result in a non-seamless session for the Published Application notepad.
default.ica

Sunday, 18 December 2011

How to use the multilanguage footer function in citrix

Close any Access Suite Console (ASC) that might be open and enable the footer manually through the webinterface.conf file, which is located by default in /Citrix/MetaFrame/Conf

Change the following lines
# FooterTextDefaultLocale=[language code]
# FooterText_<lang-code>=[Customized footer text in the specified language]

to something like

FooterTextDefaultLocale=en
FooterText_en=This is a example.
FooterText_de=Dies ist ein Beispiel.
FooterText_fr=Cela est un exemple.

Saturday, 17 December 2011

How to speed-up Web Interface logins in Citrix

When somebody opens the Web Interface login page early in the morning, it might take some time before the page is loaded. Subsequent requests are fast; the initial delay is due to the worker processes having to be started in the background. If they are idle for 20 minutes, they are shut down and new logins will again take some time. This behaviour can be disabled.

This can be done with the Internet Information Server (IIS) that comes with Windows 2003. Open the IIS Manager | Application Pools | Disable idle timeout for “worker processes”  for CitrixWebInterface4.xAppPool.


worker processes

Friday, 16 December 2011

Citrix XenApp failed to connect to the Data Store

We had an issue with one of the Citrix servers in our farm after a reboot. The server came up fine, however, the IMA service would not start. The following errors showed up in the event log in succession every time we tried starting the service.
  1. Citrix XenApp failed to connect to the Data Store. ODBC error while connecting to the database: S1000 -> [Microsoft][ODBC Microsoft Access Driver] Cannot open database ‘(unknown)’.  It may not be a database that your application recognizes, or the file may be corrupt.
  2. Failed to load plugin C:\Program Files\Citrix\System32\Citrix\IMA\SubSystems\ImaPsSs.dll with error IMA_RESULT_FAILURE
  3. Failed to load plugin C:\Program Files\Citrix\System32\Citrix\IMA\SubSystems\ImaRuntimeSS.dll with error IMA_RESULT_FAILURE
  4. Failed to load initial plugins with error IMA_RESULT_FAILURE
  5. The Citrix Independent Management Architecture service terminated with service-specific error 2147483649 (0x80000001).

The IMA service would not start because of an issue with the Local Host Cache database. The Local Host Cache database is used in a Citrix farm to allow a Citrix server to function even if it temporarily loses access to the data store. It is an MS Access database named imalhc.mdb and is stored by default in the <ProgramFiles>\Citrix\Independent Management Architecture\ folder.
The solution for this issue was to recreate the LHC database using the dsmaint command. Before you run the dsmaint command, double check and ensure the following is true:
  1. The Citrix IMA Service isn’t running (duh!)
  2. The datastore is available.
Once you have checked both the above, run the following command to recreate the LHC database.

dsmaint recreatelhc

This command performs the following:
  1. Renames the existing LHC database.
  2. Creates a new database.
  3. Sets the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired to 1. Setting PSRequired to 1 forces the server to establish communication with the data store in order to populate the Local Host Cache database. When the IMA service is restarted, the LHC is recreated with the current data from the data store.
Once the command has been run, restart the IMA service; it should now start normally.

Thursday, 15 December 2011

The qfarm /load Command Displays the Server Load Level Value as 20000

Symptoms

When you run the qfarm /load command from the command prompt to verify the load of a server, the value of the load that is displayed is 20000.
The following is the sample output of the qfarm /app command for your reference:
The following is the sample output of the qfarm /load command for your reference:

Resolution

The following are the causes for the error in the value of the server load and the probable resolutions for the error:
  • Cause: A MetaFrame Presentation Server 3.0 server, Standard Edition does not contain the Load Balancing functionality. Load balancing is only available with the Advanced and Enterprise Editions. Therefore, when you run the qfarm /load command from the command prompt of a Standard Edition server, the expected server load is 20000.
    Resolution: A server load value of 20000 indicates that a Load Balancing license is not available. This is as expected for a Standard Edition server.

  • Cause: There might be an error in the server load value if the Citrix Management Console contains an incorrect product code, a Product License mismatch, or an incorrect value for both the product code and the product license. A server load value of 20000 indicates a Load Balancing license is not available. Therefore, this is expected on a Standard edition server.
    Resolution: Remove the product code from a server and run the qfarm /load command.

  • Cause: The MetaFrame XP Product License might not have an unlimited server count.
    Resolution: Contact the Citrix Technical Support team and provide details of the License Sets, as shown in the following screen shot:

Load Manager values
  • 0 to 9998: This is the normal range for Load Manager.
  • 99999: No load evaluator is configured.
  • 10000: Load is at 100 percent (full load).
  • 20000: The Presentation Server Console contains an incorrect server edition or a license mismatch.
  • 99990: Results when a custom administrator with restricted rights runs the following QFARM commands:

    QFARM SERVER /APP
    QFARM /APP
    QFARM /APP <appname>
    QFARM /ZONEAPP

    Note: The QFARM command may not return any results when a custom administrator runs the following queries:

    QFARM /DISC
    QFARM /LOAD
    QFARM /ZONELOAD
The following are explanations of the load levels:
  • 9999 = No load balancing installed
  • 0 to 9998 = "normal" load level
  • 10000! = Application is disabled for this server
  • 10000 = Load is at 100%
  • 10001 = Out of licenses
  • 10002 = Indicates that no ICA connections are available on that server. A few other conditions also cause this code to be returned:
    - If logons have been disabled on the server
    - If the server is out of swap space
    - If the application is disabled

Wednesday, 14 December 2011

MFCOM Service

In our Citrix environment we have two servers (for example). Both servers are up and running fine, but the status of one of them in the Citrix Access Management Console is Unavailable, even though the server itself is up and running. If we check services.msc on the second server (the one shown as unavailable in the Citrix Access Management Console), the Citrix MFCOM service status is Starting. This is the problem.

Now follow the steps below:
Start Task Manager
Kill the mfcom32 (or mfcom) process

Go to Services
Set the Citrix MFCOM service to Manual

Open CMD and run the following:
dsmaint recreatelhc
dsmaint recreaterade

Go to Services
Start the Citrix IMA Service

Open "Citrix Delivery Console" and check if it's OK; otherwise start the MFCOM service manually.
Wait until Citrix MFCOM starts (it will go to Stopping status and then start, but this takes time; once it has started, set it to Automatic)

Reboot the server

If you still face the issue, follow the below process:
IMA and MFCOM services are unresponsive during the Starting state due to data store corruption.

Cause

This issue occurs when there is a corrupt data store. Database corruption can be from a hard reboot of the XenApp server with an open connection to the data store.

Resolution

Verifying the Issue
To analyze the issue, you must verify the following:

  1. Verify in the event log if the IMA or MFCOM service is unresponsive (hanging), as shown in the following screen shot:


  2. You notice that the services, which are in the Starting state, are in an unresponsive state.


  3. You can also verify it by opening the registry, navigating to HKLM>SOFTWARE>Wow6432Node>Citrix>IMA>RUNTIME and observing the CurrentlyLoadingPlugin key. If no details are displayed, then it might be a datastore corruption, or a service issue.
Note: An admin can verify if the database is corrupt.

Verifying for Data Store Corruption

To verify if it is a data store corruption and resolve it, complete the following procedure:

  1. An admin can typically verify a data store corruption by completing the following tasks:
    - Running the dsmaint recreatelhc from the command prompt
    - Starting the service
    If you still experience issues, you must check for corruption in the datastore.


  2. Create a new database and point the server in question to a new farm using the new database. If the server does not change the farm, you might have to check the data store integrity.

  3. Run dscheck to get more details such as, where the corruption occurs. Refer to the Knowledge Center article CTX124406 – DSCHECK - XenApp Data Store Checker Tool Commands for more information about running dscheck command.

    In the following sample, you can observe that the dscheck /full servers was run and stopped prematurely at server Prod4. You can also observe that the following server after Prod4 is Prod6. In this example, you can notice that Prod6 has been powered down in the event viewer manually, potentially still having an open connection to the datastore, causing the corruption when it was rebooted. The Local Host Cache might have updated with the corrupt information. Therefore, the grace period of the IMA service is not activated because the system can still partially read the LHC file.


  4. After restoring the datastore from a backup, run the dscheck /full servers once again. You can notice from the output that Server Prod6 is now displayed. This server had caused the corruption.


The IMA and MFCOM services are in Started state on all the servers.

Tuesday, 13 December 2011

Licensing: vSphere 5 Enterprise and 8 way VMs

In my experience, more and more customers are asking for multiway VMs with more than 4 vCPUs. For my company, an IT service provider, this is a little problematic as most of our licenses are vSphere Enterprise - not Enterprise Plus.

With vSphere 5, 8 way VMs are now possible both in the Standard edition and Enterprise edition. For up to 32 way VMs, the Enterprise Plus license is required.

See link for more info, page 6.

Only Some Applications open for only some users and others work fine...

We are having a strange issue. When trying to launch one of our published applications from Citrix on certain computers the connection will initialize but as soon as it goes to load the application, Citrix disappears. This only happens on certain computers regardless of who is logged into them. We have tried deleting the Microsoft store registry key as stated in other resolutions to this problem with no luck. What makes it even stranger is it only affects one of our applications that are published. All others work fine.

Our environment is XenApp 5 FP 3 with users connecting to WI 5 using the latest web Citrix client.

The strange part is only some users are experiencing this issue with loading the application. For some users it works perfectly fine but for others you click and nothing loads up. The users affected can launch any other Citrix program with no problems.

The path is correct and works when put into the run command.
Ans:
Please try the following:

1. If you are running a client lower than 12.1, test upgrading to 12.1.

2. Disable antivirus on the workstations.

3. Look for commonalities, for instance is this only happening to workstations that are running Win7 and not XP or does this happen to workstations in a specific OU.

4. Verify on these workstations whether any info is being captured in the event logs for the client.

5. Are all the apps that do not launch written in a specific language?

6. Although other workstations can connect, what happens if you republish one of those apps?
Possible reasons could be:

When applications won’t launch in Citrix Xenapp or Presentation Server, you can get a multitude of error messages.  Most are guaranteed to tell you little to nothing about the actual cause of the issue.  Sometimes the app will appear to launch, and then nothing will happen.  Error codes can range from SSL Error codes 1-29, or more generic errors like “There is no Xenap server available”.   What can cause applications not to launch through the Citrix Web Interface?  Let’s take a look at a few possible causes…

Citrix Secure Gateway or Netscaler in the way? Maybe a firewall problem?

Does the problem exist only for external users coming in from the Internet, or does it also impact internal users?  You can usually test for this pretty well by installing the Citrix client directly on your web interface server.  If you can connect directly to the WI from itself and launch applications on itself, but you get errors when coming in from outside – chances are, you are dealing with a CSG or Netscaler issue.  Make sure that the CSG passes its internal diagnostic tests, and make sure the Netscaler has a valid route through to the Web Interface and each Xenapp server in the farm.  Make sure that the STA servers used on the Netscaler match exactly the STA servers specified on the Web Interface. Sometimes the network team can make a change to the inside facing firewall on the DMZ, and your users will suddenly experience the inability to launch applications via Citrix.  Remember that traffic must be able to pass on 1494 or 2598 (Depending on if you are using session reliability).

Licensing issues?

While Citrix does occasionally present valid licensing error messages during application launch, I’ve seen many cases where licensing problems caused error messages that don’t mention licensing at all.  In order to verify if you have a licensing problem, log into one of the Xenapp servers in question and drop to a command prompt.  Type “Qfarm /load” and look at the load on each server.  If a server is showing a load of “20000”, then it is experiencing a licensing problem.  Make sure that the license server is up, and licenses are showing in the console appropriately.  Occasionally you may have corrupt license files, and you’ll need to re-download them from MyCitrix along with a new startup license.  Take this opportunity to upgrade your license console to the latest version.

In addition to Citrix license issues, be sure you have enough licenses for terminal services or remote desktop services. I’ve seen issues with these licenses that will cause Citrix apps to act like they are launching, but never open properly.

XML Errors?

If you are having problems with XML, chances are you’ll see some XML errors in the event viewer on either the Web Interface or the farm XML broker.  Make sure that the port you are using for XML is open between the Web Interface and the farm.  You can test this from the CLI by doing a “telnet <xmlbrokerserver> #”, using the server name and xml port # from your farm.  If it connects and gives you a blank black screen, then traffic is flowing properly.  If it hangs on a blinking cursor, then you should check your firewall settings.
If XML traffic is OK, your next step should be to re-register the XML service on the XML broker.  Use the command syntax below:
CTXXMLSS [switches] [/Rnnnn] [/Knnn] [/U] [/?]
Parameters:
/Rnnnn – Registers the service on port number nnnn
/Knnn – Keep-Alive nnn seconds (default 9).
/U – Unregisters the service.
/? (help) – Displays the syntax for the utility and information about the utility's options.
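The telnet test above and the ICA port requirement from the firewall section, scripted as an added example (not part of the original post and not a Citrix tool). The loopback targets and XML port 8080 in the usage are placeholders; the 3-second timeout is an assumption.

```python
import socket

ICA_PORT = 1494                  # plain ICA
SESSION_RELIABILITY_PORT = 2598  # used when session reliability is enabled

ADVICE = {
    "open": "traffic is flowing",
    "filtered": "no answer before the timeout (telnet would hang): check firewall rules",
    "refused": "actively refused: nothing listening on that port, or a device rejects it",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # name resolution failure, no route to host, ...
        return "error: %s" % exc


def required_paths(xml_broker, xml_port, xenapp_servers, session_reliability):
    """Return (purpose, host, port) for every path an application launch needs."""
    ica = SESSION_RELIABILITY_PORT if session_reliability else ICA_PORT
    paths = [("XML broker", xml_broker, xml_port)]
    paths += [("ICA session", host, ica) for host in xenapp_servers]
    return paths


def check_farm(xml_broker, xml_port, xenapp_servers,
               session_reliability=False, timeout=3.0):
    """Probe every required path and attach the reading of each result."""
    report = []
    for purpose, host, port in required_paths(
            xml_broker, xml_port, xenapp_servers, session_reliability):
        state = probe(host, port, timeout)
        advice = ADVICE.get(state, "check name resolution and routing")
        report.append((purpose, host, port, state, advice))
    return report


if __name__ == "__main__":
    # Placeholder targets: loopback stands in for the XML broker and one
    # XenApp server so the script runs offline; substitute real host names.
    for row in check_farm("127.0.0.1", 8080, ["127.0.0.1"],
                          session_reliability=True):
        print("%-12s %s:%d -> %s (%s)" % row)
```

Run it from the machine whose path you are testing: the Web Interface server for the XML port, the gateway or DMZ host for the ICA ports.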

Corrupt Local Host Cache?

As with most Citrix issues, the local host cache is one of the usual suspects.  If an application won’t launch, you can recreate the local host cache quickly and safely as a first stab at the issue.  Use the command: “DSMaint recreatelhc” from the CLI on each Xenapp server in your farm.

Corrupt Published Apps?

This doesn’t seem to happen as often as it used to, but it can still come into play occasionally.  If you have ruled out other causes and you still can’t figure out why an app won’t launch – Try publishing it again from scratch in the DSC and seeing if the newly published icon works.  If it does, you can delete your old icon and point users to the new one.

Datastore Corruption?

You may want to check that the datastore isn’t showing any corruption. Specifically I would recommend running the “DSCHECK /full applications” command to check the apps section of the database for errors. Look for any verbiage like “error”, “missing” or “not found” – and if you see that, run the same command again with the “/clean” switch appended to it. Be sure to always back up your datastore before running this command, as it will make changes.

Load Balancer Issues?

Occasionally, applications won’t launch in a Citrix environment because of load balancer issues.  There could be issues where Citrix is “black holing” new users into a single server, overloading it, or problems where Citrix mishandles the load balancing completely.  The first step in troubleshooting a load issue is going to be using the “Qfarm /load” command.  If you notice any servers in the farm with a value of “10000” – that means they are at 100% load and can’t accept any new connections, typically. Once you know if load is being equally distributed throughout the farm, you can take action.  If you find that load is not being distributed correctly, check to make sure that your application is published to multiple servers and that it is in fact enabled.  If all other measures have failed, sometimes the Microsoft performance counters that Citrix relies on have been known to go corrupt and need to be rebuilt.

Is it limited to a specific server?

In a large Citrix farm environment, you won’t spend time looking at the load balancer or Netscaler device if you’ve been able to limit it to a specific server. If you are sure it’s only one server in the environment, make sure that all of the Citrix services are started. Sometimes it can be helpful to pull up the services console on the non-working server and compare it to a server that is working. When you do a “Qfarm /load” command, does the problem server even report in? If it’s missing from the Qfarm, then perhaps the IMA service is not started (See my other blog entry on why IMA won’t start). If you exhaust all options, it may be necessary to restore the server from a snapshot (ideally), or run a Citrix repair from the install media.
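The load values the article reads off “Qfarm /load” in the licensing, load balancer and single-server sections, combined into one triage pass. This is an added example, not code from the original post or from Citrix; the sample listing and its two-column layout are constructed, and the 25% threshold in overloaded_outlier is an assumption.

```python
import statistics

FULL_LOAD = 10000        # article: 100% load, no new connections
LICENSE_PROBLEM = 20000  # article: server is experiencing a licensing problem

# Constructed sample; the two-column layout is an assumption about the output.
SAMPLE_QFARM_LOAD = """\
Server Name          Server Load
-------------------- -----------
PROD1                1200
PROD2                10000
PROD3                20000
PROD4                850
"""


def parse_qfarm_load(text):
    """Return {SERVER: load}; header and separator rows are skipped."""
    loads = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            loads[parts[0].upper()] = int(parts[1])
    return loads


def triage(text, expected_servers):
    """Classify every expected or listed server by the article's load values."""
    loads = parse_qfarm_load(text)
    expected = {name.upper() for name in expected_servers}
    findings = {}
    for name in sorted(expected | set(loads)):
        load = loads.get(name)
        if load is None:
            findings[name] = "missing: not reporting in, check the IMA service"
        elif name not in expected:
            findings[name] = "unexpected: listed but not in the expected set"
        elif load == LICENSE_PROBLEM:
            findings[name] = "licensing: check the license server and TS/RDS licenses"
        elif load == FULL_LOAD:
            findings[name] = "full: at 100% load, not accepting new connections"
        elif load > FULL_LOAD:
            findings[name] = "unknown: load value %d is not covered here" % load
        else:
            findings[name] = "ok"
    return findings


def overloaded_outlier(loads, idle_fraction=0.25):
    """Return the one server at full load while the rest sit nearly idle
    (the 'black holing' pattern), or None."""
    usable = {n: v for n, v in loads.items() if v <= FULL_LOAD}
    full = [n for n, v in usable.items() if v == FULL_LOAD]
    rest = [v for v in usable.values() if v < FULL_LOAD]
    if len(full) == 1 and rest and statistics.median(rest) < idle_fraction * FULL_LOAD:
        return full[0]
    return None


if __name__ == "__main__":
    farm = ["Prod1", "Prod2", "Prod3", "Prod4", "Prod6"]  # constructed inventory
    for server, finding in triage(SAMPLE_QFARM_LOAD, farm).items():
        print(server, "->", finding)
    print("possible black hole:", overloaded_outlier(parse_qfarm_load(SAMPLE_QFARM_LOAD)))
```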

Hotfix and Patch Level?

When all other options are exhausted, I’ve sometimes seen issues arise after Microsoft updates have run on a server, causing past Citrix patches or updates to get partially overwritten or corrupted.  I’ve seen cases where a client has been running fine on Roll-up 4 for years, and after we upgraded him to Roll-up 7, suddenly applications will launch again.  For these reasons, I’d always recommend checking that you are at current patch levels, and even consider reapplying a roll up pack on a test server as a last resort in such cases.  In cases where you suspect that a Microsoft update may have changed the fundamental way that Citrix and Windows Server communicate or work together, I’d recommend experimenting with rolling back a recent patch or update and judging the result.

References:
http://support.citrix.com/article/CTX711855

http://support.citrix.com/article/CTX104063

http://support.citrix.com/article/CTX112082

http://support.microsoft.com/kb/300956

http://citrixtechs.com/blog/?p=8

Monday, 12 December 2011

"The Supplied Credentials could not be validated.Either they are invalid or there is a problem with the authentication system. Try again or contact your help desk." Error in Citrix

When we try to access any application through the Citrix Web Interface, we see the above error after providing our username and password. If you see this error, follow the procedure below. If it still does not work, re-add the machine on which Presentation Server is installed to the same domain.
1. Use the Services Control Panel to stop the Citrix XML Service.

2. At the command prompt, type ctxxmlss /u to unload the Citrix XML Service from memory.

3. Type ctxxmlss /r8080. This forces the Citrix XML Service to use TCP/IP port 8080.

4. Restart the Citrix XML Service in the Control Panel.

After restart, open the Management Console for MetaFrame Presentation Server, go to your server’s Properties > MetaFrame Settings, and verify that the specified port is seen in the TCP/IP port of the Citrix XML Service section.

Sunday, 11 December 2011

Zones Architecture & Design

Zones within Citrix infrastructures are logical segments within a Citrix farm. Every zone has a data collector (described in the next paragraph). Servers in a zone communicate with their zone data collector, and the data collectors of all zones exchange information with each other about their zones.
When determining the need for zones and the number of zones, take the following considerations into account:
  • Available bandwidth
When limited bandwidth is available, the traffic between the servers within one zone can be too much for the network link. If this is the case, it is a good idea to create zones to regulate the traffic of the Citrix infrastructure.
  • Amount of changes in the Farm
Every change made in the farm is distributed to the Citrix servers to reflect the changed settings. The more changes are made, the more traffic is generated between the Citrix servers. Together with the available bandwidth, the amount of changes can be a reason to divide the farm into zones.

  • Citrix advises a maximum of 25 zones
There is a limit on the number of zones. Citrix advises not to create more than 25 zones.
  • Citrix Policy "Zone Preferences"
Within the Enterprise edition there is a policy available that makes it possible to route users automatically to another (set of) server(s) if the Published Application is not available on the first group. This policy is based on zones, so if you would like to use this policy, zones are necessary.
  • Load Sharing between servers
When using zones, load sharing between servers can be arranged in two ways. The load can be shared over all servers regardless of the configured zones, or the load can be shared between the servers in the zone only. With the first method the user's session can be started on any server, while with the second method users are redirected to a server in the zone of the data collector that handled their request.
  • Each zone needs to have a Data Collector
Remember that each zone needs a data collector. Although every server can take on the role of data collector, this role requires some available resources to carry out its tasks. Keep this in mind when determining the number of servers to host the applications, and check the considerations in the next paragraph about the data collector.
Best practice for zones is to use as few zones as possible: use zones only when low-bandwidth connections exist between servers and/or if the zone preferences policy is necessary for your environment (for example when using a back-up/disaster site).


Data Collector Architecture & Design


The data collector is a role on a Citrix XenApp server that collects, maintains and manages dynamic information about the farm and zone. The data collector also directs the user to the least busy server. Every Citrix XenApp server can take on this role, but of course some resources are needed for it.
When creating the design, the following topics should be considered.
  • Dedicated Data Collector versus Non Dedicated Data Collector
Depending on the size of the Citrix infrastructure (based on the number of servers, the number of users and logon/logoff activity), a decision should be made to use a dedicated server or a non-dedicated server. A dedicated data collector is a server with Citrix XenApp installed that is not hosting any Published Applications or Desktops. When using a non-dedicated data collector, think of using a different Load Evaluator with lower values. Also do not forget that the data collector role should be assigned within the farm settings.
  • Back-up Data Collector
When the primary data collector fails or is unavailable, the Citrix farm will hold an election to select a new data collector. The election is primarily based on the settings for the data collector role, but also on the version of the software and (some) hotfixes. Again depending on the size of the infrastructure, the back-up data collector can be a dedicated server or a shared server.
  • Amount of Zones
As mentioned earlier in the zones part, every zone has a data collector. When you have lots of zones you will probably choose a non-dedicated data collector, in contrast to situations with just one or two zones.

SSL Certificate in Citrix

Install SSL Certificate

First follow the process below to install the certificate on your server. Then use the Citrix Secure Gateway console to configure the new certificate.


Download and copy your certificate files to your server

 

Download your SSL certificate and support files by clicking on the download link in your fulfillment email or from your GeoCerts SSL Manager account. Download the PKCS#7 formatted version of your certificate.
  1. Rename the file your_domain_com.p7b to your_domain_com.cer

Install the PKCS#7 Certificate File

  1. In IIS Manager, double-click the local computer, and then double-click the Web Sites folder.
  2. Right-click the Web site for which you want to install the SSL certificate on and then click Properties. By default it will be Default Web Site, yours may be different.

  3. Select the Directory Security tab and click Server Certificate in the Secure communications section.
  4. Click Next in the Welcome to the Web Server Certificate Wizard window.
  5. Select Process the pending request and install the certificate, Click Next.
  6. Browse to locate the PKCS#7 file (your_domain_com.cer) when prompted to locate your web server certificate. Click Next.
  7. Verify SSL Port 443 in the SSL Port dialog box.
  8. Review the Certificate Summary screen and ensure that you are processing the correct certificate. Click Next.
  9. Click Finish to complete the IIS Certificate Wizard.
  10. Again, Right-click on the site in IIS and click Properties.
  11. Select the Web Site tab. In the Web Site Identification section make sure that your site has an IP address (or all unassigned) and that the SSL port is 443. Click OK.
Now assign the certificate in Citrix using the Secure Gateway console, following the process below:

Assign the certificate to Citrix

  1. From the Desktop, click Start > Programs
  2. Select Citrix > Secure Gateway > Secure Gateway Service Configuration
  3. Select Metaframe Server XP
  4. Select OK
  5. Select Typical for Configuration level and click Next
  6. Select the certificate you want to assign from the certificate list
  7. Click Next and complete the Wizard
  8. Restart your Secure Gateway Service

Verify Installation

To verify that your certificate is installed correctly, use our Certificate Installation Checker.
Test your SSL certificate by using a browser to connect to your server. Use the https protocol directive. For example, if your SSL certificate was issued to secure.mysite.com, enter https://secure.mysite.com into your browser.
Your browser's padlock icon will be displayed in the locked position if your certificate is installed correctly and the server is properly configured for SSL.

Saturday, 10 December 2011

How to publish specific drives and folders because it is not recommended to publish EXPLORER.EXE directly.

The method of copying and renaming the EXPLORER.EXE to, for example, EXPLORER2.EXE is a widely used but not a suggested or supported method by the Citrix Development Team. When doing this, there might be other side effects like session hangs or slow sessions when launching several instances of the renamed EXPLORER2.EXE. These issues are the result of internal EXPLORER.EXE dependencies that cannot be resolved without rewriting large parts of the operating system kernel.
Instead, Citrix recommends you publish IEXPLORE.EXE, with the -e parameter, to provide the functionality of a published EXPLORER.EXE.

Procedure

Publish an application with a command line of:
<path to IEXPLORE.EXE>\IEXPLORE.EXE [-e <Initial drive/directory>|<URL>] (specify %windir% for the working directory).

Example:

"c:\Program Files\Internet Explorer\IEXPLORE.EXE" -e c:\

- Or -

"c:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.citrix.com
Note: Internet Explorer 7 and later versions have phased out several command line options for iexplore.exe (obsolete as of Internet Explorer 7). See Microsoft Developer Network for more details: http://msdn.microsoft.com/en-us/library/ee330728(VS.85).aspx. See CTX112195 – Error: Windows cannot find '(null)' ... when Launching Internet Explorer 7 in Explorer Mode for other options.