Group Policy

Multi-homed server, lock ICA and RDP to a specific NIC

2016-04-21

We implement a multi-homed setup with Citrix Provisioning Services.  We have all of our production traffic on one NIC and all PVS traffic on a second NIC.  This helps us in troubleshooting when doing packet captures, but it does introduce other sets of challenges.  One of these challenges came up when I uninstalled and then installed updated VMware Tools on one of our vDisks: it caused the NICs to renumber and reorder themselves.  You’ve probably read some articles saying to ‘show hidden devices’ and uninstall any ‘ghost’ devices; with a multi-homed setup this may not resolve your issue.  My specific issue was that my NICs went from “0x1 and 0x2” to “0x3 and 0x4” in the LANATABLE.  We apply a GPO to the ICA-TCP and RDP-TCP listeners to force them to only utilize our ‘Production’ NIC, which we decided was going to be the second NIC.

Provision = 1st NIC, Production = 2nd NIC

I uninstalled the ghost devices, but because this change is all ‘in the registry’ it wasn’t immediately noticeable to me that the LANATABLE and NIC ordering had changed.  I promoted my vDisk and then tried to RDP into it:

Well…  I knew this wasn’t right.  So I logged onto the server and checked the LANATABLE values:

Provision NIC
Production NIC

Provision NIC LanaID = 0x3 after the VMware Tools upgrade

Production NIC LanaID = 0x4 after the VMware Tools upgrade

RDP targets LanAdapter 0x1 (!?)

ICA targets LanAdapter 0x2

A couple of issues popped out.  The first was that the LanaIDs were wrong.  I *thought* Provision should be #1 and Production should be #2, but we apply our LanAdapter IDs via GPP, so these values are correct for our other systems.  I know both RDP and ICA need to be locked to the Production NIC and the order is *correct*, but I’m a bit confused as to why the numbers are different between RDP-TCP and ICA-TCP.

So I started on getting the issues resolved.  First, RDP.  If it is targeting 0x1, that means the Production NIC (VMware Network Adapter #2) needs to be set as 0x1.  So I edited the LanaId of the Production NIC to 0x1 and the Provision NIC to 0x2.  I rebooted the box and could RDP into it without issue.  I then checked the Remote Desktop Session Host Configuration:

This is the correct value.

OK, so RDP is set correctly and works.  I then tried to launch a Citrix application.

It failed.

It generated an event on the server:

Unable to connect to the CGP tunnel destination

Looking at the ICA Listener configuration showed me the following:

The value is wrong.  It should be #2

So the ICA-TCP listener was set to the ‘Provision’ NIC, so our production traffic was not getting to it.  This is the wrong value.  My first thought was that the LANATABLE would make sense here…  We have the LANADAPTER key set to 0x2, which would equal the ‘Provision’ NIC under this configuration…  So I changed the LANATABLE to be the reverse: 0x1 = Provision NIC and 0x2 = Production NIC.

The results:

Now both are wrong!

Jeez.

I reverted the LANATABLE to 0x1 = Production and 0x2 = Provision.  Again, only the RDP-TCP connection changed.  At this point the ICA Listener *must* be looking at another place…  I used Procmon to trace registry access when I opened the ICA Listener Configuration and noticed it did NOT query LANATABLE, but did go through and query this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Linkage

The Bind order is set as Production (#2 NIC) first and Provision second…  To change this order you need to go to Advanced Settings and modify the connection order:

Provision *should* be the top NIC here…

So I used the arrows on the side and moved Production to be second in this order:

Rebooted and checked the ICA Listener:

Hurray!

I then tried both RDP and ICA traffic and both now worked correctly.

So, the lesson learned here is that this registry key:

targets the BINDING order of the NICs.

And this registry key:

targets the LANATABLE and the values specified within.
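The check below is an added example, not code from the post.  It reads the Tcpip\Linkage Bind order that Procmon showed the ICA listener consulting, resolves each adapter GUID to its connection name, and reports what each listener’s LanAdapter value lands on, assuming (as the before/after results above indicate) that the value is a 1-based position in that Bind order and that 0 means all adapters.

```powershell
# Added diagnostic, not from the original post. Assumes the ICA listener treats its
# LanAdapter value as a 1-based position in the Tcpip\Linkage Bind order (the post's
# Procmon finding) and that 0 means "all adapters". Run in an elevated PowerShell.
$linkage     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'
$netClass    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

# Bind is a REG_MULTI_SZ of "\Device\{adapter GUID}" strings in binding order
$bind  = (Get-ItemProperty -Path $linkage -Name Bind).Bind
$order = @()
$pos   = 1
foreach ($entry in $bind) {
    $guid = $entry -replace '^\\Device\\', ''
    # The friendly connection name ("Production", "Provision") is stored per adapter GUID
    $connKey = Join-Path -Path $netClass -ChildPath "$guid\Connection"
    $name = if (Test-Path -Path $connKey) { (Get-ItemProperty -Path $connKey).Name } else { '<no connection name>' }
    $order += [pscustomobject]@{ LanAdapter = $pos; Guid = $guid; Connection = $name }
    $pos++
}

'Tcpip\Linkage Bind order (position = LanAdapter number as the ICA listener sees it):'
$order | Format-Table -AutoSize | Out-String

# Show what each listener's LanAdapter value would pick from that order.
# Per the post, RDP-Tcp actually consults LANATABLE, so treat its line as a hint only.
foreach ($listener in 'ICA-Tcp', 'RDP-Tcp') {
    $key = Join-Path -Path $winStations -ChildPath $listener
    if (-not (Test-Path -Path $key)) { "$listener : listener key not present"; continue }
    $lan = (Get-ItemProperty -Path $key).LanAdapter
    if ($null -eq $lan) { "$listener : no LanAdapter value (listens on all adapters)"; continue }
    $match  = $order | Where-Object { $_.LanAdapter -eq $lan } | Select-Object -First 1
    $target = if ($lan -eq 0) { 'all adapters' } elseif ($match) { $match.Connection } else { "out of range, only $($order.Count) adapters in Bind" }
    "$listener : LanAdapter=$lan -> $target"
}
```

If the ICA-Tcp line names the Provision connection, the Bind order (not the LANATABLE) is what needs reordering, exactly the situation the post describes.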


Group Policy Preferences – Scheduled Task fails to apply

2014-10-03
We had a couple of issues with scheduled tasks not applying when submitted as a GPP (Group Policy Preference).  We turned on logging via the local gpedit.msc (Administrative Templates > System > Group Policy > Logging and tracing).  From here we turned on the Scheduled Task logging, and events were then stored in eventvwr.msc (we also turned on tracing, which stored a computer.log file here: C:\ProgramData\Group Policy\Trace).
The first error we got was:
So it can’t map between user IDs.  It’d be nice if it told us which mapping failed, but it gives us a pretty good hint.  Looking at the XML file the GPP creates (stored here:  “C:\ProgramData\Microsoft\Group Policy\History\\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml”)
We saw the following:
Everything validates.  Googling for BUILTIN\SYSTEM brought up several people getting the same error when using BUILTIN\SYSTEM, which makes some sense, as “BUILTIN\SYSTEM” isn’t a real account.  We renamed it to NT AUTHORITY\SYSTEM.  This time we got a new error message:
This doesn’t tell us a whole lot of information.  What is the unexpected node? Looking again at the XML file it looked like so:
The difference that I can see:
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
The SYSTEM account is NOT a group.  We changed how we selected the SYSTEM account by “Browsing” AD, going into the root of the domain, going into the Builtin OU, and selecting SYSTEM.  This populated as “NT AUTHORITY\Well-Known-Security-Id-System”.  This will fail because there is no such user account called “Well-Known-Security-Id-System”.  At this point we renamed it to “NT AUTHORITY\SYSTEM”.
Boom, the GPP scheduled task now worked without issue.  Checking the XML, the difference made by manually selecting the SYSTEM account was that it changed
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
to
<UserId>NT AUTHORITY\SYSTEM</UserId>
SO.
If you are having issues with your GPP Scheduled Task item running as the SYSTEM account, I would HIGHLY recommend you check your XML file and confirm it is set as “NT AUTHORITY\SYSTEM” and it is surrounded by UserId, NOT GroupId.
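As an added example (not code from the post), the check below parses each ScheduledTasks.xml in the local Group Policy history and flags the three principal mistakes walked through above: BUILTIN\SYSTEM, the “Well-Known-Security-Id-System” placeholder the AD browser produces, and SYSTEM placed in GroupId instead of UserId.  The history path is the one from the post; the XPath uses local-name() so it works whether or not the inner Task element carries the Task Scheduler namespace.

```powershell
# Added check, not from the original post. Parses each ScheduledTasks.xml in the local
# Group Policy history and flags the three principal mistakes described above.
function Test-GppTaskPrincipal {
    param([Parameter(Mandatory = $true)][string]$Path)
    [xml]$doc = Get-Content -Path $Path
    # local-name() sidesteps any namespace on the inner <Task> element
    foreach ($principal in $doc.SelectNodes("//*[local-name()='Principal']")) {
        $user  = $principal.SelectSingleNode("*[local-name()='UserId']")
        $group = $principal.SelectSingleNode("*[local-name()='GroupId']")
        $value = if ($user) { $user.InnerText } elseif ($group) { $group.InnerText } else { '' }
        # The nearest ancestor carrying a name attribute is the GPP item (Properties/TaskV2)
        $owner = $principal.SelectSingleNode("ancestor::*[@name][1]")
        $task  = if ($owner) { $owner.GetAttribute('name') } else { '<unnamed>' }

        $problems = @()
        if ($value -eq 'BUILTIN\SYSTEM') {
            $problems += 'BUILTIN\SYSTEM is not a real account; use NT AUTHORITY\SYSTEM'
        }
        if ($value -like '*Well-Known-Security-Id-System*') {
            $problems += 'AD browse placeholder, not an account; use NT AUTHORITY\SYSTEM'
        }
        if ($group -and $group.InnerText -like '*\SYSTEM') {
            $problems += 'SYSTEM is a user, not a group; it belongs in <UserId>, not <GroupId>'
        }
        [pscustomobject]@{ File = $Path; Task = $task; Principal = $value; Problems = ($problems -join '; ') }
    }
}

$history = 'C:\ProgramData\Microsoft\Group Policy\History'
Get-ChildItem -Path $history -Recurse -Filter 'ScheduledTasks.xml' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-GppTaskPrincipal -Path $_.FullName } |
    Where-Object { $_.Problems } |
    Format-Table -AutoSize
```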

Troubleshooting Audio issues in Citrix XenApp

2013-07-10

We recently ran across an issue with XenApp 6.5 where we were publishing an application that required the “Beep”, but it wasn’t working.  The following are the troubleshooting steps I took to get audio working in that application.

First we created a Citrix policy to enable audio.  This policy looked like so:

We filtered on a user security group to enable client audio redirection and added that filter group to the application.  From the original appearance of things, this should have been sufficient to enable client redirection.  But it did not.  So I wanted to verify that the policy was actually applying to the user account.  To do that, you log in to the system with a user account and check in Regedit for the value “AllowAudioRedirection”.  If it’s set to 0x1, then the Citrix group policy has evaluated that client redirection should be enabled for your session.

Unfortunately, I still did not have audio redirection working…

Citrix advises that you can use dbgview.exe to further troubleshoot Citrix Receiver.  I launched dbgview.exe, started the trace, and launched the application from the Web Interface.

“00000043 0.60113800 [7752] CAMSetAudioSecurity: Wd_FindVdByName failed”

CAM is a virtual channel (Virtual Channel Priority for Audio), and we can see it’s failing.  I then used the Citrix ICA creator and launched the application using that.  The dbgview output for that looks like so:

00000013 0.44386363 [4496] CAMSetAudioSecurity: success

We can see that the audio virtual channel was able to successfully latch and I confirmed I had audio in the application.

From here the issue appeared to be when I launched the application from the webinterface or desktop shortcut.  I then compared the two ICA files, the one from the web interface and the one I created separately to see what was different.  The difference was glaringly obvious.  The working ICA file had “ClientAudio=On” and the broken one had “ClientAudio=Off”.

Curious, I launched AppCenter and clicked through the applications settings and saw the following:

“Enable legacy audio” was unchecked.  I checked it, then logged off and logged back on to the web interface, and when I downloaded the ICA file it had “ClientAudio=On” and I had audio.  I then unchecked that setting and confirmed it manipulated the ICA file: with it unchecked, the ICA file generated had “ClientAudio=Off”.

Who knows why it’s called “legacy audio”.  May as well just call that option “Enable audio”, as that would be more accurate.  The Citrix documentation on this setting says the following:

http://support.citrix.com/proddocs/topic/xenapp6-w2k8-admin/ps-sessions-en-dis-aud-pubapp-v2.html
To enable or disable audio for published applications

If you disable audio for a published application, audio is not available within the application under any condition. If you enable audio for an application, you can use policy settings and filters to further define under what conditions audio is available within the application.

  1. In the Delivery Services Console, select the published application for which you want to enable or disable audio, and select Action > Application properties. 
  2. In the Application Properties dialog box, click Advanced > Client options. Select or clear the Enable legacy audio check box.

Emphasis is mine.

Anyway, now we have our applications with working audio and everything seems to be good again 🙂

To summarize, to enable audio for a XenApp application you must:
1) Enable “legacy” audio
2) Enable a Citrix policy to configure audio redirection
3) Done.


How to enable “Adaptive Display” in XenApp 6.5

2013-06-11

Contrary to the documentation in the Group Policy settings for Citrix, XenApp requires the following settings to be configured for Adaptive Display to be enabled:

User settings
Minimum Image Quality
This setting specifies the minimum acceptable image quality for Adaptive Display. The less compression used, the higher the quality of images displayed. Choose from Ultra High, Very High, High, Normal, or Low compression.
By default, this is set to Normal.

Moving Image Compression
This setting specifies whether or not Adaptive Display is enabled. Adaptive Display automatically adjusts the image quality of videos and transitional slides in slide shows based on available bandwidth. With Adaptive Display enabled, users should see smooth-running presentations with no reduction in quality.
By default, this is set to Enabled.

Target Minimum Frame Rate
This setting specifies the minimum frame rate you want. The minimum is a target and is not guaranteed. Adaptive Display automatically adjusts to stay at or above this setting where possible.
By default, this is set to 10 frames per second.

Progressive Compression Level
Set to Disabled

Even though the GPOs state these only apply to XenDesktop, they also apply to XenApp.  This can be confirmed by publishing HDX Monitor 3.0 on a XenApp server and monitoring the ICA session: you can see the transient quality increasing or decreasing depending on your scenario.


Manually add Windows startup scripts (or inject startup scripts into an offline image)

2013-05-29

Due to the CGP issue, our solution is to add a startup script to each vDisk.  I don’t want to make a version of each vDisk, then attach it to a server, then boot it up, then run gpedit.msc…  We have around 10 vDisks and that process would be annoying and take a while.  So I decided to investigate doing it offline, as mounting a VHD using cvhdmount.exe and then injecting the startup script would be a lot easier.

To do that, one simply needs to browse to:
“C:\windows\system32\GroupPolicy\Machine\Scripts\Startup” (for a machine startup script, aka a script that runs when your computer starts up) or “C:\windows\system32\GroupPolicyUsers\Machine\Scripts\Startup” (for an all-users startup script [I’m assuming, since I actually didn’t go through and test the user portion]) and copy your script file there.
Then, back out one level to C:\windows\system32\GroupPolicy\Machine\Scripts and edit Scripts.ini to include your new script file, incrementing the index on the last line.
To:
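The helper below is an added example, not the author’s procedure verbatim.  It does the Scripts.ini edit described above programmatically: it finds the [Startup] section, picks the next free index after the highest existing NCmdLine= entry, and appends the NCmdLine=/NParameters= pair, so it can be pointed at a mounted vDisk’s drive letter to inject into an offline image.  It assumes the NCmdLine=/NParameters= layout gpedit.msc writes and the Unicode encoding it uses.

```powershell
# Added helper, not from the original post. Appends a script to the [Startup] section of
# a local Scripts.ini, choosing the next free index. Assumes the NCmdLine=/NParameters=
# layout gpedit.msc writes and Unicode encoding; point -IniPath at the mounted vDisk's
# drive letter (e.g. E:\Windows\System32\GroupPolicy\Machine\Scripts\scripts.ini) for an
# offline image. The script file itself must already be copied into ...\Scripts\Startup.
function Add-LocalStartupScript {
    param(
        [Parameter(Mandatory = $true)][string]$IniPath,
        [Parameter(Mandatory = $true)][string]$ScriptFile,
        [string]$Parameters = ''
    )
    $lines = @()
    if (Test-Path -Path $IniPath) { $lines = @(Get-Content -Path $IniPath) }

    # Locate the [Startup] section; create it if the file is new or only has [Shutdown]
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -eq '[Startup]') { $start = $i; break }
    }
    if ($start -lt 0) { $lines += '[Startup]'; $start = $lines.Count - 1 }

    # The section ends at the next [Section] header or at end of file
    $end = $lines.Count
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*\[') { $end = $i; break }
    }

    # Highest existing index inside this section decides the new entry's number
    $max = -1
    foreach ($line in $lines[$start..($end - 1)]) {
        if ($line -match '^(\d+)CmdLine=') { $max = [Math]::Max($max, [int]$matches[1]) }
    }
    $next = $max + 1
    $new  = @("${next}CmdLine=$ScriptFile", "${next}Parameters=$Parameters")

    # Splice the new pair in at the end of [Startup], keeping any later sections intact
    $out = @($lines[0..($end - 1)]) + $new
    if ($end -lt $lines.Count) { $out += $lines[$end..($lines.Count - 1)] }
    Set-Content -Path $IniPath -Value $out -Encoding Unicode
    return $next
}

# Example call against a mounted vDisk (drive letter is an assumption)
# Add-LocalStartupScript -IniPath 'E:\Windows\System32\GroupPolicy\Machine\Scripts\scripts.ini' -ScriptFile 'fix-httpd.cmd'
```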

(OS 10061)No connection could be made because the target machine actively refused it. : Unable to connect to the CGP tunnel destination (127.0.0.1:1494)

2013-05-27

This has been an ongoing problem for us (Unable to connect to the CGP tunnel destination (127.0.0.1:1494)).

I may have found out why it was happening in our environment.  We are using Provisioning Services, and with it we are using two NICs: one for Provisioning Services and one for standard networking.

It appears the XTE service became configured to use the Provisioning Services NIC.  This was verified in the httpd.conf in the C:\Program Files (x86)\Citrix\XTE\conf folder.

Provisioning NIC and Production (network) NIC

httpd.conf as was when the system booted (and non-functional)

When I traced the XTE service using procmon.exe and wireshark with this non-functional conf this is what I saw when I attempted to launch the application:

You can see it attempt to connect to itself via 1494, but then nothing else happens.
Wireshark shows virtually nothing on the network and nothing related to IMA.
When I edited the file to have the Production NIC…

then restarted the XTE service and retraced via Procmon and Wireshark…
We now see tons of activity, and the application now launches without issues.

================EDIT===============

We have now found why we are getting this error, and why we are getting it intermittently.  The issue is that we are using PVS with multi-homed NICs.  One NIC (LanAdapter 1) is the “Provisioning” network, and the second NIC (LanAdapter 2) is the “Production” network.  The Provisioning network is on a completely separate VLAN and sees no traffic outside of its little network.  The ICA Listener was attaching itself to the Provisioning network instead of the Production network, so when we tried to connect to the server it would fail with the CGP tunnel error, because the outside network cannot talk to the Provisioning network.  To attempt to resolve this issue one of our techs (Saman) created a Group Policy Preference registry item that set the following value (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-TCP – LanAdapter):

By setting it to “2” we could ensure the ICA listener is always listening on LanAdapter 2, our production network.  Unfortunately, a Windows Update appears to have caused either Group Policy Registry Preferences to execute (sometimes) *after* the IMAService service started, or allowed the IMAService service to start *before* Group Policy Registry Preferences.  IMAService will recreate that file every second restart.  To resolve this issue I created a startup script that executes after 65 seconds, deleting the httpd.conf file and restarting the appropriate services until the httpd.conf file is recreated.

In my testing it appears you need to restart the “IMAService” service twice to get it to recreate the httpd.conf file.  Because of this, I created the script to retry up to 3 times to try and regenerate the file.
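The script below is an added example implementing the startup-script logic just described; it is not the author’s script.  It waits 65 seconds, deletes the XTE httpd.conf at the path given in the post, restarts IMAService twice per attempt (the post found one restart was not enough), and retries up to 3 times until the file is regenerated.  The service name “IMAService” is taken from the post; the log file location and the 10-second settle time are assumptions.

```powershell
# Added example, not the author's script. Implements the startup-script logic described
# above: wait 65 seconds, delete the XTE httpd.conf, restart IMAService twice per attempt
# (a single restart did not regenerate the file in the post's testing), retry up to 3 times.
# Assumptions: service name "IMAService" (from the post), log path and settle time below.
$conf       = 'C:\Program Files (x86)\Citrix\XTE\conf\httpd.conf'
$service    = 'IMAService'
$maxRetries = 3
$log        = Join-Path -Path $env:SystemRoot -ChildPath 'Temp\xte-httpd-regen.log'

function Write-Log([string]$Message) {
    Add-Content -Path $log -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

# Give Group Policy Preferences time to write the LanAdapter value before IMA reads it
Start-Sleep -Seconds 65

$regenerated = $false
for ($attempt = 1; $attempt -le $maxRetries -and -not $regenerated; $attempt++) {
    Write-Log "Attempt $attempt of $maxRetries: removing $conf"
    if (Test-Path -Path $conf) { Remove-Item -Path $conf -Force }

    # Two restarts per attempt, as the post found necessary for IMA to recreate the file
    1..2 | ForEach-Object { Restart-Service -Name $service -Force }

    # Let IMA write the new conf before checking for it
    Start-Sleep -Seconds 10
    $regenerated = Test-Path -Path $conf
    Write-Log ("httpd.conf present after attempt {0}: {1}" -f $attempt, $regenerated)
}

if (-not $regenerated) {
    Write-Log "httpd.conf was not regenerated after $maxRetries attempts; manual check required"
}
```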


Slow Group Policy Client Side Extensions login with Windows 7

2013-03-05

We experienced an issue when we modified a GPO to include item-level filtering on an AD group.  The issue was that Windows 7 machines with this GPO applied were suddenly taking minutes to log in.  Windows XP machines, however, logged in almost instantly.

When going through the event logs for group policy on Windows 7 we were able to identify the CSE causing this issue.  For us it was the “File processing extension”.

When we looked at the group policy we saw that the item-level filtering was filtering on a group with 11,000+ objects in it.  We had two tasks in the GPO that were filtering on that group.  When I attempted to open the group utilizing ActiveRoles Server (ARS) it was taking 40-50 seconds to populate each object in the group.  I theorized that it appeared Windows 7 was iterating through each object like ARS was.  To test this I installed Wireshark on the Windows 7 and XP machines and ran “GPUPDATE /FORCE”.  This triggered the CSE to execute.  The following are the traces:

XP Capture.  It queries (highlighted) the group then continues on.

Windows 7 Capture.  It queries the group then all objects within the group.

Obviously, with 11,000+ objects in the AD group Windows 7 will have a significantly slower logon if it’s querying every object within the group.  Fortunately, Microsoft has put out a fix for this:

You experience a long domain logon time in Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 after you deploy Group Policy preferences to the computer

So if you are experiencing slow login times with Windows 7, it may be worth trying this fix.


Powershell script to find user login times

2013-02-01

With Windows Server 2008 and on, the “Group Policy” event log will track how long it takes a user to log in.  I’ve created a script that will pull all this information into a file.


Registry keys needed to set a default server Exchange server for Outlook

2012-02-16

We recently upgraded our Exchange infrastructure from 2007 to 2010.  During this we changed the host name of the server from an internal name to a nice, easy-to-remember one (outlook.company.corp).  But we did not update our Outlook defaults to this server, so when you open Outlook for the first time you are presented with this message:

Microsoft Exchange is unavailable.

With the options:
Retry, Work Offline, and Cancel. If you choose Work Offline you are given this error message:

—————————
Microsoft Office Outlook
—————————
Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
—————————
OK
—————————

then the opportunity to enter the server name to connect to:

If you correct the name here you will get an error, after which you can close Outlook and reopen it for it to operate.  Another option is to change the default server to the correct one.  I figured out the registry keys to do that so you can place them in a GPO object.

Here are the keys:

The last key is a REG_BINARY of the server name (outlook.company.corp). If we make this into a GPO object then these keys can be placed in and users can connect to Exchange without the messages above.

The GPO object needs to look like so:

Notice the %LogonUser% variable.

Each “Key Path” requires your username substituted for the %LogonUser% variable as well:

Set this GPO with a loopback processing setting and you’re rolling. The negative that I’ve seen with this approach is that it will set the registry keys on a new login, but launching Outlook for the first time will overwrite them with the defaults set in the PRF. If you cancel out and relaunch the registry keys will apply again and the server you specified in them will work.

Or you can set up a DNS alias, but this was an interesting exercise anyway 🙂


Cool tool!

2011-10-25

Mariano Sergio Cosentino created a script that will convert registry keys into ADMX template files.  This is awesome, as the alternative to deploying a large number of registry keys and values is typically a startup script with regedit.exe /s %regfile%.

http://mscosentino-en.blogspot.com/2010/02/convert-registry-file-to-admx-policy.html

Tool is available here:
http://www.mscosentino.com/desarrollos/reg2admxl/reg_2_admx.vbs

Usage is: CSCRIPT REG_2_ADMXL.vbs registry-file language [name]

I used this tool to create an ADMX template of the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem

We use Microsoft fRX, and it utilizes this key to determine your mail preferences if you’re using Exchange.  If you have the old Office 2000/2003 (IIRC) you should have this key.  2007 and greater now use a different method of storing email account information (apparently).  This content is generated by using the “Mail” control panel icon.  We used this tool to prestage the server name and a “Windows Messaging Profile” so that when you try to email from fRX you don’t go through a complicated wizard asking for things like “server name”.  If your organization is like ours, your internal email server name is something users won’t know and won’t be able to guess (eg, 3-digit-company-abbr, 3-digit-code-for-prod-or-dev, 3-digit-code-for-virtual-or-physical, 3-digit-code-for-server-role (eg EXC for Exchange), 3-digit-code-for-number).
