Tuesday, 31 December 2013

Enable or Disable Logon for Citrix XenApp Servers via Citrix Console

After covering how to disable logon from the command line, this post shows how to disable logon using the Citrix Console.

Note that:
  • Users are not able to remote to the server: no RDP, no ICA, nothing.
  • Once logon is disabled, users can only access the server via a virtualization console such as VMware Client or XenCenter (virtual server). For a physical server, it means either physically sitting in front of the server, KVM, or a remote access card (DRAC or HP iLO).
  • The command line can only be used locally. I haven't tried using PSTOOL yet, but I will update this post on whether I can access the server using PSTOOL after logon is disabled.
  • The GUI, since it uses the Citrix Console, can be used remotely from other Citrix XenApp servers within the same farm. Hence, if the farm has only one Citrix XenApp server, you need to get into the box physically or via the virtualization client.


Description
  • Disable / enable logon for Citrix XenApp servers via Command Line.



How To Do :

  1. From Citrix Console, you can easily see whether session logon is disabled or enabled on the server. If it shows Disable Logon, the current status is Enabled, and vice versa.
    Currently Disabled



    Currently Enabled


  2. To disable logon, from Citrix Console, right-click the server name, go to All Tasks, and choose Disable logon.




  3. When users then try to RDP to the server, they will see this. For ICA connections, this server will not be used. If a published application was published only to that server, users will not be able to access that application.




  4. To enable logon again, from Citrix Console, right-click the server name, go to All Tasks, and choose Enable logon.

Enable or Disable Logon for Citrix XenApp Servers via Command Line

Well, as a Citrix Admin, you are able to prevent any users from accessing your Citrix XenApp servers, especially when the server is under maintenance, or when you purposely want to take the server out of the load. There are 2 ways to do this: GUI or command line.

But bear in mind that:

  • Users are not able to remote to the server: no RDP, no ICA, nothing.
  • Once logon is disabled, users can only access the server via a virtualization console such as VMware Client or XenCenter (virtual server). For a physical server, it means either physically sitting in front of the server, KVM, or a remote access card (DRAC or HP iLO).
  • The command line can only be used locally. I haven't tried using PSTOOL yet, but I will update this post on whether I can access the server using PSTOOL after logon is disabled.
  • The GUI, since it uses the Citrix Console, can be used remotely from other Citrix XenApp servers within the same farm. Hence, if the farm has only one Citrix XenApp server, you need to get into the box physically or via the virtualization client.


Description
  • Disable / enable logon for Citrix XenApp servers via Command Line.



How To Do :
  1. RDP to the Citrix XenApp server and open Command Prompt. First, you may want to type Change Logon to see which commands can be used.

    These are the commands that can be used :
    CHANGE LOGON {/QUERY | /ENABLE | /DISABLE}
    /QUERY     Query current session login mode
    /ENABLE    Enable user login from sessions
    /DISABLE   Disable user login from sessions
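
A guarded wrapper around the command above, as an added PowerShell example that is not part of the original post. The function names are hypothetical, and matching on the words ENABLED/DISABLED assumes the English output of change logon /query; the SESSIONNAME check reflects the caveat above that a remote session cannot be re-established once logons are disabled.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the
# XenApp server itself, because "change logon" only acts on the local server.

function Get-LogonMode {
    # Assumption: English output that contains the word ENABLED or DISABLED.
    $text = (& change.exe logon /query 2>&1 | Out-String)
    if ($text -match 'DISABLED') { return 'Disabled' }
    if ($text -match 'ENABLED')  { return 'Enabled' }
    return 'Unknown'
}

function Test-RemoteSession {
    # SESSIONNAME is "Console" at the console and "RDP-Tcp#n" or "ICA-tcp#n"
    # inside a remote session.
    return ($env:SESSIONNAME -match '^(RDP|ICA)-')
}

function Set-LogonMode {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Action,
        [switch]$Force
    )
    if ($Action -eq 'Disable' -and (Test-RemoteSession) -and -not $Force) {
        $msg = "You are in remote session '$env:SESSIONNAME'. Once logons are disabled, " +
               "you cannot RDP back in after this session ends. Confirm console, KVM or " +
               "DRAC/iLO access first, then re-run with -Force."
        throw $msg
    }
    & change.exe logon "/$Action" | Out-Null

    # Verify by querying again instead of trusting the exit code.
    $expected = if ($Action -eq 'Enable') { 'Enabled' } else { 'Disabled' }
    $actual = Get-LogonMode
    if ($actual -ne $expected) {
        throw "Logon mode is '$actual' after /$Action (expected '$expected')."
    }
    return $actual
}

# Maintenance window: block new sessions, do the work, always re-enable.
Write-Host "Before: $(Get-LogonMode)"
Set-LogonMode -Action Disable
try {
    # ... maintenance tasks go here ...
}
finally {
    Set-LogonMode -Action Enable
}
```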


Monday, 30 December 2013

Cannot Find a Valid Terminal Services License Server for Server 2003

The previous post explained how to configure a Terminal Services License server for Server 2008. This time I will show how to configure a Terminal Services License server for Server 2003. It is more or less the same; only the interface is different.

Note that this is for Windows Server 2003. For Windows Server 2008, please go here.




Description :
  • You want to specify the Terminal Services License server, so that the Terminal Services role can be used by servers.



How To Do :

  1. RDP to the server, and go to Start > Administrative Tools > Terminal Services Configuration. Or, go to Start > Run, and type tscc.msc
  2. In the left pane, click the Server Settings option. In the right pane, right-click License Server Discovery Mode, and choose Properties.
  3. On this screen, enter the TS CAL server name, and press the Check Names button.

Friday, 27 December 2013

What Is Local Host Cache?

In a previous post I wrote about what happens if the Citrix XenApp farm loses connection to its data store. Well, because of Local Host Cache, users will still be able to access the applications without too much issue. But what is Local Host Cache (LHC)?

LHC is like a mini-DB of the farm, created on every Citrix XenApp server. Why do I say mini-DB? Because it contains a portion (subset) of the Data Store information.


There are 4 main pieces of information stored in the LHC :

  • All servers in the farm, and their basic information.
  • All applications published within the farm and their properties.
  • All Windows network domain trust relationships within the farm.
  • All information specific to itself. (Product code, SNMP settings, licensing information)



There are 2 primary functions of LHC :

  • Redundancy - a Citrix XenApp server still functions as normal if the connection to the data store is lost.
  • Performance - the LHC caches information used by ICA clients for enumeration and application resolution. This gives a faster response to ICA client requests, as the server does not need to contact other member servers about published applications.

LHC info is stored in Imalhc.mdb (an Access database). By default, it is stored in the %ProgramFiles%\Citrix\Independent Management Architecture folder.

The IMA service is closely tied to the LHC: it is responsible for keeping the LHC synchronized with the data store. Hence, if you restart the IMA service during a DB server outage, the service will fail to start.




Wednesday, 25 December 2013

Change Farm Utility (CHFARM) Has Stopped Working

Well, this issue occurred to me last weekend, when I was busy changing my Citrix XenApp servers from farm A to farm B, using the GUI. Why? Because I had nothing to do (on a weekend? seriously??). Please put my forever-alone life aside, shall we? Well, this issue occurred on my XenApp 5 for Server 2008 farm. Hmm, Server 2008 is the keyword there... :)


Issues :
  • Citrix Admins receive the screen below after entering the credentials for ODBC Driver Access.
  • Citrix Admins can't move forward, as the GUI freezes right after the credentials are entered.



Troubleshooting 
  1. Go to Start > Run, and type SecPol.msc

     
  2. You will get the UAC permission prompts, so just proceed accordingly
    Click I want to complete this task

    Press Ctrl + Alt + End
    Press Continue


  3. After that, you will see this console. Our focus is on Security Settings > Local Policies > Security Options

  4. In the right column, find this configuration item, and check how it is set



Resolution :

  • Right-click the configuration item, and choose Properties

  • In this box, change the option from Enabled to Disabled


Tuesday, 24 December 2013

What Happens If My XenApp Farm Can't Connect to the Citrix License Server?

Okay, this is interesting. In my previous post, I said some candidates did not manage to get the answer correct. But for this question, they got it all correct! They even mentioned how many hours rather than how many days. (How did they manage to calculate that fast? Did they have a calculator in hand? Ahh! Smartphones!)

Again, back to the real business. If the Citrix farm loses connectivity with the Citrix license server, users are still able to launch Citrix published applications. However, there is a 30 days / 720 hours grace period. After this grace period, users won't be able to launch any Citrix published applications.

Question... If my Citrix XenApp servers lose connection to the Data Store, I can't reboot my Citrix XenApp servers. But what if the servers lose connection to the Citrix License server? The answer is, no problem! Rebooting will not have any impact on the grace period or on Citrix functionality within the grace period. The information is stored in mps-wsxica_mps-wsxica.ini, and rebooting Citrix servers won't delete the file.




What Happens If My XenApp Farm Can't Connect to the Data Store?

This is one of my favorite interview questions, I just don't know why. It seems simple, but some candidates failed to give a proper answer (poor them). I wish all of them better luck next time.

Okay, now back to the real business. From a Citrix Administrator's point of view, losing a DB may cause chaos, depending on how severe the issue is. However, from the user's perspective, nothing is different. Users won't really be impacted by this. They will still be able to launch Citrix published applications and work as normal. Thanks to Local Host Cache (LHC), it eases the burden on Citrix Admins (oh really?)

However, although all Citrix XenApp servers have LHC, there are some conditions that Citrix Admins need to remember :
  • There is no grace period for this (MPS 3.0 and above). Users will still be able to connect to the Citrix farm (lucky!)
  • Only static information is available to users. No new info can be added and current info cannot be changed (not really...)

Under any circumstances, DO NOT :
  • Restart / reboot the Citrix XenApp servers. It will cause the server to contact the DB server, and as a result the IMA service won't start.
  • Restart the IMA service (same reason as above).
  • Re-create the LHC (in order to re-create the LHC, we need to stop the IMA service).




Sunday, 22 December 2013

Error on Citrix Web Interface - Credential Error

This time, I want to discuss an error that occurs when users try to access Citrix Web Interface. This may happen for new farms or when new XML servers are added to the farm.



Issues :
  • Users receive the error below when accessing Citrix Web Interface :




Troubleshooting 
  1. On the Citrix Web Interface server, go to the application log, and search for Event ID 31003 and Event ID 30110.
  2. Those Event IDs indicate that XML service transition failed.

    Event ID 31003 in Application Log

    Event ID 30110 in Application Log

  3. Check which server(s) is/are configured as XML Service servers for the farm, and RDP to the server(s). 



Resolution :
  1. Go to Start > Run, type regedit and press Enter.



  2. Browse to HKLM\Software\Citrix\IMA

  3. Add a new registry value (ensure it is a DWORD (32-bit) Value)

  4. Set the name as UseNetworkLogon




  5. Right-click the newly created value, and click Modify...

  6. Change the value data to 1. Ensure the base is Hexadecimal.

  7. This is the final outcome :

  8. Go to Services, and restart the Citrix Independent Management Architecture service.
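
The troubleshooting and resolution steps above as a script, added here as an example that is not part of the original post. The function names are hypothetical; the registry path, value name, Event IDs and service display name are the ones given in the post.

```powershell
# Added example, not from the original post. Run elevated.
$ImaKey    = 'HKLM:\Software\Citrix\IMA'   # key named in the post
$ValueName = 'UseNetworkLogon'             # value named in the post

function Get-XmlFailureEvents {
    # Run on the Web Interface server (Get-WinEvent needs Server 2008 or later):
    # lists recent Event ID 31003 / 30110 entries from the Application log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 31003, 30110 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-UseNetworkLogon {
    # Returns the current DWORD, or $null when the value is absent.
    $item = Get-ItemProperty -Path $ImaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-UseNetworkLogon {
    # Run on each XML Service server. Returns $true only when a change was made.
    if (-not (Test-Path -Path $ImaKey)) {
        throw "$ImaKey not found on $env:COMPUTERNAME."
    }
    $before = Get-UseNetworkLogon
    if ($before -eq 1) {
        Write-Host "$ValueName is already 1; nothing to do."
        return $false
    }
    New-ItemProperty -Path $ImaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    $shown = if ($null -eq $before) { '(absent)' } else { $before }
    Write-Host "$ValueName changed from $shown to $(Get-UseNetworkLogon)"
    return $true
}

if (Set-UseNetworkLogon) {
    # Last step of the post: restart IMA. Do this only while the data store is
    # reachable, otherwise the service may not start again.
    $svc = Get-Service -DisplayName 'Citrix Independent Management Architecture'
    Restart-Service -InputObject $svc -Force
    (Get-Service -Name $svc.Name).Status
}
```

Call Get-XmlFailureEvents again on the Web Interface server after the restart to confirm that no new 31003 / 30110 entries appear.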

Monday, 9 December 2013

AD Group Scope

Some people have difficulty differentiating between Universal, Global and Domain Local groups (including me, sometimes). The table below illustrates the differences between those group scopes.

Some lessons learnt :-
  • Global groups can be added to Domain Local groups (from the same domain or cross-domain), but not vice versa
  • For Global groups, you can only add accounts from its own domain and its parent Global groups
  • In order to add accounts from any domain, you need Domain Local groups; Global groups won’t allow you to do so.
  • Converting a group to Domain Local, adding those cross-domain users, and converting it back to a Global group won’t do the trick.
  • Domain Local groups cannot be added to Domain Local groups from any domain except for its own domain and the parent.

| Group scope | Group can include as members… | Group can be assigned permissions in… | Group scope can be converted to… |
|---|---|---|---|
| Universal | Accounts from any domain within the forest in which this Universal Group resides; Global groups from any domain within the forest in which this Universal Group resides; Universal groups from any domain within the forest in which this Universal Group resides | Any domain or forest | Domain local; Global (as long as no other universal groups exist as members) |
| Global | Accounts from the same domain as the parent global group; Global groups from the same domain as the parent global group | Member permissions can be assigned in any domain | Universal (as long as it is not a member of any other global groups) |
| Domain local | Accounts from any domain; Global groups from any domain; Universal groups from any domain; Domain local groups but only from the same domain as the parent domain local group | Member permissions can be assigned only within the same domain as the parent domain local group | Universal (as long as no other domain local groups exist as members) |


Note
The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted.



Sunday, 8 December 2013

XTE Service Cannot be Started


Citrix XTE Server service is one of the essential services in Citrix XenApp. It relates directly to Session Reliability. What is Session Reliability? Please read here and here. Is Session Reliability good? Hmm, read this article and figure it out. (such a lazy bum of me, huh?)

It might happen in your environment that the XTE Server service can't be started on one server, while the rest are fine. The Session Reliability option is enabled in the Citrix Console. So, what's next?


Issues :

You may receive the error below when you try to start the XTE Server service.

 



Troubleshooting 

Browse to %programfiles%\Citrix\XTE\Conf and check whether the file httpd.conf exists and whether it has any content.



Resolution :
  1. Copy the file from a server that is working fine.


Friday, 29 November 2013

No Printers Listed in Citrix XenApp Session - ICA-tcp Listener Configuration Error

Users report that they are not able to print. Services are up and running, but the issue still persists even after you restart the Printer Spooler and Citrix Print Management services.

In addition, the required Service IDs are properly configured. Users rebooted their workstations, but to no avail. So, what is next?


Issues :
  • Users may receive one or more printing-related errors. Below are some examples :


 - or - 


  • Meanwhile, from the server's perspective, no printers are listed in Printers and Faxes

  • Upon checking the services, both the Printer Spooler and Citrix Print Management services are started. The issue remains even after those services are restarted. The required Service ID (ctx_cpsvcuser) is in place.




Troubleshooting 
  1. Press Start, hover over Administrative Tools, and click Terminal Services Configuration. Or, press Start, choose Run, type tscc.msc, and press Enter.
  2. Right-click the ICA-tcp listener, and choose Properties
  3. Inside ICA-tcp Properties, focus on the Permissions tab. Ensure the Service ID ctx_cpsvcuser is listed, with the proper permissions. If it is not, follow the steps below.

Resolution :


  1. Click the Advanced button.

  2. Click Add... to add a new user
  3. Add this user (ctx_cpsvcuser), press Check Names and OK
  4. For the Permission Entry, clear the Logon permission and add Query Information and Virtual Channels with Allow permission.
  5. Ensure you see the user (ctx_cpsvcuser) added, then press Apply and OK.

  6. You will see the ID added to the ICA-tcp properties, as below.

Monday, 28 October 2013

Cannot Find a Valid Terminal Services License Server

After installing the Terminal Services role on a server, you may want to specify the license server. The Terminal Server will attempt to locate the Terminal Services License servers first, before attempting to follow the automatic license server discovery process. You may see the balloon below :


Note that this is for Windows Server 2008. For Windows Server 2003, please go here.




Description :
  • You want to specify the Terminal Services License server, so that the Terminal Services role can be used by servers.



How To Do :

  1. Go to Start > Administrative Tools > Terminal Services > Terminal Services Configuration. Or you can type tscc.msc in the Run box.

  2. Right-click License server discovery mode, and click Properties.


Wednesday, 23 October 2013

How To Auto-Create and Configure ctx_cpsvcuser

As mentioned in the previous post, ctx_cpsvcuser can be created and configured with a tool, but it is limited to certain Citrix XenApp versions only :
  • Feature Pack 1 for Presentation Server 4.5
  • Presentation Server 4.5 for Windows Server 2003
  • Presentation Server 4.5 for Windows Server 2003 x64 Edition
  • XenApp 5.0 for Windows Server 2003 x64
  • XenApp 5.0 for Windows Server 2003 x86


Description :
  • Using a tool to create the Service ID ctx_cpsvcuser on Citrix XenApp servers.



How To Do :
  1. Download the re-creation tool here.
  2. Upload the files to the Citrix server.
  3. Run Command Prompt, browse to the uploaded folder, and run the command below.
    32-bit : CtxCpsvc10.exe -install | 64-bit : CtxCpsvc10_x64.exe -install

  4. Once done, double check the Citrix Print Management service. Ensure it can be started and is set to Automatic.




    Monday, 21 October 2013

    No Printers Listed in Citrix XenApp Session - Required Service IDs Missing

    Previously we talked about printing issues caused by missing services / services not started. However, there is another possible cause of printing issues, related to the required Service IDs. According to the Citrix technical article, the IDs below are needed and must be configured accordingly.
    | Account Name | Permissions | Notes |
    |---|---|---|
    | Local Service | Minimal | NT AUTHORITY\LocalService |
    | Network Service | Minimal, network resources | NT AUTHORITY\NetworkService |
    | Local System | Administrator | NT AUTHORITY\System |
    | ctx_cpsvcuser | Domain or local user | Acts as a power user |
    | Ctx_StreamingSvc | Domain or local user | Acts as a user |
    | Ctx_ConfigMgr | Domain or local user | Acts as a power user |
    | Ctx_CpuUser | Domain or local user | Acts as a user |


    Issues :

    • Users may receive one or more printing-related errors. Below are some examples :


     - or - 


    • Meanwhile, from the server's perspective, no printers are listed in Printers and Faxes

    • Upon checking the services, both the Printer Spooler and Citrix Print Management services are started. The issue remains even after those services are restarted.





    Troubleshooting 
    1. Right-click My Computer, and click Manage

    2. From the Computer Management console, browse to Local Users and Groups > Groups and check whether the required Service IDs are properly configured in both the Power Users and Users local groups.
    No required Service IDs configured. They might have been accidentally removed by an Admin / Monitoring System.




    Resolution :
    • Add the required Service IDs to their respective groups.
    Needed IDs : ctx_cpuuser & Ctx_StreamingSvc
     
    Needed IDs : ctx_cpsvcuser & Ctx_ConfigMgr
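
The membership check above as a repeatable audit, added here as a PowerShell example that is not part of the original post. The function names are hypothetical, the group-to-account mapping follows the "power user" / "user" notes in the table above, and the accounts are assumed to be local accounts.

```powershell
# Added example, not from the original post. Group-to-account mapping is taken
# from the table in the post (power user / user); local accounts are assumed.
$Required = @{
    'Power Users' = @('ctx_cpsvcuser', 'Ctx_ConfigMgr')
    'Users'       = @('Ctx_CpuUser', 'Ctx_StreamingSvc')
}

function Get-LocalGroupMemberNames {
    param([Parameter(Mandatory = $true)][string]$Group)
    # WinNT ADSI provider; works on PowerShell 2.0 without extra modules.
    $entry = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $names = @()
    foreach ($member in $entry.psbase.Invoke('Members')) {
        $names += $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
    return ,$names
}

function Get-MissingServiceIds {
    # Emits one object per required account that is missing from its group.
    foreach ($group in $Required.Keys) {
        $members = Get-LocalGroupMemberNames -Group $group
        foreach ($account in $Required[$group]) {
            if ($members -notcontains $account) {   # -notcontains ignores case
                New-Object PSObject -Property @{ Group = $group; Account = $account }
            }
        }
    }
}

function Repair-ServiceIds {
    param([switch]$Fix)
    $missing = @(Get-MissingServiceIds)
    foreach ($m in $missing) {
        Write-Host "MISSING: $($m.Account) is not in '$($m.Group)'"
        if ($Fix) {
            # Same action as adding the account in Computer Management.
            & net.exe localgroup $m.Group $m.Account /add | Out-Null
        }
    }
    return $missing.Count
}

# Report only; call Repair-ServiceIds -Fix to add the missing accounts back.
$count = Repair-ServiceIds
Write-Host "$count required Service ID(s) missing on $env:COMPUTERNAME"
```

Running the report-only form on a schedule catches the case noted above where an admin or monitoring system removes the accounts again.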
