Thursday, August 28, 2014

How to Change the Server Base URL from HTTP to HTTPS on Citrix StoreFront

Complete the following steps to change the base URL:
  1. Go to StoreFront and click Server Group on the left panel.
  2. Click Change Base URL on the right panel.
  3. Type the base URL and click OK.

XenApp or XenDesktop applications fail to launch

When accessing my StoreWeb URL, I clicked on an application icon and it would never launch, and at the bottom of the icon the circle would spin continuously. Citrix article CTX128009 fixed the issue.

The following registry value lets you configure the time-out:
Name: ApplicationLaunchWaitTimeoutMS
Data: <required additional time-out, in milliseconds>
Note: Specifying a value of less than 10000 reverts to 10000 because 10 seconds is the minimum override.
Create the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
Value Name: LogoffCheckerStartupDelayInSeconds
Value: An integer that denotes the time to wait for the application to start (10 Hexadecimal recommended)
Note: Setting this value also increases the time it takes for a user to log off the server. It is more useful as a troubleshooting step to confirm that the issue is due to the length of time required for your application to launch.

No certificate templates could be found Server 2008 R2

While attempting to request a web server certificate for my XenApp/XenDesktop Delivery Controller for use with Storefront, I get this error from the CA: "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."

I found this gem from John Nobile on
Instead of using IIS Manager to generate the request, you can do so manually. Open the machine certificate MMC snap-in (mmc.exe -> File -> Add/Remove Snap-in -> Certificates -> Add -> Computer Account -> Next -> Local Computer -> Finish -> OK). Right-click on the Certificates node under the “Personal” store. Select All Tasks -> Request New Certificate. When selecting the Web Server template from the enrollment wizard, open the template details and add both the machine name and fully qualified machine name of the web server as Common Names to the certificate subject.

Sunday, August 24, 2014

Slow XenApp 5 logons on Server 2008

My XenApp 5 farm published desktops running on Windows Server 2008 x86 had logon times averaging 69 seconds. Group Policy Registry items were taking 40 seconds as seen in the event logs.

I found Citrix article CTX128749. I added a new GPO with a scheduled task containing:
rd "C:\ProgramData\Microsoft\Group Policy\history" /s /q
I ran the above command and restarted all servers and then timed logons and they had decreased from 69 to 33 seconds. I can live with 33 second logons.

Thanks and a shout out to robissimo for pointing the Citrix article out to me.

Thursday, August 21, 2014

Creating Mandatory profiles

Over time I've noticed that as the number of GPO settings applied to my Citrix servers grows, so do the user logon times. I'm using XenApp to provide shared hosted desktops, and the logon times have grown to around a minute.

The solution is to use Mandatory profiles (and redirected folders), as long as you don't need users to be able to save changes. That fits the bill for shared hosted desktops on a server. Instead of having a large number of user GPO settings applied at logon, we're going to customize the profile and save it to a network share, then set a GPO to use this profile for all users. Now you have a profile with all settings applied and you can eliminate many of those GPOs you were previously waiting on to apply. You can use Mandatory profiles along with redirected folders so that users can still get their own desktop and documents folders as well.

Instead of creating yet another tutorial, I'm going to point you to Rob Beekman's excellent blog post on how to create a Mandatory profile.

XenDesktop and XenApp black or frozen screen

This issue affects XenApp 7.5; XenDesktop 7.1 and 7.5 VDA Core Services for Windows Server OS (64-bit). After launching a published desktop or application, the screen may be completely black, or it may freeze.

Since this issue affects the default graphics mode, I'm scratching my head, amazed that Citrix doesn't include this fix in the ISO download of XenDesktop/XenApp 7.x. To make matters worse, you can't just visit the Citrix site and download this hotfix; you have to open a support ticket and they must email you a download link.

See CTX139901 for more info.

How to disable Citrix desktop auto launch in StoreFront

I'm not sure why Citrix thought it would be a good idea to automatically launch a published desktop in the Citrix Receiver for Web (StoreWeb) site in StoreFront and assumed that users wouldn't want to launch an application instead. It seems logical to not auto launch a desktop and have the administrator edit this config file value if they DO want it to auto launch.

Complete the following steps to disable desktop auto launch:
  1. Go to C:\inetpub\wwwroot\Citrix\StoreWeb directory.
  2. Open the Web.config file with notepad.
  3. Set the autoLaunchDesktop parameter to “false”.
  4. Save the Web.config file.
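
The same change scripted in PowerShell, as an added example that is not from the original post or from Citrix. The function name Set-AutoLaunchDesktop is hypothetical, the path is the one given in the steps above, and the attribute is located by name rather than by assuming where it sits in the file.

```powershell
# Added example: flip autoLaunchDesktop in the Receiver for Web site's Web.config.
# Run elevated on the StoreFront server. Path taken from the steps above.
$configPath = 'C:\inetpub\wwwroot\Citrix\StoreWeb\Web.config'

function Set-AutoLaunchDesktop {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [bool] $Enabled = $false
    )

    # XmlDocument.Load resolves relative paths against the process directory,
    # so hand it a fully resolved path.
    $fullPath = (Resolve-Path -Path $Path).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's layout for clean diffs
    $xml.Load($fullPath)

    # Match any element that carries the attribute, wherever it lives.
    $nodes = $xml.SelectNodes('//*[@autoLaunchDesktop]')
    if ($nodes.Count -eq 0) {
        throw "No autoLaunchDesktop attribute found in $fullPath"
    }

    $wanted  = $Enabled.ToString().ToLower()   # 'true' or 'false'
    $changed = $false
    foreach ($node in $nodes) {
        if ($node.GetAttribute('autoLaunchDesktop') -ne $wanted) {
            $node.SetAttribute('autoLaunchDesktop', $wanted)
            $changed = $true
        }
    }

    if ($changed) {
        # Keep a timestamped copy so the change can be rolled back.
        $stamp = Get-Date -Format 'yyyyMMddHHmmss'
        Copy-Item -Path $fullPath -Destination "$fullPath.bak-$stamp"
        $xml.Save($fullPath)
    }
    return $changed   # $false means the file already had the wanted value
}

Set-AutoLaunchDesktop -Path $configPath -Enabled $false
```

Running it a second time returns False and leaves the file and its backups untouched.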

Tuesday, August 19, 2014

XenApp and XenDesktop 7.5 MCS creating Machine Catalogs and can't add VM's from vCenter 5.5

I'm building a XenApp 7.5 (same code as XenDesktop 7.5, only a different license) environment and hitting a wall when creating Machine Catalogs. Under the step "import or add virtual machines", I click the "Add VMs" button and can't browse past the top level of my vCenter cluster or see any VMs. I checked, and the account I'm using meets the permissions requirements. I know that the issue isn't with this XenApp DC because I am able to connect to our secondary data center and browse VMs from this same DC.

I opened a support ticket with Citrix and VMware and after two weeks it still wasn't working.

While I was looking at the differences between the working and non-working data centers, I noticed that in the data center that's working, I can only see VMs that are not part of a vApp in the Citrix Studio Console. I moved my XenApp 7.5 VMs out of the vApp and I can now connect to them with Citrix Studio.

If you are connecting XenApp or XenDesktop 7.5 to VMware vCenter 5.5, don't place the Citrix virtual machines you want to manage inside a vApp. I can't verify this issue on other versions of Citrix XenDesktop/XenApp or VMware vCenter.

The system cannot find the file specified failed to resolve the source 0x80070002

Some days SCCM will have you pulling your hair out in frustration. I frequently get errors when my OSD TS are installing programs or applications. It will work fine one time then fail the next.

This is the error I'm talking about:
Severity,Type,Site code,Date / Time,System,Component,Message ID,Description
Error,Milestone,NFK,8/19/2014 11:56:08 AM,COMPUTERNAME,Task Sequence Engine,11135,The task sequence execution engine failed executing the action (Run Command Line Copy default backgound image) in the group (Setup Operating System) with the error code 2147942402  Action output: ... 02 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,3273) TS::Utility::ResolveSource (pszPkgID, sPath, 0, hUserToken, mapNetworkAccess), HRESULT=80070002 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\runcommandline.cpp,399)cmd.Execute(pszPkgID, sProgramName, dwCmdLineExitCode), HRESULT=80070002 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\main.cpp,372) WinHttpSendRequest failed. SendWinHttpRequest failed. 80072ee2. DownloadFile() failed for http://SERVER -FQDN:80/SMS_DP_SMSPKG$/NFK00079/sccm?/backgroundDefault.jpg, C:\_SMSTaskSequence\Packages\NFK00079\backgroundDefault.jpg. 80072ee2. Error downloading file from http://SERVER -FQDN:80/SMS_DP_SMSPKG$/NFK00079/sccm?/backgroundDefault.jpg toC:\_SMSTaskSequence\Packages\NFK00079\backgroundDefault.jpg  DownloadFiles() failed. 80072ee2. Download() failed. 80072ee2. Failed to resolve the source for SMS PKGID=NFK00079, hr=0x80070002 Install Software failed to run command line, hr=0x80070002. The operating system reported error 2147942402: The system cannot find the file specified.
To fix this, add the following Task Sequence Variables to the top of your TS.
SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15

Configuring Automatic Deployment Rules for Software Updates in SCCM 2012

In deploying Microsoft updates, it's as important to delay the updates as it is to apply them, in order to avoid applying bad updates that cause unintended consequences, including the dreaded BSOD. In this post I'm going to show how to deploy MS updates using an Automatic Deployment Rule (ADR) in System Center Configuration Manager 2012 R2.

I have experimented with different patch schedules and methods over the years, and I'm going to outline what works best for me. Every month, I wait until a week after Patch Tuesday and deploy updates to my computer. (Waiting a week gives bleeding-edge users time to report issues and Microsoft time to pull the patch if necessary.) If there are going to be any BSODs, I would rather catch them first instead of a few hundred or thousand of my users.

After I let the updates "bake" on my computer for a week and don't encounter any issues, I deploy them to a small group of users. I pick a small group of people who are generally easy to work with and usually don't have any pressing deadlines to meet. I sometimes refer to this group as "the canary in the coal mine", because coal miners in the old days used a caged canary to alert them to the presence of toxic gases: the gas would kill the canary before affecting the miners. If the canary drops dead, back out quickly!

After the "canary" group bakes with these updates for a week without issue, it's time to deploy the updates to the rest of your computers, including laptops. Some users take their laptop home nightly and may miss the collection's maintenance window of 4 to 7 AM. For these offsite laptops, I deploy updates a week after the bulk of the users. This gives the laptop users a chance to return to the office and pick up updates during the maintenance window. If this window is missed, the only effective way to get it done is to push the updates during working hours at lunch time and suppress a restart. This may not be ideal, but what else are you going to do if they take the laptop home every night?

In the SCCM console, select Software Library, expand Software Updates and select Automatic Deployment rules. Click the button for "Create Automatic Deployment Rule".

Name your ADR and provide a description if you desire. Select a Deployment Template if you have created any. Select your collection, and select Create a new Software Update Group, and click Next.

On the Deployment Settings dialog, select "Use Wake-on-LAN" if you desire. I don't use this feature as all of my computers automatically power on for the 4 AM maintenance window via BIOS settings. Click Next.

On the Software Updates dialog, set your property filters to select the updates you want. In my case I exclude a particular Bulletin ID that we have found to cause problems with our deployed applications by preceding it with a minus.

Specify the Evaluation Schedule.

Specify the Deployment Schedule.

Specify the User Experience. I prefer to select "Hide in Software Center", and leave all boxes unchecked so that they only deploy during the collection's maintenance window. Click Next.

Specify an alert of 90 percent and 7 days, unless you prefer otherwise.

I leave the defaults selected on the Download Settings dialog, and click Next.

Select a Deployment Package if one exists, otherwise create a new deployment package and specify the source, then click Next.

Select your Distribution Points or Distribution Point Group.

Accept the default on the Download Location dialog, and click Next.

Make the appropriate language selection, and click Next.

Carefully review the Summary page, click Save as a Template, and click Next if you don't need to make any changes, then click Close.

Repeat this process for any other operating systems you manage and make changes as necessary.

Monday, August 18, 2014

Citrix products at a glance...

How to Configure Citrix Receiver Pass-Through Authentication for StoreFront or Web Interface

Desktop Virtualization Deployment Insights eBook

Printing IS important in the VDI environment

I manage a Citrix XenApp system. Recently during a business lunch our sales rep told us that his customers have had "great success" with VMware Horizon View as a Citrix replacement.

From what I've been reading on comparisons of VMware vs Citrix VDI, VMware is a little immature at the moment. I consider Citrix XenDesktop and XenApp to be mature and complete end to end products. Profile management? Check. Universal Printing? Check. Remote access? Check. (Netscaler) Then you also have GoToMeeting, GoToWebinar, Sharefile, and MDM. At first glance it looks like it would be easy to upgrade a Citrix environment with VMware Horizon View 6. VMware's webinar I watched recently said you just install the Horizon agent on your Citrix server to publish apps and you don't even have to uninstall Citrix.

The reality is that VMware Horizon View 6 lacks some key features, including universal printing and profile management. To be fair, if you are doing VDI on a Windows desktop OS, VMware has universal printing. However if you are publishing a desktop or application on a server OS, no universal printing. I think I'll stick with Citrix, thank you.

Here's a good summary of the differences between Citrix and VMware VDI client printing support.

Sunday, August 17, 2014

User changed password in AD and keeps getting locked out

I've noticed that Active Directory account lockouts seem to be more common these days. I believe this is a result of the use of mobile devices, with some users having multiple mobile devices.

The most common cause of account lockout is when a user changes their password and doesn't immediately update their password on a mobile device with an email account configured for ActiveSync. I've even had one person tell me that they did update their password on their iPhone, then after repeated account lockouts they remembered the iPad they left at home that also had their company email account on it.

If mobile devices with ActiveSync accounts aren't the cause, I recommend using Account Lockout Examiner, a freeware tool from Netwrix.

Netwrix Account Lockout Examiner: Alert your help desk staff about lockout events and troubleshoot account lockouts, analyzing potential causes. Accounts can be unlocked within the console, a Web-based interface or via a mobile device.

Download it here.

How to determine when a user changed their AD password with PowerShell

Open the PowerShell console as admin and type:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -Properties PasswordLastSet | Format-List

Pretty simple.
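
An added example (not from the original post) that ties the two posts above together: it reads PasswordLastSet and then lists the account's recent lockout events with the computer that triggered each one. The function name Get-LockoutContext and the account 'jdoe' are placeholders; it assumes account-management auditing is enabled and that you have rights to read the Security log on the PDC emulator.

```powershell
# Added example: did the lockouts start after the password change, and from where?
Import-Module ActiveDirectory

function Get-LockoutContext {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [int] $DaysBack = 7
    )

    # When the password was last changed, and whether the account is locked now.
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, LockedOut, AccountLockoutTime

    # Lockouts are logged as Security event 4740. The PDC emulator handles
    # every lockout in the domain, so its log is the one place to look.
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddDays(-$DaysBack)
    }
    $events = @(Get-WinEvent -ComputerName $pdc -FilterHashtable $filter `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.Properties[0].Value -eq $SamAccountName })

    if ($events.Count -eq 0) {
        Write-Warning "No 4740 events for $SamAccountName on $pdc in the last $DaysBack days."
        return
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            User                = $SamAccountName
            PasswordLastSet     = $user.PasswordLastSet
            LockedOutNow        = $user.LockedOut
            LockoutTime         = $e.TimeCreated
            # In event 4740 the second field holds the caller computer name.
            CallerComputer      = $e.Properties[1].Value
            # True when the lockout happened after the password change,
            # which is what a device still sending the old password looks like.
            AfterPasswordChange = [bool]($user.PasswordLastSet -and
                                         ($e.TimeCreated -gt $user.PasswordLastSet))
        }
    }
}

Get-LockoutContext -SamAccountName 'jdoe' |
    Sort-Object LockoutTime |
    Format-Table LockoutTime, CallerComputer, AfterPasswordChange -AutoSize
```

A run of lockouts that all show AfterPasswordChange as True and share one CallerComputer points at a single source still presenting the old password.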

Friday, August 15, 2014

Best sales pitch ever!

Yesterday I attended a sales pitch for Barracuda backup appliances, hosted by SLAIT Consulting at Colonial Shooting Academy in Virginia Beach, VA. I always enjoy attending these events, if nothing else you always meet new people and get some lunch while learning about new technology.

What made this event so awesome is the fact that I love to shoot guns, and the event was at a gun store and shooting range. After lunch and the sales pitch we were given a safety brief and headed to the range. In addition to a selection of pistols, they laid out a couple of AR-15's and an AK-47 and all the ammo you could shoot. This was the first time I had ever shot an AR or AK. It was a BLAST!

First lonely post

Today I'm recovering from a very simple mistake that could have cost me weeks of work if I hadn't made a backup copy in VMware of my application server I am building for XenApp 7.5. I painstakingly installed and tweaked a long list of applications on Server 2008 R2 to be used for the master image in XenApp 7.5 Machine Creation Services (MCS).

I hit a wall with an issue connecting my XenApp 7.5 DC to vSphere for the MCS connection. I submitted traces to Citrix support, who eventually called it a VMware issue. While waiting for VMware support, I decided to manually create the servers in VMware instead of using MCS so that I could forge ahead in the Citrix upgrade. I can always go back and integrate MCS after the VMware issue is resolved. I sysprepped my application server and created a VM template. After creating my first server from the template, I realized that I FORGOT TO UNCHECK "User cannot change password" for the administrator account before shutting the server down after running sysprep. Great, now I can't log in since it forces you to set the administrator password on first login, and the password can't be changed.

What I SHOULD HAVE DONE is to clone my app server, then sysprep the clone and leave the original server intact. Thankfully I had created a backup copy of this server in the lab, so with a few clicks and a short delay I'm making progress again.

Sometimes it's the simple things that can cause you the most pain.