Hyper-V cluster shows “Needs Attention” in SCVMM

I had a situation where all Hyper-V hosts (Windows Server 2012R2) in a failover cluster were in the “Needs Attention” state in System Center Virtual Machine Manager 2012R2. Rebooting those servers or refreshing them in SCVMM didn’t put them back in an “OK” state.

In the job event log of SCVMM you can find the following warning:
A Hardware Management error has occurred trying to contact server servername.domain.com :n:CannotProcessFilter:HRESULT 0x8033801a:No instance found with five property values.

Check WinRM

The recommended action of Microsoft is to check whether WinRM is installed and running on that server… (See http://social.technet.microsoft.com/wiki/contents/articles/4902.system-center-2012-virtual-machine-manager-vmm-error-codes-2500-2999.aspx)

What I suggest checking is the following:

  1. Check whether the SCVMM agents on those hosts require an update via the SCVMM server.
  2. When all agents are up to date, do the following.
    The problem can occur if the shared svchost.exe process that hosts the Windows Remote Management (WinRM) service is experiencing issues.
    Use the following command in an elevated command prompt (it moves WinRM into its own process): sc config winrm type= own
  3. Increase the default values for the WinRM service with the following commands in an elevated command prompt (when having Error 0x8033803b):
    Increase the timeout value for the agent to contact the VMM server by using this command:
    winrm set winrm/config @{MaxTimeoutms="1800000"}
    Increase the number of threads that can be sent to the VMM server by using this command:
    winrm set winrm/config/Service @{MaxConcurrentOperationsPerUser="400"}
    net stop winrm
    net start winrm
    net start scvmmagent

SCVMM depends on the Windows Remote Management service for host communication. Therefore, the “Not Responding” status is very likely to occur because of an error in the underlying Windows Remote Management communication between the VMM server and the host computer.


AppSense AM OnDemand authentication problem (Policy Change Request)

What’s the Policy Change Request feature?

On a recent project we decided to use the recent Application Manager feature: Policy Change Request. This feature allows for temporarily elevated (admin) rights on a specific executable or process. It’s useful if you want users to be able to temporarily perform elevated actions without granting them full local admin privileges, e.g. adjusting the time or installing a specific application.

This feature consists of two components:

  • A client interface which allows the user to request temporary elevated permissions for a specific process.

  • A web portal for your helpdesk (Installed on your AppSense server) to allow these requests. This portal is reachable on http://<ServerName>/OnDemand . This portal has 2 roles: as an operator, you’ll only see the first tab “Config Request”. Administrators also see the “Administration” tab. In this tab you configure access to this portal and your shared key, which needs to correspond with the key you set in your AM configuration.

Problem logging on to the console

At the customer where we evaluated this feature, we were unable to log on to the OnDemand portal. At first logon you need to use the same account you performed the installation (of the AppSense Application Manager Web Services) with. I got this logon prompt again every time.

When I had a look at the configuration file (located at: “C:\Program Files\AppSense\Application Manager\Analysis Service\AMAnalysisServiceCore.dll.config”) and changed the “ON_DEMAND_AUTHENTICATION_TYPE” to Windows instead of Basic, I was able to log on.

The following topic on AppSense Exchange seems to address the same issue: https://forum.appsense-exchange.com/forums/showthread.php?172-Help-Desk-Portal-with-AM-8-8-Issue

 

High availability for the OnDemand portal

The two configurations made in the OnDemand Administration section (the Shared key & Role Access) are saved in a local SQLite file:

“C:\ProgramData\AppSense\Application Manager\Analysis Service\On Demand\HelpdeskDatabase.sqlite”

At this moment there’s no supported way to copy this file to another server, for instance if you want to load-balance the OnDemand portal. If you want to copy the file you first need to force ownership & remove the Deny permission for “everyone”. After having replaced the file on a second server, the “AppSense Application Manager Web Services” was unable to start.

You could of course, repeat the configuration manually on all other portals. Depending on your environment, this might be sufficient.

A Feature Request has been created at AppSense support to research this.


 


Troubleshooting Scripts in Appsense Environment Manager

When you deploy a script with environment manager it is not easy to check if it has run successfully or not. In my situation I had to set a REG_NONE value in HKCU so that SAP files would open instead of the save as option. I exported the registry key, imported it into Environment Manager and ran the action but the subkey SAPGUI.Shortcut.File was not created.

A Reg_None value is not recognized because you can’t set or create it with Windows Group Policy. So I created a script that would create the key and set the value; as shown in the figure below:

If you are deploying the script with the “Desktop Created” condition and the user has to input data, you need to uncheck the “Prevent script from running interactively” option. If you check this option the script will run hidden in the background.

When I first ran the script the key was not created. I checked the AppSense logs and the Windows Event Viewer but no errors or warnings were logged. I added the PowerShell code below to my script:

Write-Host
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
Write-Host

This code makes the script wait for a key press before it ends, so the window stays open.

So my new script was:

cd hkcu:
$Params = @{
    Path         = '\Software\Microsoft\Windows\Shell\AttachmentExecute\{0002DF01-0000-0000-C000-000000000046}'
    Name         = 'SAPGui.Shortcut.File'
    PropertyType = 'None'  # Microsoft.Win32.RegistryValueKind
    Value        = [System.BitConverter]::GetBytes(0)
}
# Create the REG_NONE value under HKCU
New-ItemProperty @Params
# Keep the window open so that any error stays visible
Write-Host
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
Write-Host

When I ran the script again and it waited for the key press before finishing, I saw the problem. The starting directory was H:\ instead of C:\. I added the command cd C:\ to the first line of the script, ran it again and the key was created successfully.

Sources: Colleague Kid Kooijmans, http://appsensebigot.blogspot.be/

 

 

 

 

 

Chromebook as a thin laptop

Introduction

Google Chromebooks are becoming more and more common. The devices are simple and relatively cheap.  The Chrome OS on which it is running is based on the equivalent browser and the Linux kernel.

The Chrome browser is the key component within the OS.  Applications in Chrome OS run using the Chrome browser, sometimes with their own GUI. In fact, the apps are extensions of Chrome.

Because of these specifications (cheap, simple, basic OS) the device might seem suitable as “thin laptop”. We try to find out if this is true.

We installed the latest available Citrix Receiver and VMware View client from the Google store and started testing with it.


AppSense Configuration deployed with SCCM not detected by AppSense Management Console

For day to day management our AppSense clients are managed through the AppSense Management Console. Configuration changes are pushed to the clients using this method.

To perform the upgrade to the latest agent versions (CCA 8.7 SP1, EM 8.6 SP1, AM 8.9 SP1) we decided to use SCCM 2012. Using the SCCM Distribution Points reduces the bandwidth consumed between the main and branch offices.

The agent deployment works fine but there is a strange behavior with the configuration deployment. The agent installation is detected by the AppSense management console but the configuration is not. In the management console the configuration is showing as “Pending Install”, on the client the configuration is installed. If a new configuration is deployed with the management console, the configuration is placed beside the configuration installed by SCCM. The client then has two configurations installed.

Solution: import the msi configuration used in SCCM into the AppSense Management Console using the “add package” functionality. The configuration will be available in the Packages and can be linked to the required Deployment Groups.

In this scenario we only used SCCM for the initial configuration deployment. Configuration updates are deployed using the Management Console. These updates are running fine, only one configuration is installed on the stations.

If configuration updates are installed using SCCM, the system will install the update as a new package and previously installed packages will NOT be uninstalled from the client.

Remark: the AppSense configuration is not uploaded to SCCM using the integration in the AppSense Management Console. The configuration is placed in SCCM using an msi file.


Whitepaper How to install Dragon Speech Medical on VMware App Volumes

This white paper will guide you through installing Dragon Medical Speech on a VMware App Volume. The App Volume will be connected to a VMware Horizon View Random Desktop Pool. The microphone that will be connected is a Philips Speech Mike III.
In our setup we implemented a mandatory user profile, which improved logon times significantly. When a user logs off from his VMware Horizon View session, the VM is reset and his user profile and application settings are not saved. We saved the user’s Dragon Medical Speech profile and other settings with the AppSense DesktopNow suite. When the user connects to a new VM, his Dragon Medical Speech profile and other user settings are available as on a client PC.


SCCM 2012 R2 issues after upgrade to R2 SP1

After my latest encounter with a few software updates causing my OSD Task Sequences to fail, due to the dreaded unexpected reboot issue, I called it time to upgrade to SCCM 2012 R2 SP1, coming from R2 with CU5.

Determined to avoid the well known pitfalls, I checked the latest backup was OK, the overall status of my site was healthy and I also ran a test of the upgrade on a copy of the database. See this TechNet article and Nickolaj’s great post for step-by-step instructions on that. It’s a must! And I’ll throw in a note for when you’re setting up your test VM: regardless of your SQL instance being SQL 2008 R2 or 2012 or whatever, be sure to also install the SQL 2012 Native Client or the test upgrade wizard will fail! It does tell you why, but I failed to see I had the wrong version of the Native Client, until I read it for the third time… So don’t be as daft as I was.

The actual Service Pack upgrade didn’t take more than half an hour in my production environment with a database close to 30 GB in size. No errors in the ConfigMgrSetup log and all was good! Checked the build numbers, upgraded the console (you need to or you won’t be able to connect to the upgraded site!) and had a look around for new features and options. First thing I did was to check the preferred Management Points option in the Hierarchy settings. Read about it and other new SP1 features over at systemcenterdudes.com.

Then for the main reason why I made the SP1 upgrade a top priority: unexpected reboots during Task Sequences, due to certain software updates. Let me tell you: it still ain’t fixed! At least not in my experience. And I’m not the only one to report this, as seen here. The updates do get installed successfully, but the Task Sequence comes to an early end. Will update when I know of a fix.

And then for another issue I had with 2 out of 5 management points. They showed up as critical in the Site Status overview. The error, as stated in the Status Message Viewer:

“MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 500, Internal Server Error.”

This is an often talked about error in blog posts and forums, all with solutions ranging from registering ASP.NET v4.x on IIS to reinstalling the Management Point altogether. After trying that first suggestion and not seeing the desired result, I looked at the MP installation logs, but they were clean. So were other SMS and CCM logs. All except the mpcontrol.log:

Call to HttpSendRequestSync failed for port 80 with status code 500, text: Internal Server Error
Http test request failed, status code is 500, ‘Internal Server Error’

Solution

Eventually, the System and Application logs in Windows’ Event Viewer provided the key to my solution:

Application Error – Event ID 1000:
Faulting application name: CcmExec.exe, version: 5.0.8239.1000, time stamp: 0x552cf4e3
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18229, time stamp: 0x51fb1677
Exception code: 0xc0000005
Fault offset: 0x000000000000940d
Faulting process id: 0x1028
Faulting application start time: 0x01d0bed5e6c93139
Faulting application path: D:\SMS_CCM\CcmExec.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 274239f9-2ac9-11e5-a783-22b3b07b2546

Service Control Manager – Event ID 7031
The SMS Agent Host service terminated unexpectedly.  It has done this 194 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

So the CCM agent was broken. A simple push installation initiated from within the SCCM console, a few minutes later, and the agent was fixed and upgraded to build 5.0.8239.1000. Another look at mpcontrol.log, to my relief, showed

Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK

and my site status showed up green after some time. All good! FYI, the other 3 MP’s got their client auto-upgrade at random times, but never did they manifest the MP status 500 error nor did the CCMExec service crash.

As for the issue with the cursed software updates causing my Task Sequences to trip over themselves, I’m back to disabling the Install Software Updates step until there’s a solid fix.


Some more troubleshooting with AppSense EM tools

Recently I wrote a blog about a slow logon process that I could troubleshoot with the EM Tools (http://blog.raido.be/?p=752). This time I have a user who logs on but does not receive any of his stored profile settings. Obviously the problem is that the personalization does not work. So I got the EM tools out again, to discover what the problem was.

I am assuming that you already know where to find the EM tools and how to install it. But if you don’t, I suggest that you read my previous blog. After installation I started the debug logging and logged on with a copy of the account of the user that did not have any personalization. Then I opened the EMmon tool to analyze the configuration. The pre-defined option “View personalization server latency statistics” is a good option to choose:

And I quickly discovered that the first connection to the personalization server went wrong.

So let’s look at the details to discover what exactly went wrong.

What is important in the above details?

  • Server URL = correct, so it did receive the configuration through the EM policy.
  • Result = failed
  • Configuration Request = It knows the personalization server and is requesting the configuration file (ProfileConfig.xml) from the personalization server.
  • Duration = 27ms, so that’s too fast to be a timeout.
  • Description = Incorrect function – HTTP Status Code 400. Mmm… let me Google that. And the result is: “The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.”
  • Time = 11:14:20

Obviously this is an error that happened on the IIS site of the server, so I go and look at the IIS log (default path for this is: C:\inetpub\logs\LogFiles\W3SVC1). It is important to know that the IIS log file always records the date and time in GMT. This behavior is by design. So, it’s summer, I’m in Belgium, conversion of 11:14:20 would mean that GMT is 9:14:20. After analyzing the IIS log on the Personalization Server, I discovered that the “anonymous” attempts always reach the personalization server, but give a 401 error (this is because I had disabled anonymous logons on the personalization server). But the named attempts only reach the IIS server when it is successful (there is never a failed attempt when the user credentials are not provided).

My Failed attempt:

2015-07-09 09:14:19 10.190.9.244 POST /PersonalizationServer/config.aspx - 80 - 10.191.101.13 AppSense+WinHttpClient 401 2 5 0

A successful attempt:

2015-07-09 09:47:10 10.190.9.190 POST /PersonalizationServer/config.aspx - 80 - 10.191.101.13 AppSense+WinHttpClient - 401 2 5 15
2015-07-09 09:47:10 10.190.9.190 POST /PersonalizationServer/config.aspx - 80 <domain>\tst2 10.191.101.13 AppSense+WinHttpClient - 200 0 0 46
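
The correlation described above can be scripted. The following PowerShell is an added example, not part of the original post: it converts the EmMon timestamp to UTC and lists anonymous 401 challenges that were never followed by an authenticated request from the same client. The sample log lines, the IP addresses and the EXAMPLE\tst2 account are constructed, the function names are hypothetical, and the field order is read from the #Fields header instead of being assumed.

```powershell
# Added example. Constructed W3C log sample (documentation IP ranges); a real log
# under C:\inetpub\logs\LogFiles\W3SVC1 carries its own #Fields header.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-07-09 09:14:19 192.0.2.10 POST /PersonalizationServer/config.aspx - 80 - 198.51.100.21 AppSense+WinHttpClient 401 2 5 0
2015-07-09 09:47:10 192.0.2.10 POST /PersonalizationServer/config.aspx - 80 - 198.51.100.22 AppSense+WinHttpClient 401 2 5 15
2015-07-09 09:47:10 192.0.2.10 POST /PersonalizationServer/config.aspx - 80 EXAMPLE\tst2 198.51.100.22 AppSense+WinHttpClient 200 0 0 46
'@ -split '\r?\n'

function ConvertFrom-W3CLog {
    # Turns W3C extended log lines into objects, using the #Fields header for names.
    param([string[]]$Lines)
    $fields = $null
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ((-not $fields) -or ($line -match '^\s*(#|$)')) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # IIS writes W3C timestamps in UTC, so parse them as UTC.
        $row['utc'] = [datetime]::ParseExact("$($row['date']) $($row['time'])",
            'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture, $styles)
        [pscustomobject]$row
    }
}

function ConvertTo-IisUtc {
    # Converts a client-side local timestamp (as shown by EmMon) to the UTC used by IIS.
    # 'Romance Standard Time' is the Windows time zone id that covers Brussels.
    param([datetime]$LocalTime, [string]$TimeZoneId = 'Romance Standard Time')
    $tz = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    [System.TimeZoneInfo]::ConvertTimeToUtc([datetime]::SpecifyKind($LocalTime, 'Unspecified'), $tz)
}

function Find-UnansweredChallenge {
    # An anonymous 401 is the normal first leg of Windows authentication. It is only
    # suspicious when no request carrying a user name follows from the same client.
    param([object[]]$Entries, [int]$WindowSeconds = 5)
    $anonymous = $Entries | Where-Object { $_.'sc-status' -eq '401' -and $_.'cs-username' -eq '-' }
    foreach ($a in $anonymous) {
        $followUp = $Entries | Where-Object {
            $_.'c-ip' -eq $a.'c-ip' -and
            $_.'cs-uri-stem' -eq $a.'cs-uri-stem' -and
            $_.'cs-username' -ne '-' -and
            $_.utc -ge $a.utc -and
            ($_.utc - $a.utc).TotalSeconds -le $WindowSeconds
        }
        if (-not $followUp) {
            $a | Select-Object utc, 'c-ip', 'cs-uri-stem', 'sc-status', 'sc-substatus'
        }
    }
}

$entries = ConvertFrom-W3CLog -Lines $sample

# Step 1: translate the time shown in EmMon to the clock the IIS log uses.
$utc = ConvertTo-IisUtc -LocalTime '2015-07-09 11:14:20'
'EmMon 11:14:20 local = {0:HH:mm:ss} UTC' -f $utc

# Step 2: show what IIS logged within two seconds of that moment.
$entries |
    Where-Object { [math]::Abs(($_.utc - $utc).TotalSeconds) -le 2 } |
    Format-Table utc, 'c-ip', 'cs-username', 'sc-status' -AutoSize | Out-String

# Step 3: list challenges that never received an authenticated follow-up.
Find-UnansweredChallenge -Entries $entries | Format-Table -AutoSize | Out-String
```

To run it against a real log, replace `$sample` with `Get-Content` on the log file for the day in question.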

I compared my test account with the failing account. After some research I discovered that the token size of the failing account was too high:

The account that does not work:

  • Domain local groups: 248
  • Global groups: 144
  • Universal groups outside the domain: 0
  • Universal groups inside the domain: 2
  • Kerberos token size: 12288

My test account

  • Domain local groups: 23
  • Global groups: 13
  • Universal groups outside the domain: 0
  • Universal groups inside the domain: 0
  • Kerberos token size: 2224

If you also wish to analyze the token sizes in your domain, I suggest that you use the following article: http://www.jhouseconsulting.com/2013/12/20/script-to-create-a-kerberos-token-size-report-1041

By default the maximum token size of Windows is 12000 bytes. You can alter this number by configuring the MaxTokenSize registry key, but I would not suggest it because it brings extra complexity and slows down the logon process. If you wish to know more about tokens and token size, there is a very interesting article on the website of Windows IT Pro: http://windowsitpro.com/identity-management/care-and-feeding-active-directory-security-access-token

In case your environment needs to work with larger token sizes, here is what you’ll have to do:

  • On your endpoint and Personalization Servers, set the registry key HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize (DWord) to a value between 12000 and 48000
  • On your Personalization Servers, set the registry key HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxFieldLength (DWord) to a value of ((4/3) * MaxTokenSize)
  • On your Personalization Servers, set the registry key HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes (DWord) to a value of ((4/3) * MaxTokenSize)
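
The group counts listed earlier reproduce both token sizes with Microsoft's published estimate, TokenSize = 1200 + 40d + 8s. The following PowerShell is an added example, not part of the original post: it applies that estimate and reports, read-only, how the three registry values on the local machine compare with a chosen MaxTokenSize. The function names and the 48000 target are assumptions for illustration.

```powershell
# Added example. Estimate from Microsoft's token size guidance:
#   d = domain local groups + universal groups outside the account's domain (40 bytes each)
#   s = global groups + universal groups inside the account's domain       (8 bytes each)
#   1200 bytes of fixed overhead
function Get-EstimatedTokenSize {
    param([int]$DomainLocal, [int]$Global, [int]$UniversalOutside, [int]$UniversalInside)
    1200 + 40 * ($DomainLocal + $UniversalOutside) + 8 * ($Global + $UniversalInside)
}

function Get-TokenSizeSettingReport {
    # Read-only: compares the current registry values with what the list above asks for.
    param([ValidateRange(12000, 48000)][int]$MaxTokenSize = 48000)

    # The token travels base64-encoded in the HTTP Authorization header, hence 4/3.
    $httpLimit = [int][math]::Ceiling([double]$MaxTokenSize * 4 / 3)
    $targets = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
           Name = 'MaxTokenSize';    Wanted = $MaxTokenSize }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
           Name = 'MaxFieldLength';  Wanted = $httpLimit }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
           Name = 'MaxRequestBytes'; Wanted = $httpLimit }
    )
    foreach ($t in $targets) {
        $name = $t.Name
        $item = Get-ItemProperty -Path $t.Path -Name $name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$name } else { $null }
        [pscustomobject]@{
            Value   = $name
            Current = if ($null -eq $current) { '(not set)' } else { $current }
            Wanted  = $t.Wanted
            Action  = if ($null -ne $current -and $current -ge $t.Wanted) { 'ok' } else { 'set (DWord)' }
        }
    }
}

# The two accounts from this post.
$accounts = @(
    [pscustomobject]@{ Name = 'failing account'; DomainLocal = 248; Global = 144; UniversalOutside = 0; UniversalInside = 2 }
    [pscustomobject]@{ Name = 'test account';    DomainLocal = 23;  Global = 13;  UniversalOutside = 0; UniversalInside = 0 }
)

$accounts | ForEach-Object {
    $size = Get-EstimatedTokenSize -DomainLocal $_.DomainLocal -Global $_.Global `
        -UniversalOutside $_.UniversalOutside -UniversalInside $_.UniversalInside
    [pscustomobject]@{
        Account        = $_.Name
        EstimatedBytes = $size
        Over12000      = $size -gt 12000   # the limit quoted in this post
    }
} | Format-Table -AutoSize | Out-String

# Run on an endpoint and on each Personalization Server.
Get-TokenSizeSettingReport -MaxTokenSize 48000 | Format-Table -AutoSize | Out-String
```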

How to troubleshoot the logon process with AppSense EM tools

There are a lot of different scenarios that can happen when it comes to logon process, so I will take the example of this customer for the blogpost. A customer has some performance issues during logon. The good thing is that this customer just moved to the latest version of AppSense Environment Manager (8.6) and this version includes the latest EM tools which have a much improved view while debugging.

The first thing I have to do is select the endpoint on which I want to do my tests. I start to debug on an environment where I have no impact of other users, so I select a computer that is not being used by someone else. On that computer I install the EM tools, which can be found in the setup folder under \Software\Products\EnvironmentManagerTools64.msi. After the installation of those tools I look for the Client Logging Setup.

The easiest way to start with this tool is to just switch it on and keep the default values. By default it will write the “etl” log file under c:\logs. After that, I log on and off to the computer with my test user.

Now I will need the EmMon.exe tool to see what has happened. I browse for the etl-file, let it load and then click on “Analyze user-activity”.

This will open the analysis tool, but as you can see on the filter on the left, everything is switched on. You can see that the session I wish to analyze has a count of 2343 events. This is a bit too much information to start analyzing.

What I like to do now is “Deselect All”, and then only leave the “Pre-Desktop” trigger on and the “Policy Nodes”. Now I have 79 events left to analyze. And to make it easy to find the bottlenecks I sort the whole list by duration.

When I analyze the first 5 lines, I discover that all of those have something to do with file actions on the file server of the customer (the one taking more than 5 seconds only had to copy 350 kb). It then did not take me much time to discover that the disk activity and the wait time on the file server were exceptionally high.


Citrix XenApp 7.6 Published Applications – Sync Admin Folder with Client Folder

Since XenApp 7.6 Citrix introduced the possibility to have a folder structure in Citrix Studio for creating some structure in your massive amount of published applications.

However, this is used for administration purposes and is not visible as a folder structure in Storefront for the users.

If you would disable User Subscriptions to have all published applications visible in Storefront you would have a view like this by default:

In this view, it is possible to add categories to an application in order to create folders instead of a giant list of all your applications.

Here you have the possibility to add something like DEV or DEV\Microsoft Office.

The following PowerShell code will automatically copy the folder structure of your Studio console into those application categories, so that the graphical overview in Citrix Studio matches the view in Storefront. Of course you would need to run this code every time after you add a new application.

Get-BrokerApplication -AdminAddress "<controller address>" | ForEach-Object { Set-BrokerApplication $_ -ClientFolder $_.AdminFolderName }

Example after running the code:


Citrix Director shows no logon performance data and speeding up logon times

Recently I built a brand new XenApp 7.6 environment for one of our customers. During the testing phase I noticed Citrix Director was not showing any information regarding logon performance (Average logon duration).

There are a few posts describing the same problem on the Citrix support forums, but most of them were for older versions (7.1 or 7.5) of XenApp or XenDesktop, and none of them were providing a real solution.

When looking in the SQL database, both the ClientSessionValidateDate and InteractiveEndData columns from the MonitorData.Connection table were empty (NULL value) whilst other columns had correct values. Citrix Director uses the values in these columns to calculate logon duration.

After doing some research I learned that a process from Citrix User Profile Manager, which is installed by default when installing the XenApp/XenDesktop VDA, is responsible for monitoring the end of the logon process and registering these values in the database. This process, UpmUsrMsg.exe, is called from the Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).

This registry key dates from Windows NT 4.0 and earlier, and was used to create a customized list of programs that the system starts automatically after system start (or user logon, for values in HKCU).

Since the customer environment is restricted, we also restricted running applications from this registry key through the GPO setting ‘Disable legacy run list’ under Computer Configuration\Administrative Templates\System\Logon. (This setting also exists in the same location in User Configuration.)

As soon as I changed the policy setting ‘Disable legacy run list’ from ‘Enabled’ to ‘Not Configured’ and did a computer policy refresh, the XenDesktop VDA started registering the necessary values in the monitoring tables and a few minutes later Citrix Director was showing Logon Performance data!

Speeding up logon times

Since Windows 8, Microsoft introduced a delay of 5 to 10 seconds for starting up applications or executables at startup. Due to this delay the logon process takes longer than it should, and Director also shows longer logon times since the process responsible for measuring the end of the logon process is also started with a delay.

This delay can be removed by setting the registry value StartupDelayInMSec (REG_DWORD) to 0 in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize. If this key does not exist, it can be created manually.


Using session variables in AppSense Environment Manager

In AppSense EM policy configuration you can work with environment variables and session variables. Using variables enables you to add a more complex logic to your policy configuration than you would be able to achieve with default actions and conditions. While both can be set or deleted, environment variables can also be appended. The scope and lifetime of these variables also differs.

An environment variable is local to the operating system and saved in the registry. When set, it can be used inside the policy configuration (child actions and future triggers) but is also available to other programs.

Session variables are local to the policy configuration and only exist during the user’s session. You can compare it with a variable created in a PowerShell or Visual Basic script. It only exists during the execution of the script. They can be used anywhere inside Environment Manager and are particularly useful when used in custom actions and conditions. You can even use them in Windows Personalization. I prefer using session variables when a variable does not need to be persisted and also think it is a clean way to use variables inside a policy configuration.

Session variables in actions and conditions

In this part I would like to demonstrate how session variables can be used in actions and conditions. You first have to set the variable. From then on the variable exists and can be used.

I have created a small configuration that sets the “Department” variable and uses it to map the correct drive and printer.

First create the variable and give it a value according to the OU membership of a user. Because it is a session variable, nothing is written in the registry of the user.

After that I am able to use the “Department” variable in a “Map Drive” action. You can reference it by enclosing it in round brackets and preceding it with a $. In this case, drive E:\ is mapped to \\FileServer\sales if the user AD object is a member of the Sales OU or to \\FileServer\finance if the user is a member of the Finance OU.

You can also use session variables inside conditions. In the next example every user would get a specific printer depending on the department.

Starting with EM 8.5 you are able to insert session variables into a custom action or condition. This way you are able to import previously created session variables and modify their values.

In the next example I will log on as a user of the sales department. A custom action that imports and modifies the department session variable is launched. After that a second custom action will launch to show the session variable on condition that the value has changed.

To be able to show what happens I need to uncheck “Prevent script from running interactively” under options.

Then I need to insert the session variable into the script by clicking “Insert” and selecting the variable. Some PowerShell code is automatically added.

The department variable is altered by using following code:

$Temp = New-Object -ComObject "EmClient.SetValue"
$Temp.Name = "Department"
$Temp.Value = $Department
$Temp.Apply("")

I also need to add the PowerShell equivalent of “pause” to the end of the script to keep the PowerShell window open to see what has happened:

Write-Host
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
Write-Host

So the content of the custom action would look like this:

#============================================================
#EM Auto Generated Start
#This code was automatically inserted and should NOT be modified
import-module ((Get-ItemProperty 'HKLM:\SOFTWARE\AppSense\Environment Manager').ClientPath + 'EmCmdlet.dll')
#EM Auto Generated End
#============================================================
(Get-SessionVariable "Department")
$Department
$Department = "finance"
$Temp = New-Object -ComObject "EmClient.SetValue"
$Temp.Name = "Department"
$Temp.Value = $Department
$Temp.Apply("")
Write-Host
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
Write-Host

The second custom action only shows the value of $Department on condition it has been altered to finance.

So when all actions launch, the first PowerShell window is shown:

When I press a key, the next window is shown:

This shows the session variable has been changed and used in a condition.

Session variables and personalization

Another interesting application of session variables is in EM Windows Personalization. Using session variables in a condition on a Windows personalization group, you can switch personalization on or off depending on the value of the session variable.

The screenshot below shows the Windows Personalization group “Test” that personalizes “Taskbar” settings. A condition has been added to have personalization work on the condition that the variable Department has the value finance.

If the value is something else, personalization will not work for this group. Please note that if you want to prevent Windows Personalization from happening at logon using session variables, you will have to define the variable at the “Pre-Session” Trigger. Else it will only prevent personalization from happening at logoff.


Netscaler : Add a maintenance page for a website

A common request from customers during Citrix Netscaler reverse proxy and load balancing implementations is to show the visitors of a website a user-friendly maintenance or error page when the website is offline or manually put in maintenance mode. This can of course be handled by the application itself, but with the Netscaler appliances it is also possible to show a maintenance page hosted on the Netscaler itself. This can be used as a fallback regardless of the backend application.

This blog post will show one of the methods how this can be achieved.  In this method, we will use a dummy load balancing virtual server that is always responding with a maintenance page. The maintenance page itself is located on the Netscaler so no separate web server is required.

  1. Create a dummy Load Balancing service. The service can point to e.g. 1.1.1.1. The service will in reality never be used. The reason we need the dummy service is to make sure we have a dummy load balancing virtual server that is always UP. To make sure the Netscaler detects the service as UP, edit the service and disable health monitoring.

  2. Create a dummy Load Balancing Virtual Server. This virtual server does not need an IP address assigned, so choose “Non Addressable”.

  3. Bind the dummy service to the dummy LB Virtual Server.

  4. Create a responder action (AppExpert > Responder > Actions ).

  5. Responder action type= “Respond with HTML Page”. HTML Page = Create from Text/Html. (See below for examples)

  6. Create a responder policy with expression “true” and the just created action linked.

  7. Edit the dummy load balancing virtual server and assign the responder policy.

Now, for every ‘normal’ load balancing virtual server that is used by clients, the dummy load balancing virtual server can be assigned as the backup virtual server (using the ‘protection’ settings). As soon as all backend services are offline or the LB virtual server is disabled manually on the Netscaler, the Netscaler will respond with the configured HTML page.
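The seven GUI steps above, together with the backup virtual server assignment, expressed as NetScaler CLI commands. This is an added example, not part of the original post: all object names (`svc_maintenance`, `lbvs_maintenance`, `maintenance_page`, `act_maintenance`, `pol_maintenance`, `lbvs_web`) and the file name `maintenance.html` are hypothetical, and the HTML file is assumed to have been copied to /var/tmp on the appliance beforehand.

```netscaler
# Steps 1-3: dummy service that is always UP (health monitoring disabled),
# bound to a non-addressable dummy LB virtual server (0.0.0.0, port 0).
add service svc_maintenance 1.1.1.1 HTTP 80 -healthMonitor NO
add lb vserver lbvs_maintenance HTTP 0.0.0.0 0
bind lb vserver lbvs_maintenance svc_maintenance

# Steps 4-5: import the maintenance page (assumed to be /var/tmp/maintenance.html)
# and create a responder action that answers with it.
import responder htmlpage local:maintenance.html maintenance_page
add responder action act_maintenance respondwithhtmlpage maintenance_page

# Steps 6-7: a policy that always matches, bound to the dummy virtual server.
add responder policy pol_maintenance true act_maintenance
bind lb vserver lbvs_maintenance -policyName pol_maintenance -priority 100 -gotoPriorityExpression END -type REQUEST

# Assign the dummy virtual server as backup for a production virtual server
# (lbvs_web is a placeholder for an existing LB virtual server).
set lb vserver lbvs_web -backupVServer lbvs_maintenance

# Verify: the production vserver should list the backup vserver, and the
# policy hit counter should increase while the maintenance page is being served.
show lb vserver lbvs_web
show responder policy pol_maintenance
```

Because the dummy virtual server has no IP address, clients can only reach the maintenance page through a virtual server that names it as backup.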

 

Here are some example HTML pages that can be fully customized to your liking. To simplify hosting the HTML pages on the Netscaler, the images are embedded in the HTML code using Base64 encoding. The examples can be saved as .HTML files, edited and uploaded to the Netscaler.

Example 1 : Download Link (txt format)

 


Example 2 : Download Link (txt format)


Example 3 : Download Link (txt format)



Configuring Trend Micro Deep Security Agent on a PVS Golden Image

Configuring an Anti-Virus product on a Golden Image always requires some special attention. Various problems can occur when such a product is installed in a Golden Image using default options. The booted target devices can show up multiple times in the Anti-Virus management console, or they can end up inactivated and thus unprotected.

To resolve such issues, each target device booted from a Golden Image needs to have a unique ID towards the AV management product. How this is achieved depends on the product itself. Some products need to have some registry keys, files or computer certificates deleted before ‘sealing’ the Golden Image.

Trend Micro Deep Security Agent (version 9.5.2754 was used in this case) uses a different approach. After the Anti-Virus agent has been installed, it needs to be activated on a per-computer basis. This can be done manually in the management console of the product. Obviously, in a VDI/SBC environment this is not ideal. For such environments, the activation can be executed from the Anti-Virus client side.

To allow the product to have unique devices in the console, the activation needs to occur after the Golden Image has been sealed when a device is booted in standard mode. Using this method, activation of the Anti-Virus product occurs at each boot. The devices will appear unique, and only once, in the console.

Using our deployment framework (Raido Taskflow) we configured this as such:

Installation of the Agent: (Deployment flow)

The product was installed using a normal msi installation during the deployment flow. This is executed during the build of the Golden Image.

Activation of the Agent:

The activation is a command which is executed during the startup flow. It is a batch file which contacts the Anti-Virus management server over a specific protocol (dsm://). The action is executed by default.


When the VDisk is in Private Mode, the command is not executed. This is achieved by configuring an override “Private mode” on the “Default” action which unticks the “Enabled” flag. The Anti-Virus client won’t be activated in Private mode.


Using this approach, the Deep Security Agent is installed and configured correctly in an automated way.


Persisting black screen at ICA logon

During a recent XenApp 7.5 / PVS 7.1 implementation we had to upgrade the PVS Target device software.

After the reverse imaging/upgrade/imaging of the vdisk, we ran into the following issue. When starting an ICA session, the session was showing up in Task Manager, but the Receiver showed a persisting black screen.



Citrix Receiver for Mac can have keyboard layout issues

It is known that the Apple keyboard layout is different from the Windows keyboard layout. This can cause unexpected behavior when connecting from an Apple Mac device to a Citrix XenApp/XenDesktop session. When installing the Citrix Receiver, the default behavior for the keyboard layout is pass-through, which makes the keyboard in the Citrix session the same as that of the client. There are two unexpected behaviors:

  1. Connecting to a new session

Most of the keyboard keys will be in the same keyboard layout as on the client, except for some punctuation. You can notice this in the language bar of your session (it will show EN). The IBM AS400 Client Access Emulator only checks the language settings in the control panel, so this will always be English.

  2. Connecting to an existing session initiated from a Windows client

The keyboard layout changes to English, even though the language bar shows your normal language. The IBM AS400 Client Access Emulator only checks the language settings in the control panel, so this will always be English. A workaround is to change the language in the language bar to EN, and you will have the same keyboard layout as the client, except for the IBM AS400 Client Access Emulator.


Troubleshooting an App-V issue on a PVS image

During a recent application implementation project, we ran into the following issue. Some App-V applications, which were installed locally in the PVS image, were unable to start or were throwing various error messages. One of the applications showing errors was the MS Office (Word, Excel, Powerpoint) viewer. The error thrown at startup of the application was the following: “The operating system is not presently configured to run this application.”

The App-V client was 5.0 SP2, but App-V 5.0 SP3 was also used as a troubleshooting step. The PVS target devices were configured as such:


Error for reused Windows logon name in Personalization

When a Windows logon name is reused, that user won’t be able to access the AppSense Self Service Portal. The user will receive the message “The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.”.

The reason is that when a user is deleted from Active Directory, that user will still exist in the AppSense database, even if we delete all the personalization data for that user.
When a new user is created with the same Windows Logon Name as the deleted user, AppSense will create a second entry in its database with LoginName “username (2)”. For that user to be able to access the Self Service Portal, we have to delete the old user from the User table in the AppSense personalization database.


Whitepaper AppSense DesktopNow Versus RES Workspace Manager


AppSense DesktopNow and RES Workspace Manager are competing products to virtualize the user environment. At Raido we created 2 environments, one with AppSense and one with RES. Then we created a head to head battle to understand the flaws and the strengths of both products. This document describes our findings and intends to compare both products. It will help you in making an informed choice. The document only focuses on the technical differences, it does not take any financial, contractual or other parameters into account.

The document contains the following chapters:


Citrix Provisioning Server – Cache in device RAM with overflow on hard disk statistics

Last year Citrix released two blogs about the (relatively) new “cache in device RAM with overflow on hard disk” feature:

In these blogs Citrix talks about the performance gain you get when configuring the write cache in RAM with overflow on disk. It was already possible to configure the write cache in RAM (without overflow), but the downside to this write cache type was that you could not configure the amount of RAM used for this. When RAM was completely full, the target device would have a blue screen of death. The memory used for write cache is not available for the system and not given back when freed. Also, the new driver architecture created for the new cache to RAM write cache type appears to be a lot faster than the old cache to RAM write cache type.
