ServicePrincipal Name how to register after event id 1067

April 18, 2018

Sometimes you boot a member server, e.g. a Terminal Server, but the Domain Controller (DC) is not available (rebooting, shutting down, etc.) and you only have one DC (not a good idea, BTW). What can happen if the DC is not up during the registration of the Terminal Server with the DC? You can probably log on to the server via the console but not via RDP. If you open the Event Viewer logs on the Terminal Server, you will see the following warning:

Event Id 1067 Log Name: System
Source: Terminal Services-Remote Connection Manager
“The RD Session Host server cannot register ‘TERMSERV’ Service Principal Name to be used for server authentication. The following error occurred. The specified domain either doesn’t not exist or could not be contacted”

You then try to register the SPN using the CLI command:

setspn -A ServicePrincipalName host (where ServicePrincipalName is the SPN to register and host is the name of the terminal server), and then press ENTER.

For example, to register the SPN for ServerA, type the following at the command prompt: setspn -A TERMSERV/ServerA ServerA

You may get the following error:

***

Ldap Error<0x51 — Server Down> ldap_connect

Failed to retrieve DN for domain “” : 0x00000051 Warning: No valid targets specified, reverting to current domain.

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account ServerA

***

SOLUTION:

You need first to flush the DNS:

ipconfig /flushDNS

followed by the same command as before:

setspn -A TERMSERV/ServerA ServerA

Result: This time it should register successfully:

“Registering ServicePrincipalNames for CN=ServerA, OU=2012R2-VDAs,DC=MyDomain,DC=COM
TERMSERV/ServerA
updated object”
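The same recovery as a script, added here as an example (not part of the original post): it counts the 1067 warnings since boot, refuses to run setspn until a DC answers, flushes DNS, registers the SPN only if it is missing, and then queries the forest for duplicates. Run it elevated on the RD Session Host; the server name defaults to the local computer.

```powershell
# Added example, not from the original post. Run elevated on the RD Session Host
# after the 1067 warning; $Server is assumed to be the local computer name.
function Repair-TermservSpn {
    param([string]$Server = $env:COMPUTERNAME)
    $spn = "TERMSERV/$Server"

    # 1. How often has Event ID 1067 fired since the last boot?
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1067; StartTime = $boot } `
                         -ErrorAction SilentlyContinue
    Write-Host ("Event 1067 since boot: {0}" -f @($hits).Count)

    # 2. Do not bother with setspn until a DC answers; the 0x51 / 0x525 errors
    #    shown in the post both mean "no domain controller reachable".
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    nltest /dsgetdc:$domain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "No domain controller reachable for $domain; fix DC/DNS first" }

    # 3. Flush stale resolver entries, then register only if the SPN is missing
    ipconfig /flushdns | Out-Null
    $registered = setspn -L $Server
    if ($registered -match [regex]::Escape($spn)) {
        Write-Host "$spn already registered on $Server"
    } else {
        setspn -A $spn $Server
    }

    # 4. Verify and look for duplicates across the forest: a duplicate SPN makes
    #    the KDC issue a ticket for the wrong account and server authentication fails.
    setspn -Q $spn
}
Repair-TermservSpn
```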


Citrix StoreFront WCF Windows Communication Foundation (WCF) and Net.TCP Port Sharing

April 12, 2018

WCF (Windows Communication Foundation) is a new framework for building service-oriented applications. Using WCF, you can send data as asynchronous messages from one service endpoint to another.

WCF provides a new TCP-based network protocol (net.tcp://) for high-performance communication. WCF also introduces a new system component, the Net.TCP Port Sharing Service, that enables net.tcp ports to be shared across multiple user processes.

Citrix StoreFront leverages WCF. Some StoreFront services take advantage of Net.TCP Port Sharing; one of them is the Citrix Credential Wallet service.

See this Citrix CTX article for a typical use case:

https://support.citrix.com/article/CTX205170 – Credential Wallet Service Will Not Start

Pasted:

Symptoms or Error
In Services, the Citrix Peer Resolution Service and the Citrix Credential Wallet services would not start.

Solution
In Local Users and Groups > Groups, right-click on Administrators and choose Properties.
Verify that the following accounts are listed:
– NT SERVICE\CitrixClusterService
– NT SERVICE\CitrixConfigurationReplication
If they are not, then add them.
Go to Services and attempt to restart the Citrix Peer Resolution Service and Citrix Credential Wallet services.
If they still do not start, run the following command on the server(s):
sc.exe config NetTcpPortSharing start= demand
Go to Services and once more attempt to restart the Citrix Peer Resolution Service and the Citrix Credential Wallet services.
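The CTX205170 steps automated in PowerShell, added here as an example (not from the Citrix article). It assumes the service display names given in the article and that it runs elevated on the StoreFront server.

```powershell
# Added example, not from the Citrix article. Run elevated on the StoreFront server.
# Service display names are assumed from CTX205170.
function Repair-StoreFrontNetTcp {
    $required = 'NT SERVICE\CitrixClusterService', 'NT SERVICE\CitrixConfigurationReplication'
    $members  = net localgroup Administrators | ForEach-Object { $_.Trim() }   # one member per line
    foreach ($acct in $required) {
        if ($members -notcontains $acct) {
            Write-Host "Adding $acct to Administrators"
            net localgroup Administrators "$acct" /add | Out-Null
        }
    }

    # Net.TCP Port Sharing must not be Disabled, otherwise no net.tcp:// listener can bind.
    # Manual is the PowerShell equivalent of "sc.exe config NetTcpPortSharing start= demand".
    $ps = Get-Service NetTcpPortSharing
    if ($ps.StartType -eq 'Disabled') {
        Set-Service NetTcpPortSharing -StartupType Manual
        Write-Host 'NetTcpPortSharing start type set to Manual (demand)'
    }

    foreach ($name in 'Citrix Peer Resolution Service', 'Citrix Credential Wallet') {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Host "$name not found on this server"; continue }
        if ($svc.Status -ne 'Running') { Start-Service -InputObject $svc }
        Write-Host "$name : $((Get-Service -DisplayName $name).Status)"
    }
}
Repair-StoreFrontNetTcp
```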

 

More about WCF

While creating such applications was possible prior to the existence of WCF, WCF makes the development of endpoints easier than ever. In summary, WCF is designed to offer a manageable approach to creating Web services and Web service clients.

Features of WCF

WCF includes the following set of features. For more information, see WCF Feature Details.

Other URL links:

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing

 

to be continued on another post…

SSL connection between Citrix Delivery Controllers and VDA’s with Receiver for HTML 5 or not

March 8, 2018

We live in a very insecure World…wide web. Therefore the Internet police academy created something called SSL (Secure Sockets Layer), which is “a protocol which creates a secure connection between a client and the server over which to send information” (source: Lea Pachta).

In a Citrix environment you launch resources (desktops and applications) via a client-server model. The client is usually a Windows endpoint device (Windows 7, 8.1 or Windows 10), a Mac, a Linux desktop, a thin client device with Windows Embedded or not (ThinOS), or even a “Zero Client”, and some mobile devices (primarily iOS and Android). In order for a client to launch the resources hosted on a server, you need to install client software called Citrix Receiver. The Citrix Receiver (CR) client software is responsible for connecting to the server OS (and also desktop OS) using an ICA file sent via a web server (StoreFront for internal connections and NetScaler for external connections). The CR software is also in charge of opening, on the client side, the virtual channels needed for the communication flow between server and client. There are 32+ virtual channels. The most important ones are keyboard, mouse and video display, but other channels include print, audio, USB, etc. Another explanation, coming from the horse’s mouth, is “A virtual channel consists of a client-side virtual driver that communicates with a server-side application” (source: CTX116890).

There may be situations in which the end user is unable to install the CR on the endpoint device (locked-down environments, kiosk devices, unsupported OS, etc.). For these situations, Citrix developed a “clientless” Receiver solution, nicknamed “Receiver for HTML 5”. Basically the way it works is this: when an end user connects to a Citrix web server (nowadays called a “StoreFront” server) via a URL and the client doesn’t have the CR software installed, StoreFront queries the client and, if it doesn’t detect the CR software, automatically activates the Receiver for HTML 5 client (if you configured your StoreFront server to “fall back” to Receiver for HTML 5 (R4H5)). This clientless Receiver is actually an executable stored on the StoreFront server. It is a Java-based client and will basically encapsulate all the traffic coming from the endpoint device to the server and vice versa. The R4H5 is periodically updated by Citrix. As of March 2018, when this post is being written, the current R4H5 version is 2.6.4. You can check the current version here. Now the fun part.

I could write you a long story about securing an ICA connection using R4H5, but since I am lazy and ignorant, I am going to point you to a “must read” blog post from a guy named “Spiers”. It is called “Secure ICA connection to VDA using SSL”.

 

Now that you are an expert on securing the connection between your Delivery Controller and your VDA, you can also review this Citrix documentation on the same:

SSL Configuration on VDA

How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic

We will revisit this topic in another post. There is so much to talk about when securing connections in a Citrix environment; this is only the tip of the iceberg.

Cheers!

 

Using Netsh command to view TCP Chimney Offload in the operating system

February 26, 2018

TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer (source: Microsoft)

How to configure TCP Chimney Offload in the operating system

  • To enable TCP Chimney Offload, follow these steps:
    1. Use administrative credentials to open a command prompt.
    2. At the command prompt, type the following command, and then press ENTER:
      netsh int tcp set global chimney=enabled
  • To disable TCP Chimney Offload, follow these steps:
    1. Use administrative credentials to open a command prompt.
    2. At the command prompt, type the following command, and then press ENTER:
      netsh int tcp set global chimney=disabled
  • To determine the current status of TCP Chimney Offload, follow these steps:
    1. Use administrative credentials to open a command prompt.
    2. At the command prompt, type the following command, and then press ENTER:
      netsh int tcp show global

These are the results on Windows 10 version 1709 OS Build 16.299.248:

[Screenshot: netsh command output showing the Chimney Offload state]

 

On another note

The registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters will display the Tcpip parameters:

[Screenshot: Tcpip parameters]

 

Further inside the Tcpip key you can see the same information and more details about the DHCP stack associated with the interface ID:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03dc51ef-d26e-4e33-9c84-319046c9c133}

where the long number starting with 03dc… is the interface ID of the NIC. The registry key will display the DHCP information of the card in use:

[Screenshot: DHCP domain]

Additional recommended reading on the topic: https://support.microsoft.com/en-us/help/951037/information-about-the-tcp-chimney-offload-receive-side-scaling-and-net
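The netsh query and the per-interface registry walk from this post combined into one script, added as an example (not from the original post). It assumes it runs elevated; the Dhcp* value names it reads (DhcpIPAddress, DhcpServer, DhcpDomain, DhcpNameServer, LeaseTerminatesTime) are the standard values under each Interfaces\{GUID} key.

```powershell
# Added example, not from the original post. Run elevated. Shows the Chimney Offload
# line from "netsh int tcp show global", then the DHCP values stored per interface GUID
# under Tcpip\Parameters\Interfaces, which is what the post's screenshots show.
function Get-TcpOffloadAndDhcpInfo {
    $global  = netsh int tcp show global
    $chimney = $global | Select-String 'Chimney Offload State'
    if ($chimney) { Write-Host $chimney.Line.Trim() }
    else          { Write-Host 'Chimney Offload State not reported by this OS build' }

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Only adapters that actually obtained a lease carry meaningful Dhcp* values
        if ($p.EnableDHCP -eq 1 -and $p.DhcpIPAddress -and $p.DhcpIPAddress -ne '0.0.0.0') {
            $lease = if ($p.LeaseTerminatesTime) {
                # stored as Unix seconds
                [DateTimeOffset]::FromUnixTimeSeconds($p.LeaseTerminatesTime).LocalDateTime
            }
            [pscustomobject]@{
                InterfaceId = $_.PSChildName   # the {GUID} from the post
                Address     = $p.DhcpIPAddress
                DhcpServer  = $p.DhcpServer
                DhcpDomain  = $p.DhcpDomain
                NameServer  = $p.DhcpNameServer
                LeaseEnds   = $lease
            }
        }
    }
}
Get-TcpOffloadAndDhcpInfo | Format-Table -AutoSize
```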

List of Hotfixes for 2008 R2 Servers with RDS Role installed applicable for Citrix environments

November 7, 2017

KB2775511 – KB2647753 – KB2871131 – KB2728738

KB2896256 – KB2778831 – KB2748302 – KB2908190

KB2920289 – KB917607 – KB3014783 – KB2878084 (conn-disc)

 

Reference Document: https://support.citrix.com/article/CTX129229
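A check that reports which of the hotfixes listed above are missing from a host, added here as an example (not from the post or from CTX129229). It assumes Get-HotFix can reach the target; the KB numbers are exactly those listed in the post.

```powershell
# Added example, not from the post or CTX129229. Lists which of the hotfixes above are
# missing on a 2008 R2 RDS host; pass -ComputerName to check a remote server.
function Get-MissingRdsHotfix {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $expected = 'KB2775511','KB2647753','KB2871131','KB2728738',
                'KB2896256','KB2778831','KB2748302','KB2908190',
                'KB2920289','KB917607','KB3014783','KB2878084'
    # Get-HotFix reads Win32_QuickFixEngineering; a fix delivered inside a later
    # rollup may appear under a different KB number, so confirm "missing" before acting.
    $installed = (Get-HotFix -ComputerName $ComputerName).HotFixID
    $expected | Where-Object { $installed -notcontains $_ }
}
$missing = Get-MissingRdsHotfix
if ($missing) { "Missing: $($missing -join ', ')" } else { "All listed hotfixes are installed" }
```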

How to enable Host to Client redirection for Server 2012 R2 VDA on XenApp 7.x

August 16, 2017

These are the essential steps:

  1. Enable the Citrix Studio policy Host to Client Redirection (on the Delivery Controller)
  2. Copy the reg file content further below into a Notepad text file to generate a .reg file (on the Server VDA)
  3. Copy the XML content further below into a Notepad text file to generate an .xml file (on the Server VDA)
  4. Run gpupdate /force from an elevated CMD prompt (on the Server VDA)
  5. To test, publish the ICA Desktop for the Server VDA
  6. Launch the SVDA and open a WordPad document
  7. Type http://www.google.com and click on it
  8. It will open the website in the local browser where you launched the ICA Desktop
  9. If it did, congratulations! You are done!

Variation:

Let’s say you want to open two web sites on the client and all other websites on the Server VDA. That is simple:

  1. Log on to the Server VDA (via RDP or hypervisor console) and open the registry
  2. Create this key: HKLM\Software\Wow6432Node\Citrix\SFTA
  3. Create a value of type REG_MULTI_SZ with the name ValidSites
  4. Click on Modify and type http://www.google.com or *.google.com, and also type msn.com
  5. Note: make sure you completed steps 1 to 9 above before creating this variation
  6. Repeat steps 6 to 9 above; both sites (google and msn) will open locally on the client
  7. If you type a different site in your WordPad document, e.g. cnn.com, it should open on the SVDA
  8. If it did, congratulations! You just completed a “white list” variation with 2 sites.
  9. Citrix calls it: “Enable host to client redirection for a specific set of web sites”

Source: Citrix E-Docs

Reg file to be created as described in step 2 of the “Essential steps” above

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ServerFTAHTML\shell\open\command]
@="\"C:\\Program Files (x86)\\Citrix\\system32\\iexplore.exe\" %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ServerFTA]
@="ServerFTA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ServerFTA\Capabilities]
"ApplicationDescription"="Server FTA URL."
"ApplicationIcon"="C:\\Program Files (x86)\\Citrix\\system32\\iexplore.exe,0"
"ApplicationName"="ServerFTA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ServerFTA\Capabilities\URLAssociations]
"http"="ServerFTAHTML"
"https"="ServerFTAHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"Citrix.ServerFTA"="SOFTWARE\\Citrix\\ServerFTA\\Capabilities"

  1. Copy and paste the text above into a Notepad file in the Server VDA
  2. Save the Notepad file with “Save As” as type All Files and the name ServerFTA.reg.
  3. Double click the ServerFTA.reg file on the Server VDA to import into its registry
  4. You are done with this part

 

XML file to be created as described in step 3 of the “Essential steps” above

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
<Association Identifier="http" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
<Association Identifier="https" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
</DefaultAssociations>

  1. Copy and paste the text above into a Notepad file in the Server VDA
  2. Save the Notepad file with “Save As” as type All Files and the name ServerFTAdefaultPolicy.xml.
  3. The XML file should be saved into the Windows\System32 folder on the SVDA
  4. From the Group Policy Management Console, navigate to: Computer Configuration > Administrative Templates > Windows Components > File Explorer > Set a default associations configuration file, and provide the ServerFTAdefaultPolicy.xml file you created.
  5. You are done with this part too!
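The registry part, the XML file and the ValidSites whitelist from the “Variation” section as one PowerShell script, added here as an example (not from Citrix E-Docs). It assumes it runs elevated on the Server VDA and that the Citrix iexplore.exe shim lives at the path used in the .reg file above; the two whitelisted sites are a constructed sample.

```powershell
# Added example, not from Citrix E-Docs. Run elevated on the Server VDA. Writes the same
# keys as the ServerFTA.reg file (HKCR maps to HKLM\SOFTWARE\Classes for machine-wide
# associations), drops the default-associations XML, and sets the SFTA ValidSites whitelist.
$ie  = 'C:\Program Files (x86)\Citrix\system32\iexplore.exe'
$fta = 'HKLM:\SOFTWARE\Citrix\ServerFTA'
$cap = "$fta\Capabilities"

New-Item 'HKLM:\SOFTWARE\Classes\ServerFTAHTML\shell\open\command' -Force | Out-Null
Set-ItemProperty 'HKLM:\SOFTWARE\Classes\ServerFTAHTML\shell\open\command' -Name '(default)' -Value "`"$ie`" %1"

New-Item $fta -Force | Out-Null
Set-ItemProperty $fta -Name '(default)' -Value 'ServerFTA'

New-Item $cap -Force | Out-Null
Set-ItemProperty $cap -Name ApplicationDescription -Value 'Server FTA URL.'
Set-ItemProperty $cap -Name ApplicationIcon        -Value "$ie,0"
Set-ItemProperty $cap -Name ApplicationName        -Value 'ServerFTA'

New-Item "$cap\URLAssociations" -Force | Out-Null
Set-ItemProperty "$cap\URLAssociations" -Name http  -Value 'ServerFTAHTML'
Set-ItemProperty "$cap\URLAssociations" -Name https -Value 'ServerFTAHTML'

# Registers the app with Windows so the default-associations policy can pick it
Set-ItemProperty 'HKLM:\SOFTWARE\RegisteredApplications' -Name 'Citrix.ServerFTA' `
                 -Value 'SOFTWARE\Citrix\ServerFTA\Capabilities'

# XML for the GPO "Set a default associations configuration file" (step 4 above)
@'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
<Association Identifier="http" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
<Association Identifier="https" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
</DefaultAssociations>
'@ | Set-Content "$env:SystemRoot\System32\ServerFTAdefaultPolicy.xml" -Encoding UTF8

# Variation: only these sites open on the client; everything else stays on the VDA.
$validSites = '*.google.com', 'msn.com'   # constructed sample list
New-Item 'HKLM:\SOFTWARE\Wow6432Node\Citrix\SFTA' -Force | Out-Null
Set-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Citrix\SFTA' -Name ValidSites `
                 -Value $validSites -Type MultiString

gpupdate /force
```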

 

Additional notes:

  • If the server VDA is Windows Server 2008 R2 SP1, you do not need to set registry keys or Group Policy.
  • If the server VDA is Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016, you must set registry keys and Group Policy on the Server VDA (as described in this blog post)
  • This blog post is our version of the official Citrix E-Docs. This blogger tested the above steps and they worked fine in a lab environment
  • Good luck testing and using it!

 

Notes from an App Layering presentation

June 6, 2017

The user layer is married to the OS layers

It is a stack of image templates.

When you publish it all you get is a single VHD image

The elastic layer doesn’t show up until user logs on

We only track the ID of the OS layer

Elastic Layer will work on Windows 7 build 1507 and Windows 7 build 1603

Layers  have an intrinsic priority

The Elastic Layer assigned app has a unique priority based on the P# or Package ID #

App layer is above  NTFS level

PVS is below NTFS level

CLI command: FLTMC will list the filter drivers:

  • FSDepends
  • UPMjit (UPM driver)
  • Unitfltr

Version 12.1.6 – It is the most recent version of Symantec EP tested. Version 14 has not been tested

VHD is read in the context of the user

It has Elastic layer but no user layer

Once our filter driver is in we add a 2nd partition

The user writable partition is 10 gb

Unidesk has some internal tools, but we also need to know what kind of ammunition our clients have, meaning what tools are available to them.

Muting the camera shutter in the Iphone 7

April 9, 2017

It appears that it is illegal to turn off the shutter when you take a picture using a digital phone in the US; I have read that the law states that cell phones containing digital cameras must make a sound when taking a picture (need validation) but there are two easy ways to minimize the annoyance of the shutter:

  1. Put your phone in Mute
  2. Lower the volume to the lowest possible settings

There you have it!

 

Some components of the Logon process in RDS/Citrix environments

January 30, 2017

smss.exe – Session Manager subsystem – As the name suggests, this process is in charge of managing session creation and logoff

Winlogon – “Winlogon handles interface functions that are independent of authentication policy. It creates the desktops for the window station, implements time-out operations, and provides a set of support functions for the GINA.” source: Microsoft MSDN

userinit.exe ( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ): it specifies the programs that Winlogon runs when a user logs on. (https://technet.microsoft.com/en-us/library/cc939862.aspx)

mpnotify.exe ( C:\WINDOWS\system32\mpnotify.exe ): is responsible for loading network providers including the single sign on network provider (pnsson.dll) for the ICA client.

These are not the only processes invoked during the logon process.
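A defender's check of the Winlogon chain described above, added as an example (not from the original post): it reads the Userinit and Shell values under the Winlogon key the post names and verifies the mpnotify.exe binary, flagging anything beyond the stock logon chain. The stock values it compares against are Windows defaults; an environment with a legitimate Userinit addition should adjust the baseline.

```powershell
# Added example, not from the original post. Reads the Winlogon values named above and
# reports deviations from the stock logon chain (extra Userinit entries, a replaced Shell,
# an unsigned mpnotify.exe), which is where logon-time persistence usually lands.
function Test-WinlogonChain {
    $wl  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sys = $env:SystemRoot.ToLower()
    $findings = @()

    # Userinit is comma-separated; the stock value is "<SystemRoot>\system32\userinit.exe,"
    # and every extra entry is executed by Winlogon at each interactive logon.
    $entries = @($wl.Userinit -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    if ($entries.Count -eq 0) { $findings += 'Userinit value missing' }
    foreach ($e in $entries) {
        if ($e -ne "$sys\system32\userinit.exe") { $findings += "Userinit extra entry: $e" }
    }

    # Shell should be explorer.exe unless you deliberately run a replacement shell
    if ($wl.Shell -and $wl.Shell.ToLower() -ne 'explorer.exe') {
        $findings += "Shell changed: $($wl.Shell)"
    }

    # mpnotify.exe loads network providers (including the ICA SSO provider); it should be
    # the Microsoft-signed binary in System32.
    $mp  = "$env:SystemRoot\system32\mpnotify.exe"
    $sig = Get-AuthenticodeSignature $mp
    if ($sig.Status -ne 'Valid') { $findings += "mpnotify.exe signature: $($sig.Status)" }

    if ($findings.Count -eq 0) { 'Winlogon chain matches the stock baseline' } else { $findings }
}
Test-WinlogonChain
```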

 


The three types of caches used by IE 10 and IE 11 on Windows 8 and later and Saved Passwords in IE

January 7, 2017

IE 10 and 11 have three types of cache to be aware of:

#1 AppData\Local\Microsoft\Windows\INetCache (temporary Internet files)

#2 AppData\Local\Microsoft\Windows\WebCache (IE browser cache)

#3 Password folders

#1 The Temporary Internet Files for Windows 8 and later are located here:

AppData\Local\Microsoft\Windows\INetCache

This folder contains all the temporary Internet files from Microsoft Windows computers. It contains files – such as images, HTML pages, executable and script files – that Internet Explorer has downloaded from websites visited by the user.

#2 The WebCache is located here: AppData\Local\Microsoft\Windows\WebCache

It contains the browser cache history and it can grow in size very rapidly.

To delete the cache history you can use the Ctrl-Shift-Delete to open the browsing history window

For a complete list of items in the cache check this Microsoft article.

#3 Password folders –  Internet Explorer contains folders related to Saved passwords

These are the folders for the passwords:

AppData\Local\Microsoft\Credentials
Appdata\Roaming\Microsoft\Credentials
Appdata\Roaming\Microsoft\Crypto
Appdata\Roaming\Microsoft\Protect
Appdata\Roaming\Microsoft\SystemCertificates
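A size report over the cache and credential locations listed above, added as an example (not from the original post). It runs as the user whose profile you are inspecting and resolves the AppData paths from that user's environment; the WebCache folder is the one to watch when a roaming or Citrix profile bloats.

```powershell
# Added example, not from the original post. Sizes the IE cache and credential folders
# listed above for the current user; WebCache is usually the one that grows fastest.
function Get-IeCacheSize {
    $paths = [ordered]@{
        'INetCache (temporary Internet files)' = "$env:LOCALAPPDATA\Microsoft\Windows\INetCache"
        'WebCache (browser cache/history)'     = "$env:LOCALAPPDATA\Microsoft\Windows\WebCache"
        'Credentials (local)'                  = "$env:LOCALAPPDATA\Microsoft\Credentials"
        'Credentials (roaming)'                = "$env:APPDATA\Microsoft\Credentials"
        'Crypto'                               = "$env:APPDATA\Microsoft\Crypto"
        'Protect (DPAPI master keys)'          = "$env:APPDATA\Microsoft\Protect"
        'SystemCertificates'                   = "$env:APPDATA\Microsoft\SystemCertificates"
    }
    foreach ($label in $paths.Keys) {
        $p = $paths[$label]
        if (-not (Test-Path $p)) { continue }
        # -Force is needed: these folders are hidden/system and some files are in use
        $sum = Get-ChildItem $p -Recurse -Force -File -ErrorAction SilentlyContinue |
               Measure-Object -Property Length -Sum
        [pscustomobject]@{
            Location = $label
            Path     = $p
            Files    = $sum.Count
            MB       = [math]::Round(($sum.Sum / 1MB), 1)
        }
    }
}
Get-IeCacheSize | Format-Table -AutoSize
```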