How to enable Host to Client redirection for Server 2012 R2 VDA on XenApp 7.x

August 16, 2017

These are the essential steps:

  1. Enable the Citrix Studio policy “Host to Client Redirection” (on the Delivery Controller)
  2. Copy the reg file text further below into a Notepad text file to generate a .reg file (on the Server VDA)
  3. Copy the XML text further below into a Notepad text file to generate an .xml file (on the Server VDA)
  4. Run gpupdate /force from an elevated CMD prompt (on the Server VDA)
  5. To test, publish the ICA Desktop for the Server VDA
  6. Launch the SVDA desktop and open a WordPad document
  7. Type http://www.google.com and click on it
  8. It will open the website in the local browser on the client where you launched the ICA Desktop
  9. If it did, congratulations! You are done!

Variation:

Let’s say you want to open two websites on the client and all other websites on the Server VDA. That is simple:

  1. Log on to the Server VDA (via RDP or the hypervisor console) and open the registry
  2. Create this key: HKLM\Software\Wow6432Node\Citrix\SFTA
  3. Create a value of type REG_MULTI_SZ named ValidSites
  4. Click Modify and type http://www.google.com or *.google.com; also type msn.com
  5. Note: make sure you completed steps 1 to 9 above before creating this variation
  6. Repeat steps 6 to 9 above; both sites (google and msn) will open locally on the client
  7. If you type a different site in WordPad, e.g. cnn.com, it should open on the SVDA
  8. If it did, congratulations! You just completed a “white list” variation with 2 sites.
  9. Citrix calls it “Enable host to client redirection for a specific set of web sites”

Source: Citrix E-Docs

Reg file to be created as described in step 2 of the “Essential steps” above

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ServerFTAHTML\shell\open\command]
@="\"C:\\Program Files (x86)\\Citrix\\system32\\iexplore.exe\" %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ServerFTA]
@="ServerFTA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ServerFTA\Capabilities]
"ApplicationDescription"="Server FTA URL."
"ApplicationIcon"="C:\\Program Files (x86)\\Citrix\\system32\\iexplore.exe,0"
"ApplicationName"="ServerFTA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ServerFTA\Capabilities\URLAssociations]
"http"="ServerFTAHTML"
"https"="ServerFTAHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"Citrix.ServerFTA"="SOFTWARE\\Citrix\\ServerFTA\\Capabilities"

  1. Copy and paste the text above into a Notepad file on the Server VDA
  2. Save the Notepad file with “Save As”, type All Files, and the name ServerFTA.reg
  3. Double-click the ServerFTA.reg file on the Server VDA to import it into the registry
  4. You are done with this part

 

XML file to be created as described in step 3 of the “Essential steps” above

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier="http" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
  <Association Identifier="https" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
</DefaultAssociations>

  1. Copy and paste the text above into a Notepad file on the Server VDA
  2. Save the Notepad file with “Save As”, type All Files, and the name ServerFTAdefaultPolicy.xml
  3. The XML file should be saved into the Windows\System32 folder on the SVDA
  4. In the Group Policy Management Console, navigate to Computer Configuration > Administrative Templates > Windows Components > File Explorer > Set a default associations configuration file, and provide the path to the ServerFTAdefaultPolicy.xml file you created
  5. You are done with this part too!
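The same two parts (the ServerFTA registry entries and the default-associations XML) can be applied from an elevated PowerShell session on the Server VDA instead of importing a hand-made .reg file, and the ValidSites whitelist from the “Variation” section can be set the same way. The script below is an added example, not part of this post or of Citrix’s own tooling; the registry paths, ProgId, value names and the iexplore.exe path come from the post, while the function names and the post-change check are my own. The GPO step in GPMC and the gpupdate /force still have to be done as described above. The whitelist matters from a security point of view: without it every http/https URL a user clicks inside the session is handed to the browser on the client endpoint, and with it only the listed sites leave the session.

```powershell
# Added example (not part of this post or of Citrix's own tooling): the .reg and XML
# steps above done from an elevated PowerShell session on the Server VDA, plus the
# ValidSites whitelist from the "Variation" section. Registry paths, the ProgId and the
# iexplore.exe path are taken from the post; the GPO step in GPMC is still done by hand.

$IexplorePath = 'C:\Program Files (x86)\Citrix\system32\iexplore.exe'      # from the post
$XmlPath      = Join-Path $env:windir 'System32\ServerFTAdefaultPolicy.xml' # from the post

function Register-ServerFta {
    # HKEY_CLASSES_ROOT has no default PS drive; HKLM:\SOFTWARE\Classes is the machine-wide half of it
    $cmdKey = 'HKLM:\SOFTWARE\Classes\ServerFTAHTML\shell\open\command'
    New-Item -Path $cmdKey -Force | Out-Null
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value ('"{0}" %1' -f $IexplorePath)

    $fta = 'HKLM:\SOFTWARE\Citrix\ServerFTA'
    New-Item -Path "$fta\Capabilities\URLAssociations" -Force | Out-Null
    Set-ItemProperty -Path $fta -Name '(default)' -Value 'ServerFTA'
    Set-ItemProperty -Path "$fta\Capabilities" -Name 'ApplicationDescription' -Value 'Server FTA URL.'
    Set-ItemProperty -Path "$fta\Capabilities" -Name 'ApplicationIcon'        -Value "$IexplorePath,0"
    Set-ItemProperty -Path "$fta\Capabilities" -Name 'ApplicationName'        -Value 'ServerFTA'
    foreach ($scheme in 'http', 'https') {
        # Both URL schemes hand off to the ServerFTAHTML ProgId registered above
        Set-ItemProperty -Path "$fta\Capabilities\URLAssociations" -Name $scheme -Value 'ServerFTAHTML'
    }
    # RegisteredApplications is what lets the default-associations XML pick this handler
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\RegisteredApplications' -Name 'Citrix.ServerFTA' `
        -Value 'SOFTWARE\Citrix\ServerFTA\Capabilities'
}

function Write-DefaultAssociationsXml {
    $xml = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier="http" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
  <Association Identifier="https" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
</DefaultAssociations>
'@
    # UTF-8 without BOM, so the file matches its declared encoding exactly
    [System.IO.File]::WriteAllText($XmlPath, $xml, (New-Object System.Text.UTF8Encoding($false)))
}

function Set-HostToClientWhitelist {
    # Only URLs matching an entry leave the session for the client's browser; everything
    # else stays inside the VDA. Key and value name are from the post's "Variation" steps.
    param([string[]]$Sites)
    $key = 'HKLM:\Software\Wow6432Node\Citrix\SFTA'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ValidSites' -PropertyType MultiString -Value $Sites -Force | Out-Null
}

function Test-ServerFta {
    # Post-change check: both schemes map to ServerFTAHTML, the XML is in place, whitelist contents
    $assoc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\ServerFTA\Capabilities\URLAssociations'
    $white = (Get-ItemProperty -Path 'HKLM:\Software\Wow6432Node\Citrix\SFTA' -ErrorAction SilentlyContinue).ValidSites
    [pscustomobject]@{
        Registered = ($assoc.http -eq 'ServerFTAHTML') -and ($assoc.https -eq 'ServerFTAHTML')
        XmlPresent = Test-Path $XmlPath
        Whitelist  = $white -join ', '
    }
}

Register-ServerFta
Write-DefaultAssociationsXml
Set-HostToClientWhitelist -Sites 'http://www.google.com', '*.google.com', 'msn.com'   # sites from the post
Test-ServerFta
# Then point the "Set a default associations configuration file" policy at $XmlPath and run gpupdate /force
```

Test-ServerFta is worth keeping around after the change: if a user reports that a link opened in the wrong place, it shows in one object whether the handler is registered, whether the XML exists where the policy expects it, and exactly which sites are currently whitelisted.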

 

Additional notes:

  • If the server VDA is Windows Server 2008 R2 SP1, you do not need to set registry keys or Group Policy.
  • If the server VDA is Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016, you must set registry keys and Group Policy on the Server VDA (as described in this blog post)
  • This blog post is our version of the official Citrix E-Docs. This blogger tested the above steps and they worked fine in a lab environment
  • Good luck testing and using it!

 

Notes from an App Layering presentation

June 6, 2017

The user layer is married to the OS layers

It is a stack of image templates.

When you publish it all you get is a single VHD image

The elastic layer doesn’t show up until user logs on

We only track the ID of the OS layer

Elastic Layer will work on Windows 7 build 1507 and Windows 7 build 1603

Layers  have an intrinsic priority

The Elastic Layer assigned app has a unique priority based on the P# or Package ID #

App layer is above NTFS level

PVS is below NTFS level

CLI command: FLTMC will list the filter drivers:

  • FSDepends
  • UPMjit (UPM driver)
  • Unitfltr

Version 12.1.6 – It is the most recent version of Symantec EP tested. Version 14 has not been tested

VHD is read in the context of the user

It has Elastic layer but no user layer

Once our filter driver is in we add a 2nd partition

The user writable partition is 10 gb

Unidesk has some internal tools, but we also need to know what kind of ammunition our clients have, meaning what tools are available to them

Muting the camera shutter on the iPhone 7

April 9, 2017

It appears that it is illegal to turn off the shutter when you take a picture using a digital phone in the US; I have read that the law states that cell phones containing digital cameras must make a sound when taking a picture (needs validation), but there are two easy ways to minimize the annoyance of the shutter:

  1. Put your phone in Mute
  2. Lower the volume to the lowest possible settings

There you have it!

 

Some components of the Logon process in RDS/Citrix environments

January 30, 2017

smss.exe – Session Manager subsystem – As the name suggests, this process is in charge of managing session creation and logoff

Winlogon – “Winlogon handles interface functions that are independent of authentication policy. It creates the desktops for the window station, implements time-out operations, and provides a set of support functions for the GINA.” source: Microsoft MSDN

userinit.exe ( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ): it specifies the programs that Winlogon runs when a user logs on. (https://technet.microsoft.com/en-us/library/cc939862.aspx)

mpnotify.exe ( C:\WINDOWS\system32\mpnotify.exe ): is responsible for loading network providers including the single sign on network provider (pnsson.dll) for the ICA client.

These are not the only processes invoked during the logon process.
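Two of the components above are also the places an administrator should baseline, because whatever is listed there runs for every user who logs on to the RDS/Citrix host: the Userinit value under the Winlogon key, and the network provider order that mpnotify.exe loads (the pnsson.dll single sign-on provider shows up there). The script below is an added example, not from this post: it reads both, and reports anything that deviates from the stock values. The Winlogon path is the one quoted in the post; the NetworkProvider\Order key, the expected default of userinit.exe followed by a trailing comma, and the function names are my own additions.

```powershell
# Added example, not from the post: read the Winlogon values and the network provider
# order described above and flag anything that deviates from the expected defaults.
# On a session host these are worth checking because an extra entry in Userinit or an
# unexpected provider DLL changes what runs at every single logon.

function Get-WinlogonSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # path from the post
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Userinit = $p.Userinit
        Shell    = $p.Shell
    }
}

function Get-NetworkProviders {
    # ProviderOrder is a comma-separated list of service names; each service's
    # NetworkProvider subkey names the DLL that mpnotify.exe loads at logon.
    $order = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    foreach ($name in ($order -split ',')) {
        $np = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Service = $name.Trim(); ProviderPath = $np.ProviderPath }
    }
}

function Test-LogonComponents {
    # Returns a list of findings; an empty list means everything matched the expected defaults
    $w = Get-WinlogonSettings
    $findings = @()
    # Stock Userinit is "<windir>\system32\userinit.exe," (trailing comma included);
    # anything appended after the comma is launched at every interactive logon.
    $expectedUserinit = (Join-Path $env:windir 'system32\userinit.exe') + ','
    if ($w.Userinit -ne $expectedUserinit) {
        $findings += "Userinit is '$($w.Userinit)', expected '$expectedUserinit'"
    }
    if ($w.Shell -ne 'explorer.exe') {
        $findings += "Shell is '$($w.Shell)', expected 'explorer.exe'"
    }
    foreach ($np in Get-NetworkProviders) {
        if (-not $np.ProviderPath) {
            $findings += "Provider '$($np.Service)' is in ProviderOrder but has no ProviderPath"
        } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($np.ProviderPath)))) {
            $findings += "Provider '$($np.Service)' points to a missing DLL: $($np.ProviderPath)"
        }
    }
    $findings
}

Get-WinlogonSettings
Get-NetworkProviders | Format-Table -AutoSize
Test-LogonComponents
```

On a Citrix VDA you should expect the Citrix single sign-on provider to appear in Get-NetworkProviders alongside the Microsoft ones; what you do not want is a provider name you cannot attribute to an installed product, or a Userinit value with anything after the comma that nobody put there on purpose.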

 


The three types of caches used by IE 10 and IE 11 on Windows 8 and later and Saved Passwords in IE

January 7, 2017

IE 10 and 11 have three types of cache to be aware of:

#1 AppData\Local\Microsoft\Windows\INetCache (temporary Internet files)

#2 AppData\Local\Microsoft\Windows\WebCache (IE browser cache)

#3 Password folders

#1 The Temporary Internet Files for Windows 8 and later are located here:

AppData\Local\Microsoft\Windows\INetCache

This folder contains all the temporary Internet files on Microsoft Windows computers. It contains files – such as images, HTML pages, executable and script files – that Internet Explorer has downloaded from websites visited by the user.

#2 The WebCache is located here: AppData\Local\Microsoft\Windows\WebCache

It contains the browser cache history and it can grow in size very rapidly

To delete the cache history you can use the Ctrl-Shift-Delete to open the browsing history window

For a complete list of items in the cache check this Microsoft article.

#3 Password folders –  Internet Explorer contains folders related to Saved passwords

These are the folders for the passwords:

AppData\Local\Microsoft\Credentials
Appdata\Roaming\Microsoft\Credentials
Appdata\Roaming\Microsoft\Crypto
Appdata\Roaming\Microsoft\Protect
Appdata\Roaming\Microsoft\SystemCertificates

Licensing Diagnosis in 2012 R2

January 7, 2017

Unlike 2008 R2 RDS servers, where the RDS Session Host Configuration contains the Licensing Diagnosis screen, on 2012 R2 RDS servers you need to issue this command in order to check RDS licenses:

%windir%\system32\lsdiag.msc

 

source: Citrix article

Deleting the WebCache database – The IE browser cache

January 7, 2017

How to delete the webcache file:

Read this blog for a clever way of deleting the WebCache database, the WebCacheV01.dat file located in the %LocalAppData%\Microsoft\Windows\WebCache\ folder

Create a batch file and paste the content below

@echo off
net stop COMSysApp
taskkill /F /IM dllhost.exe
taskkill /F /IM taskhost.exe
taskkill /F /IM taskhostex.exe
del /Q %LocalAppData%\Microsoft\Windows\WebCache\*.*
net start COMSysApp
echo on

Save the batch file as “ClearIECache.cmd” and add it to the logoff script

Side note: The AppData\Local\Microsoft\Windows\INetCache is where the IE temporary files are located

 

Reason: Read on:

 

“…Starting with IE10, IE moves the browser cache to a Jet Blue database (also known as ESC database or .edb file), and the old index.dat memory-mapped file is obsoleted. You may read this blog to learn the benefits of this change; this is not the key topic in our article. With the new cache implementation, the cache files are saved in the %LocalAppData%\Microsoft\Windows\WebCache\ folder. And, the cache files will be created when a new user logs on.

Actually, the database is a file named WebCacheV01.dat in the cache folder, and its initial size could be around 20-32MB. The size of this file will keep increasing as you browse more and more websites. Unfortunately, there’s no way to control the initial size of this database; in other words, the minimal size of this file could be >20MB. Now, let’s suppose there are 1000+ users for this terminal server, then in total >20,000MB space is required for every user’s cache database file at least. In this situation, your C drive space will probably be used up as time goes on.

Then, how to avoid the happening of the subjected issue? Maybe you are thinking about deleting the cache files, right? Exactly, this is the only way to resolve the issue. However, the problem is, you are unable to delete the cache files manually even if you are a local admin of this server. Don’t worry, here’s a batch file which can help to delete the cache files. Please save the below contents into a ClearIECache.cmd file and try to run this file.”

source: AsiaTech: Microsoft APGC Internet Developer Support Team
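Before deploying a logoff script like the one above it is worth measuring how much space the per-user databases actually take on the session host, and it is worth scoping the cleanup to the user who is logging off. The script below is an added example, not from this post or the quoted AsiaTech article: Get-WebCacheUsage walks the profile directories and sizes each WebCacheV01.dat, and Clear-WebCacheForSession does what the batch file does but only terminates dllhost/taskhost instances in the caller’s own session, so other users on the same host are not affected. The profile root under the system drive and the function names are my assumptions; the file and folder names are the ones quoted above.

```powershell
# Added example (not from the post or the quoted AsiaTech article): size the per-user
# WebCacheV01.dat files on a session host so the "20 MB per user" estimate can be checked
# against real numbers, and clear the cache for the current session only.

function Get-WebCacheUsage {
    param([string]$ProfilesRoot = (Join-Path $env:SystemDrive 'Users'))   # assumption: default profile root
    $rows = Get-ChildItem -Path $ProfilesRoot -Directory | ForEach-Object {
        # Path quoted in the post, relative to each user's profile
        $db = Join-Path $_.FullName 'AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
        if (Test-Path $db) {
            $f = Get-Item -Path $db -Force
            [pscustomobject]@{
                User      = $_.Name
                SizeMB    = [math]::Round($f.Length / 1MB, 1)
                LastWrite = $f.LastWriteTime
            }
        }
    }
    $rows | Sort-Object SizeMB -Descending
}

function Get-WebCacheSummary {
    # One object with the numbers you would put in a capacity-planning note
    $rows  = @(Get-WebCacheUsage)
    $total = ($rows | Measure-Object -Property SizeMB -Sum).Sum
    [pscustomobject]@{
        Profiles  = $rows.Count
        TotalMB   = $total
        LargestMB = if ($rows.Count -gt 0) { $rows[0].SizeMB } else { 0 }
    }
}

function Clear-WebCacheForSession {
    # Same steps as the batch file, but limited to the processes in this session so that
    # other users' dllhost/taskhost instances on a shared host are left alone.
    # (The batch file's "net stop COMSysApp" needs admin rights; a per-user logoff
    # script normally does not have them, so it is left out here.)
    $sessionId = (Get-Process -Id $PID).SessionId
    Get-Process -Name dllhost, taskhost, taskhostex -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $sessionId } |
        Stop-Process -Force -ErrorAction SilentlyContinue
    $cache = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\WebCache'
    if (Test-Path $cache) {
        Remove-Item -Path (Join-Path $cache '*') -Recurse -Force -ErrorAction SilentlyContinue
    }
    # True when the database is gone
    -not (Test-Path (Join-Path $cache 'WebCacheV01.dat'))
}

Get-WebCacheUsage | Format-Table -AutoSize
Get-WebCacheSummary
```

Run the two Get- functions as an administrator (other users’ profile folders are not readable otherwise); Clear-WebCacheForSession is meant to run as the user who is logging off, which is also why it filters on SessionId rather than killing every dllhost on the box.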

The Boot Time components of a PVS server

December 27, 2016

Boot time is the period from when you turn on the target device up to the point where it downloads the bootstrap file. The bootstrap file contains the BOOTSTRAP PROGRAM

But what is a BOOTSTRAP PROGRAM?

A target device initiates the boot process by first loading a bootstrap program. A bootstrap program is a small program that runs before the operating system is loaded. Provisioning Services uses a special bootstrap program that initializes the streaming session between the target device and the Provisioning Server. After this session starts, the operating system begins to be streamed and loaded from the vDisk that was initiated.

There are three ways that a target device may load the bootstrap program.

  • Over the network, via Preboot eXecution Environment (PXE)
  • From a boot device stored on attached media
  • From a BIOS Embedded bootstrap (OEM versions only)

Source: Citrix DOCS – BootStrap Program

BOOT TIME COMPONENTS

  • TFTP
  • PXE
  • TSB

TFTP Explanation:

The TFTP Service is a basic TFTP server like any other: it just sits there with the bootstrap file and waits for somebody to request it. When somebody (usually a target device) requests it, it uses the TFTP protocol to deliver the bootstrap file

Now, in order to get the bootstrap file when you perform a PXE boot, the target needs two pieces of information:

  1. The IP address of the server [server name]
  2. The name of the bootstrap file [filename of the bootstrap file]

So in order to do a network boot via PXE, those two pieces of information have to be provided to the target. There are a couple of ways of doing that:

  1. Using options 66/67 on your DHCP server. When you use options 66/67:
    1. A target with PXE enabled boots up
    2. It sends out a DHCP discover packet
    3. DHCP responds to that discover packet with an offer that contains all the normal DHCP information (IP, subnet mask, gateway, DNS, domain), but in addition to that information it also provides the IP address and the filename for the bootstrap. With that information in hand the target goes to the TFTP server and downloads the bootstrap file
  2. Using the PXE Service

PXE explanation

Q. So, do you know what the PXE Service is used for?

A. It replaces options 66 and 67

So, in an environment where you don’t want to use options 66 and 67, you can enable the PXE Service on all your PVS servers. What happens here is that the target boots up and does a DHCP discovery (it sends out a DHCP discover packet).

The PXE Service listens on port 67, which is the same port that DHCP listens on. So that discover goes out and hits the DHCP server and also hits all PXE Services. DHCP responds with the basic DHCP information (IP, subnet mask, gateway, DNS, domain). In this case it will NOT include options 66 and 67 (since they were not configured). However, all the PXE servers respond with their own IP and the bootstrap file name. So when you use the PXE Service you use both the PXE Service and TFTP on the same server. The way this works is: if you have multiple PXE Services, the first response received by the target device is the one used; the target then contacts that TFTP server and downloads the bootstrap
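Both ways of handing the target its two pieces of information can be set up and checked from PowerShell. The script below is an added example, not from this post or from Citrix: Set-PvsBootOptions and Get-PvsBootOptions cover the option 66/67 path on a Windows DHCP server (DhcpServer module), and Get-PvsBootServices plus Test-PvsTftpPort cover the PXE Service path on a PVS server. The scope, the server IP and the bootstrap file name are sample values I chose; the “Citrix PVS*” display-name pattern for the services is an assumption about how the services are named on the PVS server, and Test-NetConnection cannot probe UDP, so the TFTP check looks at the local listener instead.

```powershell
# Added example, not from the post or Citrix: the two ways described above of giving a
# PXE client the TFTP server address and bootstrap file name, as PowerShell checks.
# Run Set-/Get-PvsBootOptions on the DHCP server (needs the DhcpServer module) and the
# other two on a PVS server. Scope, server IP and file name below are sample values.

function Set-PvsBootOptions {
    param(
        [string]$ScopeId       = '10.0.0.0',     # sample scope
        [string]$TftpServer    = '10.0.0.5',     # sample PVS/TFTP server address -> option 66
        [string]$BootstrapFile = 'ARDBP32.BIN'   # bootstrap file name (assumed PVS default) -> option 67
    )
    Import-Module DhcpServer
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66 -Value $TftpServer
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 67 -Value $BootstrapFile
}

function Get-PvsBootOptions {
    param([string]$ScopeId = '10.0.0.0')
    Import-Module DhcpServer
    # What the DHCP offer will carry; both empty means the PXE Service path has to supply them
    $opts = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66, 67 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScopeId             = $ScopeId
        Option66_TftpServer = (($opts | Where-Object OptionId -eq 66).Value -join ',')
        Option67_Bootstrap  = (($opts | Where-Object OptionId -eq 67).Value -join ',')
    }
}

function Get-PvsBootServices {
    # On a PVS server the PXE Service answers the discover with its own IP and the bootstrap
    # name, and the TFTP Service serves the file; the post says both live on the same box.
    Get-Service | Where-Object { $_.DisplayName -like 'Citrix PVS*' } |
        Select-Object Name, DisplayName, Status
}

function Test-PvsTftpPort {
    # TFTP is UDP 69. Test-NetConnection only probes TCP, so check the local listener instead.
    $ep = Get-NetUDPEndpoint -LocalPort 69 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TftpListening = [bool]$ep
        LocalAddress  = ($ep.LocalAddress -join ',')
        OwningProcess = ($ep.OwningProcess -join ',')
    }
}

# On the DHCP server:
# Set-PvsBootOptions -ScopeId '10.0.0.0' -TftpServer '10.0.0.5' -BootstrapFile 'ARDBP32.BIN'
# Get-PvsBootOptions -ScopeId '10.0.0.0'
# On a PVS server:
# Get-PvsBootServices
# Test-PvsTftpPort
```

A useful habit when troubleshooting a target that will not boot is to run Get-PvsBootOptions first: if option 66/67 are empty on the scope and no PXE Service is running, the target has nobody to tell it where the bootstrap is, and the symptom looks identical to a TFTP problem.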

 

More to come:

TSB explanation:

Q.

A.

Using ADSI Edit to validate an object SID such as a user or a computer

December 4, 2016

Scenario

Let’s say you found an object SID but need to validate whether that object SID belongs to an AD object with a given Canonical Name (CN). Example: Domain Users has an object SID attribute like:

S-1-5-21-3292383464-3806668890-3618075406-513

Using “ADSI Edit” on your Domain Controller, you can check whether the object “Domain Users” has an object SID that matches the attribute above. Note that the “Object SID” and “Object GUID” are not the same thing and don’t have the same numbers, but they are listed next to each other in the attributes table of the object “Domain Users” in the ADSI Edit snap-in console

But in order to use ADSI Edit, you need to register the DLL first by typing on a command prompt:

regsvr32 adsiedit.dll

Ideally you want to be in the same folder where the DLL is located. Normally if you download the Support Tools, this is already done for you. But, if not, you need to make sure this command works properly so you can register the DLL and start the ADSI Edit snap-in.

On the Domain controller or on the server where you have access to AD Users and Computers, 
after registering the DLL you can start:

Using the ADSI Edit

ADSI Edit (Adsiedit.msc) is an MMC snap-in. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in MMC, or just open the Adsiedit.msc file from Windows Explorer. The following figure illustrates the ADSI Edit interface. In the console tree on the left, you can see the major partitions Domain, Configuration, and Schema.

So by typing adsiedit.msc on an elevated command prompt you should be able to launch the snap-in

Right click and select Connect to… and take the default value to load the “Default Naming Context”

Something like this: LDAP://DC1.[domain name]/Default naming context, where DC1 is the hostname of the Domain Controller

In the Advanced button you can specify the Port Number. When using ADSI Edit Type a port number if you do not want to use the default port for the LDAP or the LDAP Global Catalog protocol. The default LDAP port is 389. The default port for the Global Catalog is 3268.

Review this Microsoft Technet article on ADSI Edit for detailed information on the use of the tool

In my case I expanded the Domain Name of my domain, expanded the CN=Users folder, located the “Domain Users” object, right-clicked on it and selected the option “Properties”

One of the attributes listed was the object SID. I was able to validate that the object SID I found earlier matched the object SID of the object “Domain Users”
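The same validation can be done without clicking through ADSI Edit, which is handy when you have a list of SIDs from an ACL or an event log rather than a single one. The script below is an added example, not from this post: ConvertFrom-Sid splits the post’s SID into the domain part and the RID (513 is the well-known RID for Domain Users), Resolve-SidName asks Windows to translate it to DOMAIN\Name with the .NET SecurityIdentifier type and no AD module, and Test-SidMatchesObject reads the object back by SID with the ActiveDirectory module, returning the objectSid and objectGUID side by side exactly as the post says they appear in ADSI Edit. The function names are mine; the SID is the one from the post.

```powershell
# Added example, not from the post: validate a SID programmatically instead of reading it
# off the ADSI Edit attribute table. Only Test-SidMatchesObject needs the RSAT
# ActiveDirectory module; the other two use the .NET SecurityIdentifier type.

function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $parts = $SidString -split '-'
    $domainSid = $null
    if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }
    [pscustomobject]@{
        Sid         = $sid.Value
        DomainSid   = $domainSid                     # S-1-5-21-<three sub-authorities> without the RID
        Rid         = [int]$parts[-1]                # 513 = Domain Users, 512 = Domain Admins, 500 = built-in Administrator
        IsDomainSid = ($SidString -like 'S-1-5-21-*')
    }
}

function Resolve-SidName {
    param([Parameter(Mandatory)][string]$SidString)
    # Translate() asks the local machine (and, for domain SIDs, a DC) for the DOMAIN\Name form;
    # $null back means the SID is unknown here, e.g. a deleted object or a foreign domain.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $null
    }
}

function Test-SidMatchesObject {
    param(
        [Parameter(Mandatory)][string]$SidString,
        [Parameter(Mandatory)][string]$ObjectName    # e.g. 'Domain Users', as in the post
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # Get-ADObject returns objectSid as a SecurityIdentifier and objectGUID as a Guid
    $obj = Get-ADObject -Filter "objectSid -eq '$SidString'" -Properties objectSid, objectGUID
    if (-not $obj) { return $null }
    [pscustomobject]@{
        Matches    = ($obj.Name -eq $ObjectName)
        Name       = $obj.Name
        ObjectSid  = $obj.objectSid.Value
        ObjectGuid = $obj.objectGUID      # a different identifier from the SID, as the post notes
        DN         = $obj.DistinguishedName
    }
}

$sid = 'S-1-5-21-3292383464-3806668890-3618075406-513'   # the SID from the post
ConvertFrom-Sid -SidString $sid
Resolve-SidName -SidString $sid
# Test-SidMatchesObject -SidString $sid -ObjectName 'Domain Users'
```

Resolve-SidName is the quick check for a SID you find in an ACL or a security event: a $null result on a domain-joined machine usually means an orphaned SID (deleted object), which is worth knowing before you spend time looking for it in ADSI Edit.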

 

Unable to RDP to a 2012 R2 server

December 4, 2016

I have a Citrix Delivery Controller (DDC) and a Server VDA (SVDA) in my lab, as part of my XenApp 7.11 environment. Both servers are 2012 R2 servers. I have the Terminal Services role enabled by default on my SVDA because when you install Citrix software (Virtual Delivery Agent or VDA) on a Server 2008 R2 or 2012 R2, the Terminal Services (TS) role is automatically installed, since it is a prerequisite for the VDA. The DDC doesn’t have the Terminal Services role installed by default (unless you install the VDA software on it, which is not considered Best Practices by Citrix), but Microsoft allows two RDP connections to a server even if the Terminal Services role is not installed. Of course it is limited to local or domain administrators. One of the reasons this is possible is to allow either the local admin or the domain admin to install the full-blown Terminal Services role if needed. Recently, I have been unable to RDP into the DDC but had no problems RDP-ing to my SVDA.

After checking firewall settings and making sure they were disabled, I tried telnetting via port 3389 from my SVDA to my DDC and was unable to do so. However, I was able to telnet from another server to my SVDA via port 3389. So I suspected that my RDP listener on the DDC had an issue.

Sure enough, I compared the RDP listener registry key settings between the SVDA and the DDC. On my DDC there were a few binary values that did not match my SVDA. Obviously some of the values should be different since one server has the TS role installed (SVDA) and the other (DDC) doesn’t, but the vast majority of the binary values on the RDP listener registry key should be quite similar on both 2012 R2 servers. The registry key for the RDP listener is located here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

These two keys particularly intrigued me:

fDisableExe -> set to 1 on the working SVDA but set to 0 (zero) on the non-working DDC

User Authentication – set to 1 on the working SVDA but set to 0 (Zero) on the non-working DDC

Solution:

I changed both flags to 1 on the non-working DDC, to mimic the SVDA and VOILÀ, the RDP connection started to work again, MAGICALLY!

Note 1: After changing the two binary values on the registry, I rebooted the DDC for the changes to take effect.

Note 2: I did not test the behavior by only changing one binary value entry due to my own laziness, so it is quite possible that only one binary value change could have done the trick as well. If I were to guess I suspect the User authentication binary value could be the one, but that is only my guess!

Conclusion:

Microsoft installs the RDP listener on all Windows machines by default when the Windows software is installed on a computer. This is for management purposes in case you want to manage the computer remotely.

So you should be able to see RDP listener registry key on all  Windows computers regardless of being a Server or Desktop OS. The RDP listener is not a very popular component and most end users don’t really know much about this component or that it even exists (unless you are an IT administrator). However, when corrupted, modified or customized , it will cause disruptions to a remote connection to the computer, like the disruption I had, so beware!

The only mysteries I did not solve were:

  1. How did the binary values change on the DDC (since I’ve never touched that registry key myself before)? Or,
  2. If they did not change (which is quite possible as well), what triggered the issue then? And
  3. What roles do those two binary values (User Authentication and fDisableExe) have?
  4. Why did I decide to choose those two binary values, since there were other values that also did not match? Was it my gut, my instinct, or pure luck? Or would any value change do it?

These are all answers to be discussed and hypotheses that could be tested and discussed in another blog article. If you know the answer please share!

Additional Tip:

This is a good command to test if the RDP protocol is listening on port 3389, the default RDP port:

Telnet [hostname or IP address or FQDN] 3389 – If you get as an answer a blinking cursor at the top left of the CMD prompt screen, that is a good thing. That means the connection to that computer via RDP is enabled and the RDP protocol is listening on that port. If you get the message “Connecting to [hostname]…could not open connection to the host, on port 3389: Connect failed”, it really means that port 3389 is not open on the destination host

During my troubleshooting, telnetting within the server itself worked (telnet localhost 3389) but it failed from any other computer telnetting into the DDC

Some IT shops change the default port of RDP from 3389 to another number to prevent end users from accessing the computer remotely or to prevent intrusions
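The comparison done by hand above can be scripted, which also answers part of mystery #4: a diff of the whole RDP-Tcp key between a working and a non-working host lists every value that differs, so the choice is no longer a gut call. The script below is an added example, not from this post: it reads the listener key on two hosts over WinRM, reports the values that differ, and replaces the telnet test with Test-NetConnection on port 3389. The key path is the one quoted above; the host names are placeholders and the function names are mine. One fact worth adding for mystery #3: UserAuthentication (spelled “User Authentication” in the post) set to 1 is the switch that requires Network Level Authentication before a session is created, so keeping it at 1 is the hardened state, and an unexplained change of this key on a server is something to investigate rather than just repair.

```powershell
# Added example, not from the post: script the RDP-Tcp registry comparison and the
# port test. Needs WinRM (PowerShell remoting) enabled on both hosts for Invoke-Command.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'   # from the post

function Get-RdpListenerValues {
    param([string]$ComputerName)
    # Every value under the listener key as Name/Value pairs; multi-byte values are joined for comparison
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RdpKey -ScriptBlock {
        param($key)
        $p = Get-ItemProperty -Path $key
        $p.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath, PSChildName, etc.
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = ($_.Value -join ',') } }
    }
}

function Compare-RdpListener {
    param(
        [string]$Working = 'SVDA-PLACEHOLDER',   # host where RDP works (the SVDA in the post)
        [string]$Broken  = 'DDC-PLACEHOLDER'     # host where it does not (the DDC in the post)
    )
    $a = Get-RdpListenerValues -ComputerName $Working
    $b = Get-RdpListenerValues -ComputerName $Broken
    foreach ($item in $a) {
        $other = $b | Where-Object { $_.Name -eq $item.Name }
        if (-not $other -or $other.Value -ne $item.Value) {
            [pscustomobject]@{
                Name         = $item.Name
                WorkingValue = $item.Value
                BrokenValue  = if ($other) { $other.Value } else { '<missing>' }
            }
        }
    }
}

function Get-RdpAuthFlags {
    # The two values the post changed, on one host
    param([string]$ComputerName = $env:COMPUTERNAME)
    $v = Get-RdpListenerValues -ComputerName $ComputerName
    [pscustomobject]@{
        Computer           = $ComputerName
        UserAuthentication = ($v | Where-Object { $_.Name -eq 'UserAuthentication' }).Value   # 1 = NLA required
        fDisableExe        = ($v | Where-Object { $_.Name -eq 'fDisableExe' }).Value
    }
}

function Test-RdpPort {
    # Same check as "telnet <host> 3389": a plain TCP connect, no RDP handshake
    param([string]$ComputerName, [int]$Port = 3389)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Computer = $ComputerName; Port = $Port; Open = $r.TcpTestSucceeded }
}

# Compare-RdpListener -Working 'SVDA-PLACEHOLDER' -Broken 'DDC-PLACEHOLDER' | Format-Table -AutoSize
# Get-RdpAuthFlags -ComputerName 'DDC-PLACEHOLDER'
# Test-RdpPort -ComputerName 'DDC-PLACEHOLDER'
```

Saving the output of Get-RdpListenerValues from a known-good host to a file gives you a baseline; the next time RDP stops working on a server, Compare-RdpListener against that baseline tells you in seconds which values moved, and the list is short enough to look each one up.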

I hope this helps!

JP

*** === ***

side note: definition of voilà

used when something is being presented or shown to someone