Quick Launch and ICA file creator for XenApp

The QuickLaunch bar has for some time been the main use I’ve had for the old Program Neighborhood and the only reason I didn’t want to lose it by updating to client v11.2, so this free tool released late in 2009 from Citrix is an essential part of replacing the old client…

http://support.citrix.com/article/CTX122536

Not only does the QuickLaunch tool replicate the functionality of the Quick Launch bar of the old PN client, it also acts as an ICA file creator.  Note the ICA files it makes do not have usernames and passwords by default, so you can edit them to include the necessary fields – for example (passing the password in plain text!)…

[WFClient]
Version=2
TcpBrowserAddress=servername.domainname.local
[ApplicationServers]
Word 2007=192.168.1.1
[Word 2007]
Address=Word 2007
TransportDriver=TCP/IP
InitialProgram=#Word 2007
WinStationDriver=ICA 3.0
Username=username
Domain=DOMAINNAME
ClearPassword=password
DesiredColor=8
DesiredHRES=1024
DesiredVRES=768
AutoLogonAllowed=On

Office 2010 – 64 bit edition?

Interesting article on TechNet about the two versions of Office 2010…

http://blogs.technet.com/office2010/archive/2010/02/23/understanding-64-bit-office.aspx

I greeted the news that there was going to be a 64-bit edition of Office with a moderate amount of interest, mainly because this might be useful to deploy on our planned 64-bit XenApp farm.  This article does mention though that for most users, Microsoft actually recommend installing the 32-bit version, even if you use 64-bit Windows, the reason being “compatibility with existing 32-bit controls, add-ins, and VBA”. 

That sounds mighty ominous to me.  I think I will take their advice and just keep a 64-bit stream handy in case some user (there’s always one) wants a million row spreadsheet or something.  Of course you don’t really want a XenApp user taking up over 4gb of memory by opening hundreds of Office documents, so I don’t see any reason to encourage them!

I’ve had no success so far with streaming Office 2010 using the XenApp on Windows 2008 R2 tech preview, it just exits saying that “Setup has encountered an error”, and it is a no-go on the XenApp 5 version of the Streaming Profiler since it does not support Services, which Office 2010 needs.  Hopefully this will all be sorted out when the final versions of XenApp 6 and Office 2010 are out this summer.

Kerberos and pass-through authentication

This post could have been called “the curse of the second login box”.

I’ve just spent a frustrating few days trying different ways of installing a v11.2 Citrix client that let pass-through authentication work on web and the agent.  This all appeared to make no sense – some clients inexplicably worked, but most did not.  I was sure the server was configured fine, no errors in the event logs, apps enumerated fine in the client, yet every application I launched gave one of these lovely Windows Server logon boxes.  And on some installations it just worked.

I compared a working client and a broken one.  The only difference was in C:\Program Files\Citrix\ICA Client\wfclient.ini – the broken clients had an extra line:

UseSSPIOnly=On

This line is the equivalent in the installation of the “Use Kerberos only” checkbox.  Without it (even if your web interface server is configured to “Use Kerberos only”), pass-through authentication will work using NTLM if Kerberos fails.  With this line, Kerberos authentication is forced – and if it fails, you get your second Windows log in box.  So in other words, in my case Kerberos was failing. 

After more research (http://support.citrix.com/article/CTX121918) the glaring omission was that I had not set the checkbox on the AD Computer account of the web interface and Citrix servers to “Trust this computer for delegation”.  I was worried about this step without even researching it since activating it causes a popup every time warning that this was a “security-sensitive operation” and alarmingly “should not be done indiscriminately”. 

So I’ve changed my standard 11.2 batch install to ENABLE_KERBEROS="No" and taken the UseSSPIOnly=on line out of the existing clients, and its all good.  I think for now I would rather stick to disabling the Kerberos requirement than performing an indiscriminate action on my servers!

Notes on the Citrix Client 11.2

I’m currently trying to persuade my highly doubtful colleagues to move all our clients to client 11.2, partly to break our addiction to the now discontinued Program Neighborhood.  In testing this new beast I’ve found a few things of “interest”…

• It doesn’t include Program Neighborhood at all – no big surprise, it was dropped from 11.1 as well.  What is more interesting is that XenApp for Windows 2008 R2 doesn’t support it.
• It comes in two flavours, “full” (PN Agent and Web) and just web.  But you can use the full version to just install the web client if you use the right switches.
• If you use the web installer you can’t use pass-through authentication!  Link…
• It is built in a completely different way to every previous version I have seen going back to v6.  Its not an MSI you can pre-configure, its an EXE that you configure with switches.  See the switches here.  If you just double click it you get default values for everything, so you really want to use the switches.  So we go from a remotely deployable configured MSI to a batch file calling an EXE.  Great.
• If you have to use it as an MSI, you can extract about 6 MSI’s from the EXE. But installing these doesn’t support upgrading at all and you have to create their directories for them.

Pass-through Authentication woes

Passthrough authentication is a great feature of the XenApp Agent and Web Interface – users don’t like having to type the same password three times when they log on and anything that makes it easier for them to use Citrix means they’re less likely to find ingenious ways of avoiding it and so is good for us admins.
I found though that users fall into two categories – those who think auto logging in is a mission critical feature that they need to work and those that absolutely insist on explicit credentials (probably because they use some nasty shared login to get into Windows.
Anyway, I’ve found that both on Presentation Server 4.0 and XenApp 6 beta there are several things that can doom passthrough to either not work at all, or look like its going to work and then display a second Windows Logon box when you actually launch an app.
These are some of the elephant traps that can scupper passthrough:
Client Problems

1. Generally, on a client with malfunctioning passthrough look in Task Manager at the running processes. If SSONSVR.exe is not in the list there is a problem with that client and it might need a reinstall. Make sure you
2. SSONSVR.exe can fail to start on computers using Intel Credentials Manager – see the fix here.
3. There is an ADM installed on clients from v10 – it will be at:
   C:\Program files\Citrix\ICA client\Configuration\icaclient.adm
   You can import this ADM into Active Directory for the OU containing your client PCs and configure it to allow single sign on using these instructions from Citrix. This will mean less messing about with appserv.ini files.
4. Some people report you can’t easily use passthrough from a published desktop if using the v11.0 client. Update to the latest client, v11.2 is now available.
5. Especially if not using the above ADM, check your appserve.ini (in C:\Users\%username%\AppData\Roaming\ICAClient, or c:\documents and settings\%username%\application data\icaclient\, or c:\Program files\citrix\ica client\) for the following line. It needs to be present and on and needs a reboot to take effect.
   SSOnUserSetting=On
6. Check the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PNAgent. It should have EnablePassThrough set on and a Server URL (which might well begin http://…) and so look something like this:
   
7. I saw a report on a forum post that a client installed pointed to a web interface server with passthrough disabled will never be able to use SSO (single sign on) unless the client is reinstalled, even if its been enabled on the server subsequently. You also need to reinstall if you chose not to use passthrough when you installed the client.
8. v10.1 and v10.2 of the client might need modification or switches to be able to use SSO – see this for more details. I had success with a v10.2 client installed with the following switch (obviously put in the right path for your client):
   msiexec /i c:\ica32pkg.msi enable_sso=YES
   
9. One problem we saw was that pass-through (without Kerberos) can fail if a client has logged on before the network was ready.  If you boot the PC, leave it on the CTRL-ALT-DEL screen for about 60 seconds, and then log in, it might work.  If this is the case, configure the group policy setting to wait for the network before logon (confirmed on Windows 7).

Server Problems

1. Obviously your Web Interface server should be configured to allow Passthrough under Authentication Methods. Use Kerberos only, especially if you are not using HTTPS. You could try specifying the domains allowed explicitly, that can have an effect.
2. Check in Terminal Services (or RDS…) Configuration and the properties of the ICA protocol. Make sure “Always prompt for password” is not checked.
3. Some people have reported on XenApp 5 that they need to install the XAE500W2K8042 hotfix if they are not using Kerberos. I say they should be using Kerberos!
4. On a Windows Server 2008 (or R2) server you have to make a group policy change here (I’ve not found the ADM was needed):
   Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\
   Double click “Allow Delegating Default Credentials”. Set it to Enabled and click Show. Add in a list of all your Web Interface servers. On the server do a “gpupdate /force” and reboot.

Resources:

• Troubleshooting: http://support.citrix.com/article/CTX076838
• Using the ADM: http://support.citrix.com/article/CTX112957

Gotchas installing XenApp 6 Beta for Windows 2008 R2

Had a fun day or two installing the new Beta for XenApp 6, the Windows 2008 R2 only version.  This is an version I had been waiting for for a while since I've found XenApp 5's performance on Windows 2008 to be rather underwhelming unless its installed on a beast of a server.

Anyway, XenApp 6 (okay, so Citrix aren't calling it that at yet officially, but its plastered all over the thing under the hood and in the documentation - its XenApp 6, honest) is still a Tech Preview and is a little fiddly.  I fell into the following elephant traps while installing it.

• License server.  I didn't have a Windows 2008 R2 License Server (only R1), which Terminal Services (sorry, RDS, Microsoft have been at the renaming juice too) wasn't impressed by.  Turns out Windows Server 2008 R2 makes quite a good Terminal Services License server since it can serve licenses for all the server versions from 2000 up to 2008 R2, so we now have a new License server for all our TS servers!  The Tech Preview DVD image comes with the latest full version of License Server, 11.6.1, which finally has a user interface written this century.  Sometimes Citrix change things for the sake of change, but this is a very welcome refresh.
• XenApp 6 Tech Preview licenses.  In my simple way I thought I could just use actual Citrix licenses for the Tech Preview - nope, it needs fake ones!  Could not find the things anywhere (they're not part of the download, annoyingly) so posted the question to the Citrix Forums site and got a response within about 2 minutes!  That's service.  Anyway, they're here:
  http://www.citrix.com/English/mycitrix/resources.asp?contentID=1860995#top
• Mixed Farms.  Yes, I tried to join my XenApp 6 servers to my XenApp 5 farm.  No joy.  No mixed farms.
• Program Neighbourhood.  I was using this to test my apps but could not connect to the new farm - old habits die hard!  Anyway, unless I am being a muppet, XenApp 6 does not support Program Neighbourhood - makes sense since it has been officially dropped for all products by Citrix and is not part of the client download since v11.1 last year.  Connected with the XenApp Agent and Web Interface fine.
• License Server (again).  Needs specifying for all the servers - and its not where it used to be.  There is now a new "Policies" node in the XenApp Management tool which is basically a version of the Group Policies Management Console and this needed configuring.  Entered my server name in the Unfiltered policy and finally was able to launch applications!
• Streamed Apps.  Oh yes, and I wanted to use my existing streamed profiles.  No joy, had to install ANOTHER 2008 R2 server (now up to 4 for this test environment - XenApp server, License Server, Profiler and Web Interface - oh, and a database elsewhere!) and the exciting beta of the new version of the Streaming Profiler.   Okay, its not exciting, though I like the fact it supports services. 

Anyway, its all up and running now and looking very nice.  Its already performing better than our XenApp 5 Farm on the same standard hardware - specifically it does not have the same problems with ever expanding logon times above about 75 users per server.  Its lovely.  I want the full version now!