During the last weeks I did a lot of testing with Citrix XenDesktop 7. One problem was quite hard to figure out:
A connection from Citrix Receiver 4.X to StoreFront always failed while I was using the Domain-Credentials (or Domain-Pass-through). No Single-Sign-On (SSON) – even for the configuration of the store – was possible. I was only able to connect the Receiver to StoreFront using the Authentication-Methods “Username and Password” or “Smartcard”. If I tried to configure a Store I always received the message “Select an account to continue”.
The problem with this message was that I didn’t receive a Dialog to choose a Store…
After a lot of testing I found the steps necessary to get SSON working.
3. Open “Internet Options” in Internet Explorer and switch to Security.
Choose “Trusted Sites”, “Sites” and add the StoreFront FQDN (beginning with https://)
After adding the StoreFront address to the “Trusted Sites”, open “Custom Level” to change the “Security Settings”. Scroll down to “Authentication” and activate “Automatic logon with current user name and password”.
Instead of adding the StoreFront address to the Trusted Sites you can also add it to the “Local Intranet” zone – then you don’t need to edit the Security Settings. Thanks to Neal Dolson (@ndolson816) for the tip.
5. That’s it – you can now configure your Store and connect to the store using Domain Pass-through.
If it’s still not working you can configure a Group Policy to activate SSON on your clients. Create a new policy and add the ADM file icaclient.adm. You can find the file on a client with an installed Receiver in the folder “C:\Program Files\Citrix\ICA Client\Configuration” or “C:\Program Files (x86)\Citrix\ICA Client\Configuration” on 64-bit systems.
Link the group policy to your client OU and reboot your clients to apply it. That’s it.
SSONSVR is not starting
If the ssonsvr process is not starting you have to check the network provider order. Open the registry and navigate to
Edit “ProviderOrder” and make sure that “PnSson” is the first entry.
Reboot your system – after login the process is started.
Published Desktop shows logon screen or connection is directly closed
Another problem that might happen is that a pass-through login to Citrix Receiver is working – but after starting a published desktop the logon screen appears or the connection is directly closed. Furthermore you may find the following error in the event-log:
Source: ICA Service
Description: ICA connection is cancelled because auto-logon is enforced and auto-logon failed.
To fix this you have to add another setting in the above created GPO. Open “…,Citrix Receiver, User Authentication” and enable “Kerberos authentication”.
Wait until your clients have applied the updated GPO (or do a “gpupdate /force”) – starting a published desktop now works without pass-through authentication.
In one of our customer environments I found a really interesting error – the mapping of a printer from a Citrix Universal Print Server failed if we tried to use the Citrix Universal Printer Driver in XenApp. We always received the error message “It was not possible to create a connection to the printer. Check the printer name….” and so on.
Now we started to check if the necessary Citrix policies have been activated:
Computer: Printer => Universal Print Server => “Universal Print Server enable”
User: Printing => Drivers => Universal Printer driver usage
Both policies had been configured correctly.
Everything seemed to be correct and working – but printer mappings still failed.
After searching in more and more different directions (not worth mentioning here) we found the problem – the customer has a big Active Directory and his users are members of many security groups. And this caused the problem. In CTX134758 you can find a solution for this. You have to modify the Apache webserver configuration on the Universal Print Server to accept bigger Kerberos tickets.
Open “C:\Program Files\Citrix\XTE\conf\httpd.conf”
Add the following line:
It’s extremely important that you add this line either directly as a first line – or at the end of the file – otherwise it’s not going to work. And don’t choose a higher value
Save the file and restart the UPS-Server-Service.
That’s it – now mapping of printers using the “Universal Printer Driver” from a “Universal Print Server” shouldn’t fail any longer.
One of the biggest challenges in the mobile world is to secure the company data on the user device. Mails and contacts in particular are often synced directly to the user device, and if the device gets stolen it’s really easy to get this data. To fix this problem Citrix created the MDX format. The MDX format is a kind of secure box on the mobile device. The data inside is encrypted and even if the device is stolen the data is secured. Until now Citrix published two applications for securing your company’s data – both applications are available for iOS and Android:
Like the name says this application is a replacement for the “native” mail applications on the user device. Furthermore it supports the calendar and contact synchronization.
This is the second application published by Citrix. You can use this application to allow the user a secure access to internal Webservers.
If you would now like to deliver these applications (or any other) to the user’s Android device you need to complete the following steps:
1. Convert the applications to the MDX format
2. Publish the applications on your Citrix AppController
The Citrix AppController can be integrated into your “normal” Citrix world – but that’s another topic and I’m not going to cover this in this blog article.
First of all you need a computer with Mac OS X installed – there’s no Windows application available to convert an application into the MDX format – hopefully Citrix will publish one in the near future. Secondly you need the “MDX Toolkit”. You can find this in your Citrix Account.
After downloading and installing the application you need to download the “WorxMail” or “WorxWeb” Application. If you would like to publish your own application make sure that you have access to the .apk of the application.
Possibly you may need to install the Android SDK onto your Mac. (I am not quite sure about this point – the past versions of the converter needed the SDK and asked for the path to the SDK. This did not happen in the newest version – either it’s detected automatically or it’s not needed any longer – but I didn’t test this….)
In the next step you need to choose a keystore. You can either choose the option “Use debug keystore” or buy your own public Android publishing certificate. If you would like to use a public certificate read the following document inside the Android developer portal – this describes everything around signing Android applications. Otherwise choose “Use debug keystore”.
If the conversion fails with an error message you have to copy the /build-tools/aapt file to /platform-tools/aapt and /tools/aapt.
After copying the file everything should work without any problems.
The Application is now in the correct format for publishing it to the user. Therefore you have to log on to the administration panel of your AppController (the URL is: https://IPofAppController:4443/ControlPoint)
In the next step you can configure the application details and restrict the OS Versions. Furthermore you can choose the Category – the applications are grouped inside categories so that it’s easier for the user to find a specific application. Also you can restrict the application access by changing the “Assigned role”. Only users inside the configured role will have access to the application.
Now you have the opportunity to activate a Workflow approval. This means if a user would like to use an application he can choose the application in his Receiver, then the “Approver” (e.g. Manager) has to allow the application for the user and after this the user is allowed to open the application.
Your users can now access this native application on their Android Device using the Citrix Receiver.
There’s only one more thing you should know: It’s not enough to install the Citrix Receiver on the user device. It’s also required to install the “Worx Home” application from the Google Play Store. Otherwise the user will be able to install the published application, but if he opens the application he receives a message to install the “Worx Home” application. The problem is that this application is not yet available in the Market Store (08 July 2013). Google is still in the review process. Hopefully it will be available soon.
If you would like to publish an application for iOS devices a lot of the steps are similar – but there are some more things you should know – however that’s stuff for another blog post.
Hopefully this post was helpful to publish secured Android applications and makes the required steps more clear.
I have written another article for the May edition of the magazine IT-Administrator. This time I describe the features and functions of the Citrix Cloud Gateway. Hope you enjoy reading the article. And here is the German teaser:
“A new product from Citrix is the CloudGateway. With it, Citrix wants to enable administrators to centrally deliver all enterprise applications. These include classic Windows applications as well as Software-as-a-Service, web, and native iOS and Android applications. It can also be used to securely provide the data that users need.”
If you try to configure the Citrix AppController this may fail with the following message:
The administrator’s email address does not exist in Active Directory. Please enter a valid email address.
This error might also occur if you have entered an existing email address. The configuration not only checks if it’s a valid email address for an Active Directory user – it also checks if the corresponding user has a first and a last name. So if you see this message just open the corresponding user and enter a first and last name. After this the error message should be gone.
For the March edition of the IT magazine “IT-Administrator” I have written an article about managing Office licenses with the help of the AppSense Application Manager. The magazine was released yesterday. Hopefully you will like the article. (Sorry for the German teaser – but the article is also in German….)
“In times of BYOD and virtual desktops there is, besides the technical challenges, also a big organizational hurdle: licensing. There are still quite a few programs that have to be licensed per device. Given the abundance of devices with which users access centrally provided applications, explosively rising license costs are to be expected. To provide more control here, the AppSense Application Manager makes it possible to restrict the start of a central application to specific devices. In this workshop we show you how that works.”
One of our customers recently upgraded his VMware environment from Version 4 to Version 5.1. He is using Provisioning Services to deploy some of his servers.
In the past it was necessary to use the “E1000” network adapter to start the PVS Target Devices. With release 5 of VMware this changed and it’s now necessary to use the VMXNet3 network adapter. Thus we changed the network adapters (which are saved in the image) from E1000 to VMXNet3 – following these steps:
1. Re-image the PVS-vDisk to a local Hard-Drive from a Virtual-Server
2. Uninstall Citrix PVS Target Device Tools
3. Update of the VMWare Tools
4. Remove the E1000 Network Adapter and add the VMXNet 3 Adapter
5. Reboot the server
6. Install PVS 6.1 Hotfix 16 Target Device Tools
7. Create a new PVS-vDisk (with the updated settings and drivers)
Until now everything worked fine – but if we tried to start any server (except the master) with this PVS vDisk a blue screen was displayed. Unfortunately we were not able to read the full message because the server rebooted immediately. To stop this you have to press F8 before Windows boots (to get the selection menu with “Safe Mode” and so on) and select “Disable automatic restart on system failure” – now the system is not automatically restarted and you can read the full blue screen message. Interestingly the blue screen only displayed a stop 0x0000007B error – with no further details.
We started to check why this error occurred. The vDisk was not created using a static IP, nor was anything of the E1000 adapter left in the image. Furthermore it didn’t help to activate the “Interrupt Safe Mode” in the Bootstrap settings of the PVS-Servers (which should be ok because it was only needed for VMware 5.0).
Even a clone of the original master crashed with a blue screen while booting from the vDisk.
Citrix KB125361 describes exactly our problem: “Target Device Fails to Start with VMXnet3 Drivers” and “The target device fails with a STOP 7B Blue Screen error.” The article mentions a Microsoft hotfix which fixes the following problem: “"0x0000007B" Stop error after you replace an identical iSCSI network adapter in Windows Server 2008 R2 SP1 or in Windows 7 SP1” – sounds like our problem.
We removed the PVS Target Device Tools, installed the mentioned Microsoft hotfix (KB 2550978), installed the PVS Target Device Tools again, created another image and tried to boot our PVS targets. Again a blue screen – except for the cloned servers, which worked fine.
Oh ok?!? – But where is the difference? After checking the VM-Settings we found an interesting difference:
The cloned servers had the same “Ethernet???.pci” value (you can find these settings under VM-Properties => General => Configuration Parameters) – the newly created servers had a different value. After changing this to the same value on the newly created servers they booted without any problems.
In conclusion we had two problems to fix:
1. Install a Windows Hotfix to solve a problem with changing iSCSI Network Adapters
2. Change the Network Adapter ID inside the VM-Settings to the same number
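To find the VMs affected by the second problem, the “Ethernet???.pci” values of new targets can be compared against the master. The following is an added example, not code from the original post; it works on the text of exported VM configuration parameters, and the VM names, the parameter name ethernet0.pciSlotNumber and its values are constructed assumptions.

```python
import re

# Matches the per-adapter PCI parameters the post refers to as "Ethernet???.pci".
PCI_KEY = re.compile(r'^(ethernet\d+\.pci\w*)\s*=\s*"([^"]*)"\s*$', re.IGNORECASE)


def pci_params(vmx_text):
    """Return {parameter name (lower-cased): value} for every ethernetN.pci* line."""
    params = {}
    for line in vmx_text.splitlines():
        match = PCI_KEY.match(line.strip())
        if match:
            params[match.group(1).lower()] = match.group(2)
    return params


def compare_to_master(master_vmx, targets):
    """Map each target name to {parameter: (master value, target value)} per difference."""
    expected = pci_params(master_vmx)
    report = {}
    for name, vmx_text in targets.items():
        actual = pci_params(vmx_text)
        diffs = {key: (expected.get(key), actual.get(key))
                 for key in sorted(set(expected) | set(actual))
                 if expected.get(key) != actual.get(key)}
        if diffs:
            report[name] = diffs
    return report


# Constructed sample data (not from the post); key name and values are assumptions.
MASTER = 'ethernet0.virtualDev = "vmxnet3"\nethernet0.pciSlotNumber = "192"\n'
TARGETS = {
    "clone-of-master": 'ethernet0.virtualDev = "vmxnet3"\nethernet0.pciSlotNumber = "192"\n',
    "new-target-01": 'ethernet0.virtualDev = "vmxnet3"\nethernet0.pciSlotNumber = "160"\n',
    "new-target-02": 'ethernet0.virtualDev = "vmxnet3"\n',  # parameter missing entirely
}

if __name__ == "__main__":
    for vm, diffs in compare_to_master(MASTER, TARGETS).items():
        for key, (want, got) in diffs.items():
            print(f"{vm}: {key} is {got!r}, master has {want!r}")
```

A target that lacks the parameter altogether is reported with a value of None, so it is flagged as well as one with a differing number.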