Citrix Workspace Single Sign On Woes

In today's world, your security team is probably constantly pushing for settings to secure the environment. These may come from any vendor as suggested environment settings that will protect you against attacks. I love when things are secure. I have an alarm system and a bunch of cameras in my house just so I feel safe. However, not all security settings will make Citrix professionals happy. One setting in particular will break your single sign-on, and the configuration checker will not point you in the right direction.

So what happens? Your single sign-on to Workspace has been working like a champ for years. It has worked through all the different VDA and Workspace versions, and then all of a sudden it breaks. Now, there are some Windows 11 gotchas out there that I won't go into in this post, but if you suddenly can't get Windows 11 to SSO and you are not using Enhanced SSO, then this could be an issue with MPR notifications: https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication.html

But back to the issue that you might run into without any obvious sign as to why it happened:

Restricting NTLM!!!!

Yep: if the RestrictSendingNTLMTraffic value under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 is set to any value other than 0 or 1, you will break legacy SSO for Citrix Workspace. The symptom is that you are prompted to sign in to Citrix Workspace on desktops and/or VDAs that have Citrix Workspace installed.

Workaround: If you are not on VDA 2311 or higher, upgrade your environment and use Enhanced SSO, which uses Kerberos. If you can't upgrade yet, use one of these two methods.

Registry Method

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

ClientAllowedNTLMServers Multi-String Value: <storefront base url>

or

GPO Method

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -> <storefront base url>

Yep, that's it!!! Once you do this, your SSO will begin working again.
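As an added example (not part of the original post), the following PowerShell reports the current RestrictSendingNTLMTraffic value and adds only the StoreFront host to ClientAllowedNTLMServers, so the NTLM restriction your security team asked for stays in place. The host name is a constructed placeholder; it assumes the values are managed locally in the registry.

```powershell
# Added example, not from the original post: report the current outbound-NTLM
# restriction and add the StoreFront host as a scoped exception, keeping the
# hardening in place rather than setting RestrictSendingNTLMTraffic back to 0.
# The host name is a constructed placeholder; run elevated.
$Key            = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$StoreFrontHost = 'storefront.example.internal'   # assumption: host part of your StoreFront base URL

function Get-NtlmRestrictionState {
    $v = (Get-ItemProperty -Path $Key -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $v) { return 'Not configured (allow all)' }
    # 0 = allow all, 1 = audit all; anything else denies and breaks legacy Workspace SSO
    switch ($v) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        default { "Deny ($v): legacy Workspace SSO breaks unless StoreFront is excepted" }
    }
}

function Add-NtlmServerException {
    param([Parameter(Mandatory)][string]$ServerName)
    # ClientAllowedNTLMServers is the REG_MULTI_SZ that the GPO
    # 'Add remote server exceptions for NTLM authentication' also writes.
    # Piping through Where-Object drops the $null returned when the value is absent.
    $existing = @((Get-ItemProperty -Path $Key -Name ClientAllowedNTLMServers -ErrorAction SilentlyContinue).ClientAllowedNTLMServers |
        Where-Object { $_ })
    if ($existing -contains $ServerName) { return $existing }   # idempotent: already excepted
    $updated = [string[]]($existing + $ServerName)
    Set-ItemProperty -Path $Key -Name ClientAllowedNTLMServers -Value $updated -Type MultiString
    return $updated
}

Write-Host "RestrictSendingNTLMTraffic: $(Get-NtlmRestrictionState)"
$allowed = Add-NtlmServerException -ServerName $StoreFrontHost
Write-Host "ClientAllowedNTLMServers: $($allowed -join ', ')"
```

On domain-joined machines where a GPO manages these values, the next policy refresh overwrites local edits, so make the change with the GPO method above instead.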



FSLogix vs. CPM Containers

Everyone knows that I have been a huge promoter of FSLogix since its inception many years ago. However, Citrix Profile Management (CPM) has come a long way. It offers profile containers similar to FSLogix but with more advantages. See the table below for key feature differences. One of the biggest selling points of CPM is that it comes with Citrix. There is nothing additional that you need to install to get it to work, and it works pretty effectively out of the box.

Feature                         | CPM Containers | FSLogix
--------------------------------|----------------|----------------
Multiple Locations for Profiles | Yes            | Yes
Office Data Handling            | Yes            | Yes
AppxPackage Handling            | Yes            | Yes
Asynchronous GPO Processing     | Yes            | No, Synchronous
Auto Expansion                  | Yes            | Yes
Multi-Session Access            | Yes            | Yes
Profile Exclusions              | Yes            | Yes
Deduplication                   | Yes            | No
Large File Handling             | Yes            | No

As you can see, CPM stands up against FSLogix pretty well, including asynchronous GPO processing, which makes logons much faster with CPM than with FSLogix.

I am not saying go out and switch but I would definitely try it out.




Citrix FAS - Why do I need it?

So, my customers often ask me why they need Citrix FAS when they are trying to decrease the number of servers they manage while going from Citrix on-prem to Citrix Cloud.

Simply put, you don't need it unless you use a third-party authentication solution that Windows will not recognize. This includes Entra ID.

Federated Authentication Service (FAS) lets Windows log the user on when the desktop launches without prompting for additional credentials. FAS uses a smart-card-like certificate to log the user on with the identity they have already authenticated. FAS works for both on-prem and Citrix Cloud environments. So, looking to implement Entra ID and MFA for your users? Then FAS will fix that really awful pain point you discover once you've turned it on: Windows prompts stating you entered bad credentials.

So what do you need to start?

  • At least two servers running the FAS software
  • As a best practice, you should have a two-tier PKI environment in place
    • one Offline Root
    • one Online Sub
  • Run the FAS wizard to configure your PKI to work with FAS
    • Deploy the Certificate Templates
    • Set up the Certificate Authorities
    • Authorize FAS to use the CAs
    • Configure the rules
    • Connect FAS to the Cloud if needed
  • Install the FAS ADMX and ADML files on your DCs
  • Create a GPO at the root of your Citrix OU so that all Citrix machines receive the FAS information.
  • Add the FAS servers to the list of FAS servers
  • If you are using on-prem StoreFront, then you will need to configure StoreFront to work with FAS.
    • Run this script on the StoreFront server to enable FAS.
    • Modify the variable $StoreVirtualPath to reflect the organization's true store name.

      # Load the StoreFront PowerShell modules
      Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
      # Change this to your store's virtual path
      $StoreVirtualPath = "/Citrix/Store"
      $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
      $auth = Get-STFAuthenticationService -StoreService $store
      # Hand claims and VDA logon data to FAS
      Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
      Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

After you have completed the above and FAS shows all steps as green, you can proceed to testing successful logins with your third-party authentication solution. Happ

LTSR Woes

Don't stop upgrading...

I have noticed over time that many organizations are picking LTSR and forgetting to upgrade. I have updated quite a few environments from 7.15 LTSR because they were so far behind the upgrade path.

What is LTSR?

LTSR (Long Term Service Release) provides stability and long-term support. It offers 5 years of mainstream and extended support.

Is this a good thing?

For organizations that wait a while between upgrades, like 3 to 5 years, yes, because during that time you are still within the support cycle.

Why is this becoming a bad thing?

Organizations are going beyond the 3-to-5-year cycle and also not keeping up with the Cumulative Updates (CUs). For instance, to upgrade to 2203 LTSR, you must be on at least 7.15 CU5. If an organization installed 7.15 and stopped there, it must choose a path to upgrade to the latest LTSR. Recently, this update required two separate maintenance windows: one to upgrade to 7.15 CU5 and a second to update to 2203 LTSR.

Choosing whether or not LTSR is the right path for you and your organization doesn't have to be a difficult decision. However, choosing LTSR does not mean you stop updating your environment. Consider Citrix CUs as Windows Updates. We patch to keep our environments healthy.

Don't let LTSR be a phrase that causes woes when it was meant to cause relief.

StoreFront Update Errors...Is Telemetry running?

It is the middle of your maintenance window and you are updating StoreFront servers...

All of a sudden, you receive one of those helpful errors that mean absolutely nothing to you!!!!

Now what?

In my experience, all roads lead to the Telemetry service. I stop this service before any upgrade on StoreFront servers. It has fixed the issue and let me finish my upgrade each time.

Why?

No clue, but at least if you run into this at 2 a.m. and you are really sleepy, you can try it and save yourself hours of researching via Google!!! You're welcome!!!

XPS Printers causing log off to fail on Windows 2019

Built a new 2019 server and installed the same software as on the 2016 server. Users log on but do not successfully log off. You try uninstalling and reinstalling the VDA, but you get the same result. Check the Event Logs and you may see Metaframe warnings. If you see Metaframe warnings for XPS printers, then this may be your culprit.

Open your Citrix Policies and check your XPS Session Printer filter. The default rule for the XPS printer does not include an asterisk (*). This means there can be a conflict between the printer on the 2019 server and the one on the user's machine.

Edit the XPS Document Writer entry to include "*". Have users log off and log back on. This should resolve the issue.


ADC PCoIP Gateway + Cisco DUO

So for this configuration, I used Carl's article (https://www.carlstalhood.com/netscaler-gateway-12-pcoip-proxy/) and Duo Radius Configuration (https://duo.com/docs/radius). 

When configuring the Duo Auth Proxy, use Auto instead of iFrame. iFrame will give you the Duo auth page only via the web, and you will also not be able to see the apps after the login. The Horizon Client will never show the iFrame.


ADC (NetScaler) Upgrade - LDAPS go bye bye???

So you upgraded to 13.0 79.64 and your LDAPS stopped working?

So, there are a few options to fix this.

You can modify your LDAP to use 389. 👎👎👎 This is not a good idea; please don't do that.

You can edit your LDAP monitor and clear the Secure checkbox. 👎👎 I wouldn't do this either, but if you must! Just don't tell anyone that I said it.

The best solution, and what worked for me, is to make sure your LDAP monitor has the filter cn=builtin. If this doesn't fix the issue, then also make sure your service account isn't locked out. After the upgrade, the monitor tries to do its job and fails (likely locking the account out).


Update: This is still an issue in later builds. I've seen some forums state that changing the Bind username from DN to UPN, or from UPN to DN, also fixed the issue. Neither of these worked for me.

What's in your profile management solution?

So one of my most frequently asked questions is....(drum roll) which profile management solution do you use?

My answer today is always FSLogix! Why? It's truly the simplest way to deliver a persistent profile solution in a non-persistent environment!

If you combine FSLogix with Folder Redirection, then you can provide a great experience for users.

FSLogix is a small agent that can be installed within all VDI/Published Apps environments. It is the default profile management solution for Microsoft's Azure Virtual Desktop.

FSLogix settings can be applied via registry keys or Group Policy. The preferred and easier method is Group Policy, which requires copying the ADMX/ADML files that come with the download into your domain environment.

If you've never used FSLogix, then it is worth noting that it does require a storage location. It works great on most storage solutions, but do not place FSLogix containers on a DFS share with replication enabled.

My favorite and suggested GPO settings:

  • Swap component names: Please make sure to do this. If you do not do this before your deployment, then it shows the user's SID first and then their sAMAccountName. So basically, you will sort on their SID, which can be very difficult to manage.
  • Do separate out the Profile and Office containers. FSLogix allows you to use only the Profile Container or only the Office Container. My recommendation is to use both. This configuration allows you to remove the Office Container without having to remove the user's other profile data, or vice versa.
  • Move temp, tmp, and inetcache to the local profile. This setting reduces bloat in the profile.
  • Use Dynamic instead of Fixed. Unless you just have storage to waste, do not set the profile to Fixed. Also use VHDX if your storage solution supports it.
  • DO NOT use the Windows Search feature for Windows 10/Windows Server 2016 and above. It will just work if you don't use this feature.
  • Use the redirections.xml file to reduce the amount of data within the Profile Container.

Because you will reduce the amount of data in the profile container almost immediately with Folder Redirection and the redirection of temp files, you will want a strategy to handle the white space created within each VHDX. There are scripts and other options out there to do this; my personal choice is ShrinkFSL.exe. It is both a GUI and a command-line executable. I set it to run nightly against the root folders through Task Scheduler, and this shrinks the files. The file can be downloaded here.
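As an added example (not the post's own script and not from Microsoft), this PowerShell audits a VDA against the registry equivalents of the GPO settings recommended above and applies them when run with -Apply. The value names are the FSLogix-documented ones as I know them (assumption: confirm against your FSLogix version, since RoamSearch has been deprecated in newer builds), and the UNC share paths are constructed placeholders.

```powershell
# Added example, not from the original post: audit (and with -Apply, set) the registry
# equivalents of the GPO settings recommended above. Value names are the documented
# FSLogix ones as I know them (assumption: verify against your FSLogix version);
# the UNC share paths are constructed placeholders. Run elevated.
param([switch]$Apply)

$Desired = @{
    'HKLM:\SOFTWARE\FSLogix\Profiles' = @{
        Enabled                      = @{ Type = 'DWord';       Value = 1 }
        VHDLocations                 = @{ Type = 'MultiString'; Value = @('\\fileserver\Profiles$') }
        FlipFlopProfileDirectoryName = @{ Type = 'DWord';       Value = 1 }     # "Swap component names": username_SID
        IsDynamic                    = @{ Type = 'DWord';       Value = 1 }     # Dynamic, not Fixed
        VolumeType                   = @{ Type = 'String';      Value = 'VHDX' }
        RoamSearch                   = @{ Type = 'DWord';       Value = 0 }     # do not roam Windows Search
    }
    'HKLM:\SOFTWARE\Policies\FSLogix\ODFC' = @{                                # separate Office container
        Enabled                      = @{ Type = 'DWord';       Value = 1 }
        VHDLocations                 = @{ Type = 'MultiString'; Value = @('\\fileserver\Office$') }
        FlipFlopProfileDirectoryName = @{ Type = 'DWord';       Value = 1 }
        IsDynamic                    = @{ Type = 'DWord';       Value = 1 }
        VolumeType                   = @{ Type = 'String';      Value = 'VHDX' }
    }
}

# Compare one registry value with the desired value and return a one-line verdict.
function Test-FslogixSetting {
    param([string]$Path, [string]$Name, $Expected)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $want = @($Expected) -join ','
    if ($null -eq $current) { return "MISSING  $Path\$Name (want $want)" }
    if ((@($current) -join ',') -ne $want) { return "DRIFT    $Path\$Name = $(@($current) -join ',') (want $want)" }
    return "OK       $Path\$Name"
}

foreach ($path in $Desired.Keys) {
    if ($Apply -and -not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $Desired[$path].Keys) {
        $setting = $Desired[$path][$name]
        Write-Host (Test-FslogixSetting -Path $path -Name $name -Expected $setting.Value)
        if ($Apply) { Set-ItemProperty -Path $path -Name $name -Value $setting.Value -Type $setting.Type }
    }
}
```

Run it without -Apply first on an image that already has the GPO applied; every line should read OK, and any DRIFT line points at a GPO that is not doing what you think.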



VDI - What's the right size?

So I get customers asking me this all the time. Here's what I will tell you right away: it is NOT 2 vCPUs!!! 2 vCPUs with Windows 10/Windows Server 2016/Windows Server 2019 will just make your users unhappy. Why? Because if they are using Chrome and/or Office, then the CPU will be grinding away on just those apps.

Suggestions? At a minimum, for a single-session VDI, use 4 vCPUs and 8 GB of RAM. This specification is for your average (non-power) user. If you are an Azure VDI user, then I would suggest the burstable B4ms VM. It is cheaper than your other options and still gives the user the power they need to do their work.

What about multi-session VMs like Azure Virtual Desktop/Citrix/Horizon? You want to ensure each logged-in user has at least 1.5 to 2 vCPUs. So on a 10 vCPU box, you are looking at about 6 users per box if you are sizing for the experience. Your users will complain a lot less if they have the CPU power to do their work.

Most customers will believe they need more RAM as a resource. Sometimes that is true, but oftentimes the user experience is improved by vCPU adjustments. Trust me, you will thank me later!!

By the way, you will likely never see the spikes or the issues using monitoring tools outside of the VM, so don't rely on that.

Citrix Cloud - My Machines Are Shutdown

This issue actually occurs on-prem as well, but I have only seen it recently with my customers who have machines in Azure and in their on-prem vSphere datacenter.

They set their machines to perform a reboot. The interval doesn't appear to matter. The symptom is that by the morning, some of the machines are still shut down. They must be manually powered back on, and then everything operates normally. It will continue to occur, and the machines that are shut down are never the same.

The reason this occurs is that Citrix has an internal time-out: if an action doesn't complete, it stops the action. When you set a Citrix Delivery Group to reboot, Citrix sends a signal to the Hosting Connection to perform a shutdown. Once the hosting connection reports that the machine has been shut down, Citrix sends another signal to power the machine back on. If the shutdown signal is not received before the time-out, Citrix never sends the signal to turn the machine back on.

To resolve this issue:

  • Log in to the Citrix Cloud Connector (it already has the Citrix Cloud PowerShell SDK installed)
  • Open PowerShell
  • Run asnp Citrix*
  • Run Get-XDConnection (log in with your Citrix Cloud credentials)
  • Select the appropriate customer account if connected to multiple accounts
  • Run the following commands:

      Set-BrokerServiceConfigurationData 'HostingManagement.MaxRegistrationDelayMin' -SettingValue 60
      Set-BrokerServiceConfigurationData 'RebootSchedule.MaxShutdownDelayMin' -SettingValue 50



Reference article: https://support.citrix.com/article/CTX272494
