
IE11 on 2012R2 VDA - user registry hive not saved


Stefano Losego

Question

Hi all,

I've a strange behavior with XA 7.6 and 2012R2 VDA.

I was able to reproduce the issue in a clean lab environment installed from scratch.

The environment:

(domain W2012R2 level, 1 DC)

1 server with DDC 7.6, StoreFront, DB (SQL Express) - W2012R2

1 server with VDA 7.6, terminal server, W2012R2

Standard Windows patches (updated as of January 2015), no Citrix hotfix in place.

The issue:

When a standard user opens IE11 and sets a personal home page, this is not retained after a graceful logoff and login. Digging in more detail, I've seen that the registry hive:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

is correctly filled during the session, but when the user logs off the registry is not written into the NTUSER.DAT.

For troubleshooting purposes, the user profile is not configured / managed (local profile) and there is NO policy at all in the lab, nor antivirus.

Please note:

I've verified that with a Windows 2012R2 server with RDS roles the issue does NOT occur, so I suppose it is something related to Citrix (UPM?)

I've also disabled (via services) the Citrix UPM but no change.

Anyone with the same issue with IE11 on 2012R2?

I've read something similar:

http://discussions.citrix.com/topic/357284-ie11-on-2012-r2-roaming-usernames-and-passwords/

but at the moment I've not verified whether I have the same problem too.

Any help is appreciated!

Thanks

Stefano

 

 


Hi guys,

For the initial issue of home page and IE settings, Citrix have suggested the following workaround for the existing profiles.

1. Log on to the ICA session and open the registry.
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and rename it to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main1.
3. Run IE and set the home page to your_homepage and close the instance.
4. Log off.
5. Log on again and run IE. You should see your_homepage as your start page. Further changes to the home page will also work.

We've tested on the prod env and I can confirm it is working.

Now we have to roll out via GPO/script to existing user profiles, while for new profiles the first workaround suggested is still valid.

Cheers,

Ste


Hi Stefano,

 

It's a bit dramatic to have to delete the whole "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" key structure. Personally, I would need a good technical explanation as to why you need to delete that whole key structure. So I'm not sold that you need to do that, but I stand corrected if wrong. I would want to further fault find to a specific subkey or value. Then you may be able to just use one or two Group Policy Preference registry settings to resolve it for existing profiles. And it could be a bug that we could all learn from.

 

Cheers,

Jeremy


Hi everyone

 

Spotted the same issue - I then tried upgrading from VDA 7.6/UPM 5.2.0 to VDA 7.6.300/UPM 5.3.0, but still the same.

 

I implemented the UPM as follows:

 

Dir's to synchronize:
AppData\Local\Microsoft\Credentials
AppData\LocalLow\Sun\Java\Deployment\Security
AppData\Roaming\Microsoft\Credentials
AppData\Roaming\Microsoft\Crypto
AppData\Roaming\Microsoft\Protect

 

Folders to mirror:
AppData\Local\Microsoft\vault
AppData\Roaming\Microsoft\Windows\Cookies
AppData\Local\Microsoft\Windows\INetCookies
AppData\Local\Microsoft\Windows\WebCache

 

GPP "create" with "apply once and do not reapply" and "apply in user's context":

Folder - %SystemDrive%\users\%Username%\AppData\Local\Microsoft\Vault 
Reg.hive - HKCU\Software\Microsoft\Internet Explorer\Main
 

This seems to work in our environment.

A lot of thanks and gratitude to everybody who contributed!!

 

Regards

Rasmus

Hi Rasmus

I am having the exact same issue. But I'm not using UPM. I'm just using GPO and a login script.

Could you guide me in the right direction to get the problem solved? I am also in a running environment so cannot delete the profiles.

/Christian


If you are not using UPM, there is no way afaik to sync or mirror files from \AppData\Local. I'm sorry. 

There could be ways to use scripts to backup and restore files from \AppData\Local to the user home for example, but to be honest I wouldn't try that. 

Is there a reason not to use UPM? After all it's free.

--
Marco Hofmann
www.meinekleinefarm.net

Hi

We had some major problems with our roaming profile setup at a customer. So right now we have a system with the following.

1 * StoreFront/Studio Server - Windows Server 2012R2

3 * XenApp 7.6.3 - Windows Server 2012R2

All users are forced onto one specific server. And they all have local profiles. Therefore I am confused. Why should it still be necessary to move AppData around to get the password saving and the home page that the user chooses to set? I am a bit confused about that.

Could someone assist me on this issue?

/Christian


Hi Christian, sounds like you're possibly not using roaming profiles and perhaps don't need to. As you say, if they are being forced onto specific servers, the settings would be saved on that server for that user, and therefore when the user logs back in the settings would be there, i.e. homepage/password etc.

Roaming profiles are best when you are saving the settings from a user session and then roaming those settings so that when you log back in on a completely different server you have all your settings.

Cheers
Danny

Hi Danny

That's correct. We have disabled ALL roaming profile policies because we had a very hard attack of malware/ransomware on the profile share.

Therefore we don't use roaming profiles at the moment. But in the long term we need to again. At the moment, all profiles are LOCAL, but when a user changes a home page in IE, logs off the session, and logs back in again, the home page is changed back. I have no policy saying that a user cannot change that. Does anyone know why this happens? I don't think I have to do all of the above due to the fact that the profile is local.

/Christian


To everybody:

Hi

That's correct. We have disabled ALL roaming profile policies because we had a very hard attack of malware/ransomware on the profile share.

Therefore we don't use roaming profiles at the moment. But in the long term we need to again. At the moment, all profiles are LOCAL, but when a user changes a home page in IE, logs off the session, and logs back in again, the home page is changed back to msn.com. I have no policy saying that a user cannot change that. Does anyone know why this happens? I don't think I have to do all of the above due to the fact that the profile is local.

/Christian

 


Hi Rasmus,

I used your posts to handle my password-saving problem but it doesn't work in my environment. Even worse: since setting up the policies and creating the vault folder I cannot even save passwords in IE11 during the same logged-on session.

So saved passwords are forgotten even when IE11 is shut down.

Do you have any idea what might be wrong in my setup?

Thanks for the help

The IE homepage problem could be solved.

Cheers, Stefan


Rasmus, 

 

For the reg setting "Reg.hive - HKCU\Software\Microsoft\Internet Explorer\Main"  what did you set it to do?  Update? Delete? 


Thank you to everyone for all of your fantastic contributions! It took us a considerable amount of time to resolve this and these forum posts were instrumental in getting the credentials to roam between VDAs!
 

One final point to add that eventually resolved this for us, beyond what appears to have been added as the "official fix" by Citrix here: https://support.citrix.com/article/CTX213190

 

We had to restart the Credential Manager Windows service for the Web Credentials to show up for the user in Credential Manager after logging on to a new server (we were troubleshooting this on Windows 2019 servers).

 

Also, it's a good idea to watch out for the existing "AppData\Local\Microsoft\vault" folder in the user's UPM as you may need to delete it from the UPM store and from the current session's AppData location and then recreate it with the below subdirectories for it to finally start mirroring correctly and roaming Web Credentials between servers.

 

AppData\Local\Microsoft\vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
AppData\Local\Microsoft\vault\UserProfileRoaming

 

Especially in our case, where we started off with the vault folder being in Directories to synchronize, rather than Folders to Mirror. There is a fantastic article here about the difference between the two in case anyone else finds it a bit confusing https://virtualfeller.com/2019/01/15/synchronize-vs-mirror/

 

I hope this helps anyone else with their troubleshooting that still has to deal with legacy support for Internet Explorer. It's 2020 already, and I can't believe people are still refusing to move on from Internet Explorer and also insisting on saving their passwords in the browser, but the client gets what the client wants!


@Michael Southwell, I'm also having the same problem, with the exception that it is Win Server 2016.

Since yours is the most recent report of success on this, I would like to ask exactly what you did, if you still remember, please.

 

Did you change anything about the Main key?
HKCU\Software\Microsoft\Internet Explorer\Main

 

Did you set to create the Vault folder and subfolders, what other folders?

 

Which folders were set to Sync and which to Mirror?

Do I need to Sync folders from the AppData\Roaming to the UPM profile, even though I have Folder Redirection enabled?

 

Also thanks for pointing out the link to the difference between sync and mirror! This is very helpful information!


So... after smashing my head through the table...

I used ProcMon and found what was going on!

A process named lsass.exe tries to write a .vsch file inside AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

However, it WILL NOT CREATE the folder if it doesn't exist!

Looking in ProcMon I was able to see the PATH NOT FOUND event, but nothing to treat this follows the event. (see attached image)

No error is issued for the user in IE, so you can even assume that the process went smoothly; however, looking inside AppData\Local\Microsoft\Vault you see that it is empty!

So I believe this article https://support.citrix.com/article/CTX213190 is wrong when it says to create AppData\Local\Microsoft\Vault
In my case I needed to create AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 (if the Vault does not exist it will be created recursively, no need for 2 items in the GPP)

After that, the .vsch was created upon saving and persisted across sessions.

I'm still not even sure if the AppData\Roaming stuff needs to be synced to the UPM profile if I already have Folder Redirection, but I fully followed the article and left the entries to sync and mirror as the article says.

 

Now onto "Chrome not saving passwords across sessions" problem... *sigh* (yes I'm synchronizing Login Data and Login Data-journal)

Key-Internet_Explorer_Vault.jpg


Hi Felipe,

 

I have replied to your PM, but I will include the response here also for the benefit of other people who are getting stuck:

 

 

We did not touch any of the registry keys.

 

We manually checked the users at first to make sure they all had the Vault folders, but once you set it up correctly, new users are created with the folders consistently so you don't need to check it.

 

AppData\Local\Microsoft\vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
AppData\Local\Microsoft\vault\UserProfileRoaming
 

If existing users are not persisting their credentials, ensure the vault folders are there and then restart the credential manager service once they land on the server to repair their credential manager vault.

 

I will list below the AppData Roaming and Local locations that we are persisting, but it is important to note that we DO NOT use GPO AppData roaming in our environment as this is very buggy and is just an all round bad idea when you can use Citrix UPM to roam everything you need anyway.

 

Directories to synchronize:
AppData\LocalLow\Microsoft\CryptnetUrlCache
AppData\Local\Microsoft\Credentials
Appdata\Roaming\Microsoft\Credentials
Appdata\Roaming\Microsoft\Crypto
Appdata\Roaming\Microsoft\Protect

 

Folders to mirror:
AppData\Local\Microsoft\Vault
AppData\Roaming\Microsoft\Windows\Cookies
AppData\Local\Microsoft\Windows\INetCookies
AppData\Local\Microsoft\Windows\WebCache

Also, Google Chrome credential roaming breaks regularly with random version updates, so we would recommend users sign up for a Google account (they can do this using their company email) and then this will allow them to roam their credentials and favourites etc between servers without issue.

Link to comment
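
The Vault folder check described in the last two posts, as an added PowerShell example that is not part of the thread and not Citrix tooling: it ensures the two Vault subfolders named above exist under each given profile, reports what it had to create, and can restart the Credential Manager service (VaultSvc) afterwards. The function name `Repair-VaultFolder`, the parameter names and the script layout are assumptions.

```powershell
# Added example (hypothetical script). Folder names are the ones quoted in
# this thread; parameter and function names are assumptions.
[CmdletBinding()]
param(
    # Profile roots to check. Default: the current user (logon-script use).
    [string[]]$ProfilePath = @($env:USERPROFILE),
    # Restart Credential Manager (VaultSvc) after a repair. Needs admin rights.
    [switch]$RestartVaultService
)

$VaultSubfolders = @(
    '4BF4C442-9B8A-41A0-B380-DD4A704DDB28',
    'UserProfileRoaming'
)

function Repair-VaultFolder {
    param([Parameter(Mandatory)][string]$ProfileRoot)

    $vaultRoot = Join-Path $ProfileRoot 'AppData\Local\Microsoft\Vault'
    foreach ($name in $VaultSubfolders) {
        $path    = Join-Path $vaultRoot $name
        $existed = Test-Path -LiteralPath $path -PathType Container
        if (-not $existed) {
            # -Force also creates a missing parent (Vault itself) in one call.
            New-Item -ItemType Directory -Path $path -Force | Out-Null
        }
        # One result row per folder: was it missing, and does it hold files yet?
        [pscustomobject]@{
            Profile = $ProfileRoot
            Folder  = $name
            Created = -not $existed
            Files   = @(Get-ChildItem -LiteralPath $path -File -Force `
                            -ErrorAction SilentlyContinue).Count
        }
    }
}

$results = foreach ($p in $ProfilePath) { Repair-VaultFolder -ProfileRoot $p }
$results | Format-Table -AutoSize

# Only bounce the service when something was actually repaired.
if ($RestartVaultService -and ($results | Where-Object Created)) {
    Restart-Service -Name VaultSvc -Force
}
```

A `Files` count that stays at 0 after a user has saved a password in IE indicates the write is still failing, which is the condition the ProcMon trace above showed as PATH NOT FOUND.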
