Jump to content
Welcome to our new Citrix community!
  • 0

Extra login screen during logon


Dennis van der Velde

Question

Hello all,

 

In december we had this very fun issue (https://discussions.citrix.com/topic/417772-very-slow-boot-times/)

 

Now since 8/9 march we´re seeing an extra inlog screen during the start of a session, which in turn makes it look like the average session login duration went up over the last month.

Also going to any website has quite a delay before the content is shows, the problem is that this comes and goes in waves and differs between users.

 

We suspect that this might be a defender issue again, but so far had no luck with testing.

 

2023-04-2009_57_19-Window.thumb.png.3f5babed003f537ae0a6e35017815ece.png

(in the attached screenshot you can see the average login duration, there are always a few outliers, but here we see the average trending upwards.)

Edited by Dennis van der Velde
typo
Link to comment

7 answers to this question

Recommended Posts

  • 0

We make a new disk every month, but going back to the february or older builds does not have any impact.

We have a separated test environment which also shows this behaviour.

We took PVS out of the equation and can still reproduce the issue.

 

All these factors make us think that it is something like defender or network related, anyone ran into something similair?

Link to comment
  • 0
On 4/20/2023 at 2:28 PM, Martijn Kools1709163625 said:

What profile solution are you using?

 

Can you check Director and drill down to see which component takes such a long time during logon?

 

I don't know if the double logon is related, that sounds like a FAS issue?

 

We´re using fslogix (2201), and Vmware DEM, no recent changes here.

 

And the 2 components that seem to take the longest are the GPO´s or Interactive session.

 

You select a desktop on storefront, and then you see a logon box before the user policies are being applied.

Link to comment
  • 0

Does it sit on that login box for a while, and then eventually continue the sign in?   We had that.  It was because the master image had accidentally been joined to Azure AD, which is an unsupported configuration.  Then the machine account in AAD was deleted, and all the child machines started throwing errors and long pauses, especially around login time.


From a child machine, open up a command prompt and type:

 

dsregcmd.exe /status

 

If it's in AzureAD, it will show up in there.

Link to comment
  • 0
17 hours ago, Michael Burnstead1709159565 said:

Does it sit on that login box for a while, and then eventually continue the sign in?   We had that.  It was because the master image had accidentally been joined to Azure AD, which is an unsupported configuration.  Then the machine account in AAD was deleted, and all the child machines started throwing errors and long pauses, especially around login time.


From a child machine, open up a command prompt and type:

 

dsregcmd.exe /status

 

If it's in AzureAD, it will show up in there.

 

That is exactly what happens, but it's not joined in AAD ?

 

As added problems we also see that Nvidia licences are not being released on logoff and when going to a webpage sometimes there is a 6-8 seconds waittime before the content loads.

In logging we can see that this time is DNS lookup, but our network department cannot see this time on their side, so it seems like the VDI is holding in the request and waiting for something.

Link to comment
  • 0

What do you see when you run that dsreg command?

 

The other trick I found (which is probably related) is if you start up the master image, disjoin the domain, reboot and then rejoin the domain, the problem also went away.   That might be worth trying.  But in our case I have found the permament fix was to move the master image into an OU which isn't synced with AAD, run the dsregcmd to leave AAD, and then reboot and seal up the image.   Reg keys were set to 0 in WorkplaceJoin key for autoWorkplaceJoin and BlockAADWorkplaceJoin.


Anyone reading this and wanting to try it - be aware that as soon as you run the command on the master to leave AAD, it will break all the child machines until you push the new image with those reg keys set because they all have the same AAD machine account.  Do it out of hours.

 

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...