[Logon Type 8 (plain text) for BrokerService.exe on Delivery Controller]

Hi guys,

I keep getting eventlog entries on the delivery controller saying that plaintext password was used.

This happens during log on through Netscaler and whenever I start a published application.

Setup is Win2019, Citrix 1912 CU2, Netscaler 13

What I've already done to secure communication channels:
 

- Bind certificate to IIS on Storefront servers for Default Website port 443,  but kept default port 80
- Set communication with DDC on each SF-Store to HTTPS
- Install certificate on DDC
- Register certificate with brokerservice.exe (netsh http add sslcert...)
- On Netscaler set STA to https for Citrix Gateway Virtual server

- LDAP policies (LDAP server) authentication is set to SSL, Port 636

 

What am I missing ? Do I need to enforce SSL at some point?

Thanks a lot

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DDC.MyDomain
Description:
An account was successfully logged on.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:        DDC$
    Account Domain:        MyDomain
    Logon ID:        0x3E4

Logon Information:
    Logon Type:        8
    Restricted Admin Mode:    -
    Virtual Account:        No
    Elevated Token:        Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:        MyDomain\MyUser
    Account Name:        MyUser
    Account Domain:        IBLZ
    Logon ID:        0x838503BF
    Linked Logon ID:        0x0
    Network Account Name:    -
    Network Account Domain:    -
    Logon GUID:        {AnyGUID}

Process Information:
    Process ID:        0xd24
    Process Name:        D:\Program Files\Citrix\Broker\Service\BrokerService.exe

Network Information:
    Workstation Name:    DDC
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

 

[Icons delivered by Storefront disappear at Selfservice.exe refresh]

As a workaround we decided to provide the applications by copying shortcuts to the startmenu which then calls the published app

"D:\Program Files\Citrix\Online Plugin\ICA Client\SelfServicePlugin\SelfService.exe" -qlaunch "YourPublishedAppName"

Hope that of any help 

[Teams without tenant]

Hi guys,

I hope you can advice me on some best practises for this scenario.

Our environment is Virtual Apps 1912LTSR CU3 on Windows server 2019, clients with current Workspace App.

 

I know there's a huge manual about optimizing Teams in Citrix (https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/multimedia/opt-ms-teams.html), just wondering if this is all neccessary and applicable in my situation.

My client doesn't have its own MS tenant, they only want to participate in meetings set up by externals. So their users don't have a O365 account and there is no on-premises Teams  environment.

What would be the best way to install the Teams client on the VDA and use optimization with Workspace App.

Where can I get the appropiate Teams Client from MS (their downloads are bit confusing)?

 

Thanks a lot

[Icons delivered by Storefront disappear at Selfservice.exe refresh]

Hi guys,

I wonder if this is by design or what am I missing here.

Setup is Windows 2019 with Citrix 1912 CU2 and UPM

When a user starts a  desktop he receives applications through a Storefront Store and they appear in the startmenu just fine.

When a user pins a shortcut to an application to the desktop or taskbar, logs off, logs on again, the icons disappear.

You can see this is happening on refreshing apps, that is starting Workspace App and refreshing applications or starting selfservice.exe -poll

If we don't refresh apps (usually through logon script), the icons remain white but are useable

 

[Migrate profile OS version and move to new store]

Hi there

I'm looking for a way to accomplish the following task

Old Profile Dirfor Win2012R2: ...\TSProfileXA7$\#SamAccountName#.!ctx_osname!\ -> Testuser.Win2012R2

New profile Dir for Win2019: ...\TSProfileXA2019$\#SamAccountName#.!ctx_osname!\ ->Testuser.Win2019

 

'Migrate User Store'  ist set to ...\TSProfileXA7$\#SamAccountName#.!ctx_osname!\

'Path To Userstore' is set to : ...\TSProfileXA2019$\#SamAccountName#.!ctx_osname!\

'Migration of existing profile' is set to: Local & Roaming

'Automatic migration of existing application profile' is set to: Enabled

 

The idea is to migrate old profiles from Win2012R2 to Win2019 AND move them to a new store in the same step

 

Migration to Win2019 works fine if I don't enable 'Migrate User Store'

 

When I enable 'Migrate User Store', UPM looks for a Win2019 profile in the old Store, which doesn't exist. So a new profile in the new store is created

 

Is it possible to do both task in one step?

 

Thanks a lot

[Vdisk is not available in PVS1912]

We finally figured it out ourselves. It turned out my collegue had converted the local c:\ drive into a dynamic disk because he was tight on disk space for the inplace upgrade. Since the docs only mention this as being incompatible with the write cache disk, he didn't bother.

After using the ver first version of the reverse image which was a basic disk, verything worked fine.

Citrix really needs to update their docs because this and the incompatiblitiy of GPT partitions is only mentioned regarding the write cache disk,not the c:\ drive

 

[Vdisk is not available in PVS1912]

Hi there

hope someone can help me on this

 

We did a reverse image of a Win2012R2 / Ctx 7.15 device, uninstalled all Citrix components and Vmware Tools.

Then we did an inplace upgrade o Win2019 and installed VDA and PVS target software for ctx 1912CU2

PVS server is 1912CU2, fresh install

target device boots from iso image and connects to pvs server just fine.

vdisk is found during boot process and is visible in tray icon

 

Nevertheless i receive the following error after rebooting

 

If I start P2PVS.exe manually, I get this one

A file cannot be created if it already exists

 

According to https://support.citrix.com/article/CTX133272, I checked:

one network card, is vmxnet3, no ghost nics

IP6 is off

vdisk is in private mode

no locale virus scan, guest introspection via vmware

 

There are tons of filter drivers, but I don't know what they are used for or how to change their order

 

This has been driving me crazy for two days now

 

Thanks a lot

 

 

[PVS compatibility Windows 2012R2 / 2019 & PVS 7.15 / 1912]

Hi guys

we are planning a farm upgrade from Citrix 7.15 to 1912 LTSR AND Windows 2012R2 to 2019

I'm struggeling wih PVS server/target device compatibility.

Can I connect a Windows 2012R2 /7.15LTSR target device to a Windows 2019 / 1912LTSR PVS server?

If not, what would be the best path to upgrade?

 

For pre-testing purposes of target devices, which target device version works on Windows 2019 that can connect to PVS 7.15 PVS server?

 

Thanks

[Sort favorites in Home Tab on SF 1912]

Hi there

I just upgraded successfully to SF 1912. 

My question is: Is there a way to sort icons on the home tab/favorites?

As of now they are all unsorted, perhaps in the order they were added years ago.

But since there is no way of rearraning them by he user himself, can we just sort them alphabetically ?

Thanks

[Change password of Storefront service accounts?]

Hi

my client wants to change passwords of all service accounts.

So is it possible/recommended to change the passwords of SF service accounts like 

NT SERVICE\CitrixClusterService

NT SERVICE\CitrixConfigurationReplication, etc
 

If possible, how can I achive this and what Storefront tasks need to be done afterwards, i.e change password in SF services etc

 

Thanks a lot

[Upgrade from Storefron 7.15 CU6 to 1912 with Windows 2012R2 to 2019]

Hi guys, hope you can give me some advice on this.

My client want to migrate from Win2012r2 to Win2019 and from XenApp 7.15 to 1912

My original idea, as found in a CTX article, was to set up two new Servers with Windows 2019, install SF 7.15 CU6, Export/import SF settings and upgrade to SF 1912.

But according to the product manual, SF 7.15 is not supported on Win2019, only up to Win2016.

Would it work anyway or do I have to get two temp. server 2012R2, do the SF upgrade as planned and then move to Win2019 in a second step?

Thanks a lot

[Maximum Number of PVS servers with 1912]

18 hours ago, Carl Stalhood1709151912 said:

I think the bootstrap only supports 4 entries but otherwise I'm not aware of a limit.

Thanks Carl

[Maximum Number of PVS servers with 1912]

Hi there

can anybody pls tell me the maximum number of PVS server per farm and/or site with 1912?

I guess it was 4 servers per farm in 7.15, but I can't seem to find any info for 1912.

Thanks a lot

 

[Command policy for SFTP]

Hi there

I'm running a Netscaler VPX 13 and I need a user who is only allowed to download log filesv ia SFTP

I understand, that I can't limit him on directory level and that's ok.

 

I created a command policy which only allows  (^sftp.*) and he can log on just fine.

But he can also do everything on file level, like renaming, deleting, uploading etc

He is only assigned this policy. Adding the default read-only policy doesn't change anything.

 

Is there a way to limit him to

- log on

- change directory 

- download (get)?

 

Thanks a lot

 

[NetScaler - delegated access to NSlogs]

On ‎6‎/‎11‎/‎2019 at 1:04 PM, Anthony McCloat said:

Many thanks.

Appended "|(^sftp.*)" to the end of my existing expression and resolved my problem.

Can you share your custom exporession please. I have the same issue

Tried to extend the default read-only policy by adding "|(^sftp.*)", but can't login  via SFTP

Thanks a lot

[Expand Disk Drive]

I have the same question. We need to keep the logfiles for an extend period of time and I'm worried /var will not be big enough. Netscaler VPX13 on Vmware.

So if I attached a second disk, where would this additional space go? To the / filesystem?

[OneNote cache corrupton with UPM]

I'm facingthe same issue on Win2012R2, Office2016, Citrix 7.15Cu4

Did you find a solution?

[Can't logon to netscaler LDAP& RSA with token in new-pin mode]

Hi there,

I've set up a netscaler VPX v 13 (CAG only license) to authenticate via LDAP & Radius, Radius on different appliance

LDAP only works fine

Radius services show online in netscaler and monitor with testuser authenticates fine, too.

 

My problem is that I can't connect with LDAP plus RSA token.

According to the Radius guy the token is in new-pin mode and therefore requires to set a new pin on first Login.

But the window to set a new pin doesn't come up when I try to connect, ,neither via Receiver For Web nor for Receiver Self Service

I can't find any clue as to whether this would even be possible.

Any help is very much appreciated

Thanks

[XA78 - Open multiple desktops - single icon]

I know this post is pretty old, but did you find a solution?

We have the same Problem with Xendesktop 7.15

 

- Set-BrokerEntitlementPolicyRule "DeliveryGroup" -SessionRecoonection DisconnectedOnly run on DG

- GPO RDS Setting "Restrict eah user to a single session" - Disabled

 

Doesn't work neither on Webinterface nor on SF

Webinterface Settings are the same as for the old XA 6.5 farm where it works perfectly.

Not matter if I disable or enable Workspace Control, makes no difference

 

Thanks