Björn Schläfli
-
Posts
278 -
Joined
-
Last visited
-
Days Won
15
Content Type
Forums
Articles
Labs
Videos
TechZone
Citrix Community Articles
Events
Profiles
Posts posted by Björn Schläfli
-
-
Hi KFI Service,
which versions do you use? Site, vda? Do you use VMware or other hypervisors? Do you use fslogix?
-
Jean, how did you disable fslogix?
-
Hi Jean,
thank you. We use 12.3.0. Then an update won't help either.
Which site and vda version do you use?
-
What hypervisors are you using?
VMware? Which tools version?
-
I just tested fslogix 2210 HF3 Preview. No success. I'm sure it's not a FSLogix problem. Yesterday I made a Procmon and CDF Control recording, which I will now analyze.I just tested FSLogix Hotfix 3 Preview. Without success. I'm very sure that's not the reason.
I have no case open at the moment. I'm still troubleshooting to get more and clearer information. I've recorded a procmon and Citrix CDF Trace yesterday which I will now analyze.
-
Interesting fact:
If I update the image manually (usually we use our software deployment solution to set up images) with one of the black screen patches the image boots after the patch installation only once. After that is stucks with a black screen after the vdisk status is displayed from pvs. If I install one of the good patches, e.g. 10th october 2023, the image machine reboots smoothly.
-
Hi all. We are affected also.
Windows 10 22H2, 2203 site. VDA 2203 CU3 and CU4. The issue starts with MS patch october 2023 preview 5031445 and still exists with january 2024 patch.
I'm troubleshooting for hours now.
I'm nearly sure it's not FSLogix related, since I've uninstalled FSLogix in a test image and tested with the same effect. Without FSLogix I should be able to login with a local profile if FSLogix would be the cause. I've also able to log on my test user in VMware console directly to a W10 Citrix target. The black screen only happens if I connect by a Citrix HDX ICA connection.
I've denied gpo's - same issue
Two different images are affected. Both newly set up completely (OS, apps...).
-
With Windows 10 pvs image patched with december 2023 update KB5033372 users are unable to log in. Stucks at a black screen. It works with MS updates up to october 2023 kb5031356. Starting with october preview kb5031445 the issue exists. 2 different images, newly set up completely. Site is 2203. Tested vda 2203 CU3 and CU4 with no luck. FSLogix 2210 HF1, HF2 and HF0.
The working environment is VDA 2203 CU3, FSLogix HF1, september 2023 patch.
It seems to be a Citrix issue, because I've uninstalled FSlogix completely but the issue remains and when I log my test user on directly in the VMware console it works.
Not working environment is VDA 2203 CU3 and later, FSLogix 2210 HF0 and later, october 2023 preview patch and later.
The following is noted in the Citrix 2311 CR known issues:
"You may see a black screen when launching a session if you have FsLogix 2201 HF1 installed on the session host. To address this issue, you must upgrade FsLogix to a newer version. [HDX-46159]"
We use 2203 LTSR, not CR and FSLogix HF2 doesn't fix it (which is the newest) neither.
-
Hi Johannes,
thank you very much for that idea. I appreciate. I think that covers more or less what I've mentioned in my post from 08. december 23.
That would mean I have to use an external dns entry per customer which is pointing to the same (single) gateway ip. That would also mean I would have to use a SAN certificate which I have to expand with every new customer.
I think it will be the simpler solution to use group extraction but use that in a similar way as your solution. AAA.USER.IS_MEMBER_OF("xyz") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix Receiver").NOT.
Thank you all. I now know variants of how I can accomplish this.
-
Hi Jeff
That's very kind of you. Thank you.
The nFactor drop-down solution is the one I use in the current configuration since a few years. I've thought about to use it for this new configuration but that's not possible, as we have a lot of customers and therefore I would have to create a huge drop-down selection and further I cannot publish our customers names in to the internet.
I think if we want to do it with one single entry point the only solution will be to configure a first factor with ldap noauth for group extraction and further factors in order to then assign the appropriate gateway and authentication policy.
-
I‘ve configured the redurection with usb device rule gpo setting connect: vid pid split=1 intf=3.
also enanled autoredirection of existing usb devices.
the redirection as generic for the hid is working. Audio is redirected as optimized. But the buttons on the head set to answer and end the calls are not working. They only work if I enable the workspace app gpo setting „enable audio through generic usb rediredtion“. The downside with this setting is that all audio devices are redirected as generic. The realtek audio is not recognized after and the audio output in the Citrix desktop session only goes through the headset.
I‘ve trying for hours and I’m out of ideas. -
Fixed it. Our CA admin used this article https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff961506(v=ws.10)
-
Hi Jeff,
thank you for your answer.
I think I don't understand what you're saying. 1 Content Switching server as a single external access point with 1 Gateway server attached. Then I would need a host name for each tenant, i.e. a DNS entry, but they all point to the same content switching server (plus a SAN certificate)? Or how should I generate different hostnames?
Then I could query the host name in the expression of the authentication profile and call the appropriate action, but that doesn't seem practical to me.
I'll give an example of what is necessary in my opinion, assuming 40 tenants that are to be made available via a single external access point. 20 of these tenants each access 1 Virtual Apps & Desktops site via the gateway:
- 1 external url for all users
- 1 gateway server for all users
- 40 authentication actions for every saml tenant configuration
- 40 authentication policies (Expression differentiates customers. How?)
- 1 authentication virtual server
- 1 authentication profile
- ? session profiles to send the users to one of the two sites
- Content switching server (Unified Gateway) necessary?Can group extraction be carried out via saml? How? The saml authentication action does not offer an option here like with ldap.
-
We now have one Netscaler gateway vServer with a drop-down to send the users to their site.
Soon we will have multiple tenants for every customer. Users should be able to authenticate to their EntraID (saml) with mfa. As I understand it, I need one Gateway vServer for each customer because I will have to configure one authentication server and authentication profile for each of them and bind it to the appropriate Gateway vServer. First I thought to use Unified Gateway, set expressions in cs policies to differentiate the customers and send them to the appropriate Gateway vServer but UG only supports 1 Gateway vServer.
The
Am I right, that I will have to configure one Gateway vServer for each customer?
Or shall it be possible to configure multiple authentication policies and bind them to the Gateway vServer?
-
I've configured the NTAuth store with the correct certificate and configured Read and Allowed to authenticate on DC OU for the issuing CA server (which besides should not be necessary with forest-wide trust as we have in our test environment). The Publish button is still greyed out "No certificate authorities were found".
certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS has been set.
The root certificate of the child domain exists in the root domain.
-
Our CA is installed in the root domain. Today certificates are published by CES (Certificate Enrollment Server). I've installed FAS in child domain, which has a two-way trust to the root domain. In FAS admin console the button publish and authorize are greyed out, as FAS is unable to find the CA. Is it possible to configure and make it work in this construct or do we have to install a separate issueing CA in the child domain, where the FAS server is a member?
-
I'm having this problem right now too. CPU 100%
Eventlog: remote database not connected. Exit
-
I would be interested to know how you deal with the increased storage requirement or is that not an issue for you? We have around 6000 user profiles. I read in Citrix Techzone that 6 GB per VHDX with Teams, OneDrive and Outlook cache are expected. For this amount of users, that's a huge amount of storage required. Otherwise what are your experiences with vhdx (fslogix or citrix) profiles for teams and onedrive?
Now our traditional citrix upm profiles are around 400 mb in size.
-
Do I need EntraID P2 licenses or are P1 enough for using Citrix FAS with EntraID (MFA, on-prem site)?
Techzone FAS indicates that a P2 is necessary.
-
I think you don't understand me correctly.
I have upm exclusions in use to exclude everything not needed (a user profile is approx. 150 mb in size). Also profiles will be deleted at logoff of course.
example:
user logs in, uses edge browser and has to download some vlc files needed for their work. These files have a size of up to 12 gb. If they choose %temp% as download path (although we set the path to user home drive as recommended setting) these files are downloaded to their local profile copy on the server and of course the write cache is then filled. When the user logs out the local profile is deleted and user's %temp% will not be written to profile share because it's excluded.
The problem here occurs while the user is actively working on the server and writing files to his profile. I cannot remove write access to his profile ? and I cannot set the download path as a must because some of theme need to be able to choose where they want to save downloads.
Is this more understandable?
-
I use Citrix UPM. What do you mean Simon? While the user is logged in everything written to it's profile is written to C drive and if it's a lot of data the write-cache in ram isn't enough and it will use the overflow (e.g. a user maybe uses an application which writes data to user's %temp%). So it's nothing else than cache.
-
Virtual Apps
PVS
50 GB Write-Cache Disk for every VDA multi-session
Some of our users download very big files (business need) in Edge browser. As they download it in their %temp% write-cache is filling up quickly. We've configured a gpo setting lately to recommend the download path to point to their user home share. Only recommended because users have to be able to change the download location. Some users changing the path to their temp again...
How do you guys configure download paths for browsers? It's a real "danger" for write-cache, if big downloads are written to the user profile.
-
Hi Carl,
ok. And thats one of the mentioned virtual desktops Microsoft means which is supported?
-
Hi,
maybe still the same issue since a long time.
Should be fixed, see https://support.citrix.com/article/CTX338807/users-may-fail-to-reconnect-or-start-a-new-session-on-virtual-apps-and-shared-desktop
I use vda 2203 CU2 and had to set the following reg keys:
HKLM:\SOFTWARE\Citrix\Ica\GroupPolicy
DWORD EnforceUserPolicyEvaluationSuccess
0
only for os 2019 and later:
HKLM:\SOFTWARE\Citrix\Reconnect
DWORD FastReconnect
0
Restart vda after.
Anyone else have problems with November patches kb5032189?
in App Layering 4.x
Posted
If I kill the frxsvc.exe process while the user's desktop shows black screen, the desktop is displayed shortly afterwards. That would point to FSLogix. But if I don't even have FSLogix in the image, I also have the black screen, which just doesn't make any sense (veryfied once again).