Wednesday, September 4, 2013

Citrix Hooks - Troubleshooting

Citrix Hooks - Troubleshooting

After clicking on a link via published Internet Explorer that opens a streamed VNC session through an ActiveX control, VNC does not display

This morning, one of my clients upgraded their internal site that allows users VNC access to the point of sale computers. They were able to log in, but unable to launch VNC. You could see that the vnc session was opened, but to the users, they could not see the window at all. They were getting to the internal site via published IE8 in a XA6 environment.

First thing was to see if it was a hook that was causing the issue. To disable all hooks, you will need to have the following registry "DWORD" in place
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI\" 
    • "SeamlessFlags"=dword:00e6dea7


Now after killing all my sessions and then launching IE, the second VNC window opens. This tells me there is an issue with one of the hooks. Until I found out there was a GUI that sets the hooks auto-magically for you, I used to manually se the hooks in the registry. The easy way to do it is to use a tool called

Now for the fun part. To my knowledge it’s basically a guessing game to narrow down which hook you need to set. I personally do 6 at a time and then whittle it down to which specific one it is. What you need to do is after checking the boxes next to the hooks you want, click on “Set Values”, then close all your Citrix sessions and re-launch your app for testing. In my case, the issue is with

Not so fast! At this point you know the hook, but this is a global setting. This will apply to all published apps. To narrow it down to a specific app you need to find the “ClassName” that is being affected. To do this, I use an app called
After opening the application, hover over the area of the application that is launching the secondary window/app that is not displaying correctly. This will give you the “Class”
  • Internet Explorer_Server 

Now go back to the Farm Helper app and add in the Class Name

This will then pop up the following window

Click on one of the boxes (anyone), and then click on “Set_Values”

This will setup a new registry key under TWI called Internet Explorer_Server. It is all though going to have the wrong “Data” for “Type”. Open up the “Type” DWORD and change the value to the hook you selected earlier (0x4). You could also dig deeper and run through selecting each check box in the per app flags, but in my case, I do not need this.

You have now successfully added the “DISABLE ACTIVE ACCESSIBILITY HOOK” hook to only the “Internet Explorer_Server” Class.

Just make sure to go back and delete the “SeamlessFlags” DWORD under "TWI"so the hook isn't applied globally.

Wednesday, July 24, 2013

VM - SYSPREP Failure!

VM - Sysprep Failure

Sysprep: Fatal error occurred while trying to sysprep the machine

While trying to sysprep a machine this morning I ran into an issue with running sysprep. Below is the process I was going through.
  • I would open a command prompt and run sysprep 
  • I would then run sysprep with OOBE  

Every time I was getting the same error

Sysprep - Fatal error occurred while trying to sysprep the machine

So the first thing I checked was the "Remaining Windows Activation Count" via "slmgr /div". It looks like I have 3 more activations remaining.

The next thing was to check the "GeneralizationState" Registry Entry. If it is not already set to 7, change it to 7.

After changing the "GeneralizationState" DWORD to 7, sysprep is now working!

Tuesday, June 18, 2013

Citrix - Protocol Driver Error

Error: Cannot connect to the Citrix server. Protocol Driver Error 

This morning I got reports form my Service Desk that users were receiving a protocol driver error.

The environment is a Presentation Server 4 environment with four servers. After completing all my basic troubleshooting, I tried telnet'ing to my servers over ICA, and noticed two of my servers (CTX01 and CTX02) were not accepting connections on port 1494 (You can test to see if ICA is opened from a windows machine, by using "netstat -ano | findstr "1494""). Also, multiple restarts of the servers did not help the situation.

Before trying to recreate the ICA listener to get ICA opened up and working, I decided to try something different. I disabled and then re-enabled the ICA listener on the two servers and "Wa-Lah"! It Worked! This option is so much easier than having to delete and recreate the ICA Listener and all the security settings attached to it.

Below are some additional things you may try if you receive the protocol driver error message and disabling and re-enabling the ICA Listener doesn't work.
  •  Disable Windows Firewall
  • Make sure you can RDP to each of your Citrix Servers
  • Disable Session Reliability, test, and then re-enable Session Reliability

Monday, March 4, 2013

Citrix PVS - Encountered an improper argument

While reverse imaging a vDisk it errors with "Encountered an improper argument"

While trying to reverse image a vDisk, the conversion from volume (C:\) to volume (G:\), failed halfway through with the error, "Encountered an improper argument"

You see the error when you open the XenConvert Log. You can locate the XenConvert log in:
  • C:\Program Files\Citrix\XenConvert\XenConvert.txt 
So what does this error mean? It means that XenConvert does not like one (or more) of your directory names or naming convention. Chances are, you have a directories that are two long. To see which directories have issues, you can use an application called "Long File Path Lister"

The application is very easy to use. Just download it and click the "Search" button.

Below, you can see that I have an issue with:
  • C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\

So what now? You can exclude the problem directories and copy them off, so that you can copy them back into your vm after you v2v them back into PVS. I have decided to zip the InstallCache directory so that it no longer technically exists and will not cause any issues. That in return will let me to v2v as much as I need to, and then when I am finished, I will unzip the directory.

Excluding directories from the XenCovert Process

To exclude directories from the XenConvert process, you will need to add the directory under the "exclude" section in the XenConvert.ini file. That file is located at:
  • C:\Program Files\Citrix\XenConvert\XenConvert.ini 
Below is what it looks like. After adding the problematic directories, all you need to do is run XenConvert.

After running XenConvert now, I receive a "Conversion was successful!"

Wednesday, February 20, 2013

NetScaler - N2N Files

NetScaler to NetScaler File Transfers

So you want to transfer over either an SSL cert or config file to another NetScaler. There are many ways to do this, but in this scenario, I will be using the command "scp" form the NetScaler


  • NetScaler A
    • Version 10.0
    • Hostname: nsvpx_a
    • IP:
    • User: nsroot
    • Password: toor
  • NetScaler B
    • Version 10.0
    • Hostname: nsvpx_b
    • IP:
    • User: nsroot
    • Password: toor
SCP Usage
  • scp [[user@]from-host:]source-file [[user@]to-host:][destination-file] 
SCP Options
  • r = recursively copy entire directories
  • p = preserves modification times, access times, and modes from the original file
  • C = compression enable
  • q = Do not display the progress bar
  • v = Displays debugging messages
SCP Examples

Copying NS.CONF
I want to copy the ns.conf file from nsvpx_a to nsvpx_b
  • scp -rpC /nsconfig/ns.conf nsroot@
Copying all *.CONF Files
I want to copy all the ".conf files" from nsvpx_a to nsvpx_b
  • scp -rcP /nsconfig/*.conf nsroot@
Copy all SSL Certs and Keys (Copy all Files in a Directory)
I want to copy everything in the ssl folder from nsvpx_a to nsvpx_b
  • scp -rcP /nsconfig/ssl/* nsroot@

Friday, February 15, 2013

PowerShell - Show VMWARE VM UUID

How to show the VMWARE UUID of a VM using PowerShell

I am working on a project where one of the functions is to get the UUID of a VM from the guest vm via PowerShell. You can get the "Windows" UUID with:

  • (Get-WmiObject Win32_ComputerSystemProduct).UUID
The problem is that a lot of the values are reversed. Below are examples of a Windows UUID and a VMWARE UUID.
  • Windows UUID
    • F8420542-10A9-9961-5225-C6F8D91A468D
    • 420542f8-a910-6199-5225-c6f8d91a468d
So i needed to figure out a way to move the variables around. To do this, I used ".substring" with delimiters to extract out each value, and then piece it back together. I am not a PowerShell expert in any means, so if you think there is a better way to accomplish any of what I am doing, there probably is. 
  • NOTE: There is another way of doing this with "vSphere PowerCLI" and Get-VM commands. I did not want to go that route, because I did not want to download or install anything to accomplish my task. I wanted to do this from a PowerShell CLI.

The Script:

## Begin Script vmware_show_uuid.ps1

# By: Keith Smith -
# Date: 2/15/2013

# Set Variables
$uuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID

# Section 1
$uuid11 = $uuid.Substring(0,2)
$uuid12 = $uuid.Substring(2,2)
$uuid13 = $uuid.Substring(4,2)
$uuid14 = $uuid.Substring(6,2)

# Section 2
$uuid21 = $uuid.Substring(9,2)
$uuid22 = $uuid.Substring(11,2)

# Section 3 
$uuid31 = $uuid.Substring(14,2)
$uuid32 = $uuid.Substring(16,2)

# Section 4
$uuid41 = $uuid.Substring(19,4)

# Section 5
$uuid51 = $uuid.Substring(24,12)

# Piece the strings together
[string]$uuida = "$uuid14$uuid13$uuid12$uuid11"
[string]$uuidb = "$uuid22$uuid21"
[string]$uuidc = "$uuid32$uuid31"
[string]$uuidd = "$uuid41"
[string]$uuide = "$uuid51"
[string]$uuidfixed = "$uuida-$uuidb-$uuidc-$uuidd-$uuide"

# Clear everything on the screen and pop up the VMWARE UUID
$msgbox = new-object -comobject
$x = $msgbox.popup("$uuidfixed",0,"VMWARE UUID",1)

## End Script

Tuesday, February 12, 2013

Citrix PVS - Error: vDisk is not available

So I got to work this morning with the intention of reverse imaging a couple vDisks. Usually a simple process, but today I am having nothing but issues. Luckily it is the same issue on each of the vDisks. So here is a quick synopsis of how I am reverse imaging:
  • Add a Secondary Disk to my VM
  • Use Xenconvert to copy my "c:\" volume to the new vmdk I attached
  • Set the new drive to "active" and reboot to the bios
  • Set the VM to boot off the HD
  • Boot the VM
  • Remove VMWARE Tools
  • Remove Target Device Software
  • Reboot
  • Add VMWARE Tools (Now upgraded)
  • Add Target Device Software (Now upgraded)
  • Run through PVS Wizard and "Optimize"
  • Reboot to Bios and set boot order to PXE first
  • Let the PVS Imaging Wizard complete after logging in
So now for the issue.. At this point, instead of the wizard taking over and completing the process it gives me a very vague error message. To me it doesn't really tell me anything.
  • Error: vDisk is not available. Please check your network PXE boot Configuration and restart imaging wizard
Going through the event log I see Event ID 7026
  • Event ID 7026 - The following boot-start or system-start driver(s) failed to load: Bnistack
The reason I am seeing this is because there is a hidden NIC somewhere in my system, and the PVS Imaging Wizard does not know what to do with it. How do we fix this? By removing the NIC and re-installing the Target Device software.

Show Hidden Devices
  • Uninstall the Provisioning Server Target Device software from the virtual machine and restart
  • Open up the Environment Variables
  • Click the New button below the System Variables panel
  • In the New System Variable dialog box, type in the variable name:
    • devmgr_show_nonpresent_devices
    • Set the variable value to 1
  • Click OK to return to the System Properties dialog box and then click OK again
  • Access Device Manager > View > Show Hidden Devices
  • Expand the network adapters in the device tree and look for the inactive icons, which indicate unused device drivers
  • Re-install the Provisioning Server Target Device software and restart
  • You should now be able to connect to the virtual disk
The ghost NICs are as displayed in the following screen shot:

  • Remove the environmental variable after completing the procedure.

XenApp - Install and Publish SQL Server Management Studio

Citrix XenApp SQL Server Management Studio Installation

Versions I am working with:
  • OS: Server 2008 R2 Standard 64-bit
  • Citrix: XenApp 6.5
  • SQL: SQL Server 2008 R2 Management Studio
Below was the error I was receiving when trying to install SSMS:
  • “Another version of Microsoft Visual Studio 2008 has been detected on this system that must be updated to SP1. Please update all Visual Studio 2008 installations to SP1 level, by visiting Microsoft update.”

First off, "DO NOT REMOVE CITRIX". That is not a required step. Even if you saw that on some Citrix forum. You just need to install Visual Studio and Visual Studio SP1. To accomplish this:
  • Install Visual Studio
    • E:\1033_ENU_LP\x64\Setup\vs_shell.msi
  • Install Visual Studio SP1
    • E:\1033_ENU_LP\x64\Setup\VS90sp1-KB945140.msp

SQL Server Management Studio will now install without any issues. If you want to publish it via Citrix just point you app towards:
  • "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

Monday, February 11, 2013


How to shrink your Winsxs directory

If I had a nickel for every time I had a drive space issue due to the "Winsxs" directory.... I'd probably only have 50 cents. Right now I have a 14GB Winsxs Directory ( c:\windows\winsxs ) and need to do something with it. To fix the issue on your server, open up a command prompt as adminiistrator, and run the following command:

  • dism /online /cleanup-image /spsuperseded
That will take some time depending on the size of it. I just went from 14GB to 7.7GB, and it took about 2-3 minutes to run. I am thinking it may be a good idea to just create a start up script with the dism command in it to automate this on reboots. On my PVS'd servers, I am just going to  setup a personality string to remove the winsxs directory on boot if the server is in standard mode.

Tuesday, January 15, 2013

Microsoft - Gpresult ERROR Access Denied

Running GPRESULT results in "Error: Access Denied"

Today on one of my Citrix Servers I was presented with an error when troubleshooting a GPO. I opened up my command prompt with "Run As Administrator", and received "Error: Access Denied".

So what now? You already are logged into the server with domain admin credentials, and opening command prompt as administrator doesn't work. You could disable UAC and see if that works, but chances are you will have to register the userenv.dll file again, and recompiling the scersop.mof file.

Below are the steps to correct the issue:
  • Register the userenv.dll file
    • regsvr32 /n /I c:\windows\system32\userenv.dll
  •  Change Directory to the wbem folder (required step, don't be lazy)
    • cd c:\windows\system32\wbem
  • Recompile the scersop.mof
    •  mofcomp scersop.mof
  • Optional Repositories you can recompile (Probably don't need to) 
    • mofcomp rsop.mof
    • mofcomp rsop.mfl    

  • Force Group Policy Update
    • gpupdate /force

After that, run "gpresult" (gpresult /R if on server 2008). Issue resolved!

Wednesday, January 9, 2013

Citrix NSVPX - Load Balancing LDAP Authentication

NetScaler - Load Balancing LDAP Authentication

You're setting up a new AGEE on your NetScaler Appliance, and when you go to put in an authentication server, it only allows you to put in one. Why not load balance your ldap requests so that you don't have a single point of failure. 

Things you need, to load balance your ldap requests:
  • 2 load balanced servers
  • 2 load balanced services
  • 1 load balanced vserver
  • 1 authentication policy
  • 1 authentication server

Setting up load balanced servers

  • Highlight "Load Balancing" > Servers
  • Click on "Add" at the bottom of the right pane
  • Create a connection to your first domain controller
    • Server Name: lb_server_demodc100
    • IP:
    • Click "Create"

  • Create a connection to your second domain controller
    • Server Name: lb_server_demodc101
    • IP:
    • Click "Create"
  • You should now see a green circle, and the word "Enabled" next to your ldap services 

Setting up Load Balanced Services
  • Highlight "Load Balancing" > Services
  • Click on "Add" at the bottom of the right pane

  •  Create a TCP LDAP service for your first domain controller
    • Server Name: lb_service_demodc100_ldap
    • Server: lb_server_demodc100
    • Protocol: TCP
    • Port: 389
    • Configure Monitor: tcp
    • Click "Create"

  •  Create a TCP LDAP service for your second domain controller
    • Server Name: lb_service_demodc101_ldap
    • Server: lb_server_demodc101
    • Protocol: TCP
    • Port: 389
    • Configure Monitor: tcp
  • Click "Create"

  • You should now see a green circle, and the word "Enabled" next to your ldap services 

Setting up Load Balanced Virtual Server (VIP)
  • Highlight "Load Balancing" > Virtual Servers

  • Click on "Add" at the bottom of the right pane

  •  Create a virtual server that will point towards your two ldap services
    • Server Name: lb_server_demodomain_ldap
    • Protocol: TCP
    • IP Address:
    • Port: 389
    • Select your two ldap services
      • lb_service_demodc100_ldap
      • lb_service_demodc101_ldap
    • Click "Create"

Setting up an Authentication Policy and Authentication Server
  • Highlight "System" > "Authentication" > "LDAP"

  • Click on "Add" at the bottom of the right pane

  •  Create an authentication policy
    • Name: auth_policy_demodomain
    • Authentication Type: LDAP
    • Server: (We need to create an auth Server)

  •  Click "New" next to the Server field

  •  Create an authentication server
    • Name: auth_server_demodomain
    • Authentication Type: LDAP
    • IP Address: (IP of your load balanced virtual server)
    • Click "Create" 

  •  Select the server you just created
    • auth_server_demodomain
  • Input an advanced Free-Form Expression
    • ns_true
  • Click "Create"

 Applying your LDAP Authentication Policy to a Virtual Server
  • Open your Access Gateway Virtual Server
  • Click on the "Authentication" tab
  • Click "Insert Policy" 
  • Select your ldap authentication policy
    • auth_policy_demodomain
  • Click "OK"



This Access Gateway Virtual Server now has its LDAP request load balanced. What happens is that all requests will hit your AGEE VIP that then applies the ldap policy (auth_policy_demodomain). The ldap policy says look at the ldap authentication server (auth_server_demodomain), that is pointing towards the VIP of your load balanced virtual server (lb_vserver_demodomain_ldap) ( That VIP will load balance the ldap requests to the two domain controllers (lb_server_demodc100 and lb_server_demodc101).

Where’s my enabled Users?

Where’s my enabled Users? I’m going through and fine tuning our Proodpoint Spam solution and noticed one of the filters needs to be updated....