C:\inetpub\wwwroot\Citrix\StorageCenter\cifs\AppSettingsRelease.config

Add the following line the config:

<add key="disable-folder-permission-verification" value="1" />

Once added, recycle the StorageCenterAppPool in IIS as below: I have it on strong authority this will be resolved in a future build, but no promises. A big thank you to Dan Brinkmann, George Christophi and Citrix Support for this fix.

After creating an AppDisk, it got a little stuck. I tried deleting the task and AppDisk but the disk just seemed to be stuck in the “creating” phase indefinately.

To remove it, I had to do the following in Powershell from a delivery controller:

ASNP Citrix*
get-applibtask -active $true

Once i had identified the TaskID, i ran:

Stop-AppLibTask -TaskId 5be48afc-263b-454e-b3e9-5a2db6b966ff
remove-AppLibTask -TaskId 5be48afc-263b-454e-b3e9-5a2db6b966ff

Now just one last thing to do!

get-applibappdisk and find the entry in the “creating” state:Now finish with a:

remove-AppLibAppDisk -AppDiskUid d54681d3-6d0a-4259-b3ee-b90a899033bd

using the DiskUid that you saw in the previous get-applibappdisk command.

Thats it!

Update:

if you find that the machine you usually use to capture app disks is no longer available. use the following command to release it:

set-BrokerMachine -IsReserved $false -MachineName <MachineName>

PS: I could have piped a lot of that, sure! but my mac pipe symbol is currently out of action so i did it the hard way. if you are the type who reads others blogs and leaves comments to improve the scripting, I’m sure there are new people on the Microsoft forums you could be bawking at right now.

My issue was simple, as a developer and powershell zealot, I regularly used the pipe Symbol (|) in anger. Well in anger i mean, I was literally angry as despite pressing the frickin pipe key, an imposter appeared in the remote console…

• Looked like a pipe? Yes!
• Acted like a pipe? NO!

So anyway, being a Citrix CTP has it’s benefits, I reached out to the aforementioned blokes and sure enough a few emails were exchanged and poof! issue resolved.

To paraphrase Dustins email:

1. Open ~/Library/Application Support/Citrix Receiver/Config in a text editor
2. Find the KeyboardLayout setting in the [WFClient] section
3. Change KeyboardLayout to: British
4. Save the file
5. Launch the session

Tada! Pipe back to normal. Thanks again Simon and Dustin.

One area it’s always lacked is real time alerting. In order to really know what’s going on in your environment you need to be logged into director and watching. This is less than ideal and few monitoring vendors have endeavored to actually pull this data into their own solutions.

With the help of Rachel Berry, Prateek Kansal and Sridhar Mullapudi from Citrix. I set about diving into the logic and monitoring options within the FMA architecture. Citrix did a great job here and most if not all of it was readily available in PowerShell and oData. So, with the help of Citrix and a little bit of hard work, I’m very pleased to announce my latest free tool!

About the tool:

The Citrix Director Notification service sits on an edge server as a service (or local to the delivery controller) and periodically checks the health of:

• Citrix Licensing.
• Database Connections.
• Broker Service.
• Core Services.
• Hypervisor Connections.

And if any of these items fall out of bounds, an SMTP alert is sent to the mailbox of your choice for action. The tool will also send “All Clear” emails when these items are resolved, ensuring you are aware when the service has resumed a healthy state, neat huh?

An example of one of these alarm emails can be seen below:

Hypervisor Alerts, too!

Did you know that the Citrix XenDesktop and XenApp 7.x suite also keep track of Hypervisor alarms? It was news to me! Any-who, if you are lucky enough to be running XenServer or vSphere. The director Notification service can be configured to also catch these alarms, allowing you to also be alerted.

An example of a Hypervisor alarm is below:

Installation guide:

Below you’ll find the steps to get the director notification service installed:

 Download:

Director Notification Service 1.0.5

Setup:

• Download the Tool from the above URL.
• Install the service on a server running Windows Server 2008 R2 or above with .Net Framework 4.

Provisioning the Account:

The service account maintains a WinRM remote session to your delivery controllers and performs checks on a frequency you determine. Setting up this account is the meat of the install.

• Create an Active Directory Service account for monitoring director (this is needed later).
• Copy the XDServiceAccountProvision.ps1 file from the installation directory and run this script on all delivery controllers to automatically create the correct permissions for your service account.
• If you’re curious, read the script. A copy is below if you feel like doing it manually.

Using the configuration tool:

You’ll find the configuration utility on the start menu, under Direct Notify Configuration (this tool requires admin permissions).

Once open, configure the tool to suit your environment:

Ensure to use the test buttons.

Once happy all is working. Start or restart the “Director Notification Service”.

Advanced Logging:

A debugging option exists in the configuration tool, this will log to a trace.log in the installation directory of the machine. If you have issues, first enable this and review the log.

Provisioning Script contents:

write-warning "Before proceeding, Ensure you have: "
write-warning "1: Created a service account for monitoring XenDesktop."
write-warning "2: Ensure you have local administrative access to the local machine."
write-warning "3: Ensure this powershell instance is elevated."
write-warning "4: Ensure you have Administrative access to the XenDesktop site."
read-host "Press Any Key To Continue"

asnp citrix* -ea 0

$domain=Read-Host -Prompt "enter domain name the monitoring user is a member of: e.g. lab"
$username=Read-Host -Prompt "enter monitoring user name: e.g. john.doe"
$group="Remote Management Users"

if(!(Get-AdminRole "Direct Notify Role")){
#create new administrative role
new-adminrole -Name "Direct Notify Role" -Description "used for Direct Notify Service"
Add-AdminPermission -Role "Direct Notify Role" -Permission Configuration_Read
Add-AdminPermission -Role "Direct Notify Role" -Permission Configuration_Write # needed for some unknown reason, thanks citrix ¯\_(ツ)_/¯
Add-AdminPermission -Role "Direct Notify Role" -Permission EnvTest
Add-AdminPermission -Role "Direct Notify Role" -Permission Global_Read
Add-AdminPermission -Role "Direct Notify Role" -Permission Hosts_Read
Add-AdminPermission -Role "Direct Notify Role" -Permission Licensing_Read

#create administrator
New-AdminAdministrator -Name $domain\$username
add-adminright -Administrator $domain\$username -Role "Direct Notify Role" -Scope all
}
#configure remote management if not configured
winrm quickconfig -quiet

#add the monitoring user to the remote management group
([ADSI]"WinNT://$env:computername/$Group,group").psbase.Invoke("Add",([ADSI]"WinNT://$domain/$username").path)

 Fine Print:

Just a few things to be aware of:

Application Dependencies:

• The Notification service requires .Net 4.0
• PowerShell Remoting must be enabled on the Broker Servers
• A service account should be created to monitor the brokers (included in the script).

Tested on:

• Citrix XenDesktop 7.6.
• (Previous versions should work fine too.)

Support:

Drop me an email on andrew@andrewmorgan.ie if you have any trouble!

Enjoy and i hope this is very useful to you.

Future plans:

I’ll be diving into the oData values in the Citrix monitoring database in the next itteration. This work has already begun and will be updated soon.

ThinKiosk 4.5 is a big update, so without further ado, lets get right to it:

ThinKiosk Broker Service:

• HA features are now available in the ThinKiosk Broker.
• The Broker service can now utilise Microsoft SQL for the database and an easy migration utility can be utilised to do so.
• Brokers can now be load balanced via Citrix Netscaler or Microsoft DNS round robin.
• The ThinKiosk Broker can now deliver software updates directly to clients.
• The ThinKiosk Broker can now authenticate against active directory.

ThinKiosk Client:

• The ThinKiosk receiver functionality has been moved to the applications tab in our new ThinScale Connector functionality.
• The Client can now communicate directly with Microsoft RDS Broker services. Allowing customers using Microsoft RDS or VDI to use ThinKiosk to connect, enumerate and launch resources within ThinKiosk, without RDP files.
• The Client now supports password changing and legal notices for the ThinScale Connector.
• The Client now supports “auto launch” logic to specify which desktops to auto launch on logon.
• The Client now starts up at least 40% quicker than previous versions.
• The Client’s communication logic has been redesigned to allow management even when nobody is logged in.
• The Client now supports central software updates from the Broker, allowing push software updates.
• The Client now has an authentication API for use with Imprivata tap and go cards or similar technology.
• The Client is now smart enough to detect DNS round robin when connecting to a Broker and will use the list retrieved from DNS as a broker list to try when starting up.
• The Clients will delete stale or old user profiles periodically to keep machines clean.
• Many, many improved administrative features allowing ease of access to the system for administrators.

We’re extremely proud of this update and we look forward to hearing from you!

Not withstanding the issues that can occur when the cache is heavily in use, it’s a great piece of technology. One of the features you see on twitter repeatedly is trying to report on the exact size of the PVS cache in RAM.

Many blogs and scripts (Matt’s here, as an example) will take the raw performance counter details for Non Paged Pool memory and assume this is the size of the cache. This is faulty logic, but close enough. It’s like looking into a can of beans and trying to determine which one gave you gas.

The Non paged Pool is a collective pool of memory used by the system that guarantee’s the services using it (drivers, etc) that the contents will never reach the disk and will always be maintained in memory. As an example, imagine you created your own disk driver, but the disk driver tried to reference it’s memory and it had since been flushed to the disk…. Chicken and Egg stuff!

Microsoft has a fairly clear description here:

The memory manager creates the following memory pools that the system uses to allocate memory: nonpaged pool and paged pool. Both memory pools are located in the region of the address space that is reserved for the system and mapped into the virtual address space of each process. The nonpaged pool consists of virtual memory addresses that are guaranteed to reside in physical memory as long as the corresponding kernel objects are allocated.

So with this in mind, taking a total of the Non Paged Pool memory and assuming it’s PVS is “OK”… But not accurate. Many other sources can bloat that memory cache, particularly in x64 systems where limits on these pools are now enormous compared to the tiny pools we had to deal with in x86 architectures.

Nerdy digression aside, if you REALLY want accurate information on what’s going on inside of this pool. You need to grab a copy of Poolmon from the Windows Driver Kit (WDK). Download the WDK, install it and you’ll find your poolmon in:

C:\Program Files (x86)\Windows Kits\10\Tools\x64\poolmon.exe

Once you have a copy, fire up poolmon and you’ll see in all their glory.

Pro tip: Press “p” once to sort my non pooled, then “b” to sort by bytes used.

Each pool tag and the respective space they are using. Interestingly, the Citrix caching technology seems to use the “VhdR” pooltag allocation. There’s also a Microsoft Pool tag for this (http://blogs.technet.com/b/yongrhee/archive/2009/06/24/pool-tag-list.aspx) but the case sensitivity differences between VhdR and VHDr may make all the difference.

I did reach out to Citrix on this one, but they didn’t provide any further insight.

Any-who, if you want to see the size of your PVS cache accurately? Use PoolMon. Here’s a quick script using poolmon to get the GB value back:

$poolmonpath= "d:\poolmon.exe"
$poollog= "$env:temp\poolmon.txt"
if(test-path $poollog){Remove-Item $poollog}
Start-Process-FilePath $poolmonpath -ArgumentList "-n $poollog" -Wait
((Get-Content $poollog | ? {$_ -like "*VhdR*"}) -split "\s+")[6] /1gb
if(test-path $poollog){Remove-Item $poollog}

I had neglected to update this tool for a while, until I actually needed it and the remote screen saver annoyed the hell out of me. necessity is the mother of product maintenance it seems!

Anyway, I digress, check the original blog post here for the downloads and configuration options.

In other news, if you’re familiar with ThreadLocker, watch this space, it’s about to get a serious overhaul!

PS: stop asking me for a mac client, it’s not possible as there is no ICA SDK / API for mac.

Warm up your labs or fire up your golden images ladies and gents, we’re delighted to announce ThinIO’s brief public beta will begin today!

This project has taught us some really interesting things about Windows IO, how Windows behaves and how the hypervisor and storage can behave. This project really felt like a David vs. Goliath task as we (members of our community with a desire to simplify this issue) attempted to tackle one of the largest issues in our industry, storage bottlenecks and Windows desktops.

What’s really unique about our approach is there are no hardware lead times, no architecture changes needed and no external dependencies. ThinIO can be installed in seconds and the benefits are seen immediately.

We’ve spent countless hours testing, tuning, retesting and even more tuning. We’re extremely happy with the results. This public beta will serve as an opportunity for you to really kick the tyres and believe the hype in what we’ve built while we’re putting together the final touches to release the product in the coming weeks.

During this time, we found achieving positive and consistent IO negation boils down to a number of items:

• cutting down on the volume of IOPS sent to the storage.
• Reducing the data transferred (MB/sec) to and from the storage.
• Intelligently cutting down on peak IO, such as boot and user logon.

In the coming days we’re going drill down into these categories in more depth. But as a quick overview, here’s a baseline (top) and ThinIO (bottom) session comparison of a Windows 8.1 desktop login, 1 hour Login VSI medium workload and log off with just 350 mb of cache for ThinIO:

Keep an eye out for the coming blog posts, but in the mean time, the ThinIO beta is available to download here now! Go forth and have fun.

Until next time,

A

Citrix Storefront SSO can be the default configuration or a choice can be given to the user if you select more than one authentication type as below:

Desktop appliance site: (Slight deviation, bear with me).

An interesting addition to storefront in 2.5 is a desktop appliance site is installed by default. Richard covers what a desktop appliance site really well in this article for the current release of storefont here. It’s worth noting the desktop appliance site is running the older storefront code base and does not currently support single sign on, strangely.

Back on topic!

Below is a quick guide on how to get it working and any interesting features along the way, I’ve broken this piece down into three parts:

XenDesktop Delivery controller configuration:

on each delivery controller accessible by the storefront site, run the following two commands:

Client Configuration:

(Shawn Bass did alot of the hardwork here for me, so a thank you for that!)

when installing the client, you can enable the single sign on features with the following command line:

[code language=”bash”]
CitrixReceiver.exe /includeSSON /ENABLE_SSON=Yes /silent STORE0=”Store;https://yourservername.yourdomain.com/Citrix/Store/discovery;on;Store”
[/code]

Once this is complete, add the storefront url to the trusted sites for the user, then add the following setting to the trusted sites zone:

Once complete, open group policy on the local machine (or active directory group policy) and import the icaclient.adm file, the typical path is below for convenience:

x86:

C:Program FilesCitrixICA ClientConfigurationicaclient.adm

x64:

C:Program Files (x86)CitrixICA ClientConfigurationicaclient.adm

Once you have imported this adm file, configure the following values in the LOCAL MACHINE configuration*

*the policies dont work in user mode, oddly.

Configure the authentication policy:

Configure the web interface authentication ticket settings also:

Now reboot the machine and log in, ensuring SSONSVR.exe is running in task manager.

Storefront Configuration:

I’m going to go ahead and assume you’ve already installed storefront, so lets start from there.

Make your way down to the ‘Authentication’ tab choose add/remove methods and select domain pass-through as an authentication type:

Note the warning, the receiver for web will also need some configuration, so that’s our next step:

Make your way down to your ‘receiver for web’ tab and select ‘Choose Authentication Methods':

As you can see above, domain pass-through is now an option, with a nice little warning:

Note: if you don’t want SSO to be optional, don’t publish additional authentication types on this storeweb.

Testing:

The quickest way to test is to go right ahead now and use the storefront in anger, but if you’re the cautious type Storefront 2.5 includes a subdirectory called DomainPassthroughAuth/test.aspx. if you browse to this site from a configured machine, you should see the following screen.

if you are prompted as below, or see any of the following errors, go back a few steps and check what you missed:

and the following error’s mean you’ve gotten the configuration wrong on the client side:

and that’s it, happy sso’ing!