System Center Virtual Machine Manager 2012 SP1 Saved Connections

Leave a reply

Before we upgraded to SP1, I had our old VMM server saved as the auto-connect for the VMM console. When I upgraded to SP1, it remembered my old VMM server (which we did not upgrade, we built a new one). So, the VMM console would get stuck at the splash screen because the old server wasn’t SP1.

Here’s the registry key to edit to get it to point to the new server since it doesn’t error out and will sit until you end the process:

HKEY_Current_User\Software\Microsoft\Microsoft System Center Virtual Machine Manager Administrator Console\Settings\Shared

Change the “autoConnect” REG_SZ and you’re all set.

More info here.

Citrix CloudGateway Express and NetScaler Access Gateway

Leave a reply

I’ve been try to integrate CloudGateway Express (CGE) with Access Gateway for a while now. Last week I finally achieved my goal – no thanks to Citrix technical support (I have a one and a half week old ticket open), Citrix Knowledgebase/eDocs, or Google-at-large.

So, as you will now be aware, Citrix is ending its support for Web Interface as we currently know it. There’s still a few years before end-of-life, but we’re currently in the turmoil of switching how our users launch their applications, so I figured I should go ahead and move in the direction of the technology. And, we have a Chromebook in the Enterprise (which requires Storefront Services and will not work with Web Interface at all).

The recommended way to deploy StoreFront is with Access Gateway if you’re going to use it outside of your firewall – which we are, so I am. There are plenty of guides for setting up StoreFront, so I won’t go into much depth with it, except as it applies to AG. And, setting up a NetScaler would require a different article, so I’ll assume you also have one of those that’s licensed for AG.

Once you have SF and AG ready to go, it’s time to make them work together. I was told a couple of conflicting things by Citrix Support when I started this, so I’ll talk about what worked for me specifically. First, make sure you have SF 1.2 and NetScaler 10. Once support technician said a later version of 9.3 would work, another said we needed 10. I said that if I’m upgrading, I might as well go all-out and went to 10, so what follows applies to it. Also, I’ll assume our SF site is named sf.domain.com and our AG site is named agee.domain.com. It’s best to name them differently as well see later on.

First, let’s open the StoreFront console and find your way to the Gateways tab and click “Add Gateway Server” on the right. Enter a display name, the gateway URL, and your NetScaler’s SNIP (this can be found in the Network>IP section of the NS GUI – look for the SNIP on the same subnet as the CGE machine).

On the next screen, enter your AG’s URL again just as you entered it above.

Next, enter your secure ticket authorities (STAs). Remember exactly what you entered here. You’ll need them later.

Click “Create” and you’re finished with this wizard.

Now, go over to Beacons on the left and let’s verify them. I didn’t have to change anything here, but I want to explain what’s going on.

StoreFront uses the beacons to determine where a connecting endpoint is. If it can contact sf.domain.com, then it assume the endpoint in inside the network. If it can contact agee.domain.com and not sf.domain.com, it assumes it is outside of the network. If you’re inside, Receiver 3.1 will use the inside’s address and bypass the AG, so don’t publish sf.domain.com on external DNS or through the firewall. The citrix.com URL is a secondary external beacon. I’m not quite sure of its point. Presumably you’ll have internet access whether you’re internal or external.

Now, let’s go up to Stores on the left of the console. Highlight your store in the middle, and click “Enable Remote Access” on the right. Click “No VPN Tunnel”, check the gateway we created earlier, and click OK.

We’re done with StoreFront’s configuration. Be careful , though, because I had some trouble authenticating at this point because the AG isn’t setup on the NetScaler yet, and StoreFront is looking to NetScaler for authentication.

Now, let’s open our NetScaler GUI. I’m told that NS10 Build 70.7 is best viewed in Chrome because they are switching from Java to HTML, but I digress. Find the Access Gateway section on the left and open it. We’re about to create three session policies and three session profiles.

First, add a new session policy. Call it something like “Receiver Web Policy”. This is the policy and profile we’ll use to identify when we should return StoreFront Web instead of a services site.

First, let’s add the following expression to the policy:

REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

You can do this with the Advanced Free-Form editor, or add it manually via the “Add…” button. Now, click “New…” to create a new request profile. This will tell the NetScaler what to do when the expression above is matched. Call the profile something like “Receiver Web Profile”.

On the Client Experience tab, check and allow “Clientless Access”, and check “Single Sign-on to Web Applications”. On the Security tab, check “Default Authorization Action” and set it to allow. On the Published Applications tab, check “ICA Proxy” and set it to on, check and set your “Web Interface Address” (in our example, https://sf.domain.com/Citrix/SFWeb). You can set the “Single Sign-on Domain” if you’d like. This will keep users from having to type their domain every time they login (use your best judgment if this isn’t appropriate for your environment).

Here are the screenshots for these three tabs. Ignore the Network Configuration tab.

Click OK, and now your session policy should look something like this:

This says that if the HEADER returned by the connecting endpoint does not contain “CitrixReceiver”, return the web interface because it’s probably just a web browser.

Now, let’s create another policy for StoreFront Services. This policy will match and handle things like Receiver 3.1 that can take full advantage of the new CloudGateway stuff.

Same procedure as before – create a new policy, call it something like “StoreFront Services Policy”, and use this expression:

REQ.HTTP.HEADER X-Citrix-Gateway EXISTS

And create a new profile called “StoreFront Services Profile”. The Client Experience and Security tabs are the same as above. The Published Application tab is also the same, except there is no Web Interface Address (I’m not sure why).

And one last one, “PNA Services Policy” with this expression:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS

In its profile, “PNA Services Profile”, the Client Experience tab should have “Single Sign-on to Web Applications” checked, the Security tab is the same, check and allow the “Default Authorization Action”, and the Published Applications tab will have “ICA Proxy” checked and on, and the “Web Interface Address” will be the legacy services URL that you can find in the StoreFront console. In our example, it’s https://sf.domain.com/Citrix/SF/PNAgent/config.xml.

Whew. We’re all done with policies and profiles. Let’s go back to the Access GatewayVirtual Servers section in the NetScaler.

From here, create your Access Gateway as you normally would (I’m not going to cover it here). On the Policies tab, add the three policies above in the following order: Receiver, PNA, Storefront. I saw another blog article that said put PNA first, but that didn’t work for me.

Lastly (assuming you have the rest of the AG setup properly), click the Clientless button under the Policy tab. You’ll need to insert a policy here. Click on New Policy, give it a name, then click “New…” to add a new profile. Give it a name here, then click Create. There are no settings that need to be made. Type the word “true” into the Expression box and click OK.

You’re all set.

Changing the Volume Labels of CSVs

Leave a reply

I needed to change the volume label of a Hyper-V cluster shared volume. Here’s PowerShell the command:

Get-WmiObject Win32_Volume -Filter Label=’original_label’” | Set-WmiInstance -Arguments @{Label=”new_label”}

Make sure you’re running at an elevated PS prompt.

XenApp Servers are Set to Disable Logins After a Reboot

Leave a reply

We have our XenApp servers set to reboot each Saturday morning at 3AM. The problem is that, for some reason, about half of them change from allow to deny logons after their reboot. I found that the registry key below was set to 1 on those that were denying logins and 0 on those that were allowing.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerfDenyTSConnections

I set this key to 0 and our problem has been solved.

In researching the problem, I found a lot of posts and articles mentioning that you should put your data collectors on a different reboot schedule, because if the collectors are rebooting, then machines will change to deny when they come back up and can’t find them.

This wasn’t our problem, but I have changed the reboot schedule for our data collectors.

Scrubbing Hyper-V Virtual Networks

Leave a reply

I was installing a new Hyper-V host a few days ago and had some issues when I tried to create the virtual networks. I setup the virtual networks via Hyper-V Manager, but then the machine disappeared from the network. Luckily, I had console access. Turns out, the host couldn’t renew its IP addresses for some reason. In my troubleshooting, I decided to try to remove the virtual networks – but how?

Via this script: Continue reading →

Repair Orphaned Users in SQL 2008R2

Leave a reply

I was moving a database from a production SQL server to a SQL Express instance. Per usual, I created a backup of the database on the production server and restored it to the Express instance.

This created an orphaned user. To fix such a user, enter the following in a new query window:

select ‘sp_change_users_login @Action = ‘ + char(39) + ‘auto_fix’ +
char(39) + ‘, @usernamepattern = ‘ + char(39) + name + char(39) + char(13) + ‘go’
from sysusers
where issqluser = 1 and (sid is not null and sid <> 0×0)
and suser_sname(sid) is null
order by name

The results of this query will be the query code to fix the orphaned user(s).

I’ll try to get some screenshots next time.

Why Does Direct Access Have to be Such a Pain?

Leave a reply

Here’s the setup: one user’s laptop would not connect to corporate resources at all from outside the corporate network. No other issues with Direct Access. Just this one user’s laptop. I tried the normal stuff: can he ping us from where ever he is? Yes. Does his machine have the correct policies for DA? Yes. I even went so far as to clear his session tickets and reapply the group policy via VPN. No dice.

The output of a netsh dns show state was such that DA said it was configured, but was disabled:

As you can see, the laptop has determined that it is outside the corporate network, but it is set to never use DA settings.

After much searching, I stumbled upon the answer to my issues. Here’s what happened:

There is a DWORD buried in the registry that flips between three different values based on where the machine is (inside/outside) and whether or not DA is manually set to use local DNS. The DWORD is here:

HKLMSoftwarePoliciesMicrosoftWindowsNTDNSClient
EnableDAForAllNetworks

The three possible values are 0, 1, and 2.

0 tells DA to determine whether it should be enabled or disabled based on its network location. This is normal setting and allows for normal operation – when you’re inside the corporate network turn off, and when you’re outside turn on.

1 sets DA to always on. This isn’t useful when you’re inside the network. Perhaps it’s there for testing purposes.

2 is disabled. When set to 2, DA doesn’t care where it is, it’s always off. Consequently, this is what the DWORD’s value is set to when you tell the DA Client to Use local DNS resolution.

So, after an hour’s worth of digging, I found that somehow this particular client had the above registry key set to “2”, which effectively turned DA off. The weird part here was that the DA client was not set to use local DNS. The registry entry was stuck.

I ended up manually changing it to “0”. Go figure, DA started working immediately – no reboot required. Before I finished, I tested turning the DA client to use local DNS and back. The registry entry appears to now be unstuck.

Why are you such a pain to troubleshoot, Direct Access? Why?

Notes on Direct Access

Leave a reply

We’ve been having some weird issues with Direct Access here at the office. For some reason, clients would work fine one minute, not work at all others, and some clients never worked.

After spending some time on the phone with a Microsoft technician, we tracked the problem down. Here are a couple notes I wanted to keep from the call.

Direct Access on Other Networks

If I take my laptop, which is Direct Access-enabled, into another AD network environment, teredo will disable itself. That is, if I go to someone else’s office – complete outside of my domain – and my Direct Access client detects a DC outside of its domain, Direct Access will fall back onto IPHTTPS.

This is because teredo is a NAT-bypass mechanism and poses a security risk to other networks. If you need teredo to work, there is a command that can help:

netsh interface teredo set state type=<CLIENT_TYPE>

Where client type is one of the following:

disabled – Obviosuly, disables the teredo interface.
client – This is the default type, and is just a normal client that will adhere to the rule above.
enterpriseclient – This is a default client, except it will ignore the rule above and build a teredo tunnel, even in the presence of a foreign DC.
server – This is the type that your UAG server holds.

Purging the System Account’s Kerberos Ticket

One client we were troubleshooting was having a hard time applying the policy. The Microsoft guy ran the following command to manually expire the system account’s ticket. This effectively forced the client to reevaluate its group memberships.

klist –li purge

mail vs. wp_mail

Leave a reply

I was working on my wife’s WordPress site tonight after she told me her contact form wasn’t working. I had been using the SMTP settings in php.ini to handle email across all the websites I support. But, I decided to stop using that because all emails were be coming from the same account, regardless of domain.

So, I started digging around and there is a plugin for WordPress called, aptly enough, WP Mail SMTP. This plugin is great because it allows me to set SMTP settings for individual sites, and it intercepts wp_mail() calls and sends them with the SMTP settings you give it.

This turned out to be my problem. The theme my wife uses has a built-in contact form, which was hard-coded to use mail() to send from the form. This no longer worked for me after I removed the SMTP settings from php.ini – even with the WP Mail SMTP plugin.

I started looking around at what exactly wp_mail() required to function. Here’s what the WordPress Codex says about what to pass it:

wp_mail($to, $subject, $message, $headers, $attachments);

Looks oddly like what the PHP Manual says about mail():

mail($to , $subject , $message, $additional_headers, $additional_parameters);

I tried changing the hard-coded mail() to wp_mail(), and there you go.

SharePoint and Firefox

Leave a reply

For those of you that prefer Firefox over IE, here’s a little gem to ease the troubles you undoubtedly have with SharePoint:

You can enable NTLM credential pass-through by doing the following:

Type about:config into your address bar.
Find the preference labeled network.automatic-ntlm-auth.trusted-uris.
Add the URL of your SharePoint site as a value for this preference.

Voilà! Now your SharePoint site is a “trusted site” in Firefox.