Citrix Default Printer Won’t Retain

The Windows default printer is a magical thing. This is the printer that is selected by default when you print in an application. Depending on your particular printing workflow this may be the only printer you ever use. Some applications have a quick print functionality that sends a print job to the default printer using default settings and no prompts (for example, portrait orientation and a single copy). To make a printer your default, simply right-click it and select default printer.

default_printerWhen you use Citrix, a Windows default printer is still a Windows default printer. The difference is that Citrix has administrative policies to help you decide what will be the default.

I recently ran into an issue with a new XenDesktop v7.6 environment where users could select a new default printer using the method above but the next day when they logged on to their desktop it was set back to Microsoft XPS Document Writer. A quick note on Microsoft XPS Document Writer, as you may have noticed it installed on your computer, it is really a print-to-file driver Microsoft created to allow you to save print output in the Microsoft XML Paper Specification.  If you have never used it, do not feel bad, it is more likely you have used the immensely popular PDF format made popular by Adobe before becoming an open standard in 2008.

By default, the user’s current printer is used as the default printer for the session. For example, my laptop’s default printer is HP Deskjet 3520 series (Network).  When I logon to my Citrix desktop it will redirect the laptop printers into the session including my default printer.  That is ideal for a laptop user.

redirected_printer

For my next example, I am using a thin client that does not have a default printer because it does not have an OS. It can only connect to a Citrix desktop. When I logon from the thin client it will not see a default printer so it will make the first printer on the Citrix desktop the default. Often times this ends up being the Microsoft XPS Document Writer instead of the HP Deskjet 3520 series (Network).

At first, the issue seemed related to a Windows user profile issue since everyone lost their setting from one logon to the next.  After verifying that other Windows user settings were being retained (i.e. wallpaper, Office settings, and the printer mappings themselves), I moved on to Citrix print policies.   There is a specific policy I found interesting:

Default printer

citrix_default_printer_policyLooking closer at the policy it defaults to “Set default printer to the client’s main printer”.  Most of the time this will result in using the default printer on the user’s endpoint (e.g. laptop or desktop).  If that endpoint is a thin client or even an iPad it will not have a default printer to redirect so you will end up with the first printer in the session.

I made a new policy and set it to “Do not adjust the user’s default printer” and gave it a higher priority then the others and assigned it to my test user account.

citrix_default_printer_policy_detailsI then ran a gpupdate on each test worker to verify it had the new policy.  To test, I logged on with the test user, changed my default printer to a network printer.  I then logged out and put that test server in maintenance mode ensuring my next logon would go to the other test server.  Success, my new default printer was retained.  To be extra sure there was not anything cached locally, I rebooted both non-persistent workers and logged in again.  Success.  The final steps were to make the policy apply to more users and have them test before rolling it out to everyone on both the test and production workers.

Printing is rarely thought of as complicated but it always is.  If you are running into a similar issue then this policy change could be your answer.

Brian Olsen @sagelikebrian

Microsoft Excel Not Enough Memory or Disk Space

During a recent Deployment of XenApp 7.6 on Windows Server 2012 R2 when users ran an application that exported data to Excel they kept getting this error.

excel

Checking the XenApp session host server which was sized at 2vCPU and 8GB of RAM there was plenty of memory available as there was only one users logged into the server. Launching Excel then opening a workbook was fine and did not result in the error and after patching Office 2010 to the latest patch the error still persisted. After investigating there was no reason why this error would appear.

It would appear that this is a bug in Excel 2010 and Excel 2013 running on Windows Server 2012 R2 and excluding AppData\Local with Citrix Profile Management which is done to reduce the size of profile. With this configured the Cache folder ends up not having allocated enough space, the folder is part of the User Shell Folders in their profile.

cache

The solution. Redirect the user Cache directory to C:WindowsTemp, but doing so without the need to load the hive and hack the default profile’s NTUSER.dat.

First assign Users Modify rights to C:WindowsTemp, otherwise they will not have access and this will not work.

temp

Create a GPO Preference Registry Collection named something descriptive such as Excel Cache Directory

cachegpo

Create a new Registry Item pointing to: HKEY_CURRENT_USERSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXPLORERUSER SHELL FOLDERS
The Value Should be Cache
The Data Should be C:\WINDOWS\TEMP
The Type Should be a REG_EXPAND_SZ

cachegposetting

Allow for the GPO to replicate and run a GPUPDATE /FORCE and test and you should no longer see the error.

The next time you encounter this issue give this a try. For more information please leave a comment.

Johnny Ma @mrjohnnyma

Marlins Score Big with Citrix

It seems like every other week there is an IT security breach that makes the news.  Many of these hacks score credit card information that can immediately be used or sold.  Recently there have been allegations that members of the St. Louis Cardinals hacked into the Houston Astros’ system to gather information on players.

New York Times – Cardinals Investigated for Hacking Into Astros’ Database
Kansas City Star – Astros GM Luhnow disputes details related to Cardinals hacking probe

At face value, it seems shocking to hear about hacking in Major League Baseball.  There was a time when America’s favorite pastime was not considered high tech.  It was the boys of summer playing a great game and the best team won.  In this Moneyball era of baseball statistics, numbers and data win big.

 

You don’t have to believe me, just ask Brad Pitt.

As soon as I heard the news it made me think of what the Marlins are doing with technology from Citrix.

 

The Marlins are scoring two big wins with Citrix.  First, they are doing things that have never before been possible and making a better experience for their customers.  Second, they have a focus on security that has kept their IT department out of national headlines while protecting their team and intellectual property.  It is hard to put a price on the total package.

We should not give all the credit to the Marlins’ IT foresight.  After all, the Simpsons predicted this way back in 1999.

Brian Olsen @sagelikebrian

How to Fix Java issues with Citrix Netscaler GUI

We have all encountered the dreaded Java error when trying to connect to the Citrix Netscaler GUI.  In this post I would like to walk through the steps of resolving those Java error messages. There are a few technical articles that TRY to walk you through the process of troubleshooting this issue, but I have found the method that I use to be the most successful.  For me this is one of the most frustrating error messages, as I am constantly working in different versions of Java, Netscaler firmware or browser.

Auth

For starters, lets go ahead and uninstall any version of Java you currently have installed.  Most versions of Netscaler 10.1 and above will support the most recent version of Java.  You can download the most recent version Here.  For this exercise, we are going to assume you are using chrome, Firefox or IE.  In my experience, I have had the most success with the Netscaler GUI and the Chrome browser.

After you have successfully installed Java and went through the confirmation process go ahead and browse to your java configuration applet or go to control panel > Java (32bit).

Once the Java Control Panel pops up, click on the Settings button.

Auth

You will now be redirected to the Temporary Internet files dialog.  First, click on the “Delete Files” button

Auth

One the “Delete Files and Applications” box appears, UNCHECK all of the checkboxes and click OK.

Auth

Before clicking out of the Temporary Internet files dialog, make sure to uncheck ” Keep Temporary files on my computer” and click OK.  Having all of these temporary files are one of the main causes for applet corruption.

Auth

That last set of steps will clear out all the previously downloaded temporary applets, cookies and certificates you currently have in your configuration.  If you are launching java for the first time after the new install this might be a moot point, but I do it anyway :)

Now, stay in the Java Control Panel and at the top, click on the “Security” Tab.  Inside of that tab, click on “Edit Site List” at the bottom.

Auth

Once you have clicked on Edit Site list, Click on Add.  Here you will be able to add the Netscaler access gateway FQDN as an exception.  Only add websites here that you know you can trust their certificate.

Auth

After you click add you will notice a text box appear in the same window.  Go ahead and add your Netscaler FQDN into that field and click OK  example:  Https://yournetscaler.yourdomain.com

Auth

After clicking OK, you will notice your Netscaler FQDN is now in the exceptions list.  Click Ok to exit the Java Control panel and relaunch your browser to test.

Auth

 

This article applies to Netscaler versions 9.3, 10.0, 10.1

Let me know how it goes.  Add your comments below!

 

 

Kevin B. Ottomeyer @OttoKnowsBest

 

 

Configuring Citrix Storefront Domain Pass-through with Receiver for Windows

I would like to discus the procedure for configuring and implementing Domain Pass-through with Citrix Storefront and Citrix Receiver.

First things first, let’s get a receiver installed on a test machine.

****Note, this machine and all subsequent machines must be a member of the domain that your storefront server is currently attached to in order for the pass-through to work.

Download the Citrix receiver Here

Once downloaded find the path of your download location.  Now, we will need to install the receiver with the single sign on switch as follows:User-added image

This will install the receiver, enable and start the single sign-on service on that machine.  After your installation is completed and the machine is rebooted,  log back in to your workstation and double-check to make sure the ssonsvr.exe service was installed and is currently running under services.

User-added image

Once you have confirmed.  Lets move over to your Storefront server.

Launch the Storefront administration console from the storefront server and on the left side of the console, click on Authentication.

Auth

Once authentication is selected move over to the right side of the console screen and under actions > authentication, click on add/remove Methods.

Auth

After clicking on Add/Remove Methods, a dialog box should appear with options to select what methods you would like to enable in Storefront.  The second option from the top is, “Domain pass-through”, click on the check box next to that option and click OK.  This will enable Storefront to take the credentials from the ssonsvr service on your workstation and pass them through Storefront and enumerate the app list without authenticating twice.

Auth

Depending on your Citrix infrastructure, you might need to propagate the changes to the other Storefront servers in your Server Group.  If you have more than one Storefront server and you do not propagate changes, you might see mixed results in your testing.

To do this, click on “Server Group” on the right side of the console and then on the left side under actions, click on “Propagate Changes”.    This action will replicate all the changes you just made to your authentication policies over to the other Storefront servers in your Server Group.

Now that you have all the configuration pieces in play, reboot the workstation you installed the receiver to and log back in.  Once logged in your should be able to right-click on the receiver and click open.  Receiver will now prompt you for your Storefront FQDN or email address if you have email based discovery enabled.  At this point your application list should enumerate without prompting for credentials. This also goes for the Web portal. Test both to make sure they are passing those credentials through appropriately.

********If your credentials still do not pass through, below are a few troubleshooting steps you can take.  Of course this all depends on how your environment is set up and what access you have to modify certain components in your windows infrastructure.

Modifying local Policy to enable pass-through on the workstation

Apply the icaclient.adm template located in C:\Program Files\Citrix\ICA Client\Configuration to the client device through Local or Domain Group Policy.

Once the adm template is imported, Navigate to Computer Configuration\Administrative Templates\Classic Administrative Templates\Citrix Components\Citrix Receiver\User authentication\, then double-click on the “Local user name and password” setting.

User-added image

The following box should appear and make sure to select both “Enable pass-through authentication” and “Allow pass-through authentication for all ICA connections”.

User-added image

Adding Trusted Sites in your browser

On the same workstation you are testing the pass-through.  Open IE and navigate to Tools > Internet Options.  Click on Trusted Sites and add your Storefront FQDN (the same address you entered into the receiver when you set it up.

Auth

Also, it wouldn’t hurt to configure pass through in IE.  In The Internet Options Security tab with Trust Sites selected, choose Custom level, security zone. Scroll to the bottom of the list and select Automatic logon with current user name and password.

User-added image

Configure the NIC provider order

On the workstation you installed the receiver, launch control panel and click on Network Connections, choose Advanced > Advanced Settings > Provider Order tab and move the Citrix Single Sign-on entry to the top of the Network Providers list.

User-added image

If you are still having problems with the receiver not passing the credentials, leave a comment with your specific issue.

References:

https://www.citrix.com/downloads/citrix-receiver.html

http://support.citrix.com/article/CTX200157

 

 

Kevin B. Ottomeyer @OttoKnowsBest

 

 

 

 

Citrix Access via Chrome is Broken

Purpose:
This post explains Google Chrome functionality that can negatively impact the access to any Citrix environment.

Symptom:
After clicking on a published application or desktop icon in StoreFront using Chrome–nothing happens.

or

After logging on to StoreFront using Chrome, it never thinks Citrix Receiver is installed and offers it to me to download before I get to see my icons.

or

You have a warning to, “Unblock the Citrix plug-in.”

blocked_citrix_pluginResolution:
1) Re-enable the plugin using CTX137141.  This workaround will end in November 2015 when Google permanently disables NPAPI.
2) Customize StoreFront to remove the prompt to download Receiver with customized code.
3) Customize StoreFront with a link to download Receiver with customized code.
4) Enable a user setting to always open .ica files using CTX136578.
5) Use another browser not affected by the Chrome changes.

Cause:
Back in November 2014, Google announced it would remove NPAPI support from Chrome.  They are making this change to “improve security, speed, and stability” of the browser.   In April 2105, they will change Chrome’s default settings to disable NPAPI before removing it entirely in September of 2015.

What does this mean for my Citrix users who use Chrome?

Receiver detection.  The NPAPI plugin that Receiver (Windows and Mac) installs allows Receiver for Web (aka StoreFront) to detect if Citrix Receiver is or is not installed.  Without this plugin, it assumes you do not have Receiver and will offer it for you to download and install.  As an aside, you may have noticed that Internet Explorer has an ActiveX control that does the same thing.  If your user does not have Receiver then they can not launch their Citrix application or desktop, so this is a good thing. If your user is already running Receiver but gets offered the Receiver download this will be confusing and could potentially be a bad thing.

Launching applications and desktops.   Let me explain what should happen when you click on the icon for, say, Outlook 2010 in StoreFront (aka Receiver for Web).  StoreFront will talk to a delivery controller to figure out what machine is hosting Outlook 2010 and has the lowest load.  StoreFront will then offer you a .ica file to download.  If you have the plugin, Windows will know that this is a configuration file that should be opened by Receiver.  Receiver will then connect you to your application.  This all happens quickly and seamless making it seem like Outlook 2010 launches immediately.

Without the plugin, you will download an .ica file but Outlook 2010 will not open until you click it.  Chrome does have the option (the arrow on the downloaded file) to “Always open files of this type” as shown in CTX136578.

References:
http://blogs.citrix.com/2015/03/09/preparing-for-npapi-being-disabled-by-google-chrome/
http://blog.chromium.org/2014/11/the-final-countdown-for-npapi.html
http://support.citrix.com/article/CTX141137
http://support.citrix.com/article/CTX136578

Brian Olsen @sagelikebrian

Sharefile SAML AD Authentication Fails on Chrome and Firefox

After configuring our ShareFile to integrate our AD accounts using AD FS 2.0 and SAML for login, we found several user could not log in with Chrome or Firefox.  They would go to the SAML login URL and then enter their correct AD credentials.  The login would then fail.  Using IE with the same credentials was successful.  After investigation, the issue was linked to AD FS 2.0 and Chrome/Firefox, not ShareFile.

The Solution below was found at http://exitcodezero.wordpress.com/2013/05/30/adfs-authentication-issues-with-chrome-and-firefox/

To correct the issues, disable Extended Protection in IIS on your ADFS server

  1. Open IIS Manager on your ADFS Server
  2. Expand your ADFS Server
  3. Expand Sites
  4. Expand Default Web Site
  5. Expand adfs
  6. Click to select ls
  7. Double-click Authentication 2013.05.30_adfs_auth_2
  8. Right-click Windows Authentication and select Advanced Settings… 2013.05.30_adfs_auth_3
  9. Set Extended Protection to Off 2013.05.30_adfs_auth_4
  10. Restart IIS or perform an iisreset