WIERD SITUATION- Web Interface issue....

[bran2235]

Hello everyone...

I am running WI 3 and CSG 2 on the same box. EVERYTHING is running awesome.

I went to show a user how to log in to the page, choose his apps, etc. from inside / on the WAN so he'll know how when he gets home- HEre's what happened:

I shadowed him, opened his IE (from a published desktop)- went to the WI page, logged in as him, his applications loaded perfectly- When I clicked the app to launch, it went thru the normal processes, "connecting" etc. and then BAM! Everything just stopped. I was left at the WI page. The app never loaded after I clicked it...!!! ??????

This works logged in as an admin on the same MF, and logging into WI as admin on the same box.

I also was able to do this: Log into the box as admin, but logged in as this user on the WI page (not admin)- everything worked fine!

WHY can't I log in as him on the box and then log in to WI and have it work??????


Any Ideas???
Thanks,
Brandon

 

[ascotta]

Could be a few things

1 TS Licenseing
2 Policy to allow normal humans to log on

1 On your pc can you log on as them.
2 Try installing Programme neighbourhood on your pc and try logging on to a desktop as them. That will show whether it is WI or Citrix.
3 You sound as though you know what you are doing, but check out the TS licensing just in case, you want to set it per user.


[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[bran2235]

Ok- we have plenty of TS licenses... ALL OF MY MFs are identical!... in every way, shape and form. I don't think it is a TS license issue because I can turn right back around and make this work on a different MF- I've also checked the number of connection / pooled licenses (plenty).

This only happens on four of my 13 MFs(?)
---
Setup: CSG 2 and WI 3 on same box.
All MetaFrames publish one desktop (all servers identical) 13 Metaframes all together in my farm
.
Users can go to my WI page (from within their Citrix published Desktop), log in and basically launch another desktop thru CSG/WI on their current desktop. This is good

HOWEVER, this is not possible on 4 of my metaframes (?) What happens is this:
-I am on a published desktop as a standard user (using ica client 8), I go to the WI page, log in as the same standard user,
-Their apps (just one published desktop) show up in the Applications window (all good so far)
-THEN, when I click the application (published desktop)- I see the "connection in progress, etc.) and then all the sudden, I'm right back at my WI page!!! (?)- Doesn't make sense to me!!

On the servers that I can't do this on, their is only one exception:
-If I log into server (using ICA client from my PC) as Admin, go to WI page, THEN, log in AS STANDARD USER, I can launch their published desktop (?);

On my CSG Box (event manager) inside of CitrixSecureGateway Log, I see two events for this one 'bad' attempt:
Event Type: Information
Event Source: CtxSecGwy
Event Category: Status
Event ID: 4205
Date: 3/30/2005
Time: 5:06:52 PM
User: N/A
Computer: CSG
Description:
CSG4205 Request STA or Authentication Service [STA01] to resolve ticket [E8B5C06324E01D8BC4DB50BA3A78259C].

And the second one is:

Event Type: Information
Event Source: CtxSecGwy
Event Category: Status
Event ID: 4201
Date: 3/30/2005
Time: 5:06:53 PM
User: N/A
Computer: CSG
Description:
CSG4201 Client IP [192.168.60.23:3384] with username [jzone] connected successfully to server [apxw2kmf01.APEX.LOCAL:1494], using protocol [ICA].

It appears that the session/app (published desktop) is acutally taking place (see event above) but It actually isn't happening in my session (can't see it)!!

Scott, you replied to a bunch of my posts- I appreciate your help!!


Cheers,
Brandon

 

[ascotta]

As I said it sounds like you know what you are doing

So lets try a little left field.

On the boxes that you cannot login as the user is the user profile local or roaming, and is it different on the others?

Try using PN8 on their PC's logged in as them and connecting to published app use the login enabled to force them on to failing servers. What happens.

At least we should be able to rule something out there.

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[bran2235]

Thanks

ALL user profiles are roaming- I cheked and their are no cached profiles on the failing servers;

All of my remote users are using Neoware Appliances (thin clients)- The problem is exactly the same wether I log in at my PC w/ PN8 or when they log in to their published app w/ the think client.

I think this point is important:
When I log into a 'bad'/failing server as admin using PN8, go to WI page, BUT LOG INTO WI AS THE USER, it works fine!!

AND THIS:

After I re-create the problem w/ standard user, I get a message when I try to log them off of the (first) published desktop Unable to log off Citrix MetaFrame Server. Please manually close connection and continue

This has got to be important.

 

[ascotta]

Hi, what I am trying to establish is is it a citrix issue or a WI issue.

So by using there neoware appliance can you log on to the failing servers to run a desktop or a published app going nowhere near a web site.

If they cannot the WI is not the problem. Then we look at why citrix won't let them on to these boxes, we can then use filemon and regmon to see if it is permission, which I think it is.



[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[bran2235]

Ok, The issue I think is permission too- but where?????- Yes, I can log onto any 'failing' server using Neoware and launch a published desktop- no problem at all (this is how I discovered the issue- I was shadowing a user to sow them how CSG worked (of course) and it failed after they logged into WI and tried to launch the published desktop-

I'm trying to think of why it's only a few (four) boxes that present the problem... Never used File mon before- Used Regmon once.

Cheers,
Brandon

 

[bran2235]

One more note- All of my MFs are in their own OU w/ loopback processing turned on- so I don't think it could be policies. I run secedit to refresh user and machine policies....

 

[ascotta]

Damn it must be a WI issue then. Citrix is accepting the connections fine.

I think it is passing through your admin credentials hence how it works logged in and the running WI on citrix server.

Will need to have a think, will get back

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[dudenjersey]

Try the registry, HKLM\software\microsoft\mslicensing\ store, see how many are showing, ie licensexx, if multiple, delete the licensexx , restart.

Also, make sure the user has full control permissions on that same key.

 

[dudenjersey]

OOPs, looks like i missed some of the earlier post. the above fix probably won't help you then

 

[bran2235]

Yep- but thanks-
There is only one "License000" on both the 'good' server(s) and the 'bad/failing' ones.


Thanks for you input though!!!

Brandon

 

[bran2235]

Ok, this thing is killing me... I am totally lost on ideas now....

 

[dudenjersey]

i thought i saw something on

http://Www.citrix4ge.de

regarding this, I'll check.

 

[bran2235]

Ok, anyone??????? Any helpful suggestions??

THANK YOU!
Brandon

 

[ascotta]

Is there anything in the event viewer on the citrix boxes ?

If you watch [using refresh] on the CMC do you see an attempt to connect ?


I wonder if the client ticket is expiring too soon.


[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[bran2235]

Ok-

On my CSG Box (event manager) inside of CitrixSecureGateway Log, I see two events for this one 'bad' attempt:

Event Type: Information
Event Source: CtxSecGwy
Event Category: Status
Event ID: 4205
Date: 3/30/2005
Time: 5:06:52 PM
User: N/A
Computer: CSG
Description:
CSG4205 Request STA or Authentication Service [STA01] to resolve ticket [E8B5C06324E01D8BC4DB50BA3A78259C].

And the second one is:

Event Type: Information
Event Source: CtxSecGwy
Event Category: Status
Event ID: 4201
Date: 3/30/2005
Time: 5:06:53 PM
User: N/A
Computer: CSG
Description:
CSG4201 Client IP [192.168.60.23:3384] with username [jzone] connected successfully to server [apxw2kmf01.APEX.LOCAL:1494], using protocol [ICA].

UPDATE: I just re-installed PN 8.1 on the MF (the one that this is happening) and now I'm getting a different outcome-

Before, when I'd launch the published app from the WI page, the splash screen that says "Connection established, negotiating capabilites" would come up and then suddenly go away!
NOW, after the re-install of PN (8.1), the same splash screen will come up BUT NOW, IT JUST FREEZES at that point. The published app never loads...!!

I checked the event logs on the CSG/WI and the Metaframe... nothing outside of what I have said here... this is really killing me!

Someone in another article said they had the same thing but it was fixed with removing a particular reg key (soemthing to do w/ WTS Licenses...????)???

Brandon

 

[ascotta]

Thats what my first impression was, but it works on other servers. He has posted the key further up. It is worth checking licenses again, I know you said you have plenty but lets just rule it out.

I came across an issue at the tail end of last year where the license server that the citrix server was connecting too, was not the one it was supposed to be. I will check and see and post back.

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[bran2235]

Ok, maybe you can help me understand this a bit better (licensing)- I'm no pro at it, for sure!

Citrix MFs are W2k Svr;
WTS Licensing Svr is a Win 2003 Server;

When I go to view Term Serv Licensing, this is what I see:

Win 2k Svr- TSCAL per device (50 total, 1 avail)
Win 2k Svr- TSCAL per device (50 total, 1 avail)
Win 2k Svr- TSCAL per device (150 total, 0 avail)
Windows Server 2003- TS per_device CAL (250, 10 avail)

The above really confuses me!!!
NOTE: I've checked the HKLM\SW\MS\MSLicensing\Store and I deleted the "License000"- it did not fix my issue- so I restored it.

....I think we might be onto something here... Can you help me understand the above Scott???

THANKS!
Brandon

 

[ascotta]

lordy lordy licensing
What o/s are the citrix sesrvers, that is the important bit.

As I have said you sound as though you know what you are playing with here. So we are on an equal footing.

You say your license server for ts is a win2k3 box. Firstly win2k3 ts licensing does not fully work yet. Which is nice!

Your citrix servers will have a reg key that looks for its TS license server. That needs to be right.

What is the o/s of the client, for Win2K XP is considered a built in client and Win2K too. But for Win2K3 there is no equivelant desktop and therefore all clients require a license, unless you can prove to have bought XP before win2k3 was released 1st April 2003 ooo er.

Might be better for an e-mail session, I don't know the rules about this so I will check.


[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott