Troubleshooting Slow Citrix and Terminal Server Logons

Posted on June 19, 2011 by Murugan B Iyyappan

This article will take you through the steps to follow when someone says, “Citrix Server logons are too slow.”

Understanding the Terminal Server Logon Process

The logon process in Terminal Server environments is interesting, especially since it doesn’t necessarily relate to the usability and overall feel of the server in general. A series of events happen on a Terminal Server from the time a user clicks the “connect” button until the time his application or desktop is presented to him. In order to successfully troubleshoot slow logons, you need to fully understand what happens during the logon process. Only then can you begin to investigate which aspect of the logon process is holding things up.

From a high level, this sequence of events occurs when a user logs on to a Terminal Server:

  1. The user clicks the connect button.
  2. A request is made to determine which server the user should connect to.
  3. The server negotiates with the requesting client for its encryption level and virtual channel capabilities.
  4. The Microsoft licenses are verified. The server client access license is verified first, and then the Terminal Server client access license is verified.
  5. The user is authenticated to the domain and his rights are checked for access to the connection.
  6. The Citrix licenses are verified.
  7. The Terminal Server loads the user profile.
    • First, it contacts the logon server (domain controller) to see if a roaming profile is configured for the user.
    • If so, the server checks to see if a local profile exists.
    • If so, it checks the see which is newer.
    • If the remote copy of the roaming profile is newer, the server copies the roaming profile from the remote server.
  8. The Terminal Server applies any GPOs that have been configured.
    • The server connects back to the logon server to check for any GPOs for the user.
    • If so, the server downloads those GPOs.
    • Then, it applies the GPOs.
    • The Terminal Server checks GPO filtering, recursion, etc.
    • It then processes each GPO extension, such as folder redirection, security policy, disk quota, etc.
  9. The Terminal Server launches any applications as specified in the policies.
  10. The server executes the contents of the “run” registry values.
  11. The server runs the user’s logon script(s).
  12. The server runs any programs in the Startup folder of the user’s Start Menu.

This list is just a very high level and has been greatly simplified for presentation here. The important takeaway is that all of these steps take place each time a user logs on.

Now that you’ve seen what happens (or could potentially happen) each time a user logs on, you can start to trace this process in your environment to see where the delay could be. Here’s the approach:

  1. Isolate the Problem
  2. Check the pre-connection items
  3. Check the initial user environment creation
  4. Check the shell and session creation

Isolating the Problem

Before you can really start troubleshooting the logon process, you should get a feel for the situations in which slow logons occur. To do this, collect as much information about the symptoms of the problem as you can. Some potential questions to ask include:

  • Are logons slow for some users or all users?
  • If you’re using Citrix, does a user with a slow logon via ICA also experience a slow logon via RDP?
  • What happens if a user with a slow logon logs in via the server console?
  • Are logons slow at all times of the day, or just sometimes?
  • Do users experience slow logons every time, or is it sporadic?
  • Is there anything else that the slow logon users have in common? (Are they all in the same domain group or OU? Are they all in the same building? Do they all have the same type of client device or desktop image? Are they all accountants?)
  • Or is it just plain slow for everyone?

Answering these questions will help you frame your investigation. For example, if you determine that slow logons only occur via ICA and not via RDP sessions, then you’ll be able to focus your efforts on the ICA session startup process.

Once you’ve determined what common characteristics are in place for users with slow logons, you can begin to investigate more closely. The easiest way to do this is to use the Citrix Web Interface and log on as a user that’s experiencing slow logons. To do this, first get a stopwatch and time the entire logon process–from the moment you click an application icon in Web Interface until the moment the desktop shell or application is fully loaded. That will give you your total logon target. Then you can narrow this down by breaking the logon process down into four chunks:

  1. User clicks an icon in Web Interface, causing the server to build a custom ICA file and sends it to the client
  2. Client receives ICA file and establishes connection
  3. User is authenticated and their environment is loaded
  4. Post shell loading actions take place

Logon Phase 1: Server Selection

The first part of the logon process actually happens before a user ever hits a Terminal Server. This could be called “server selection.” This phase is when the user sends their application request to the server, and the zone data collector selects the appropriate server and sends the server information to the client.

If you’re using Citrix’s Web Interface, it’s easy to figure out how long this process takes. Instead of double-clicking on an icon to launch an application, right-click the icon and select “Save as…” to save it to your desktop. This will save a file called launch.ica that will contain all the results of the server selection process. If that file is created very quickly, then you know you do not have a problem at this stage of the logon. If that file takes a while to be created, then you can focus your investigation on the pre-connection issues (name resolution, data collector latency, etc.).

Logon Phase 2: Server Connection

The next phase of the logon process is the actual connection with the server itself. You can launch immediately into this phase by double-clicking the launch.ica file on your desktop that was created in the previous step. However, before you do this, you should edit the launch.ica file in notepad to remove the Web Interface user credentials / ticket information. Why? Because doing so will cause the automatic logon to fail, thus stopping the logon process dead in it’s tracks at the remote Citrix server logon screen. This is a good thing, because it allows us to time the activities that take place between double-clicking launch.ica and the Windows logon box appearing on the screen. By deleting the user credentials out of the ICA file, we essentially create a breakpoint in the logon flow.

This phase is where the initial session connection and Microsoft license verification takes place, so you can check into these areas if this is the slow point.

Logon Phase 3: Authentication and User Environment Creation

At this point you should be sitting at the Windows logon box on your remote server. Go ahead a log on a see how long the process takes. If the desktop (or published application) takes a long time to load, there are actually several things that could cause it. Maybe you have a huge roaming profile? Maybe there are two many GPOs being applied?

In Windows 2000 and Windows Server 2003, an application called “userenv.dll” is responsible for creating the entire user environment at logon time. This includes loading user profiles and applying GPOs.

Fortunately, you can enable diagnostic trace logging on all actions that the userenv.dll file conducts. These trace logs are extremely detailed, describing down to the millisecond exactly what the server was doing. For example, in addition to being able to trace the high-level logon process outlined previously, you can also see the userenv.dll verifying the profile file list build, checking for disk space, verifying ntuser.dat, loading ntuser.dat into HKCU, and replacing system variables in the path with actual variables.

By viewing this log you will see if a particular file in the roaming profile is getting stuck, if the file copy process is taking too long, or if DNS or WINS name resolution is holding the server up. It also allows you to track the application of GPOs to see if one is taking an inordinate amount of time (or if you simply have too many GPOs that are slowing things down).

This log file can help you pinpoint slow logon issues related to things you might not have thought of otherwise. For example, one environment was experiencing slow logons due to the domain controller. The IT staff had been focusing their attention on the path between the Terminal Server and the file server hosting the master copies of the user profiles. But by looking at the userenv.dll logs, they discovered that the domain controller was so busy that it was taking 30-45 seconds to respond when the Terminal Server queried it to see where the user’s roaming profile was stored. A $3,000 hardware upgrade to the domain controller saved this company 45 seconds on every user logon across 20 Terminal Servers.

You can enable userenv.dll logging by adding the following registry entry to a Terminal Server:

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Type: REG_DWORD
Data: 10002 (Hex)

The data value of 10002 will enable verbose logging to a file on the server. Once you set this value, reboot your server and check for a “userenv.log” file in the %SystemRoot%\Debug\UserMode\ folder. Remember to turn this off when you’re done troubleshooting it, since each user logon can easily add 100KB to the size of this log file.

Let’s look at a small example from a userenv.log file. This example has been severely trimmed, and shows only a few random lines to give you a feel for the type of information that is available in this log file. Notice that the exact time down to the millisecond is listed for every line in this log. This allows you to see exactly what’s happening and where the hold-up could be. 

09:25:30:606 UnloadUserProfile: Entering, hProfile =
09:25:30:606 UnloadUserProfile: In console winlogon process
09:25:30:616 UnloadUserProfileP: Entering, hProfile =
09:25:30:616 CSyncManager::EnterLock
09:25:30:616 CSyncManager::EnterLock: No existing entry found
09:25:30:616 CSyncManager::EnterLock: New entry created
09:25:30:616 CHashTable::HashAdd: S-1-5-21-2364083253-1420309831-852573094-500 added in bucket 19
09:25:30:616 UnloadUserProfileP: Wait succeeded.  In critical section.
09:25:30:872 MyRegUnLoadKey: Returning 1.
09:25:30:872 UnloadUserProfileP:  Succesfully unloaded profile
is local, not setting preference key
09:27:39:975 CreateLocalProfileImage:  One way or another we haven’t got an existing local profile, try and create one
09:27:39:975 CreateSecureDirectory: Entering with
09:27:40:052 CreateSecureDirectory: Created the directory
09:27:40:052 ComputeLocalProfileName: generated the profile directory
09:27:42:068 CopyProfileDirectoryEx: Leaving with a return value of 1
09:27:42:106 MyRegLoadKey: Returning 00000000
09:27:42:106 IssueDefaultProfile:  Leaving successfully
09:27:42:115 RestoreUserProfile:  Successfully setup the local default.
09:27:42:115 SetupNewHive:  Entering
09:27:42:115 SetDefaultUserHiveSecurity:  Entering
09:27:42:335 SecureUserKey:  Entering
09:27:42:335 SecureUserKey:  Leaving with a return value of 1
09:27:42:335 SecureUserKey:  Entering
09:27:42:345 SecureUserKey:  Leaving with a return value of 1
09:27:49:719 ProcessGPOs: ———————–
09:27:49:719 ProcessGPOs: Processing extension Microsoft Disk Quota
09:27:49:719 CompareGPOLists:  The lists are the same.
09:27:49:719 ProcessGPOs: Extension Microsoft Disk Quota skipped with flags 0x6.
09:27:49:719 ProcessGPOs: ———————–
09:27:49:719 ProcessGPOs: Processing extension QoS Packet Scheduler
09:27:49:719 CompareGPOLists:  The lists are the same.
09:27:49:719 ProcessGPOs: Extension QoS Packet Scheduler skipped with flags 0x6.
09:27:49:719 ProcessGPOs: ———————–
09:27:49:729 ProcessGPOs: Processing extension Scripts
09:27:49:729 CompareGPOLists:  The lists are the same.
09:27:49:729 ProcessGPOs: Extension Scripts skipped because both deleted and changed GPO lists are empty.
09:27:49:862 ProcessGPOs: User Group Policy has been applied.
09:27:49:862 ProcessGPOs: Leaving with 1.
09:27:49:872 ApplyGroupPolicy: Leaving successfully.
09:27:51:763 IsSyncForegroundPolicyRefresh: Synchronous, Reason: policy set to SYNC
09:27:52:700 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
09:27:53:139 GPOThread:  Next refresh will happen in 109 minutes
09:27:57:926 LibMain: Process Name:  C:\WINDOWS\system32\ie4uinit.exe
09:28:40:507 LibMain: Process Name:  C:\WINDOWS\system32\msiexec.exe
09:28:47:967 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe

Once you have this log file, take a quick look at the first and last timestamps. If they’re very close together (like only a few seconds apart), then you know that it’s probably not worth spending too much time with this logfile. However, if you have 10, 20, or even 30 seconds in this file, then you can read through it to figure out where the holdup is.

Logon Phase 4: Loading all the Junk

There is a lot of stuff that gets loaded into a Windows session, even when Terminal Server is used. If you still haven’t found the cause of your slow logons, you need to investigate everything else that’s loading during the session initiation. I used to give out a long list of registry locations, but fortunately there are now tools that do this for us. My favorite is the free tool

AutoRuns is a simple tool that you run on a computer (or your Citrix server in this case) that scans the registry to list out absolutely everything that runs, loads, or is mounted in a session. It’s like an extreme version of MSConfig. Here’s a sample output:

AutoRuns from SysInternals

AutoRuns from SysInternals

As you can see from the size of the scrollbar, AutoRuns will find hundreds of modules and components that load on startup. Of course you can’t remote everything from this list, but you can step through it to get an idea of what’s loading. You might be very surprised at what you find! You can also use this tool to remove items from these lists to try your logons without them.

Conclusion

Troubleshooting Citrix and Terminal Server slow logons is easy once you know the process and know how to insert break points to narrow down where the problem might be. Try to isolate it as much as possible and you should be able to solve it

Posted in Citrix XenApp, Citrix XenDesktop | Tagged , , , | Leave a comment

XenApp 6 Installation and Configuration Step-by-step

Posted on May 28, 2011 by Murugan B Iyyappan

Installing XenApp Server

Before starting the installation, disable the IE Enhanced Security Configuration.  Start the Server Manager.

Select “Configure IE ESC” on the right side.

Select Off for both Administrators and Users, then click OK.

Insert the XenApp 6 install DVD.  It is recommended to run directly from the  DVD or extract the files to a local drive on the server.

Select Install XenApp Server.

If you have not yet installed .Net 3.5 SP1 it will prompt that it will be installed, click OK.

Now at the Role Manager screen click “Add server roles” on the right.

Select your XenApp edition.

Read the license agreement, select the check box to accept the license agreement, and click Next. (No need to scroll upto the end ;))

Select the role(s) you would like to install.  Here we choose the License Server, XenApp, and Web Interface.  In a production environment you may want to install the License Server on a separate non-XenApp server.  The same goes for your Web Interface servers.  Click Next.

Click Next.

The installation will include a bunch of prerequisites that need to be installed.  The first is the activation of the Remote Desktop Session Host role/Terminal Services application mode which will require the server to reboot mid-install.  One of the nice things about XenApp 6 is that the installation of prerequisites has been simplified.Click Next.

Click Install.

Click Finish.

Back at the Role Manager window it tells us the XenApp configuration has a reboot pending because of the Remote Desktop Server role installed earlier.  Select Reboot or manually proceed to reboot the server.

Once we’ve logged back on after the reboot the Role Manager screen should pop back up.  Click Resume Install under the XenApp configuration task. Before that check whether the selected roles ahs beed still active, or click Add roles again.

Click Install.

If the install was successful you can see the above screen.  Click Finish.

Configuring XenApp Server

Now we will configure the different components of our XenApp installation.  If the Role Manager window does not appear click Start > All Programs > Citrix > XenApp Server Role Manager > XenApp Server Role Manager.

Click Configure under XenApp.

Select “Create a new server farm”.

Type a name for the new XenApp Server farm, then click Next.

We can specify the license server info later through a XenApp policy, click Next.

We now have the option to install a new database locally on the XenApp server or on an existing SQL Server in our environment.  For simplicity here we choose the New Database option.  The installation will automatically install a copy of SQL Server Express 2008 on the XenApp server and configure the data store database for our new Citrix farm.

For larger environments it is recommended to use an existing SQL Server.  We even can use an existing SQL Server 2005 SP3 database server instance.  If you choose to use a separate SQL Server you’ll want to create a new database for the Citrix farm on that server, assign a new SQL login and user for that database, and add the db owner role on the new database for that SQL user.  Perform these steps first if using an existing SQL server, then come back to the XenApp installation.

Enter a user and password for a database administrator for the new database. We may use a more restricted standard user account for better security. Click OK.

Click Next.

Unless you want to configure restrictions on session shadowing, accept the default and click Next.

Zones are typically geographically based groupings of XenApp servers that share a common data collector, which contains certain information on the status and availability of the XenApp servers in that zone.  We kept the default zone name.  Don’t click Next yet.

On the left select “XML Service”.  We generally choose to “Use a custom XML Service TCP/IP Port” and change this to 8080, but you can keep the default if you want.  Make a note of which port you use because you’ll need it when configuring components like the Web Interface.

Select “Remote Desktop Users” on the left and select “Add the Authenticated Users” to limit logons to authenticated users.  Click Next.

Click Apply to configure with the settings selected.

XenApp configuration successful, click Finish.

Under XenApp task is displays a reboot pending, click Reboot and proceed to reboot the server

Configuring Web Interface

After we’ve rebooted log back on and go back into the Role Manager if it doesn’t start automatically.

Click “Configure” under “Web Interface”.

Now the Web Interface Management console should start.  Select XenApp Services Sites on the left pane, then click Create Site on the right.  We need to create a site that will allow the Citrix Online Plugin on our clients to gather connection information about our Citrix farm.

Click Next.  The IIS role and the Default Web Site should have been installed when we installed the Web Interface.

Click Next.

Click Next and the site configuration will start.

Type the name of your Citrix farm and click Add.

Type the fully qualified domain name of your XenApp server or its IP address and click OK.

If you changed the port the XML Service runs on update it like I have above.  Add any additional servers you may have in your environment, then click Next.

For now we’ll use only Online applications, click Next.

Click Finish to wrap up the XenApp Services Site configuration.  Then close the Citrix Web Interface Management console.

Configuring License Server and Installing Licenses

Back at the Role Manager window click Configure under License Server.

Enter a password for the “admin” user on the license server web console.  Click OK.  When I installed the License Server on the same server as the XenApp server, it gave me an error about the Management Console Web Port already being in use.

If this happens to you, change the Management Console Web Port to something like 8081 to get past the License Server Configuration screen.

Go to Start > All Programs > Citrix > Management Consoles > License Administration Console.

Select Administration on the upper right side of the page.

Logon with the “admin” user and password specified earlier.  Optionally check Remember Me so you don’t have to log on in the future.  Click Submit.

Scroll down and select “Vendor Daemon Configuration” on the left side of the screen.  Then click “Import License” at the top.

Click the Browse button to find your license file.  The import of the license file is kind of tricky, it may give you an error that the license does not have a consistent server host ID.  Rest assured, it is.  Go to Start > Administrative Tools > Services.

On the right side scroll down to the Citrix Licensing service, right click and select restart.  Close the Services MMC.  Now if you go back to the License Server Console, click Dashboard on the top right and the license should be registered.  Now close Internet Explorer.

You are now returned to the Role Manager screen.  Click Close.

Go to Start > All Programs > Citrix > Management Consoles > Citrix Delivery Services Console.

It will ask about disabled authenticode signature check, we selected Disable.

It will run a discovery process to find your new Citrix farm.  Click Next.

When presented with product selections leave the XenApp option checked and uncheck Single Sign On.  Click Next.

Click the Add Local Computer button to allow the console to browse it for available services.  Click Next.

Click Next.

Once discovery has completed click Finish, or at least I think that is finish!  Click the middle button.  You should now be presented with the Delivery Services Console.

In the left tree go to Citrix Resources > XenApp > Policies.  Then on the right pane select the Computer tab.  Select the Unfiltered policy under Citrix Computer Policies, then click Edit.

Click Next.

On the Left side select Licensing.  Then on the right select Add next to “License server host name”.

Type the name of your license server, then click OK.

Click Add next to “License server port”.

Make sure the value says 27000, then click OK.

Click Save.  Now we’ll be returned to the Delivery Services Console window.

Publishing a Citrix XenApp Application

Now it’s time to publish our first application to our clients.  Go into the Citrix Delivery Services Console if it is not already running.

On the left side of the window drill down to Citrix Resources > XenApp > Applications.  In the right actions pane click Publish Applications.

Click Next.

We’ll publish the Calculator, so enter a Display Name and click Next.

This is a simple application published from the XenApp server.  Click Next.

Browse for the Calc.exe of enter the information as above and click Next.

Click Add to select the server that this application is published from.

Double click Servers in the top box.  Then double click the XenApp server to add and it will appear in the bottom.  Then click OK.

Make sure a server appears, then click Next.

Click Add to select users for this application.

Double click this server, then double click the user group you’d like to publish this application to.  We’ll choose the local standard “Users” group.  If the XenApp server is in a windows domain it will also publish to members of the Domain Users group.  Click OK.

Click Next.

Click Next.

Click Finish.

The published application should now appear in the Delivery Console.

Installing the Citrix Online Plugin

Now let’s configure a client computer for XenApp 6.  One important thing  to note is that you should be running the latest version of the Citrix  XenApp Online Plugin client version 12. Also since Program Neighborhood is no longer included with the  current Plugin client that functionality appears to no longer be  supported.  Instead we’ll use the XenApp Services Site we set up earlier (formerly Program  Neighborhood Agent) to provide the settings for our client to connect with.

Now we need to install the Online Plugin client on a workstation.   There are two clients bundled in the Plugin client download, we will  install the Full Plugin client, CitrixOnlinePluginFull.exe.  It will  proceed with the installation.  Once completed it should prompt you for  the server.

Enter your server name and click Update.  It should now ask for your  logon credentials.  If it doesn’t, right click the Citrix icon in the  system tray and select Log On.

Enter your user, password, and domain if this is an Active   Directory environment.  To specify a local user account to the XenApp server type the computer name in the domain field.  Click OK.

Now left click the Citrix icon and select your application that you published earlier.  You should now be running your first XenApp 6 published application!

Posted in Citrix XenApp | Tagged , | 9 Comments

Best Products of the year 2010

Posted on December 14, 2010 by Murugan B Iyyappan

Google Android 2.2 (smartphone operating system; included with phone)

Apple iPad (tablet; starts at $499)

Amazon Kindle, thirdgeneration (e-reader; $139)

Netflix (streaming video service, video-by-mail plan; starts at $9, Watch Instantly free with monthly plan)

Samsung Galaxy Tab (tablet; price to be determined)

Sony Alpha NEX-5 (digital camera; $650)

HP Envy 14 Beats Edition (laptop; starts at $1149)

Samsung Epic 4G (smartphone; $249 with Sprint contract)

Google Chrome (Web browser; free)

Microsoft Security Essentials (antivirus sofware; free)

Posted in Citrix XenApp, Citrix XenDesktop | Tagged , , , , , , | Leave a comment

WINS vs DNS ?

Posted on December 14, 2010 by Murugan B Iyyappan
Windows Server 2003 Standard Edition cover box

Image via Wikipedia

“WINS” is Windows Internet Name Service.  DNS is Domain Naming Service.

WINS and DNS are both name resolution services for TCP/IP networks. While WINS resolves names in the NetBIOS namespace, DNS resolves names in the DNS domain namespace. WINS primarily supports clients that run older versions of Windows and applications that use NetBIOS. Windows 2000, Windows XP, and Windows Server 2003 use DNS names in addition to NetBIOS names. Environments that include some computers that use NetBIOS names and other computers that use domain names must include both WINS servers and DNS servers

WINS help Windows NT Client and Servers to locate DC. NetBIOS looks for its name resolution from a WINS server. DNS helps applications like web browser and email clients to located web and mail servers Winsock looks for its name resolution from a DNS server. PING is a Winsock command.

Posted in Citrix XenApp, Citrix XenDesktop | Tagged , , , , , , , | Leave a comment

What is Kcc(Knowledge Consistency Checker) ?

Posted on December 14, 2010 by Murugan B Iyyappan

An administrator may establish additional connection objects or remove connection objects. At any point, however, where replication within a site becomes impossible or has a single point of failure, the KCC will step in and establish as many new connection objects as necessary to resume Active Directory replication.

Posted in Citrix XenDesktop | Tagged , | Leave a comment