Wednesday, December 15, 2010

Deploy Citrix Merchandising Server with Receiver 2.0 using anonymous access

Citrix Merchandising Server 2.0 adds the ability to deploy the Receiver with tokens. This allows the Receiver to be used with anonymous access and eliminates the need for users to log in for Receiver updates. Note that this doesn't change the need to log in for the online plug-in, which is presented as a Receiver login prompt; don't confuse the two different authentication prompts.

For this I used both Merchandising server 2.0 and 2.1 along with Receiver 2.0 and 2.1.

Configure the Merchandising Server
  1. Download and import the Merchandising Server (8GB HD space required)
  2. Configure with IP, subnet, etc. and install the latest XenServer tools. Use receiver.yourfqdn as the hostname
  3. Open https://ipaddress/appliance
  4. Log in as root with the default password (found in the Citrix eDocs; note this is different from the Unix password you configured from the console)
  5. Configure Active Directory
    1. Source Name = your call
    2. Server Address = IP address to DC
    3. Server port = 389 or 3268
    4. Bind DN = user account to sync ldap (ie
    5. Bind Password = the password to the ldap account
    6. Base DN = your base dn (ie DC=here,DC=contoso,DC=com)
    7. Save (if it errors you did it wrong)
  6. Permissions
    1. In the search users box type your domain user's first or last name (searching by username returns nothing)
    2. Select the radio button and click Edit
    3. Change to Admin
    4. Repeat for all other admins
    5. Logoff
  7. Enter a dns record for "receiver" pointing to the merch server IP address
  8. Point your browser to https://receiver/appliance
  9. Log on as your newly configured admin account. Note that you'll need to use domain\username for now
  10. Go to Configurations - Options
  11. Enter your support desk email, website and phone as desired. Ensure you select a Token Expiration of Never (I don't know yet whether, if the token is set to expire, the end clients will update automatically or it will just break them).
  12. Enter the default domain name desired (note that this will fix the need for using the domain\username format)
  13. Save
  14. Go to Configurations - Authentication
  15. Click Generate Token (needed for the anonymous access)
  16. Click Save
  17. Now we need to generate an SSL cert. Since most certificate authorities now require all SSL certs to be generated with 2048-bit or larger keys, you won't be able to use the CMS built-in cert request, as it only generates 1024-bit keys. I used IIS7 for this.
    1. Open IIS manager
    2. On the server find Server Certificates
    3. Click Create Certificate Request
    4. Common name =
    5. Fill out rest of the request and generate the csr
    6. Copy the contents of the CSR and generate a cert (I used GoDaddy)
    7. download the completed cert
    8. In IIS7 select the cert and click "Complete Certificate Request"
    9. Once finished, select the cert and click Export
    10. Enter a location and password
    11. Download and install OpenSSL
    12. Convert the new cert from PFX format to PEM using OpenSSL
    13. Open a command prompt and navigate to where you installed OpenSSL (default is C:\openssl\bin)
    14. openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\receiver.pem -nodes
    15. Enter the password you gave it when you exported it.
  18. Now that we have a cert in the proper format we can import it to the Receiver. Go to Configuration - SSL Certificate Management
  19. Change the drop-down to "Import certificate from a certificate authority"
  20. For "Public Certificate File" browse to the newly created pem file
  21. For "Private Key File" browse to the newly created pem file
  22. Enter the password
  23. Submit
  24. The CMS will reboot at this point. When it comes back up you'll notice that you don't get a cert warning anymore (provided everything was done right).
  25. Dedicate an external IP address and map the external address to your internal address at your firewall. You'll need port 443 open, obviously.
  26. Get the A records mapped externally for receiver.fqdn to point to your external address if you haven't already
  27. Under Plug-ins click Get New
  28. Select a plug-in that you want and click Download to Server
  29. Under Deliveries click Create/Edit
  30. Create
  31. Delivery Name = Default
  32. Check mark default delivery
  33. enter how often to check for updates
  34. Add a plug-in to push as the default package
  35. Set the schedule for Deliver Now
  36. Click Schedule
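Steps 14 and 17 above as a shell script, an added example that is not from the original post: it performs the PFX to PEM conversion with -nodes and then checks that the resulting key is at least 2048 bits and actually belongs to the certificate before you import it. It assumes the openssl CLI is on PATH; the make_demo_pfx helper, the receiver.example.com name and all file paths are constructed for illustration.

```sh
# Added example, not part of the original post: do step 14 (PFX -> PEM with
# -nodes) from a shell and sanity-check the result before importing it into
# the Merchandising Server. Assumes the openssl CLI is on PATH; the
# make_demo_pfx helper builds a constructed self-signed PFX for testing.
set -e

# make_demo_pfx DIR PASSWORD BITS: constructed self-signed cert + PFX export
make_demo_pfx() {
    openssl req -x509 -newkey "rsa:$3" -nodes -days 1 \
        -subj "/CN=receiver.example.com" \
        -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" \
        -passout "pass:$2" -out "$1/demo.pfx"
}

# pfx_to_pem PFX PASSWORD OUTPEM: the step-14 conversion; -nodes leaves the
# private key unencrypted inside OUTPEM, so the file is a credential.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3" -nodes >/dev/null 2>&1
}

# key_bits PEM: print the RSA key size found in PEM (empty if none)
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# cert_matches_key PEM: success when the cert's public key equals the
# key's public half (the import needs both halves of the same pair)
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_pem PEM: prints OK when the key is >= 2048 bits (the CA requirement
# from step 17) and matches the cert; otherwise prints the reason
check_pem() {
    bits=$(key_bits "$1")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "key too small: ${bits:-none}"; return 1
    fi
    cert_matches_key "$1" || { echo "cert/key mismatch"; return 1; }
    echo OK
}

# Usage on a real export (paths as in the post):
#   pfx_to_pem yourcert.pfx 'exportpassword' receiver.pem && check_pem receiver.pem
```

Because -nodes writes the private key unencrypted, treat receiver.pem like a password file and delete it once the import has succeeded.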
Package the receiver
Citrix has a tool available for packaging the Receiver. It works very well. Unfortunately I don't like it because it forces you to package it alongside the Access Gateway client, which I don't necessarily want to push to all my workstations that will be using the Receiver. If you want to push that client as well, then use this tool to package your Receiver with the token.
Here's an excellent tip on packaging the receiver.
Download the receiver msi from Then make your installation look like the below. Note that the token comes from the "Authentication" tab in the receiver. It's the token we generated way back on step 15.
start /wait msiexec /i "Receiver.msi" /qn ALLUSERS=1 REBOOT="ReallySuppress" SERVER_LOCATION= VERBOSE=true AUTOUPDATE=true TOKEN=yourtoken
Alternatively you could use Orca to modify the msi.
New! Citrix has added a new page in their edocs regarding how to push the Citrix receiver and the switches available. You'll find it under Receiver for Windows - Installing Receiver for Windows.

Citrix Online Plugin SSOn with Windows 7 x64

I was having issues getting SSOn working with any version of the Online plugin on Windows 7 x64. Mainly I was working on getting it running with the Citrix Receiver 2.0 deploying Full online plugin 12.1.

Checked that ssonsvr.exe was indeed running.

Found that the GPO template provided by Citrix contains what appear to be invalid entries for the SSOn keys. (Note that SSOn for Windows XP works using these settings.)

Finally, discovered that it *was* the credentials that SSOn was attempting to use. I found that using the FQDN for the domain field would result in a failure, but using the "pre-Windows 2000" domain name would work.

Bingo, the PNA services site was set to allow only the "pre-windows 2000" version of the domain name. On the services site I added a second allowed domain name as the fqdn and everything took off running. Apparently XP was passing through the domain name that I had allowed, whereas Windows 7 was using the FQDN (which would make sense).

Monday, December 13, 2010

Remove Sleep and Hibernate from Start Menu in Windows 7 via GPO

Looking around on the internet I found a LOT of incorrect and incomplete information on this.

To remove the Sleep and Hibernate options from the Windows 7 Start menu via GPO, do the following. Note that this doesn't disable sleep entirely, it just removes it from the Start menu; to disable sleep via GPO you can create a power plan with sleep set to 0 and then select that power plan:


Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings
Allow Standby States (S1-S3) When Sleeping (Plugged In)
Set to disabled


Note that I tried changing the HibernationEnabled key with no success. Running Process Monitor I found that this key and many others are updated, contrary to many of the posts I found on the internet. In addition, I found that many of the proposed ADM templates for this actually caused GPO processing failures (so beware).

Computer Configuration\Preferences\Windows Settings\Registry
Action - Update
Key Path - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name - DisableHibernate
Value Type - REG_SZ
Value Data - %systemroot%\system32\powercfg.exe -h off
Common Tab - Apply once and do not reapply (optional)

Monday, May 17, 2010

BlackBerry Express Dispatcher service fails to start

Recently in an installation of BB Express with SQL Server 2005 Express I had some issues with the Dispatcher and SQL.

Event Type: Warning
Event Source: BlackBerry Dispatcher pubBESExpress
Event Category: None
Event ID: 25137
Date: 5/17/2010
Time: 10:11:24 AM
User: N/A
{ConnectionItem::ConnectToDB} Failed to connect. Connection string is Provider=SQLNCLI.1;Server=servername\SQLEXPRESS;Database=BESMgmt;

This error was followed by:
Event Type: Warning
Event Source: BlackBerry Dispatcher pubBESExpress
Event Category: None
Event ID: 25105
Date: 5/17/2010
Time: 10:11:24 AM
User: N/A
Failed to authenticate connection - local machine time may be out of sync with domain controller time. Please restart Windows Time Service.

I eventually found this here: where Keithk23 nails it.

Set the SQL Browser service to Automatic, started it, and all was well.

Friday, April 30, 2010

Smart Card Error when RDP to server console

When logging into a server console I would get the following error:

"The card supplied was not recognized. Please check that the card is inserted correctly, and fits tightly"

This occurred on an HP dv4 laptop.

I found that it only occurred when a keyboard with "Smart Terminal" was connected to the laptop. Easily resolved by opening Device Manager and disabling the smart card reader.

Skype Crashes on Windows 7 x64

After installing Skype on my Windows 7 x64 laptop it would fairly consistently crash, occasionally taking the laptop down with it.

  1. Open cmd prompt (run as admin)
  2. type bcdedit -debug off
  3. reboot

Friday, February 19, 2010

XenServer - Disk Access Priority (qos)

Following are the steps for setting Disk Access Priority in XenServer 5.5.

Note: I found that the Admin Guide and Technote provided by Citrix for making these changes have typos in the commands. This can cause unexpected results and, more obviously, Disk Priority doesn't work (most notably, the slider doesn't work).

Note that the message displayed briefly when hovering over the slider, "This feature is disabled due to license restrictions on the server", has nothing to do with license restrictions; it just means the feature needs to be enabled on the SR.

  • Shut down all VMs on the SR
  • xe sr-list name-label="srname" (this will give you the SR UUID)
  • xe sr-param-set uuid=UUIDofSR other-config:scheduler=cfq
  • Detach and reattach the SR (or unplug and replug each PBD for the SR; detach/reattach effectively does this)
  • Change the slider to the desired setting

If you happened to follow the admin guide or technotes and used the incorrect command (xe sr-param-set uuid=uuidofsr other-config:scheduler-cfq, note the -cfq rather than =cfq) then you will need to clear this setting first.

xe sr-param-clear uuid=sruuid param-name=other-config
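A small check for the gotcha above, added here as an example and not part of the original post: it parses an SR's other-config value and reports whether the scheduler is actually set to cfq and whether the bogus key left by the typo'd command is present, so you can tell the two apart before trusting the slider's "license restrictions" message. It assumes xe prints a map parameter as "key: value; key: value" and that the typo'd command stores a key literally named scheduler-cfq; the sample strings are constructed, and check_sr needs xe on PATH (run it in dom0).

```sh
# Added example, not part of the original post: inspect an SR's other-config
# for the Disk Access Priority prerequisite (scheduler=cfq) and for the key
# left behind by the "scheduler-cfq" typo from the admin guide. The map
# format "key: value; key: value" is an assumption about xe's output.
set -e

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# sr_sched_status MAPTEXT: prints "scheduler=<value|none> typo-key=<yes|no>"
sr_sched_status() {
    sched="none"; typo="no"
    old_ifs=$IFS; IFS=';'
    for kv in $1; do
        key=$(trim "${kv%%:*}")
        val=$(trim "${kv#*:}")
        case "$key" in
            scheduler)     sched="${val:-empty}" ;;
            scheduler-cfq) typo="yes" ;;   # created by "-cfq" instead of "=cfq"
        esac
    done
    IFS=$old_ifs
    echo "scheduler=$sched typo-key=$typo"
}

# check_sr SRNAME: the same check against a live host; needs xe on PATH
check_sr() {
    uuid=$(xe sr-list name-label="$1" --minimal)
    sr_sched_status "$(xe sr-param-get uuid="$uuid" param-name=other-config)"
}
```

If the output shows typo-key=yes, run the sr-param-clear command above first, then set scheduler=cfq and detach/reattach the SR.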

[Screenshots: Technote (correct command), Technote (incorrect command), Admin Guide (incorrect command)]

Bug #2

The Disk Access Priority level (highest / lowest) is displayed incorrectly at the 0 and 7 settings. They in fact show the opposite of what they should (0 = lowest, 7 = highest). This only shows on the VM storage tab. A setting of 8 shows Normal. This can be ignored as a GUI / display bug; go by the numbers, 0 - 7 (according to the Admin Guide), with 7 having more priority than 0. Unsure whether 8 is valid or not, although it can be selected.

[Screenshots of the VM storage tab: one setting that should display High, one that should display Low]

Wednesday, January 27, 2010

Disable Windows Password Caching

A client has a number of laptops that are shared amongst several users using the same local username and password. Problem, if one opens SharePoint, other Internet site, or File Share and chooses "remember my password" then passes the laptop onto the next user... you get the picture.

Disable password caching option:
Group Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Set to Enabled

This will disable the "remember my password" option from both Internet Explorer and File Shares.

Tuesday, January 19, 2010

Server 2008 Virtual Iron to XenServer winload.exe corrupt

During a conversion of Server 2008 to XenServer the first boot worked great. Upon reboot the server responded with an error that "winload.exe - the selected entry could not be loaded because the application is missing or corrupt"

Booting to the install disk and choosing Repair, then Command Prompt, I ran the following:
Bcdedit /set {device} osdevice "partition=C:"
Bcdedit /set {device} device "partition=C:"
Bcdedit /set {bootmgr} device "partition=C:"

I then also had to ensure that the device IDs (on the Storage tab) were set properly for each drive.

Reboot and worked fine.

Friday, January 8, 2010

Server 2008 - Windows cannot change the password

After building a Server 2008 SP2 member server I realized that I had set the administrator password to the wrong one. CTRL-ALT-DELETE change password resulted in an "Access Denied" error. At this point I went to the Control Panel - User Accounts - Change your Password option.

"Windows cannot change the password"

"This behavior can occur because the Administrator account logon option appears only in Safe mode if more than one account is created on the system. The Administrator account is available in Normal mode only if there are no other accounts on the system. "

  1. Start
  2. In search type mmc
  3. File - Add/Remove Snap-in
  4. Local users and Groups -- Add
  5. Finish - OK
  6. Expand to Users
  7. Right Click Administrator - Set Password
  8. Proceed
  9. Enter new password - OK