Windows Store and Sideload apps don’t work after reboot when User Layers enabled

Identify any prerequisite AppX packages that are installed by your App installer. For instance, look for commands like this in the installer PowerShell script:

Add-AppxPackage -Path <something>

Or if your installer package contains a Dependencies folder, it may be sufficient to inspect the contents of that folder. There is no simple, clear path to determining the specific AppX packages that are included as prerequisites, so you may need to do some investigation to determine them.

Your list might look like this, for instance:

Microsoft.NET.CoreRuntime.1.1.appx

Microsoft.VCLibs.x64.14.00.appx

Microsoft.VCLibs.x86.14.00.appx

Once you have a list of dependent AppX packages, you need to repair/reinstall some or all of them after each reboot. Manually test this command for each package to determine which need to be fixed:

Get-AppXPackage *Microsoft.NET.CoreRuntime.1.1* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Now that you have the commands you need to run to fix your App, you can build this as a CMD file that a user has to run manually, or as some manner of login script. For instance, you could just put a BAT file in c:\programdata\microsoft\windows\start menu\startup that would run on each user's login.

Batchfile:

@echo off

start /min powershell.exe "c:\fix.ps1"

fix.ps1:

Get-AppXPackage *Microsoft.VCLibs* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Get-AppXPackage *Microsoft.NET.CoreRuntime.1.1* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

(Note the * characters, which do wildcard matching to allow you flexibility. The line for Microsoft.VCLibs, for instance, captures both the x64 and x86 packages.)

Related:

Re: SCRIPT: Powershell -> ScaleIOREST -> InfluxDB -> Grafana

One thing has come up that I’m struggling to get to the bottom of – looks like powershell’s Invoke-RestMethod and Influx REST api are having issues under some combinations. First few writes to influx work fine, then they start timing out.

Works fine on a Windows 10 client (powershell 5.1), and my Win7 VM uses Powershell 5 – but some 2012R2 boxes are still on Powershell 4 and it’s that that seems to be the issue…

Oddly, even when the script has stopped, I still see connections to the Influx REST on port 8086, and I think it’s something to do with KeepAlives…

edit: updated the code to disable HTTP keepalives to influx, but I think this has a dependency on powershell 5 being present.

If anyone could try it out and report back, that would be useful. All feedback welcome on the script.

Thanks

A

Related:

Using a SafeNet Network HSM to Protect the Citrix Federated Authentication Server (FAS) Authorization (RA) Key

HSM initial setup, initialization and partitioning

Follow the vendor’s instructions to initialize your HSM and create a partition to be used by the FAS server.

Install SafeNet Luna Client

Install the SafeNet Luna Client on the FAS server using the vendor-provided installer:

User-added image

Perform a Custom Setup and ensure that the Luna CSP (CAPI) / Luna KSP (CNG) components are installed:

User-added image

Note: Screenshot shows PCI model. When writing this blog we did not have access to a device to re-test every step and re-purposed screenshots that were saved earlier.

Ensure that the SafeNet software is shown as installed:

User-added image

Warning: Do not use KSP v6.2 to protect FAS user’s (non-Authorization / RA) keys. The HSM will run out of space. Contact the vendor for an updated KSP for use with user keys with FAS.

Follow the vendor’s instructions to configure a secure connection between the FAS server and the Network HSM.

Get to the point where the command vtl.exe -verify succeeds from the FAS server to the Network HSM:

User-added image

SafeNet KSP configuration, slot registration and network service

Register the SafeNet KSP on the FAS server by running kspconfig.exe:

User-added image

The SafeNet KSP Config Wizard is spawned:

User-added image

Click on Register Or View Security Library and register cryptoki.dll in the LunaClient directory:

User-added image

User-added image

Register HSM slots / Run as Network service

Click on Register HSM Slots and select the following:

User-added image

  • Register For User: NETWORK SERVICE
  • Domain: NT AUTHORITY
  • Available Slots: choose the partition created in an earlier step according to vendor instructions. In this example the slot was named fasluna1.
  • Slot Password: enter the slot password that was created in an earlier step according to vendor instructions.

Get FAS Authorization (RA) key and revert for user keys

Close FAS GUI.

Put FAS server in maintenance mode. (Instructions to put FAS server in maintenance mode at end of post)

Edit the Citrix.Authentication.FederatedAuthenticationService.exe config file located in the /Program Files/Citrix/Federated Authentication Service directory on the FAS server by adding the following line:

<add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="SafeNet Key Storage Provider"/>

The complete file should now look like this:

User-added image

Save the file.

Restart the FAS service.

Start the FAS GUI

Perform Step 3 in FAS GUI to generate an Authorization (RA) key and certificate request

When all steps in the FAS GUI go green, revert the Citrix.Authentication.FederatedAuthenticationService.exe config file setting back to Microsoft Software Key Storage Provider. This will prevent user keys from being generated in the HSM once the FAS server goes out of maintenance mode and requests start coming in. The complete file should look like this:

User-added image

<!-- add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="Microsoft Software Key Storage Provider"/ -->

is commented out by default. Microsoft Software Key Storage Provider is the default cryptographic provider used by FAS out of the box. When no cryptographic provider is specified, the default provider is used. If no other cryptographic provider is specified in the config file, having a commented

<!-- add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="Microsoft Software Key Storage Provider"/ -->

or uncommented

<add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="Microsoft Software Key Storage Provider"/>

will both result in the Microsoft Software Key Storage Provider being used.

Save the file

Restart the FAS service

Take the FAS server out of maintenance mode.
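
The check below is an added example, not part of the original article or of Citrix tooling: it reads the provider setting from a FAS-style config file, switches it, and reports whether the software KSP is active again before the server leaves maintenance mode. It assumes the <add> element sits under <configuration><appSettings>; the function names and the demo file are constructed for this example.

```powershell
# Added example (not Citrix code). Assumption: the <add key=... /> element
# shown in the article sits under <configuration><appSettings>.
$ProviderKey = 'Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName'
$SoftwareKsp = 'Microsoft Software Key Storage Provider'
$HsmKsp      = 'SafeNet Key Storage Provider'

function Get-FasProviderName {
    param([Parameter(Mandatory)][string]$ConfigPath)
    $xml = New-Object System.Xml.XmlDocument
    # XmlDocument.Load resolves relative paths against the process directory,
    # so pass the fully resolved file system path.
    $xml.Load((Resolve-Path -LiteralPath $ConfigPath).ProviderPath)
    # A commented-out <add> line is an XML comment, not an element, so it is
    # not matched here and the default provider applies, as the article states.
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$ProviderKey']")
    if ($null -ne $node) { return $node.GetAttribute('value') }
    return $SoftwareKsp
}

function Set-FasProviderName {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$ProviderName
    )
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    # Keep a rollback copy before touching the service configuration.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($fullPath)
    $settings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $settings) { throw "No <appSettings> section in $fullPath" }
    $node = $settings.SelectSingleNode("add[@key='$ProviderKey']")
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $ProviderKey)
        [void]$settings.AppendChild($node)
    }
    $node.SetAttribute('value', $ProviderName)
    $xml.Save($fullPath)
}

function Test-FasSafeToLeaveMaintenance {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # Only the RA key belongs in the HSM. If the HSM provider is still active
    # when requests resume, user keys are generated in the HSM as well.
    return ((Get-FasProviderName -ConfigPath $ConfigPath) -eq $SoftwareKsp)
}

# --- Demo on a constructed file; a real run points at the FAS config file ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'fas-demo.exe.config'
Set-Content -LiteralPath $demo -Encoding UTF8 -Value @"
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="$ProviderKey" value="$HsmKsp"/>
  </appSettings>
</configuration>
"@

"State while the RA key is generated:"
"  provider                   : $(Get-FasProviderName -ConfigPath $demo)"
"  safe to leave maintenance? : $(Test-FasSafeToLeaveMaintenance -ConfigPath $demo)"

# Revert before the FAS service is restarted and maintenance mode is ended.
Set-FasProviderName -ConfigPath $demo -ProviderName $SoftwareKsp

"State after the revert:"
"  provider                   : $(Get-FasProviderName -ConfigPath $demo)"
"  safe to leave maintenance? : $(Test-FasSafeToLeaveMaintenance -ConfigPath $demo)"

Remove-Item -LiteralPath $demo, "$demo.bak"
```

Restarting the FAS service and running Set-FasServer -MaintenanceMode remain manual steps, as in the procedure above.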

Footnote 1 – Putting a FAS server into Maintenance mode

  • Use the PowerShell command on the FAS server:

  • Set-FasServer [-MaintenanceMode <Boolean>] [-Address <String>] [-UserName <String>] [-Password <String>] [<CommonParameters>]

    User-added image

  • If FAS is in maintenance mode, StoreFront won't pick that FAS server.

  • StoreFront will know that FAS is in maintenance mode because StoreFront will contact the FAS server and the FAS server will report that it is in maintenance mode.

  • Users who are already logged on to a VDA are unaffected. They can still use their in-session certificates, even if the FAS server is in maintenance mode.

Footnote 2 – Renewing the Authorization (RA) key

When the Authorization (RA) certificate expires (after 2 years by default), renew it as follows:

  • Place FAS server in maintenance mode using PowerShell command
  • Run FAS GUI > Initial Setup > Deauthorize this Service > Click Deauthorize.
  • Edit the configuration file to use the HSM for RA key:
  • <add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="SafeNet Key Storage Provider"/>
  • Restart the FAS Service
  • Click "Authorize this Service"
  • Manually "allow" the certificate to be issued on the CA
  • Edit the configuration file back so user certificate keys will not be generated in the HSM:
  • <add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="Microsoft Software Key Storage Provider"/>
  • Restart the FAS Service
  • Take FAS Server out of maintenance mode using PowerShell command

Warning: When deauthorizing a FAS server, all the user certificates/keys on that FAS server are deleted. Ensure that no users with existing sessions are relying on in-session certificates from the FAS server that is being deauthorized.

Related:

XenApp/XenDesktop 7.15.2000 : Citrix Studio Times Out While Enumerating Application Groups In Large Environments With Lot Of Application Groups for Tag Restrictions

  • XenApp/XenDesktop 7.15.2000: Citrix Studio Times Out While Enumerating Application Groups in Large Environments where lot of Application Groups are Published and Tagging is also enabled.

  • When you click on “Applications” tab in Citrix Studio it gets hung with a spinning circle for a few minutes and then throws the error “Database Could Not be Contacted”. When you click on Error details you see “Get-BrokerApplicationGroup” gives the error “Problem Occurred contacting the database”

  • The issue does not occur with any other tab in Citrix Studio except while clicking on “Applications Tab”.

CDF TRACE

In CDF traces collected from Delivery Controllers we see 'Execution Timeout Expired'.

368781,1,2018/07/02 13:10:07:11527,2436,1624,3,Xendesktop Management Console,_#dotNet#_,0,,1,CDF_NET_INFO,”Xendesktop Management Console:2:1:CmdletExecutionLog(1114): Script GetApplicationGroupsScript(1111): Failed to execute command: Get-BrokerApplicationGroup -AdminAddress “DDCNAME:80″ -MaxRecordCount 2147483647“,””

368782,1,2018/07/02 13:10:07:11545,2436,1624,3,Xendesktop Management Console,_#dotNet#_,0,,1,CDF_NET_ERROR,”Xendesktop Management Console:1:1:CmdletExecutionLog(1114): Script GetApplicationGroupsScript(1111): Error received from command: Get-BrokerApplicationGroup -AdminAddress “DDCNAME:80” -MaxRecordCount 2147483647, Error:

Name : Get-BrokerApplicationGroup

+ CategoryInfo : InvalidOperation: (:) [Get-BrokerApplicationGroup], SdkOperationException

+ FullyQualifiedErrorId : Citrix.XDPowerShell.Broker.DataStoreException,Citrix.Broker.Admin.SDK.GetBrokerApplicationGroupCommand

368783,1,2018/07/02 13:10:07:11553,2436,1624,3,Xendesktop Management Console,_#dotNet#_,0,,1,CDF_NET_INFO,”Xendesktop Management Console:2:1:CmdletExecutionLog(1114): Script GetApplicationGroupsScript(1111): The command; Get-BrokerApplicationGroup -AdminAddress “DDCNAME:80″ -MaxRecordCount 2147483647, Took 380.21 seconds to execute”,””

368784,1,2018/07/02 13:10:07:11561,2436,1624,3,Xendesktop Management Console,_#dotNet#_,0,,1,CDF_NET_INFO,”Xendesktop Management Console:2:1:::-fd2ef0c2-3c79-45ce-8275-cef217891283:Executing Cmdlet: Get-BrokerApplicationGroup”,”

368785,1,2018/07/02 13:10:07:11574,2436,1624,3,Xendesktop Management Console,_#dotNet#_,0,,1,CDF_NET_INFO,”Xendesktop Management Console:2:1:Attempting to resolve the error DataStoreException to a resource string.”,””

368786,1,2018/07/02 13:10:07:11579,2436,1624,3,Xendesktop Management Console,_#dotNet#_,0,,1,CDF_NET_INFO,”Xendesktop Management Console:2:1:Looking for String[Citrix_XDPowerShell_SdkSdkErrorId_DataStoreException]“,””


368787,1,2018/07/02 13:10:07:11758,2436,1624,3,Xendesktop Management Console,_#dotNet#_,0,,1,CDF_NET_INFO,”Xendesktop Management Console:2:1:OperationTimer(GetApplicationGroupsScript: GetBrokerApplicationGroupCmd) : 380212.0ms”,””

Get-BrokerApplicationGroup -AdminAddress “DDCNAME:80” -MaxRecordCount 2147483647

Get-BrokerApplicationGroup : Problem occurred contacting the database

+ CategoryInfo : InvalidOperation: (:) [Get-BrokerApplicationGroup], SdkOperationException

+ FullyQualifiedErrorId : Citrix.XDPowerShell.Broker.DataStoreException,Citrix.Broker.Admin.SDK.GetBrokerApplicationGroupCommand

44614,1,2018/07/02 13:10:07:60659,3124,5752,0,BrokerController,_#dotNet#_,0,,1,CDF_NET_INFO,”BrokerController:2:1:EventLogManager decided to log event CdsEventDatabaseConnectivityLost of type Warning with arguments: ‘Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding.’ ‘System.Data.SqlClient.SqlException’.This is based on event log groups BrokerStartup.DatabaseConnectivity”,””

44627,1,2018/07/02 13:10:07:64208,3124,5752,0,BrokerFiltering,_#dotNet#_,0,,1,CDF_NET_ERROR,”BrokerFiltering:1:1:BrokerSDKLogic.GetChbCommon: Unexpected exception Citrix.Fma.Sdk.Dal.DALConnectionFailedException: Cannot connect to database server —> System.Data.SqlClient.SqlException: Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. —> System.ComponentModel.Win32Exception: The wait operation timed out

Line 2191: 2099,1,2018/07/02 13:02:35:04848,2536,5752,0,BrokerFiltering,_#dotNet#_,0,,8,CDF_NET_INFO,”BrokerFiltering:2:8:Adding operation name GetApplicationGroup”,””

Line 19302: 17372,1,2018/07/02 13:03:47:46942,3124,5752,0,BrokerController,_#dotNet#_,0,,5,CDF_NET_ENTRY,”BrokerController:8:5:SDK >>> GetApplicationGroup”,””

Line 19316: 17386,0,2018/07/02 13:03:47:47221,4444,3576,0,DelegatedAdminLog,_#dotNet#_,0,,1,CDF_NET_INFO,”DelegatedAdminLog:2:1:CheckScopeAccessMultiple serviceType=Broker operations=GetApplicationGroup”,””

Line 19319: 17389,0,2018/07/02 13:03:47:48516,4444,3576,0,DelegatedAdminLog,_#dotNet#_,0,,1,CDF_NET_INFO,”DelegatedAdminLog:2:1:Unrestricted access granted for Broker:GetApplicationGroup”,””

Line 19324: 17394,1,2018/07/02 13:03:47:48692,3124,5752,0,BrokerController,_#dotNet#_,0,,1,CDF_NET_INFO,”BrokerController:2:1:CheckScopePermissions(‘GetApplicationGroup’) returning null (unrestricted)”,””

Line 19325: 17395,1,2018/07/02 13:03:47:48692,3124,5752,0,BrokerController,_#dotNet#_,0,,5,CDF_NET_ENTRY,”BrokerController:8:5:CheckPermission(GetApplicationGroup) returns null”,””

Line 19328: 17398,1,2018/07/02 13:03:47:48753,3124,5752,0,BrokerFiltering,_#dotNet#_,0,,5,CDF_NET_ENTRY,”BrokerFiltering:8:5:FilteringLogic.GetCommon op=GetApplicationGroup”,””

Line 19329: 17399,1,2018/07/02 13:03:47:48764,3124,5752,0,BrokerFiltering,_#dotNet#_,0,,1,CDF_NET_INFO,”BrokerFiltering:2:1:GetSqlStatement: select AG.Uid, AG.Name, (select AGDGA.Priority as I from chb_Config.DesktopGroups DG inner join chb_Config.ApplicationGroupDesktopGroupAssignments AGDGA on AGDGA.DesktopGroupUid = DG.Uid where AGDGA.ApplicationGroupUid = AG.Uid order by AGDGA.Priority, AGDGA.LastModifiedTime desc for xml path(”),root(‘Root’),elements xsinil) as _AssociatedDesktopGroupPriorities, (select DG.Uid as I from chb_Config.DesktopGroups DG inner join chb_Config.ApplicationGroupDesktopGroupAssignments AGDGA on AGDGA.DesktopGroupUid = DG.Uid where AGDGA.ApplicationGroupUid = AG.Uid order by AGDGA.Priority, AGDGA.LastModifiedTime desc for xml path(”),root(‘Root’),elements xsinil) as _AssociatedDesktopGroupUids, (select DG.UUID as I from chb_Config.DesktopGroups DG inner join chb_Config.ApplicationGroupDesktopGroupAssignments AGDGA on AGDGA.DesktopGroupUid = DG.Uid where AGDGA.ApplicationGroupUid = AG.Uid order by AGDGA.Priority, AGDGA.LastModifiedTime desc for xml path(”),root(‘Root’),elements xsinil) as _AssociatedDesktopGroupUUIDs, (select AN.CN as I from chb_Config.ApplicationGroupAccountFilter AGAF inner join chb_State.AccountNames AN on AGAF.AccountUid = AN.Uid where AGAF.ApplicationGroupUid = AG.Uid order by AN.Uid for xml path(”),root(‘Root’),elements xsinil) as _AssociatedUserFullNames, (select AN.SAMName as I from chb_Config.ApplicationGroupAccountFilter AGAF inner join chb_State.AccountNames AN on AGAF.AccountUid = AN.Uid where AGAF.ApplicationGroupUid = AG.Uid order by AN.Uid for xml path(”),root(‘Root’),elements xsinil) as _AssociatedUserNames, (select AN.UPN as I from chb_Config.ApplicationGroupAccountFilter AGAF inner join chb_State.AccountNames AN on AGAF.AccountUid = AN.Uid where AGAF.ApplicationGroupUid = AG.Uid order by AN.Uid for xml path(”),root(‘Root’),elements xsinil) as _AssociatedUserUPNs, AG.Description, AG.Enabled, (select 
AGMD.Name as [I/@Key], AGMD.Value as [I/text()] from chb_Config.ApplicationGroupsMetadata AGMD where AGMD.ApplicationGroupUid = AG.Uid for xml path(”),root(‘Root’),elements xsinil) as _MetadataMap, TR.Tag, AG.ScopeList, AG.SessionSharingEnabled, AG.SingleAppPerSession, (select T.Tag as I from chb_Config.ApplicationGroupTags AGT inner join chb_Config.Tags T on AGT.TagUid = T.Uid where AGT.ApplicationGroupUid = AG.Uid order by I for xml path(”),root(‘Root’),elements xsinil) as _Tags, AG.TenantId, (select count(*) from chb_Config.ApplicationApplicationGroupAssignments AAGA inner join chb_Config.Applications A on A.Uid = AAGA.ApplicationUid where AAGA.ApplicationGroupUid = AG.Uid and A.ApplicationType <> 2) as _TotalApplications, (select count(*) from chb_Config.Desktops D inner join chb_Config.DesktopGroups DG on DG.Uid = D.DesktopGroupUid inner join chb_Config.ApplicationGroupDesktopGroupAssignments AGDGA on AGDGA.DesktopGroupUid = DG.Uid where AGDGA.ApplicationGroupUid = AG.Uid) as _TotalMachines, (select count(*) from chb_Config.Desktops D inner join chb_Config.DesktopGroups DG on DG.Uid = D.DesktopGroupUid inner join chb_Config.ApplicationGroupDesktopGroupAssignments AGDGA on AGDGA.DesktopGroupUid = DG.Uid where AGDGA.ApplicationGroupUid = AG.Uid and (chb_State.WorkerSatisfiesTagRestriction(D.WorkerUid, AG.RestrictToTagUid) = 1)) as _TotalMachinesWithTagRestriction, AG.UserFilterEnabled, AG.UUID

from chb_Config.ApplicationGroups AG left outer join chb_Config.Tags TR on TR.Uid = AG.RestrictToTagUid

where (AG.IsDesktopGroup = 0)

order by AG.Name asc”,”” Line 47769: 44629,1,2018/07/02 13:10:07:65135,3124,5752,0,BrokerController,_#dotNet#_,0,,5,CDF_NET_ENTRY,”BrokerController:8:5:SDK <<< GetApplicationGroup (DataStoreException)”,””

After creating the registry value below, Citrix Studio does return results after 6-7 minutes, but it is unusable for those 6-7 minutes. In practice this means waiting over 6 minutes for the Citrix Studio GUI to display each page, even when just moving between different Application Group folders.

HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\DataStoreConnections\Controller

Name:SdkSqlQueryTimeoutSecs

Type:REG_DWORD

Data: 600 (Decimal)

Related:

Merging of User and Computer Policies in XenDesktop

Update: Alternatively refer to the Restore Policy Console utility to try this process for the administrator.

This article describes behind-the-scenes changes in the group policy User Interface (UI) in XenDesktop 7.x Studio.

Background

One of the most important decisions made in the XenDesktop 7.0 Studio group policy UI is eliminating the process required to identify the type (user or computer) of settings. XenDesktop administrators can now define the policy settings based on the intended usage without having to determine if a setting is a user setting or computer setting.

The new UI now combines the user and computer settings. When an administrator wants to create a policy, settings can be defined from both types and only one policy is required. Previously, the administrator would have to create a user policy and a computer policy. The new implementation makes policy creation more efficient.

To maintain backward compatibility the policy data format remains the same. The user and computer types are also maintained. Hence, the merging of user and computer policies is only done in the Studio UI. The PowerShell interface remains the same: when policies are accessed through PowerShell, administrators still need to separately access the user and computer settings of a policy that is displayed as one policy in the Studio UI.

Maintaining backward compatibility at the data level is important. It allows customers to upgrade their existing deployment without changing the database. It also allows the existing PowerShell scripts to work without significant modifications.

Discrepancy Detection

In the following descriptions, when Citrix discusses merging two policies, it means the merging of a computer policy and a user policy of the same name. Citrix never allows two policies of the same type to have the same name; therefore, the concept of merging applies only to a user and a computer policy.

Merging policies at the UI level means that the UI must ensure that two policies (one user policy and one computer policy) with the same name can always be correctly managed in the UI. When two policies contain inconsistent data, the UI must be able to detect the inconsistencies. At the same time, the UI code ensures that as long as policy data is accessed through the UI, the data is always consistent.

Basically, the UI must do two things in addition to maintaining data consistency. First, it must detect data inconsistency every time it reads data from the database. Second, it must decide what to do with the inconsistency.

A policy contains three blocks of data: the policy properties (for example, the policy name), the settings, and the object assignments (also known as filters in previous releases). All the data must be consistent for the UI to be able to merge two policies.

Merging Settings

Policy settings are the easiest to merge. The intersection of user settings and computer settings is an empty set, so the two sets can simply be put together.

Merging Policy Properties

There are just four policy properties for each policy. The names of two policies must be the same (case-insensitive) for them to be considered as merge candidates. If two policies have different names, they cannot be merged; they are simply regarded as two separate policies in the UI.

The policy description can be merged if the two policies can be merged and the descriptions are different (case-insensitive). When the descriptions are merged, the UI simply concatenates them and prefixes each portion with Computer Settings and User Settings.

The enabled bits of two policies must be the same. If they are different, they cannot be merged.

The priorities of the two policies do not have to be equal to be considered for merging. The priority of a policy is basically used to indicate the order of application of its settings when the same settings are also used in other policies. This is also the display order of the policy in the UI. Therefore, the actual priority value is not important. What is important is the relative position of the policies among each other.

The algorithm that decides the relative orders of policies to be merged involves considering all policies. The UI must ensure that all the policies have the same order after some of them are merged. If two policies of the same name would cause the inversion of priorities in either the user or computer policies, the two policies cannot be merged.

Merging Object Assignments

The most complicated part in determining if two policies can be merged is the object assignments. First, defining if two object assignments are the same is a challenge. There are many assignment types and each type contains different data. The data are all in different formats and the relationships among the values of each assignment can be complex. For example, an assignment that involves a domain user or group name can be hard to resolve.

We opted to use the most conservative measures to ensure the equality of two assignments. Two assignments can be considered same if we are 100% certain that the two assignments have the same values. For all other cases, we consider the two assignments different.

When the object assignments are different for two policies, the policies cannot be merged.
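
The merge rules from the sections above, written out as an added PowerShell example; this is not Citrix's implementation. The policy objects, their property names and the sample data are constructed, and three points are simplifying assumptions: assignments are compared as exact strings, both members of an inverted pair are flagged, and the merged description format is illustrative.

```powershell
# Added illustration of the merge rules described above; not Citrix code.
# Property names (Name, Enabled, Priority, Description, Assignments) are
# constructed for this example.
function Test-PolicyMerge {
    param([object[]]$UserPolicies, [object[]]$ComputerPolicies)

    # Names match case-insensitively, so index computer policies by lower-cased name.
    $byName = @{}
    foreach ($c in $ComputerPolicies) { $byName[$c.Name.ToLowerInvariant()] = $c }

    # A user policy and a computer policy with the same name are merge candidates.
    $pairs = @(foreach ($u in $UserPolicies) {
        $c = $byName[$u.Name.ToLowerInvariant()]
        if ($null -ne $c) { [pscustomobject]@{ User = $u; Computer = $c } }
    })

    foreach ($p in $pairs) {
        $reasons = @()

        # Rule: the Enabled bits must be identical.
        if ($p.User.Enabled -ne $p.Computer.Enabled) { $reasons += 'Enabled bit differs' }

        # Rule: assignments are equal only when certainly identical.
        # Assumption: modelled here as an exact, case-sensitive string match.
        $ua = @($p.User.Assignments | Sort-Object) -join '|'
        $ca = @($p.Computer.Assignments | Sort-Object) -join '|'
        if ($ua -cne $ca) { $reasons += 'Object assignments differ' }

        # Rule: priority values may differ, but the relative order of the
        # candidates must be the same in the user list and the computer list.
        foreach ($q in $pairs) {
            $du = $p.User.Priority - $q.User.Priority
            $dc = $p.Computer.Priority - $q.Computer.Priority
            if (($du * $dc) -lt 0) { $reasons += "Priority inversion with '$($q.User.Name)'" }
        }

        # Rule: descriptions never block a merge; differing ones are concatenated
        # with a prefix per portion (-ne on strings is case-insensitive).
        $desc = $p.User.Description
        if ($p.User.Description -ne $p.Computer.Description) {
            $desc = "Computer Settings: $($p.Computer.Description) User Settings: $($p.User.Description)"
        }

        [pscustomobject]@{
            Name        = $p.User.Name
            CanMerge    = ($reasons.Count -eq 0)
            Reasons     = $reasons -join '; '
            Description = $desc
        }
    }
}

# Constructed sample data.
$user = @(
    [pscustomobject]@{ Name='Policy0';    Enabled=$true; Priority=1; Description='Sales';   Assignments=@('User:CORP\Sales') }
    [pscustomobject]@{ Name='Kiosk';      Enabled=$true; Priority=2; Description='Kiosks';  Assignments=@('OU:Kiosks') }
    [pscustomobject]@{ Name='Unfiltered'; Enabled=$true; Priority=3; Description='';        Assignments=@() }
    [pscustomobject]@{ Name='Printing';   Enabled=$true; Priority=4; Description='Mapping'; Assignments=@('OU:Branch') }
)
$computer = @(
    [pscustomobject]@{ Name='Kiosk';      Enabled=$true;  Priority=1; Description='Kiosks';  Assignments=@('OU:Kiosks') }
    [pscustomobject]@{ Name='policy0';    Enabled=$true;  Priority=2; Description='Sales';   Assignments=@('DeliveryGroup:Sales') }
    [pscustomobject]@{ Name='Unfiltered'; Enabled=$false; Priority=3; Description='';        Assignments=@() }
    [pscustomobject]@{ Name='Printing';   Enabled=$true;  Priority=5; Description='Drivers'; Assignments=@('OU:Branch') }
)

Test-PolicyMerge -UserPolicies $user -ComputerPolicies $computer | Format-List
```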

If any two policies of the same name cannot be merged for any reason, the UI displays a message about the problem that needs fixing. Now for the second part of the decision: what to do if inconsistencies are found.

Example:

Users who upgrade from their existing XenDesktop deployments might see a message that looks like the following when they open the Policy node in the Studio.

“Changes made to policies outside of this console, such as in PowerShell or management tools from previous versions, resulted in a discrepancy between policies.”

User-added image

This message is displayed because the group policy UI detected inconsistencies between the user and computer component of the Unfiltered policy.

How to Fix the Inconsistencies

Many options were considered. We tried to completely fix the inconsistencies, partially fix the inconsistencies, and leave everything to the user. After carefully evaluating all the possible methods, the simplest approach was elected, and considered as the best approach, which is to leave everything to the user. The main reason for choosing this route is because, to accurately merge the policies, we need additional information from the user.

What should an administrator do to fix the inconsistencies

User intervention is required only if the policies have been modified using the PowerShell interface in a way that results in inconsistencies, or after an upgrade from a previous release. When a policy merge is required and inconsistencies are detected by the Studio UI, a message like the one shown above is displayed. Read this message carefully; it should contain enough information for the administrator to fix the issue.

Basically, the name of the policies to be merged and the inconsistency is displayed. For the given example, the offending policy is Unfiltered and the inconsistency is the Enabled bit is not the same. In this case, the administrator can simply change the Enabled bit to true or false for both the user Unfiltered policy and the computer Unfiltered policy.

Most of the time inconsistencies are found in the object assignments, which can contain multiple and complex values, and therefore hard to fix. For these inconsistencies, we recommend a simple method, renaming one of the policies. For example, if you have a user policy and computer policy named as Policy0, you can rename the user policy to Policy0_User. Because the names are different, the UI will not attempt to merge them.

For those who are not familiar with PowerShell or the Citrix Group Policy Provider, the following PowerShell commands can be used as a reference. Launch Windows PowerShell, and then execute the following commands:

PS>Add-PSSnapin Citrix.Common.GroupPolicy

PS>New-PSDrive Site -PSProvider CitrixGroupPolicy -Root \ -Controller localhost

PS>cd Site:\User

PS>ren "Policy0" Policy0-User

Here it is assumed that the commands are executed on a XenDesktop DDC. If the DDC is a remote server, replace localhost with the name of the remote server. The provider drive name here is Site.

The Studio UI displays one message at a time. So if there are multiple policy merges and inconsistencies, only one inconsistency is shown at a time.

In general it is a good idea to avoid having both user and computer policies with the same name before an upgrade to XenDesktop 7.0. This eliminates the possible messages about policy inconsistencies. In fact, during the upgrade, the XenDesktop 7.0 upgrade scripts rename all policies with the same names.

One might wonder what to do with the inconsistencies in the Unfiltered policies, given that this policy cannot be renamed. It is fortunate that Unfiltered policies do not have filters. Therefore, administrators should be able to fix the Enabled bit, which should be the only possible reason for inconsistencies. The PowerShell commands to change the Enabled bit are as follows, after the provider drive has been mounted as Site.

PS>cd Site:\User\Unfiltered

PS>Set-ItemProperty . -Name Enabled -Value False

Here the user policy Unfiltered is set to disabled.

Where are my Object Assignments

This section has information on another subject that might be the source of some confusion in the new XenDesktop 7.0 group policy UI.

Some users might have noticed that the object assignment view of the policy wizard sometimes shows different entries. For example, in this view, only four object assignments are shown.

User-added image

However, at other times, more assignments are displayed, as displayed in the following screen shot.

User-added image

How to get the object assignments you want to display

The UI has done that for you. Each object assignment (filter) applies only to certain type of settings. If an assignment is applicable only to user settings, the assignment is not displayed in the list of available assignments if the settings you have picked are all computer settings. Assignments applicable to user settings are displayed only if there is at least one user setting picked in the previous screen.

Assignments applicable to computer settings are all applicable to user settings. They are always displayed.

Additional Resources

Alternatively try the Restore Policy Console utility for the process to run automatically for the administrator.

Related:

XA7.15 – Citrix Config Sync Service failed an import

Solution1:

Make sure you don't have any orphaned SIDs in any of your Published Applications/Desktops. You can use this small PowerShell script to determine the affected resources.

Run the PowerShell commands below to see which applications/desktops have a SID associated.

# Entries whose associated user name is still a raw SID (S-1-...) are listed
$PublishedApps = Get-BrokerApplication | where {$_.AssociatedUserNames -like "S-1*"}

Foreach ($App in $PublishedApps)
{
    Write-Host " _" $App.Name "is broken"
}

Solution 2:

Disable and re-enable Local Host Cache by running the following PowerShell commands:

To disable Local Host Cache (and enable connection leasing), enter:

Set-BrokerSite -LocalHostCacheEnabled $false -ConnectionLeasingEnabled $true

To enable Local Host Cache, enter:

Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false

Solution 3:

To recreate LHC

> Open PowerShell on one of the DDC and enable Local Host Cache by executing following commands

asnp Citrix*

> Download the PsExec tool from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec and unzip it on one of the DDC machines

> Get a command prompt running as Network Service using the command: PsExec.exe -i -u "nt authority\network service" cmd.exe. In that command prompt, navigate to the directory C:\Program Files\Microsoft SQL Server\120\Tools\Binn

> Stop the Citrix High Availability Service

> Execute: "SqlLocalDB.exe stop CitrixHA"

> Execute: "SqlLocalDB.exe delete CitrixHA"

> Delete the files HADatabaseName.* and HAImportDatabase.* from C:\Windows\ServiceProfiles\NetworkService.

> Start the Citrix High Availability Service.

Related:

Creating a New Site After Receiving Error: There Was a Problem Communicating with the Citrix Delegated Administration Service

1. Stop the Citrix Services. Open elevated PowerShell and run:

Get-Service Citrix* | Stop-Service -force

2. Remove the connection strings value manually via registry on all DDCs in the site:

Connection String in XenApp / XenDesktop 7.6

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer\DataStoreConnections\Controller

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\ADIdentitySchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\Analytics\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\ConfigLoggingSiteSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\ConfigurationSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\DAS\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\DesktopUpdateManagerSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\EnvTestServiceSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\HostingUnitServiceSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\Monitor\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\StorefrontSchema\DataStoreConnections

Connection String in XenApp / XenDesktop 7.15

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer\DataStoreConnections\Controller

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\ADIdentitySchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\Analytics\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\AppLibrarySchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\ConfigLoggingSiteSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\ConfigurationSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\DAS\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\DesktopUpdateManagerSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\EnvTestServiceSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\HostingUnitServiceSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\Monitor\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\OrchestrationSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\StorefrontSchema\DataStoreConnections

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XDservices\TrustSchema\DataStoreConnections


Example

Delete the value for the ConnectionString Registry Key.

3. Restart the Citrix Services. Open elevated PowerShell and run:

Get-Service Citrix* | Start-Service

4. Open Studio. You will see the option to create a new site. Follow the wizard to create a new database for your site.

5. Once completed, add any additional DDC(s) as needed.
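
The registry part of this procedure can be scripted so that the existing connection strings are saved before they are removed. The script below is an added example, not part of the Citrix article; it assumes the keys follow the DataStore\Connections layout listed in step 2, that "delete the value" means blanking the ConnectionString data, and that the backup path (a placeholder) is readable by administrators only.

```powershell
#Requires -RunAsAdministrator
# Added example, not Citrix code. Saves every ConnectionString found under the
# keys listed in step 2, then (only with -Clear) blanks them.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed backup location; keep it somewhere only administrators can read.
    [string]$BackupPath = "$env:SystemDrive\CitrixConnectionStrings.json",
    [switch]$Clear
)

# The wildcard covers each XDservices\<service> key from the 7.6 and 7.15 lists.
$paths = @(
    'HKLM:\SOFTWARE\Citrix\DesktopServer\DataStore\Connections\Controller'
    'HKLM:\SOFTWARE\Citrix\XDservices\*\DataStore\Connections'
)

$found = @(
    foreach ($key in Get-Item -Path $paths -ErrorAction SilentlyContinue) {
        $value = $key.GetValue('ConnectionString', $null)
        if ($null -ne $value) {
            [pscustomobject]@{ Key = $key.PSPath; ConnectionString = $value }
        }
    }
)
if ($found.Count -eq 0) { Write-Warning 'No ConnectionString values found.'; return }

# Back up first so the old strings can be restored if the change must be undone.
ConvertTo-Json -InputObject $found | Set-Content -LiteralPath $BackupPath -Encoding UTF8
$found | Format-Table -AutoSize -Wrap

if ($Clear) {
    # Step 1 of the procedure: the Citrix services must already be stopped.
    $running = Get-Service -Name 'Citrix*' | Where-Object Status -eq 'Running'
    if ($running) { throw "Stop these services first: $($running.Name -join ', ')" }

    foreach ($item in $found) {
        if ($PSCmdlet.ShouldProcess($item.Key, 'Blank ConnectionString')) {
            Set-ItemProperty -LiteralPath $item.Key -Name 'ConnectionString' -Value ''
        }
    }
}
```

Run it once without -Clear to review and save what is present, then again with -Clear -WhatIf to preview the changes before applying them on each DDC.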

Related:

Re: unable to claim Netapp volumes on Vplex as LUNs are not divisible by 4k

Have you seen this?

https://support.emc.com/kb/461229

Many years ago a customer created this script for his environment

#!/usr/bin/ksh
#run "netapp_vplex_resize.ksh arrayname lunname" to resize the LUN until it is 4K divisible
#requires extra space in the volume for increased LUN sizes
#requires you to be able to remotely execute commands on the filer through remsh
#you must rediscover the array through VPLEX once resizing is complete.
ARRAY=$1
LUN=$2
COUNT=0
SIZE=$(remsh $ARRAY lun show -v $LUN | grep $LUN | awk '{print $3}' | sed 's/[()]//g')
ORIGSIZE=$SIZE
NEWSIZE=$SIZE
echo "current size is $SIZE"
# bc -l prints 20 decimal places; a run of 20 zeros means the quotient is a whole number
DIVSIZE=$(echo "$SIZE / 4096" | bc -l)
#echo "LUN divided by 4096 equals $DIVSIZE"
INTERGER=$(echo $DIVSIZE | grep -c 00000000000000000000)
while [[ $INTERGER -eq 0 ]]
do
    COUNT=$(( $COUNT + 1 ))
    NEWSIZE=$(remsh $ARRAY lun resize $LUN $(( $NEWSIZE + 1 )) | awk '{print $NF}' | sed 's/[()]//g')
    DIVSIZE=$(echo "$NEWSIZE / 4096" | bc -l)
    echo "new LUN size divided by 4096 equals $DIVSIZE"
    INTERGER=$(echo $DIVSIZE | grep -c 00000000000000000000)
done
echo "LUN is divisible by 4096"
echo "$2 added $(( $(( $NEWSIZE - $ORIGSIZE )) / 1048576 )) MB in $COUNT resizes"
echo "$2 added $(( $(( $NEWSIZE - $ORIGSIZE )) / 1048576 )) MB in $COUNT resizes" >> /home/cschm/netapp_vplex_resize.out

I just looped through it for each of the LUNs on the arrays with

for LUN in $(remsh ahnetap002 lun show | awk '{print $1}')
do
    /home/cschm/netapp_vplex_resize.ksh ahnetap002 $LUN
done

And

for LUN in $(remsh ahnetap001 lun show | awk '{print $1}')
do
    /home/cschm/netapp_vplex_resize.ksh ahnetap001 $LUN
done

Related:

StoreFront Loopback Feature

Citrix recommends that you modify the hosts file on your StoreFront servers to ensure that Receiver for Web always talks to the local StoreFront server instead of the load balancer. In StoreFront 3.0, we leverage a new feature in the .NET Framework 4.5 to implement loopback communication between Receiver for Web and the rest of StoreFront Services.

This is configurable using the PowerShell cmdlet Set-DSLoopback, whose syntax is:

Set-DSLoopback [-SiteId] <Int64> [-VirtualPath] <String> [-Loopback] <String> [[-LoopbackPortUsingHttp] <Int32>]


The valid values for Loopback are:

  • On – This is the default value for new Receiver for Web sites. Receiver for Web uses the scheme (HTTPS or HTTP) and port number from the base URL but replaces the host part with the loopback IP address to communicate with StoreFront Services. This works for a single-server deployment and for deployments with a non-SSL-terminating load balancer.

  • OnUsingHttp – Receiver for Web uses HTTP and the loopback IP address to communicate with StoreFront Services. If you are using an SSL-terminating load balancer, you should select this value. You have to also specify the HTTP port if it is not the default port 80.

  • Off – This turns off loopback and Receiver for Web uses the StoreFront base URL to communicate with StoreFront Services. If you perform an in-place upgrade this is the default value to avoid disruption to your existing deployment.

For example, if you are using an SSL-terminating load balancer, your IIS is configured to use port 81 for HTTP and the path of your Receiver for Web site is /Citrix/StoreWeb, you can run the following command to configure the Receiver for Web site:

    Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp -LoopbackPortUsingHttp 81


Switch off loopback if you want to use a web proxy tool like Fiddler to capture the network traffic between Receiver for Web and StoreFront Services.

Delegating Authentication to the Backend Providers

StoreFront 2.x always communicates with Active Directory to authenticate users. This requires that the domain hosting the StoreFront servers has at least a one-way external trust to the domain hosting the backend XenApp/XenDesktop farms/sites. This may not be possible in some deployments. StoreFront 3.0 adds the capability to delegate authentication to the XenApp/XenDesktop farms/sites. This can be enabled by running the following PowerShell commands. Replace the store and authentication virtual paths appropriately.

## set some variables relevant to your deployment
$SiteId = 1
$StoreVirtualPath = "/Citrix/Store"
$AuthenticationVirtualPath = "/Citrix/Authentication"
# change auth service to use XML Service auth instead of domain auth
Set-DSXmlServiceAuthentication -SiteId $SiteId -VirtualPath $AuthenticationVirtualPath
$fs = @(Get-DSFarmSets -IISSiteId $SiteId -VirtualPath $StoreVirtualPath) | where { $_.Name -eq "Default" }
Update-DSFarmSet -IISSiteId $SiteId -VirtualPath $AuthenticationVirtualPath -Farmset $fs

Note: From StoreFront 3.5 and newer, you can enable loopback in the StoreFront Console.

Related: