Wednesday, October 28, 2015

Citrix Receiver 4+ rants and "Your apps are not available at this time. Please try again in a few minutes or contact your help desk with this information"

The environment I'm working in is a mix of XenApp 6.5, 5.0 and Presentation Server 4.5.  The 6.5 and 5.0 farms also have a nearly identical test farm.  We've been migrating the applications off the Presentation Server farms and are moving them to XenApp 6.5.  At this point in the migration we have around 5-10 applications left on 4.5 to move, with around 400-450 on the 6.5 farms and probably around 20-30 or so on the 5.0 farms.  These farms utilize a Citrix Web Interface 5.4.2 frontend for web interface and PNA.

We have standardized the environment on mostly Citrix Receiver 3.3 and some 3.4.  Time has marched on and we've been tasked with getting Receiver 4+ working for the Windows 7/8/10 rollout.  We were not able to do so with the earlier versions of Receiver 4 because of things like sorting icons into custom folders on the desktop and Start Menu.  This feature came in around 4.2.  In our environment memberships to applications are granted through group membership and Citrix PNA allowed the user to 'roam' from computer to computer only displaying the applications they have access to, as opposed to a bunch of applications they do not have access to, with the onus on them to pick and choose the correct applications.

So we started work on planning this migration and have started with the latest greatest (as of today) Citrix Receiver 4.3.  We have been able to come close to simulating all the features of the Enterprise editions of 3.3 and 3.4.  Namely:

Citrix Receiver automatically connects and populates a folder (MyApps) in the Start Menu and on the desktop.
No self-service.  Applications are automatically presented to you and defined by Group Membership.
Single sign-on.  Receiver will take your Windows logon credentials to use for authentication.

We do have some outstanding items.  We've set the client to have all applications as 'MANDATORY' which does populate the applications in the MyApps folders; but applications marked as 'Create shortcut on the desktop' in the application's properties in AppCenter are not created.

Anyways, onto the problem.  Now that we have Receiver 4.3 set up, SSON working, PNA working, we logged onto our system and watched the applications populate.

Slowly.

Really Slowly.

Eventually a dialog popped up.




Then another, and another, and another.


And these dialogs are completely custom!  They are NOT native Windows dialogs!



So if you have multiple ones of them, sometimes clicking the X (close button) or OK doesn't work because the dialog appears 'modal' and you need to click the button on the 'active' window.  But you generally don't know which one that is so you have to go through and select each dialog from the task bar and try clicking ok until you magically get lucky and select the one that has priority.  Then you do it all over again as the next primary window *may not be the one on top*.

video
1 minute 24 seconds to populate 470 applications

Just for giggles, how fast does Receiver 3.3 populate the same list?

video
8 seconds.  And all the icons show up.


Alright, so you've passed that point and are now looking at your applications.  But they are missing icons!



But not all applications are missing their icons...  Only some.

So let's find out what's consuming all this time and maybe, just maybe, we'll solve our "Your apps are not available" error message.

First thing we need to do is enable Citrix Receiver Logging:


Next is to exit and restart receiver and logs will start to generate.  They are located here:
%USERPROFILE%\AppData\Local\Citrix\Receiver
%USERPROFILE%\AppData\Local\Citrix\AuthManager
%USERPROFILE%\AppData\Local\Citrix\SelfService

The most important log tends to be the 'SelfService.txt' log.  If you search that log for the "Your apps are not available" error message it pops up in locations like this:

So this dialog popped up for an application called 'BMTServe'.  And what does BMTServe look like?

Generic icon!

But BMTServe was not the only application that encountered this dialog.  From my video it popped up numerous times.  Searching the SelfService.txt file for 'Your apps' and looking for the application it references points to an application with a blank icon 100% of the time.  Not every application that produces a blank icon causes this prompt, as we literally have ~250 applications with blank icons and the dialog pops up anywhere from 0 to 10 times.  Sometimes it pops up 2 times, sometimes none, sometimes 10 times.

So, why are these icons blank?

Citrix Receiver 4.3 seems to only prefer 32bit icons or icons of a particular size.  I haven't confirmed what exactly yet, but I do know that 8bit 32x32 icons don't seem to get 'translated'.  The Citrix logs all but confirm this as well.

I confirmed with Citrix that icons are required to be 32bit and the order they are checked is 48x48, 32x32 then 16x16.
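
To find published-application icons that would hit the slow path, the following added example (not from the original post or from Citrix) parses an exported .ico file and reports each image's size and colour depth. `first_usable_size` applies the 32-bit requirement and the 48/32/16 order quoted above as a simple reading of that statement, not Receiver's actual algorithm; the function names and the sample bytes are constructed for illustration.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Size order quoted in the post; an assumed reading, not Citrix's own code.
CHECK_ORDER = (48, 32, 16)

def ico_entries(data):
    """Return [(width, height, bits_per_pixel), ...] for every image in an .ico."""
    if len(data) < 6:
        raise ValueError("truncated ICONDIR")
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO file")
    if 6 + 16 * count > len(data):
        raise ValueError("truncated ICONDIRENTRY table")
    entries = []
    for i in range(count):
        w, h, _, _, _, bpp, size, offset = struct.unpack_from("<BBBBHHII", data, 6 + 16 * i)
        image = data[offset:offset + size]
        if image.startswith(PNG_MAGIC) and len(image) >= 26:
            # PNG entry: bit depth and colour type sit in the IHDR chunk.
            channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}.get(image[25], 0)
            bpp = image[24] * channels
        elif len(image) >= 16:
            # BMP entry: biBitCount in the BITMAPINFOHEADER is authoritative;
            # the directory's own bit-count field is often left at 0.
            bpp = struct.unpack_from("<H", image, 14)[0]
        entries.append((w or 256, h or 256, bpp))  # a stored 0 means 256 px
    return entries

def first_usable_size(data):
    """First size in CHECK_ORDER that has a 32-bit image, else None."""
    found = ico_entries(data)
    return next((s for s in CHECK_ORDER if (s, s, 32) in found), None)

def make_ico(images):
    """Constructed sample: directory plus bare BITMAPINFOHEADERs, no pixel data."""
    offset = 6 + 16 * len(images)
    directory, blobs = b"", b""
    for size, bpp in images:
        dib = struct.pack("<IiiHHIIiiII", 40, size, size * 2, 1, bpp, 0, 0, 0, 0, 0, 0)
        directory += struct.pack("<BBBBHHII", size, size, 0, 0, 1, 0, len(dib), offset)
        blobs += dib
        offset += len(dib)
    return struct.pack("<HHH", 0, 1, len(images)) + directory + blobs

if __name__ == "__main__":
    for name, ico in (("legacy 8-bit", make_ico([(32, 8)])),
                      ("multi-size", make_ico([(16, 32), (32, 32), (48, 32)]))):
        print(name, ico_entries(ico), "->", first_usable_size(ico))
```

An icon for which `first_usable_size` returns `None` has no 32-bit image at any of the three sizes and is a candidate for re-authoring before it is published.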

This is how Receiver processes icons that are formatted correctly:

The icons were processed instantly. 00:00:00. But if they are formatted in a way that Receiver decides it needs to 'reformat' them:

This call to get an icon took 11.6 seconds!!! If it doesn't get the icon formatted in the way it wants, it appears that SelfService.exe sets up a queue of icons that it needs and 're-requests' them from the server. Could it be that Receiver is submitting too many queries? The error mentions checking the authmansvr.txt log file. This log file shows the following:

The error appears to start at "CWindowsReceiver::CallARGetConnectedVpnGateway". When this call is successful it returns:

So, I guess it's possible that trying to re-pull the icon data is causing authmansvr.exe to crash...?  Another crazy thing is I was attempting to automate this process of terminating Receiver and relaunching it to see if I could get a gauge on the frequency of this occurrence and this is what I saw:


Ok, I thought, not so bad.  Just two messages the first couple launches?  It shouldn't be too much of an issue...  But then I looked at my application folder:

Left is when I get all my apps (and usually the message box); the right is all those 'successes'.

It appears Receiver removed all applications producing that dialog box.  When I was terminating and relaunching Receiver it was ONLY populating 195 applications as opposed to the 493 it was supposed to. No wonder I wasn't getting any messages!  On a hunch, I looked at each of the 195 applications it kept and they all had good icons.  I then took a random sampling of about 30 of the 300 or so applications that it did not keep and none of them had proper icons, all blank.  So another bullet towards icons causing my issue.

Sunday, October 25, 2015

Force Internet Explorer 10 or 11 to always use 64bit version

I was working on an issue where a user was always prompted to 'Install' the Citrix ICA client.  No matter how many times they downloaded and installed the client it continuously prompted them to install it again from the Web Interface:



I checked the add-ons and saw the following:


No Citrix plugins in sight.  I then checked Task Manager to confirm the IE type (32bit vs 64bit) and this is what I saw:

Without the *32, Internet Explorer is running in 64bit mode.  Currently, Citrix does not provide a 64bit plugin to IE so it won't run and it won't be detected.  I then exited IE and browsed to the Internet Explorer folder (C:\program files (x86)\Internet Explorer\iexplore.exe) and attempted to launch iexplore.exe from there.  Still came up as 64bit.  So now this got interesting...  Microsoft does not allow or provide a way to force a 64bit default for IE on Windows 7.

So how is this happening?

It turns out there is a registry key you can set that will force IE to ALWAYS be 64bit:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth (or HKLM)

If the REG_DWORD is 0x0 it will always force IE to be 64bit.  Deleting or changing this value will default IE to 32bit.  So this key *could* be used to force IE to be 64bit.  There is a potential issue to be aware of: this will force IE to use the same process as the launcher for tabs, as opposed to spawning new processes.  Whether that increases or decreases stability is something you'd have to test.

Tuesday, October 20, 2015

AppV5 - Integrating Certificates into your AppV package

These are the steps I've found to sequence root certificates into your AppV5 application.



Where do you get certmgr.exe from?

The Visual Studio download apparently contains this tool.

Once you've started your sequencer and run the command it will add the certificate to these two places:
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\ROOT\Certificates

And that's how you add certificates to a sequenced package.