Ran into some fun with setting up FAS for MFA. I was testing a shorter list of ciphers on a test SSL profile on ADC on the test vServer. Come to find out, when accessing a machine that was using MFA from outside the network, I was getting an SSL error 4 on Windows machines and SSL error 47 on Stratodesk machines. I hadn’t seen that error since Receiver 4.x. It appears there are some additional ciphers needed in regards to the Citrix Workspace App. It appeared to work fine with the other cipher set using the HTML5 Workspace App. This article has the updated cipher set you need to have or it may cause you some issues (Changes To FAS Ciphers). These would be applied to your SSL profile assigned to the vServer on the ADC.
I also ran into an issue with EndGame.
When trying to connect from to VDI Windows 10 machines, you would encounter an incorrect user name or password error if EndGame was enabled, instead of it SSO logging you in.
Checking the event log on the machine, you encounter a Smart Card Logon Event 5.
There are 2 DLLs you have to add to a global exclusion, scardhook.dll and scardhook64.dll. These are located under C:\Program Files\Citrix\ICAService. Just excluding those DLLs got rid of the Event 5 Smart Card Logon error and allowed the Provider DLL to initialize.
After getting these exclusions applied, SSO works normally for accessing the VDI machines.
So you have a new / different vCenter you want to move your VDI machines to. For the power management part, you will need to have the other hypervisor connection configured. You can run the script below to change the hypervisor connection on your VDI machines. You will want to make sure you have the VMs powered down before beginning. The first steps are just information gathering. This is part of migrating machines to new hardware. I will be adding the other pieces at a later date.
First you will need to get your hypervisor names and Uids with this command: Get-BrokerHypervisorConnection | Select-Object Name, HypHypervisorType, Uid.
Then you can get a list of machines with the hypervisor connection you want to change from. This was just getting the first machine that had the hypervisor I wanted to change from. Machine was already moved to a new Uid but it would be 2 in this case. Get-BrokerMachine -MaxRecordCount 100000 | Where-Object SessionSupport -eq “SingleSession” | Where-Object HypervisorConnectionUid -eq “3” | Select-Object -first 1 | Select-Object HostedMachineName, HypervisorConnectionName, HypervisorConnectionUid
<# Script to change Hypervisor connection and power systems back up. This was done with PowerShell ISE 5.1, default profile configured on CitrixCloud SDK, and ESXi 7.0 with connection
to vCenter. This was built from Ben McGirt and slightly modified to get the machine names with a specific configured HypervisorConnection via Get-BrokerMachine command.
As it is best to change these settings and power the VM on, you will need to have the VMs powered down before beginning. The Uid in the example is "2" to get the machines using a different
HypvisorConnectionUid that you wish to change from and setting in this example to HypervisorConnectionUid "3."
#>
Get-XDAuthentication -ProfileName "default"
$getVDIMachines = Get-BrokerMachine -MaxRecordCount 100000 | Where-Object SessionSupport -eq "SingleSession" | Where-Object HypervisorConnectionUid -eq "2" | Select-Object HostedMachineName, HypervisorConnectionName, HypervisorConnectionUid
$citrixVMs = $getVDIMachines.HostedMachineName
Function PowerOnVM ([string] $Name) #, [string] $Hostname)
#From https://thecloudxpert.net/2016/04/25/howto-power-on-a-vmware-virtual-machine-with-powercli-powercli-101/
{
$VM = Get-VM -Name $Name
Switch ($VM.PowerState)
{
PoweredOn { Write-Host "$VM already Powered On.";break}
PoweredOff { Write-Host "Powering on $VM"; Start-VM -VM $VM;break}
Suspended { Write-Host "$VM suspended.";break}
Default {break}
}
}
ForEach ($VM in $CitrixVMs){
Set-BrokerMachine -MachineName ("*\" + $VM) -HypervisorConnectionUid 3
Start-Sleep -Seconds 2
PowerOnVM $VM
}
Third in the series of moving the control plane to Citrix Cloud…. So you had your daily user report kicking out everyday (Surely you created one from this other post: https://xenapplepie.com/2022/04/12/if-you-could-get-those-user-counts-today-that-would-be-great/). It was working its happy way through life. Then you just moved parts it talked to into the cloud. I have created this updated report script to allow for it to pull from Citrix Cloud. This requires that you have already setup your API access with the secureclient.csv, that you added the CustomerID to your secureclient.csv, and you have installed the Citrix Cloud SDK. If you don’t have those, you are gonna have a bad day. I left the comment for the #Get Licensing Info so you can see what all other fields you can get if needed from there. If you are using VS Code, when you run that section, you can create a new variable and assign it as “$content.” and it will show the other available pieces of information you can assign such as “deviceLicenseUsage.”
**Update: Removed line with Get-XDAuthentication as it is doing a double authentication. Changed SDK commands to use $headers.Authorization to pass same bearer token**
One of the other things you will have to do, is create an API access account that will download a secureclient.csv that you will use to authenticate and allow you to run commands against Citrix Cloud.
Logon to the Citrix Cloud at cloud.com and get authenticated.
Click on the hamburger menu in the upper left.
Click on “Identity and Access Management.”
Click on “API Access.”
Fill out the name and click “Create Client.”
Copy and save the “ID” and “Secret.”
Click to download and save the “secureclient.csv” file to store in a safe location.
I added the “CustomerId” field to my secureclient file to pass to the XDCredential setup. To get this, you can see your CCID on the upper-right hand side underneath your name while you are logged into Citrix Cloud.
Below is what I used to configure my access to do the connections. One thing I noticed, if you name the profile anything other than “default,” it prompts for authentication and caused issues for automated scheduled tasks.
# Script to setup Citrix Cloud credential profile
asnp Citrix*
$secureClientProd = “C:\scripts\logs\secureclient-1.csv"
$secureClientTest = “C:\scripts\logs\secureclient-2.csv"
$xdCredsProd = import-csv $secureClientProd
$xdCredsTest = import-csv $secureClientTest
# Set prod profile
Set-XDCredentials -CustomerId $xdCredsProd.CustomerId -SecureClientFile $secureClientProd -ProfileType CloudAPI –StoreAs "default"
# Set test profile if you have a test cloud account
Set-XDCredentials -CustomerId $xdCredsTest.CustomerId -SecureClientFile $secureClientTest -ProfileType CloudAPI –StoreAs "Cloud-Test"
# List profiles
Get-XDCredentials -ListProfile
# Load credentials
Get-XDCredentials -ProfileName "default"
# To change profile credentials
Get-XDAuthentication -ProfileName "Cloud-Test"
# Clear Cloud credentials if you wish to delete a profile
Clear-XDCredentials -ProfileName "profilename"
So what I did to modify most of the scripts I was using before, was to remove the -AdminAddress and add these lines to the top of the scripts, then proceed business as normal. This allowed me to do the same things I was doing before and pass the API securecred file information.
I was looking at a way to compare versions of VDAs installed on various systems to see what systems needed to be updated. I ran into some issues trying to compare the versions as there are different formats and there was not a consistent numbering system going back to 7.15 that I could discern. So with some assistance from https://www.linkedin.com/in/douglas-ruehrwein-56835869/, I was able to get the version check working correctly. This ended up comparing to the target version and returning anything that was less than the target version. I didn’t want to target anything newer than the target as I had reasons for those particular systems to be running a newer VDA. You can combine this with the VDA upgrade script to output the DNSNames of the machines to upgrades machines outside of the target version.
# Script to get VDA versions below target version. This was done in PowerShell ISE 5.1 against 1912LTSRCU5 DDCs.
$adminAddress = "deliverycontroller.fqdn"
$date = Get-Date -Format MMddyyyy
$outputName = "VDAToUpgrade"
$report = @()
[System.Version]$targetVersion = "1912.0.5000.5174"
$getMachines = Get-BrokerMachine -AdminAddress $adminAddress -MaxRecordCount 1000000
foreach($machine in $getMachines){
$line = "" | Select HostedMachineName, DNSName, AgentVersion, WillBeUpgraded
$testVersion = $machine.AgentVersion
$line.HostedMachineName = $machine.HostedMachineName
$line.DNSName = $machine.DNSName
$line.AgentVersion = $machine.AgentVersion
if([System.Version]$testVersion -ge [System.Version]($targetVersion)){
$line.WillBeUpgraded = "Current Version Or Newer"
}
if([System.Version]$testVersion -lt [System.Version]($targetVersion)){
$line.WillBeUpgraded = "Yes"
}
$report += $line
}
$report | Export-Csv -Path c:\scripts\logs\$date-$outputName.csv -Append -NoTypeInformation
# To see only the versions that are not matching the target version
$report | Where-Object WillBeUpgraded -eq "Yes"
Just a quick little script you can add to your daily checks. This has been helpful for me to see if I have something that didn’t want to play nice BEFORE someone calls me and says it is broken. Good to have also if you have multiple hypervisor connections so you can see where at least it is running. Saves you looking around to figure out where it be.
This script allows you to get the list of Delivery Groups by “SessionSupport” type and reports back “MultiSession” as “CitrixApp” and SingleSession as “VDI.”
# Script to get MultiSession and SingleSession counts from Delivery Groups with a non-zero user count. This sorts by MultiSession, then SingleSession. This was ran on a machine with Citrix Studio SDK
# installed. This was tested with CVAD 1912 LTSR.
asnp Citrix*
$adminAddress = "deliverycontroller.fqdn"
$getDG = Get-BrokerDesktopGroup -AdminAddress $adminAddress -MaxRecordCount 100000 | Select-Object Name, SessionSupport | Get-Unique -AsString
$report = @()
foreach($dg in $getDG) {
$line = "" | Select DeliveryGroupName, UserCount, SessionSupport
$userCount = (Get-BrokerSession -AdminAddress $adminAddress -DesktopGroupName $dg.name -MaxRecordCount 100000 | Select-Object BrokeringUserName).count
if ($userCount -ne '0' -and $userCount -ne $null){
$line.DeliveryGroupName = $dg.name
$line.UserCount = $userCount
if($dg.SessionSupport -eq "SingleSession") {
$line.SessionSupport = 'VDI'
}
else{
$line.SessionSupport = 'CitrixApp'
}
$report += $line
}
}
$citrixAppTotal = (($report | Where-Object SessionSupport -eq "CitrixApp"| Select-Object UserCount).UserCount| Measure-Object -Sum).Sum
$citrixVDITotal = (($report | Where-Object SessionSupport -eq "VDI"| Select-Object UserCount).UserCount| Measure-Object -Sum).Sum
$appTotal = write-output "`r`nTotal Citrix App users: $citrixAppTotal"
$vdiTotal = write-output "Total VDI Users: $citrixVDITotal"
$report += $apptotal
$report += $vdiTotal
$report | sort SessionSupport, @{Expression="UserCount";Descending=$true}|Format-Table
So ran into this fun on Citrix VDI with Windows Terminal. You get it installed. You start it up. It’s all shiny. You press a button….. And…… NOTHING! So we saw this issue on Windows Terminal on Windows 10 20H2 running CVAD 1912 CU5 VDA. A little bit of searching and this article pointed to part of what was up. https://github.com/microsoft/terminal/issues/4448
The fix that had to be done to resolve it in our case was to set the “Touch Keyboard and Handwriting Panel Service” to “Manual” in Services. Then rebooting. After that, it fired right up and worked!
We need more power from the warp core! Captain, I’m givin her all she’s got! Ran across something interesting. Something that I should have thought of before but for some reason, I did not. Windows default power management usually is set for balance even on servers. Didn’t think about it being something similar on Linux distros. It appears that is the case! So…… What I found in an issue with some lag and latency, is that Ubuntu and some other distros use ondemand as a CPU scaling governor as the default power scheme. There are a lot of write-ups on the various scaling governor settings available, so I won’t go into all of those. I will show how to set it to performance. I found that CentOS has this as well, but I am working on how to get it set to performance and will add that here as soon as I get the howto on that. This becomes applicable for your Linux VDI that you could be supporting in your Citrix VDI environment and could run into audio issues or are experience lag with multi-core systems.
So here is the way to set the scaling governor to performance on Ubuntu systems. There are two ways depending on if you are running older than 18.04 or newer than 18.04.
For 18.04 Ubuntu and newer:
Open console and type “cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor” to see what it is set to. If it is set to “ondeman,” it is governing the procs. To change to “performance,” type “echo performance > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor.” To confirm the change, type “cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor” to make sure it is showing performance.
For earlier than 18.04 Ubuntu: (from https://itectec.com/ubuntu/ubuntu-how-to-set-performance-instead-of-powersave-as-default/)
Open nano or vi and edit /etc/rc.local and insert these lines before the last line containing exit 0:
sleep 120 # Give CPU startup routines time to settle.
cpupower frequency-set --governor performance
Happy computing with thy VDI! I’ll post the change for CentOS / RedHat when I have the settings available!