IAS RADIUS Server Configuration for 802.1x EAP-MS-CHAP v2

IAS RADIUS Server Configuration for 802.1x EAP-MS-CHAP v2

This article describes the steps required to setup a resiliant 802.11x Wifi RADIUS authentication infrastructure; a must for any SMB.

This article assumes you have configured your Wireless Access Point with the desired radius server IP addresses / FQDNs and a shared secret.

IAS/Certificate Services Installation/Configuration Primary RADIUS Server

To optimize IAS authentication and authorization response times and minimize network traffic, install IAS on a domain controller.

  1. First, install IIS on your Domain Controller.
  2. Next, install Enterprise Certificate Authority Root – Enterprise Root Server Mode> Give the CA the same name as the server’s name
  3. Next Create a new Global Group > ‘Wireless Users and Computers’ Add Computer AND User Objects into this group that you wish to grant IAS RADIUS Access.
  4. Ensure that Users Account are configured to grant Remote Access (Dial In) permissions.
  5. Next Install IAS (via Add/Remove Programs > Windows Components)

You will also need to request a NPS/IAS/RADIUS Server Authentication certificate for each IAS server you wish to configure.

Create IAS RADIUS Clients

Next load the IAS MMC Snap-In Select Clients

  1. Rt-Click Clients > New > Enter a Friendly Name
  2. Ensure that Protocol is ‘RADIUS’
  3. Enter Access Point IP Address
  4. Select RADIUS Standard as the client vendor.
  5. Tick the Client must always send the signature attribute in the request
  6. Enter the shared secret as configured on the AP
  7. Click Finish


Configure Remote Access Policies

  1. Select Remote Access Policies
  2. Rt-Click Remote Access Policies > New Remote Access Policy>
  3. Enter a friendly name
  4. Click Next
  5. On the conditions window, click Add
  6. Select Windows Groups and click Add
  7. Click Add and then set Domain as location and earch for the Global Group, then click OK, you will return to the conditions window
  8. Click Add, select NAS-Port-Type and then select Wireless – IEEE 802.11
  9. Click Add, select Wireless – Other and then Click Add, you will return to the conditions window.
  10. Click Next
  11. Select Grant Remote Access Permission
  12. Click Edit Profile then select the ‘Authentication’ tab
  13. Enable Extensible Authentication Protocol, select PEAP as the EAP type from the drop down box
  14. Disable all other authentication types
  15. Click Configure under the Extensible Authentication Protocol group
  16. Ensure that Secured Password (EAP-MSCHAP-V2) is listed
  17. Select the IAS/RADIUS Server Authentication certificate you wish use for authentication (note if the certificate is to be replaced in future change it here)


    18. Click OK

    19. Click OK until the Remote Access Policy Configuration Window disappears!


Perform the steps as above on the Secondary RADIUS server.

Client Configuration

Once laptop has detected AP, configure advanced options:

                Network Authentication should be set as: WPA using TKIP Data encryption
                Under Authentication select Protected EAP
                                Select Properties
                                Ensure Validate Server Certificate is selected
                                Ensure that Connect to these servers contains the RADIUS servers FQDN’s
                                Scroll down and select both RADIUS server certificates under Trusted Root Cert. Authorities
It may be necessary to manually install one of the Certificates to your client.

Client configuration can be completed using Group Policy; Computer Configuration/Windows Settings/Wireless (802.11) Policies

Manual Certificate Installation

Navigate Internet Explorer to:

  • http://your-certificateserver1/certsrv
  • http://your-certifcateserver2/certsrv

From each server retrieve the CA certificate’; download the CA certificate in DER encoded format.

ON the client load MMC and add the Certificates snap-in, select Computer account > Local computer. Expand Trusted Root Certificate Authorities and Select Certificates  > Right-Click certificates > Import >  Select the first RADIUS server’s CA certificate


Automatic MAPI Profile Creation for Outlook XP / 2000/3/7

Automatic MAPI Profile Creation for Outlook 2000 / XP / 2003 & 2007

Like many Wintel Administrators I was presented with the requirement to automate MAPI profile creation on our Citrix Farm; this requirement was later extended to our Windows XP workstations running a multitude of different Outlook versions.

When auto-generating a MAPI profile in Outlook 2000 (Outlook v9) it is necessary to use the NewProf.exe tool along with a PRF file, newer versions of Outlook (Outlook v10+) are able to read a PRF file directly if configured to read the file on first run for a user.

The following script is Cross Platform (i.e Windows and Outlook) compatible; and must be used along with the PRF file further down:

Const ForReading = 1
Const ForWriting = 2

Set WshShell = CreateObject(“WScript.Shell”)
Set fso = CreateObject(“Scripting.FileSystemObject”)
windir = WshShell.ExpandEnvironmentStrings(“%windir%”)

Set objNetwork = CreateObject(“Wscript.Network”)
currentDomain = objNetwork.UserDomain
currentUser = objNetwork.UserName

‘——————————– Mk2
‘Create an instance of Outlook so that it can be queried for it’s version
Set objOLK = CreateObject(“Outlook.Application”)
OLKVer = left(objOLK.Version,inStr(1,objOLK.Version,”.”)-1)

‘If Outlook version is later than 2000 then make this registry change so that Outlook imports the PRF on first run
If OLKVer > 9 Then
‘Set Wsh = CreateObject(“Wscript.Shell”)
If CheckRegKey(“HKEY_CURRENT_USER\Software\Microsoft\Office\” & OLKVer & “.0\Outlook\Setup\First-Run”) = TRUE Then
RetVal = WshShell.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Office\” & OLKVer & “.0\Outlook\Setup\First-Run”)
End If
RetVal = WshShell.RegWrite(“HKEY_CURRENT_USER\Software\Microsoft\Office\” & OLKVer & “.0\Outlook\Setup\ImportPRF”,_
WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”) & “\My Documents\PST\Outlook.prf”)
‘Set Wsh = Nothing
End If

‘———————— Establish 16bit names for fso – required for newprof tools
arrPath = Split(WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”),”\”)
For Each str in arrPath
If Len(str) > 7 Then
str = Left(str,6) & “~1”
End If
If fullpath = “” Then
fullpath = str
fullpath = fullpath & “\” & str
End If
savePath = fullpath & “\MYDOCU~1\PST\”

If Not fso.FileExists(WshShell.ExpandEnvironmentStrings(“%SYSTEMROOT%”) & “\Outlook.prf”) Then
End If

‘Read contents of Template prf file
Set fsoTextStream = fso.OpenTextFile(WshShell.ExpandEnvironmentStrings(“%SYSTEMROOT%”) & “\Outlook.prf”, ForReading)
strTmpPrf = fsoTextStream.ReadAll

‘Search though the array of lines and replace anything with %username% with logon name
Set vbsRegExp = New RegExp
vbsRegExp.Pattern = “%username%”
vbsRegExp.Global = True
vbsRegExp.IgnoreCase = True
strNewPrf1 = vbsRegExp.Replace(strTmpPrf,currentUser)
Set vbsRegExp = Nothing

‘Search though the array of lines and replace anything with %userprofile% with env var userprofile
Set vbsRegExp = New RegExp
vbsRegExp.Pattern = “%userprofile%”
vbsRegExp.Global = True
vbsRegExp.IgnoreCase = True
strNewPrf2 = vbsRegExp.Replace(strNewPrf1,savePath)
Set vbsRegExp = Nothing

If Not fso.FolderExists(WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”) & “\My Documents\PST\”) Then
fso.CreateFolder WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”) & “\My Documents\PST\”
End If

If Not fso.FileExists(WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”) & “\My Documents\PST\Outlook.prf”) Then
‘fso.DeleteFile(WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”) & “\My Documents\PST\Outlook.prf”)

Set fsoTextStream = fso.CreateTextFile(WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”) & “\My Documents\PST\Outlook.prf”, ForWriting)
fsoTextStream.Write strNewPrf2

‘fso.CopyFile WshShell.ExpandEnvironmentStrings(“%USERPROFILE%”) & “\My Documents\PST\Outlook.prf” ,_
‘ WshShell.ExpandEnvironmentStrings(“%SYSTEMROOT%”) & “\Outlook.prf”, True

End If

‘Add code for Outlook 2K (9) only

If OLKVer =<9 AND fso.FileExists(WshShell.ExpandEnvironmentStrings(“%SYSTEMROOT%”) & “\newprof.exe”) Then
cmd = WshShell.Run(“%comspec% /c (” & WshShell.ExpandEnvironmentStrings(“%SYSTEMROOT%”) & “\newprof.exe -p ” _
& savePath & “Outlook.prf -x)”,0,True)
End If

‘**** CheckRegKey(RegStr)
Function CheckRegKey(RegStr)
On Error Resume Next
Wsh.RegRead RegStr
If Err Then
CheckRegKey = False
CheckRegKey = True
End If
On Error Goto 0
End Function

Save the above code in to a new fie named ‘profgen.vbs.’ A group policy should then be created and this script assigned as a logon script for users.

The following code should be saved into a new file named ‘outlook.prf‘:

; Outlook PRF file for Exchange Server users
; ——————————————-
; Copyright (C), Microsoft Corporation, 1996.
; The following PRF file is included as an example of how to create a PRF file that will
; configure Outlook users with Exchange Server. Section 1, 2, and 3 may be modified.
; DO NOT MODIFY SECTION 4. It will most likely cause Exchange services to crash.
; Be very careful when editing to ensure property values match their property types.
; NOTE: The HomeServer setting for the Microsoft Exchange Server must be filled in
; before using this file.
; For information about how to disable Outlook Profile Setup and instead use the
; the Inbox Setup Wizard, see NONE.PRF in the Office Resource Kit.

; ************************************************************************
; Section 1 – Profile defaults.

; — Required. Indicates that this is a customized PRF file.

; ************************************************************************
; Section 2 – Services in profile.

[Service List]
Service1=Microsoft Outlook Client
Service2=Microsoft Exchange Server
Service3=Outlook Address Book
Service4=Archived Messages

; ************************************************************************
; Section 3 – Default values for each service.


; **** Customized Outlook Client properties ****

; Required.
; — The name of the Microsoft Exchange Server the user should
; connect to (ex: ALEX). You can specify any Microsoft Exchange Server
; in your site, and the correct Home Server will be assigned
; when the user first logs on.

; — Dummy property. Do not delete or modify.



; ************************************************************************
; Section 4 – Mapping for profile properties. DO NOT MODIFY.

; ************************************************************************
; Microsoft Outlook Client definitions

[Microsoft Outlook Client]

; — A boolean value indicating whether or not to empty the
; wastebasket on exit.

; — A boolean value indicating whether or not to select entire
; words when selecting.

; — Indicates what to do after moving or deleting a message.
; Possible values are shown below:
; 0 – Open Next Message
; 1 – Return to Viewer
; 2 – Open Previous Message

; — A boolean value indicating whether or not to close the
; original message after replying.

; — A boolean value indicating whether or not to generate
; a read receipt on sent mail.

; — A boolean value indicating whether or not to generate
; a delivery receipt on sent mail.

; — The default sensitivity to send mail with.
; Possible values are shown below:
; 0 – Normal
; 1 – Personal
; 2 – Private
; 3 – Confidential

; — The default priority to send mail with.
; Possible values are shown below:
; 0 – Low
; 1 – Normal
; 2 – High

; — A boolean value indicating whether to save a copy of
; sent messages in the sent items folder.

; **** Custom entries added by [email protected] ****

; — A boolean value indicating whether Outlook should close original
; message when replying or forwarding.

; — A boolean value indicating whether Outlook should mark comments
; in a reply message with the users name.

; — A boolean value indicating whether Outlook should allow a comma
; to be used as an address separator.

; — The default is to auto archive every 14 days.
; Possible values are shown below:
; 1 – 60

; — The path and file name for the default auto archive file.
; ex: c:\home\rickva\outlook\archive.pst

; ************************************************************************
; Microsoft Exchange Server service definitions.

[Microsoft Exchange Server]

; — The name of the user’s Exchange Server Mailbox

; — The name of the Microsoft Exchange Server the user should
; connect to. You can specify any Microsoft Exchange Server
; in your site, and the correct Home Server will be assigned
; when the user first logs on.

; — The path to the Offline Store File that contains
; local replicas of the user’s Mailbox and Favorites.
; If you do not specify a value, no Offline Store will
; be created. If you specify a path, an Offline Store
; will be created and the Inbox, Outbox, Deleted Items,
; and Sent Items folders will be replicated to it.

; — The path to the directory to store offline address
; book files in.

; — Flags that control behavior when connecting to the Exchange
; Server.
; The following values are possible:
; 4 Normal
; 6 Ask whether to connect or work offline at startup.
; 12 Allow clients to be authenticated via the Internet
; 14 Combination of 6 and 12.

; — A boolean value indicating whether NEWPROF should
; attempt to resolve the Exchange mailbox name at run time.
; If set to TRUE, NEWPROF will copy the name to the profile
; without resolving it.
; If FALSE, the name will be resolved. Invalid server or
; mailbox name will not be copied to the profile.

; ************************************************************************
; Microsoft Mail service definitions.

[Microsoft Mail]

; — The path to the users post office. Mapped network drives, UNC and NETWARE paths
; are acceptable. NETWARE paths of the type NWServer/share:dir\dir1 are converted to
; UNC paths of the type \\NWServer\share\dir\dir1.


; — The users mailbox name. eg. in a NET/PO/USER address,
; this is USER. The maximum mailbox name is 10 characters.


; — The users mailbox password. The maximum password is 8 characters.


; — A boolean value indicating whether the users password is
; to be remembered in the profile or not. This is useful because
; if the password is remembered the user can bypass the logon prompt
; if his server path, mailbox name and password are all supplied.


; — The connection type. This may be one of CFG_CONN_AUTO, CFG_CONN_LAN,
; 0x0 — LAN type connection. Used to connect to the post office using a
; UNC path or pre-existing mapped drive.
; 0x1 — Dial up connection using Dial-up Networking.
; 0x2 — Not connected.
; 0x3 — Automatically detect whether the connection type is LAN or REMOTE.
; This connection type is only available on Win95.


; — A boolean value indicating whether session logging
; is on or off.


; — The path to the session log file.


; — A boolean value which indicates whether mail in the outbox
; is sent.


; — A boolean value which indicates whether mail in the server
; mailbag is downloaded.


; — A bit array which allows the user to indicate which addresses
; for which the transport is to attempt delivery. This is useful
; in order to allow a user to specify that a transport only handle
; delivery for a subset of the addresses it can really process.
; When multiple transports are installed and the user wants a
; different transport to handle some specific address types they
; can use this bit array to specify that the MSMAIL transport
; only handle a specific set of addresses.
; Possible values as defined below include:
; 0x00000001 — Local Post Office and External Post Office address types
; 0x00000002 — PROFS address types
; 0x00000004 — SNADS address types
; 0x00000008 — MCI address types
; 0x00000010 — X.400 address types
; 0x00000040 — FAX address types
; 0x00000080 — MHS address types
; 0x00000100 — SMTP address types
; 0x00000800 — OfficeVision address types
; 0x00001000 — MacMail address types
; 0x000019df — All of the above address types


; — A boolean value which indicates whether a netbios notification
; is sent to a recipients transport when mail is delivered to
; their server inbox.


; — The polling interval in minutes when the transport
; checks for new mail. 1 <= polling interval <= 9999


; — A boolean value which, if TRUE, only displays the Microsoft Mail Global Address
; list for name selection. The Postoffice list, external post office lists, and gateway
; address lists are not shown.


; — A boolean value which indicates whether the user wants to enable
; headers while working on the LAN. Headers mode allows the user
; to download message headers and selectively choose which mail
; to download.


; — A boolean value which indicates whether the user wants to use
; name resolution based on a local copy of the server address book
; rather than the server address book itself.


; — A boolean value which indicates whether EXTERNAL.EXE, a server process, should be used
; to deliver submitted mail messages. This is sometimes useful when mail is running
; on a slow LAN connection.


; — A boolean value which indicates whether the user wants to enable
; headers while working over a slow speed link. Headers mode
; allows the user to download message headers and selectively
; choose which mail to download.


; — A boolean value which indicates whether the user wants to use
; name resolution based on a local copy of the server address book
; rather than the server address book itself.


; — A boolean value which indicates whether EXTERNAL.EXE, a server process, should be used
; to deliver submitted mail messages. This speeds up message delivery when mail is
; running on a Dial-up network connection.


; — A boolean value which indicates that a Dial-up Network connection should
; be established when the transport provider starts up.


; — A boolean value which indicates that a Dial-up Network connection should
; be automatically terminated when headers are finished downloading.


; — A boolean value which indicates that a Dial-up Network connection should
; be automatically terminated after mail has finished being sent
; received.


; — A boolean value which indicates that a Dial-up Network connection should
; be automatically terminated when the provider is exited.


; — The name of the Dial-up Network profile that the transport will use by
; default to attempt the connection.


; — Number of times to attempt dial for connection.
; 1 <= retry attempts <= 9999


; — Delay between retry attempts in seconds.
; 30 <= retry delay <= 9999


; ************************************************************************
; Personal Folders service definitions.

[Archived Messages]
ServiceName=MSPST MS

; — Path to personal folders.


; — A boolean value that determines if the personal folders password
; should be cached.


; — A value that designates the type of encryption that is used to
; compress the data in the PST:
; No Encryption 0x80000000
; Compressable Encryption 0x40000000
; Best Encryption 0x20000000


; — PST password.


; ************************************************************************
; Personal Address Book service definitions.

[Personal Address Book]
ServiceName=MSPST AB

; — Path to personal address book.


; — Determines if PAB entries are first, last, or last, first.
; first last 0
; last, first 1


; ************************************************************************
; Outlook Address Book service definitions.

[Outlook Address Book]
; — Dummy property. Do not modify.

Finally we have to ensure the availability of the required files for the profgen.vbs VBScript. This is completed by running a machine start-up script attached to a group policy. First, copy the NewProf.exe, outlook.prf into your domains NETLOGON share (i.e \\mydomain.com\NETLOGON). Then copy the code below into a new text file and save it as comp-startup.vbs. Assign this script as machine startup script for all machines you wish to automate MAPI profilecreation on.

Set objNetwork = CreateObject(“Wscript.Network”)
Set fso = CreateObject(“Scripting.FileSystemObject”)

Set oShell = CreateObject( “WScript.Shell” )
windir = oShell.ExpandEnvironmentStrings(“%windir%”)

target = windir & “\NEWPROF.EXE”
If Not (fso.FileExists(target)) Then
‘If it exists overwrite it.
fso.CopyFile “\\mydom.com\netlogon\NEWPROF.EXE”, windir & “\” ,True
End If

‘target = windir & “\Prfpatch.exe”
‘If Not (fso.FileExists(target)) Then
‘If it exists overwrite it.
‘ fso.CopyFile “\\mydom.com\netlogon\Prfpatch.exe”, windir & “\” ,True
‘End If

target = windir & “\outlook.prf”
If Not (fso.FileExists(target)) Then
‘If it exists overwrite it.
fso.CopyFile “\\mydom.com\netlogon\outlook.prf”, windir & “\” ,True
End If



VBScript ; Enable Remote Desktop Remotely

VB Script Enable Remote Desktop Remotely

I recently came across the following useful script that will enable Remote Desktop connections (access via RDP) on a remote server as long as you have permission to do so with your current logon credentials.

The script below will function on both Windows Server 2000 and Windows Server 2003 machines.

strComputer = InputBox (“Enter Machine Name”)
Set objWMIService = GetObject(“winmgmts:” _ & “{impersonationLevel=impersonate}!” & strComputer & “\root\cimv2”)Set colTSSettings = objWMIService.InstancesOf(“Win32_TerminalServiceSetting”)
For Each colTS in colTSSettings
Wscript.Echo UCase(strComputer) & ” Remote Desktop Is Now Enabled”

VBScript ; Create Active Directory Organisational Unit (OU)

VB Script Create Active Directory Organisational Unit (OU) – ADSI

Another useful time-saving tip when deploying a new Active Directory Tree.It is possible to script the creation of all Organisational Units in the Active Directory Tree using vbscript. This can save a great deal of time when it comes to the deployment of a new domain.

The following script will create a tree as follows: yourdomain.com > Sites – {new Top Level OU} > UK – {new sub-OU}

It will then create sub-OUs for each site listed in the object arrOus.

Site names must be seperated by a semi-colon (;)

For each Site sub-OU created a Users container and Computers container will be created.Again, the script is simple to modify for your environment.
Dim objRoot, objDomain, objOU, arrOUsDim strOUContainerDim intUser
Set oRoot = GetObject(“LDAP://rootDSE”)
oDomain = oRoot.Get(“defaultNamingContext”)
Set oDomain = GetObject(“LDAP://” & oDomain)strOUContainer =”OU=Sites”
Set objOU = objDomain.Create(“organizationalUnit”, strOUContainer)
objOU.SetInfostrOUContainer =”OU=UK,OU=Sites”
Set objOU = objDomain.Create(“organizationalUnit”, strOUContainer)
arrOUs = “Belfast;Birmingham;Bristol;Chessington;Dublin;Glasgow;Greenwich”arrOUs = Split(arrOUs,”;”)
For Each ou in arrOUs
        strOUContainer =”OU=” & ou & “,OU=UK,OU=Sites”
        Set objOU = oDomain.Create(“organizationalUnit”, strOUContainer) objOU.SetInfo strOUContainer =”OU=Users,OU=” & ou & “,OU=UK,OU=Sites” ‘
        ‘On Error Resume next
        Set objOU = oDomain.Create(“organizationalUnit”, strOUContainer)
        objOU.Put “Description”, “User Object Organisational Unit”
        WScript.Echo “New OU created = ” & strOUContainer strOUContainer =”OU=Computers,OU=” & ou & “,OU=UK,OU=Sites” ‘
        Set objOU = oDomain.Create(“organizationalUnit”, strOUContainer)
        objOU.Put “Description”, “Computer Object Organisational Unit”
        WScript.Echo “New OU created = ” & strOUContainer

 The script has been tested on Windows Server 2000 and 2003 Domains.

VBScript ; List All Processes On Remote Computer

VBScript list all processes on remote computer

VB Script to echo all processes running on a remote system, including the process [email protected]

strComputer = “computer_name”
Set objWMIService = GetObject(“WinMgmts:” & “{impersonationLevel=impersonate}!” & strComputer & “\\\\root\\\\cimv2”) \r\n
Set colProcesses = objWMIService.ExecQuery (“Select * from Win32_Process”)
For Each objProcess in colProcesses
ProcessID = objProcess.ProcessID
Wscript.echo objProcess.ExecutablePath i=i+1

Understanding and configuring the Citrix XML Service

Understanding and configuring the Citrix XML Service’, ‘Recently caught out by modifying the Citrix XML Service port I thought I would share my experiences!

Citrix XML Service Port / ctxxmlss

The Citrix XML Service Port is used by the ICA Client for connection to the Citrix server / published application:When TCP/IP + HTTP is selected and you specify servers in the Address List box, the client communicates with the Citrix XML Service on a specified server for Enumeration.If you modify the XML service port from port 80 and rely on your clients to connect via HTTP & TCP/IP using the dns host entry for ‘ica’ for round-robin DNS resiliency you will find that this round-robin DNS for this entry will fail. This is because you cannot specify the port number, which the XML service is running on in DNS.Therefore, if the first Citrix server in your farm becomes unresponsive or is taken offline connections to the farm will failAs a result you need to configure your clients to use the default server address if ica:pn where pn is the port number you are using for the XML Service. For example’; ica:8080:

 This can be manually specified in an unattended install of the ica client. Run msiexec /a ica32pkg.msi and create an extracted network install source. Then once created edit the \\yourserver\yourshare\ Program Files\Citrix\Application\ICA Client\appsrv.ini file and add the following line at the end of the file:


This will also affect Thin Client devices that utilise HTTP & TCP/IP. For example WYSE 1200LE and S10 Thin Client devices. The solution for these devices is to edit the wnos.ini file on you FTP server so that the port number is specified:


You’ll find that without this if the first server in the list goes offline the TC devices will NOT connect to the next server in the list.


Changing the XML Service Port

You have two options when configuring the XML Service port; one, run the XML Service alongside IIS; two, run it on a dedicated port.To configure the XML service to run alongside IIS on port 80 see the following guide:


To configure the XML service to use a dedicated port:

First un-register the XML Service on the server you wish to modify the port:ctxxmlss /u

Now re-register the service on your desired port number:ctxxmlss /r8080

Troubleshooting ICA Client / PNAgent Error 2306

Program Neighbourhood Agent / PNAgent Error 2306

On setting up the ICA Client 10.105 I received the following error on trying to connect via the applications listed under the PNAgent.’, ‘On setting up the ICA Client 10.105 I received the following error on trying to connect via the applications listed under the PNAgent:

This was being caused because the ICA file was being deleted before the PNAgent had finished reading it… very strange. After browsing a few forum posts I found that by modifying my local workstation registry I could resolve the issue by changing the ‘RemoveICAFile’ entry to equal false:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Client Engine\ICA File

Alternately, if you are an Administrator wanting to resolve this for all of your PNAgent users and Web Interface users simply follow these instructions:

Modify the \Inetpub\wwwroot\Citrix\MetaFrame\conf\default.ica on all of your Citrix Servers that have the web interface.

Change the line “RemoveICAFile=yes” to “RemoveICAFile=no”

Deploying Outlook 2007 via Group Policy

Deploying Outlook 2007 via Group Policy

There are 2 options for deploying Outlook 2007 via Group Policy:

1) Using the supplied MSI and modifying the config.xml file

2) Calling setup from a group-policy machine start up script and installing using a customised MSP file.


Option 1 Cons / Option 2 Pros

Option 1 is limiting in that you are not able to integrate service packs and updates by adding the MSP files to the Upgrades directory in the root of your installation folder. Option 2 allows you to achieve this. This means you cannot automate integration of SP1 with Option 1.

Option 1 also limits your setup options, whereas you can use the following command to create an entirely modified and personalised Outlook 2007 setup: setup /adminOption 1 will not allow you to upgrade a previous version of Outlook to 2007 unless you specifically deployed Outlook via group policy and not a complete Office Suite installation that included Outlook.

If you attempt to upgrade using Option 1 setup will install the files but Outlook 2007 will show as ‘Not Available’ when you try to modify the setup. This is due to Group Policy; even though you specify the ‘Setting Id=”RemovePrevious” Value=”OUTLOOKFiles” ’ setup will not upgrade the previous version as group policy does not see the installation as an upgrade.

Furthermore, instructing the new Outlook 2007 GPO to upgrade your previous version of Office will also fail.Option 2 will allow you to upgrade a previous installation of Outlook to 2007, even if your Outlook install is part of an full Office Suite.


Option 1 Pros / Option 2 Cons

Option 2, however, will not allow you to ‘manage’ the software; if a machine falls out of the scope of the install script Outlook will not be uninstalled. Option 1 would enable you to manage software in this way.



With the above in mind I opted for Option 2 as I was performing an upgrade to 2007 from 2000 so it really was a no brainer. I combined the MSP based setup with a start-up script written in vbScript. This is configured in a new GPO and set as a machine start-up script. The scope of the GPO depends upon machine membership within a particular group within AD: thus providing a granular and controlled method of deployment.

Const HKEY_LOCAL_MACHINE = &H80000002
Set WshShell = CreateObject(“WScript.Shell”)
Set fso = CreateObject(“Scripting.FileSystemObject”)
Set objNetwork = CreateObject(“Wscript.Network”)
strComputerName = objNetwork.ComputerName
InstallDIR = WshShell.ExpandEnvironmentStrings(“%PROGRAMFILES%”) & “Microsoft OfficeOffice12”
target = InstallDIR & “OUTLOOK.exe”
If NOT fso.FileExists(target) Then ”If there is no Outlook 2007 executable install Outlook 2007
    cmd = WshShell.Run(“file_serveroutlook2007$setup.exe /adminfile file_serveroutlook2007$Outlook2K7UPDT.MSP”,0,True)
    ‘Create Outlook Desktop Icon
    Set objNetwork = CreateObject(“Wscript.Network”)
    Set wmiLocator = CreateObject(“WbemScripting.SWbemLocator”) ”Object used to get StdRegProv Namespace
    Set wmiNameSpace = wmiLocator.ConnectServer(objNetwork.ComputerName, “rootdefault”) ‘ Registry Provider (StdRegProv) lives in rootdefault namespace.
    Set objRegistry = wmiNameSpace.Get(“StdRegProv”)
    objRegistry.CreateKey HKEY_LOCAL_MACHINE, ”   SoftwareMicrosoftWindowsCurrentVersionExplorerDesktopNameSpace{00020D75-0000-0000-C000-000000000046}]”
End If 

Troubleshooting Citrix Slow Performance Issues

Troubleshoot Citrix / Thin Client Performance’

After a long project that was aimed at improving Thin Client performance I though I would post my experiences and solutions in order to aid those in a similar situation.


Citrix Server Performance Improvement

I was recently tasked with improving a Citrix XP and PS 4.5 Farm’s performance; by no means was this simple project which I could simply throw more servers at the farm hoping to resolve the issue.

By far, the most useful tool in diagnosing slow logons is the userenv.dll debugging available in your Windows out of the box. This will really spell out where your problem is coming from.

For further information read this link: http://support.microsoft.com/kb/221833


External File Server Performance

External file servers, especially servers holding roaming user profiles can cause significant delays; if these are running out of free connections or worker threads then logon delays are inevitable.

Symptoms: Long pause / very slow / hangs at logon ‘Loading Your Personal Settings”

Long logon delays often indicate issues with remote file access; namely GPO’s and Profile data if roaming profiles are used. Not only are these logon delays a nuisance for end-users, they have a knock-on effect; the duration of the delay often effects all users on a particular server. I have seen logon delays of 50+ second’s effect all users on a single server until the logon process has finished for the user

To Diagnose: Use userenv.dll debugging – http://support.microsoft.com/kb/221833– log file is located under %Systemroot%DebugUserModeUserenv.log.

Solution: Watch out for ‘Srv’ events in the System Event Log with Error code ‘2022’; see the following KB article for more details: http://support.microsoft.com/kb/317249I would definitely suggest rolling out the MaxFree Connections /MinFree Connections registry tweak described in more detail here: http://support.microsoft.com/kb/830901 Note that Windows Server / Advanced Server 2000 require a hotfix, which is free to obtain form MS Technical support.The following web site is also a great resource: http://support.microsoft.com/kb/324446 – if you’re running RAID cards with battery backup units get the Delayed Write Cache setting enabled!

NOTES: Please note that Microsoft does not support the use of PST files across a network. This can cause significant performance issues to file servers hosting them. For further details please see: http://blogs.technet.com/askperf/archive/2007/01/21/network-stored-pst-files-don-t-do-it.aspx If you’re hosting PST files on the same server as your profiles you’ve more than likely found your problem. I would suggest separating the profiles and PST files on separate servers. Profile access needs to be quick to ensure smooth logons.


Active Directory Access

Slow access to domain controllers, namely Global Catalogue (GC) servers can cause significant delays in logon as group memberships are referenced and permissions are established from the Active Directory.If you have only a single domain in your forest each Domain Controller can be setup as a GC server. In a multi-domain forest you should ensure that the Infrastructure Master FSMO role is not placed on a GC. The first DC in a domain is always automatically configured as a GC, subsequent DC’s are not.

Symptoms: Long pause / delay / hang / slow at logon “Applying computer settings” and loading Logon Scripts

To Diagnose: Use userenv.dll debugging – http://support.microsoft.com/kb/221833 – log file is located under %Systemroot%DebugUserModeUserenv.log.

Solution: Setup dedicated DC’s; DC’s are central to yourActive Directory Domain. Quick access for LDAP queries is essential for performance. Running print/file server roles on these servers is simply not smart and not reccommended.


Citrix Server Hardware / Number of Users Per Citrix Server

There are many myths about the number of users you can effectively have on a single Citrix server. I have seen single servers handle 60 users without any issues what so ever. I have seen servers struggle to handle 20 users when applications or external problems, such as file server access, can cause slowdowns. There isn’t a Citrix reccomended number of users per server. This limit is dictated by the applications your user operates during their session. The only way to find out what your Citrix servers can handle is to test them.

Symptoms: High CPU/ Memory / Page File usage on all Citrix servers within a farm.

To Diagnose: Create a performance benchmark using the built in Window Performance counters. You’ll know if this is an issue when you examine the results.

Solution: Setup and introduce further servers into a farm. Unless you’re seeing high CPU/RAM usage there is little point in adding more servers to the farm; your problem is elsewhere my friend.


Logon Scripts

It’s worth noting at this point a poor logon script can cause more problems than the few issues it may automatically fix. Avoid, where possible, calling network applications held on File servers – these shares will be in high demand at peak hours and could cause delays.Script type; I’m not going to get into which is better and which is worse programming language wise. I’ve had great success implementing vbscript over KIX scripts and DOS scripts; this may not be the same in your environment.Scripts to look at in particular; • Scripts being called by UsrLogn2.cmd (found under %SystemRoot%System32)• Group Policy Active Directory Account Logon Scripts

Symptoms: Long pause after the ‘Applying your personal settings’ box disappears.

To Diagnose: Test a user account with the same profile settings other than logon script; ensure it has no logon script.

Solution: Scale back / Streamline your scripts where possible. Alternatively you’re looking at a long night rebuilding them. There is no one-fix-fits all here; your scripts are bespoke to your network… good luck!


Network Adapter Configuration

UPDATE 31/01/2008: Simple, yet easy to overlook is the Network Adapter configuration.

Symptoms: Running Citrix Presentation Server 4.5 on Windows Server 2003 I experienced delays of up to 5 minutes for some user accounts whilst logging on. Specifically the logon would get stuck at ‘Loading your personal settings.’

Solution: The cause was simple; a network configuration mismatch. The switch to which the serevr was connected was configured for auto, as was the server. The link infact had auto-negotiated to 10Mb Half Duplex. Forcing the server to 100Mb Full-Duplex reduced logon to around 15 seconds.This can be explained by the use of roaming profiles. The delay was caused by the slow NIC configuration. This means that copying users roaming profiles took up to 5 minutes prior to logon.


Antivirus Configuration

UPDATE: 27/09/2009: Antivirus software should be installed and configured correctly for Citrix XenApp/Presentation Server in order to ensure that there is no performance overhead.

Symptoms: Generally slow performance across all applicationsand file access.

To Diagnose: TEMPORARILY disable all anti-virus components (especially the on-access scanner and any application filters/buffer overflow protection)

Solution: You should configure the anti-virus on-access scanner as follows:

• Scan on write events only
• Scan local drives only
• Exclude the pagefile from being scanned
• Exclude the Print Spooler directory to improve print performance
• Exclude the Program FilesCitrix folder from being scanned (the heavily accessed local host cache and Resource Manager local database are contained inside this folder)
• If ICA pass-through connections are used, exclude the user‘s XenApp Plugin bitmap cache and the XenApp Plugin folders

More information is available here


Antivirus Configuration

UPDATE: 11/11/2009: If using McAfee Virus Scan 8.7i ensure that at least patch version 2 is installed.

Symptoms: Slow Windows startup and logon performance. Windows boot takes several minutes and gets stuck on ‘Applying Computer Settings…’

To Diagnose: Set the ‘Network Location Awareness’ service startup type to ‘Automatic’

Solution: Install patch 2 for McAfee 8.7i – there is a known issue with version before this causing network communication requests to be sent prior to the ‘Network Location Awareness’ service starting


Session Latency

UPADTE 26/02/2010: I thought I would streamline this article, incorporating an additional troubleshooting step from another article in the cb-net archives.

Symptoms: Slow responses when entering text into applications. Refresh of application GUI appears slow, menus etc appear ‘sluggish.’

To Diagnose: Use the Metaframe Servers SDK (MFCOMSDK) v2.3 tool; smcconsole.exe. Using this tool you can view individual sessions bandwidth utilisation and latency.This tool is incredibly useful when troubleshooting issues regarding session performance. Session latency can also be viewed using the WMI performance counters for ICA Session that are installed when Citrix is installed on a Windows Server.

SolutionWhen troubleshooting my issues I was receiving figures of 27000ms (yes, 27 seconds!).

Common causes of high latency are:
  Ø Network topology issues including port mismatches
  Ø MTU issues
  Ø Link saturation / QoS misconfiguration

I have seen latency figures as high as 27,000ms (yes, 27 seconds!) due to NIC / switch port mismatches.


Speed Screen Configuration

Symptoms:  Slow responses when entering text into applications

Solution: An often overlooked setting is Speedscreen. Speedscreen will significantly improve the speed at which applications appear to respond to text input from a thin user. You should configure speed screen and replicate settings across the server farm. For instruction see this link:



Virtualised Servers

UPDATE: 28/01/2012

Symptoms: Generally slow performance of virtualised Citrix servers, especially on AMD ESX/ESXi virtualisation platforms. I had similar issues with physical servers which had been converted to virtual servers.

Solution: For AMD RVI deployments beware that on Windows 2003 Hardware-assisted MMU virtualisation (AMD RVI) will not automatically be enabled. This is because of performance related issues in versions of Windows 2003 prior to Service Pack 2. I would suggest that any VM running Windows 2003 SP2 or newer should have hardware MMU manually enabled if your virtualisation platform supports it. You can confirm that Hardware-assisted MMU virtualisation is in use by viewing you vmware.log file that is stored alongised the vmx file, look for virtual exec = ‘hardware’; virtual mmu = ‘hardware’

Less is more; just because your old platform had 4 physical CPU’s, or even more, doesn’t mean that the virtualised platform will perform better. I’ve run 50 users on a single VM with 4GB RAM and 2vCPU’s – performance was good!  Also check the %RDY and MLMTD values for you Citridx VM’s in esxtop; these counters can help identify CPU contention or limits that are affecting VM performance. %RDY should always be below 10-15% higher than this and it’s likely you have an over subscribed host – try reducing physical to virtual CPU ratio’s first. With regard to MLMTD; this should be carefully considered – if this has a value it means that ESX is limiting resources to your VM due to limits you have set (i.e. CPU MHz limits). Further ESX/ESXi performance troubleshooting steps can be found here: http://www.cb-net.co.uk/vmwareesxi-articles/32-performance/61-vmware-troubleshooting-vm-performance