Sunday, August 25, 2013

Citrix Xenapp Logon Process Through Web Interface

This can be confusing when logging in through a Web Interface that is configured to “Authenticate at the Web Interface”. First of all, that is not what the setting means: when it is selected, you are actually authenticated at the XML broker. Whether you are troubleshooting slow logins or trying to configure the optimal architecture for faster logins, knowing the Citrix logon process can be helpful. Here is the process flow as we see it, and how it works:

1). Enter credentials at the Web Interface
2). Web interface reaches out to the XML broker, and passes the credentials
3). XML broker reaches out to an AD Domain Controller, and authenticates the credentials.
4). After being authenticated, user can request an ICA file for application launch
5). The best server will be selected based on load evaluators
6). Best server will respond back to the web interface with ICA file
7). ICA file is passed from Web Interface to client machine
8). Client machine is connected over ICA to given Xenapp server
9). Xenapp server confirms the RDS/TS License is in order
10). AD is queried for roaming profile information
11). Roaming profile is downloaded to the Xenapp server
12). Xenapp server checks with Citrix license server to make sure licensing is in order
13). Microsoft GPOs get applied
14). Citrix policies get applied
15). User’s “Startup” folder gets executed, launching logon scripts, etc.
16). Application / Desktop launches.

Friday, August 23, 2013

Ten printing rules with Citrix XenApp

The Ten Printing Rules
  1. Since Presentation Server 4.0 (CPS 4.0) use the Citrix Universal Printer Driver based on EMF for client printers, especially with Windows Clients.
    User Policy\ICA\Printing\Universal Printing = Use universal printing only
  2. Client network printer (network printer connected to the client) should also be mapped by EMF and the print output should go through the client in indirect mode.
    User Policy\ICA\Client Printers\Direct connections to print server = Disabled
  3. The print server should always be located in the same network as the XenApp server, especially when the printers are in a WAN location such as a branch office. This applies when printing does not go through the ICA connection (see point 2).
  4. Once Citrix has released the Universal Print Server (UPS), which is expected by the end of 2011, only use the UPS to connect to printers located on the print server.
  5. Set Microsoft group policies to disallow Point and Print (P2P), to use print driver isolation, to disallow kernel-mode drivers and to render jobs on the print server.
    Computer Configuration\Policies\Administrative Templates\Printers
    • Always render print jobs on the server
    • Execute print drivers in isolated processes
    • Point and Print Restrictions (set to localhost)
    • Disallow installation of printers using kernel-mode drivers

    See also:
    • How to Restrict Print Drivers From Being Installed on XenApp Servers Hosted on Windows Server 2008/R2: http://support.citrix.com/article/CTX128786
    • How to Restrict Print Drivers from Being Installed on XenApp Servers: http://support.citrix.com/article/CTX120618
  6. Set Citrix user policies to avoid unwanted in-box printer drivers.
    User Policy\ICA\Printing\Automatic installation of in-box printer drivers = Disabled

    ----- If you cannot use the Citrix universal print driver -----
  7. Always use the Microsoft native printer drivers that come with the operating system first.
  8. When you use 3rd party printer drivers (HP, Lexmark, Xerox etc.), test them first with StressPrinters and make sure the spooler doesn't crash.
  9. Do not use 3rd party printer drivers with print monitors; try to get drivers without monitors, or disable/remove the monitors.
  10. From experience, avoid PCL6 printer drivers if you have to use 3rd party printer drivers.
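
One way to confirm that the rule 5 group policies actually reached a XenApp server, as an added example that is not part of the original post: it reads the registry values written by the driver-isolation, kernel-mode and Point and Print settings. The value names and the HKLM location (Computer Configuration) are assumptions taken from the Windows administrative templates rather than from this page.

```powershell
# Added example: audit the rule 5 printer policies on the local server.
# Assumption: the GPO is applied under Computer Configuration, so values are in HKLM.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp      = Join-Path $printers 'PointAndPrint'

$checks = @(
    @{ Setting = 'Execute print drivers in isolated processes'
       Path = $printers; Name = 'PrintDriverIsolationExecutionPolicy'; Want = 1 },
    @{ Setting = 'Disallow installation of printers using kernel-mode drivers'
       Path = $printers; Name = 'KMPrintersAreBlocked'; Want = 1 },
    @{ Setting = 'Point and Print Restrictions: enabled'
       Path = $pnp; Name = 'Restricted'; Want = 1 },
    @{ Setting = 'Point and Print Restrictions: only listed servers'
       Path = $pnp; Name = 'TrustedServers'; Want = 1 },
    @{ Setting = 'Point and Print Restrictions: server list'
       Path = $pnp; Name = 'ServerList'; Want = 'localhost' }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy is not configured on this server.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    $state = if ($null -eq $value) { 'NOT CONFIGURED' } elseif ($value -eq $c.Want) { 'OK' } else { 'MISMATCH' }
    New-Object PSObject -Property @{
        State = $state; Setting = $c.Setting; Value = $value; Expected = $c.Want }
}

# Anything other than OK means the server can still pick up drivers outside the policy.
$results | Select-Object State, Setting, Value, Expected | Format-Table -AutoSize
```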


Q&A

Q: What can happen when using 3rd party printer drivers?
A: If you are lucky, nothing, but you might see a print spooler crash, delayed logons, stuck logons or, at worst, a blue screen of death (BSOD), i.e. a server crash.


Q: Why only use the Citrix EMF universal printer driver?
A: With Windows Clients, EMF actually uses the local client printer driver with all capabilities.



Q: What about non-Windows (MAC, Linux...) clients?
A: Non-Windows clients cannot use EMF and automatically fall back to a Universal Printer Driver (UPD) based on a color laser printer but will not give all capabilities the client printer driver might have.



Q: Why not use HP Universal Printer Driver?
A: The HP UPD should only be used for network printers mapped to the XenApp server, and only until UPS is released. With the HP UPD, make sure you use at least version 5.x and printer isolation, since the driver has been buggy in the past.

Q: What is printer isolation good for?
A: As the name says, it isolates the printer driver and therefore protects the spooler from crashing. So if the driver is buggy, the isolated process might fail, but the driver will not crash the spooler service.



Q: Why disable Point and Print (P2P)?
A: P2P automatically installs printer drivers without you really knowing it. That can be very dangerous because you might spread a bad driver to all servers in your farm.



Q: Why should a print server be close to a XenApp server and not located in a branch office over WAN?
A: Especially with Office 2010, printers are enumerated "live", which might take a long time over a WAN. The XenApp server would also make RPC calls over the WAN to the print server, which is very slow and sluggish.



Q: Why avoid PCL6 printer drivers?
A: There is no technical reason but experience from the field has shown the PCL6 driver to cause several issues.

Q: What is the Citrix Universal Print Server (UPS)?
A: It's an upcoming printing component, hopefully released by the end of 2011. In short, UPS has two parts: the print server service (which you install on the print server) and a client service (UPC) that will be installed on the XenApp server. Network printers between the print server and XenApp will then also be mapped with Citrix EMF, and therefore no printer driver needs to be installed on the XenApp server! UPS is highly secure, optimized and even allows firewall traversal. UPS uses the Citrix Common Gateway Protocol (CGP), and the UPC will be included in future XenApp releases.

Troubleshooting Citrix ICA Printer Autocreation

Summary
This document describes steps for troubleshooting printer autocreation issues with locally defined, physically attached, or network printers.
While some of the ideas in this document apply to imported network printers, troubleshooting that issue can be significantly different than the autocreation of locally defined workstation printers. Refer to CTX881017 - Troubleshooting Imported Network Print Servers with XenApp.
For Universal Print Driver (UPD) troubleshooting information, refer to the following documents:
• CTX089874 – Troubleshooting and Explaining the Citrix Universal Print Driver
• CTX105158 – Troubleshooting Citrix ICA Printing - Quick Reference Guide
• CTX107137 – Troubleshooting Printing Problems In Presentation Server 4.0.
Procedure
To troubleshoot printer autocreation, follow these steps:
1. In Citrix Connection Configuration, double-click the ICA listener port, select the Client Settings button, and ensure Connect client printers at logon is selected. For Presentation Server 4.5 and later, configure these settings using the Terminal Services Configuration tool.
2. Ensure that the following check boxes are not selected under the Client Settings area:
    • Disable Windows Client Printer Mapping
    • Disable Client LPT Mapping
Both of these settings prevent client printers from being autocreated on the system, and prohibit the client printer from being manually added during the session.
CTX104693 – "Client Printer mapping" and "Client LPT Port mapping" are Grayed Out in ica-tcp Listener
3. If Inherit User Config is selected in step 1, ensure that Connect client printers at logon is selected in the UserConfig button for each user account within User Manager for Domains or the Environment tab within Active Directory Users and Computers/Computer Management-Local Users and Groups (for Active Directory 2000, 2003).
In Active Directory 2008, open the Server Manager utility and expand the Configuration node. From there you can manage your users and groups.
4. From the client machine:
a. Make a custom ICA connection directly to the server desktop and log on.
b. Open the printer folder inside the ICA session.
c. Add Printer > Network printer and expand Client network.
d. Select Client printer and try to Add.
e. The result may indicate:
5. Current Microsoft RDP clients allow for the creation of printers. While the RDP does not use the Citrix Client Network Service, as a test, log on with the RDP client. This might help in determining if there is an underlying operating system or permission issue.
6. Ensure the latest compatible driver for its operating system is installed on the client computer. On the Citrix server, install the latest compatible driver for the base operating system (Windows 2000 Server, Windows Server 2003, or Windows Server 2008). This is accomplished by installing a "phantom" printer on the server console. After the printer has been created it can be deleted from the print manager. The driver itself and registry references to the driver remain. You must verify what drivers have been installed on the server in step 7 below. In Windows 2000 Server, Windows Server 2003, and Windows Server 2008, right-click in the white space in the Printers folder, go to Server Properties, and select the Drivers tab.
A printer driver that is compatible with Windows 2000/2003/2008 is not necessarily compatible with the corresponding version of Terminal Server. Installing incompatible drivers might cause crashes (for example, see Microsoft TechNet articles Q191666 and Q249917 with respect to Lexmark drivers), spooler CPU spikes, hangs, print jobs failing to print, and autocreated printers might fail to delete upon log off (one possible cause of this is the lack of an Autocreated Printer definition inside the printer properties comment field).
Issues of this type should follow the recommendation in TechNet article Q135406 to remove the suspect driver from the system and to use the management console (which is known as the Advanced Configuration utility in XenApp and the Presentation Server Console in Presentation Server) to configure exclusions, manual print driver mappings, or to exclusively use the UPD. Syntax, spacing, and capitalization between the quotes within the manual mapping process are critical. A substituted print driver might limit the available printer functionality inside an ICA session with respect to the non-native driver.
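
To verify which drivers are installed on the server without clicking through Server Properties, the inventory can be scripted. This is an added example, not part of the original article; it uses the WMI class Win32_PrinterDriver and flags the driver traits that the ten printing rules earlier on this page warn about (kernel-mode drivers, print monitors, PCL6).

```powershell
# Added example: list installed print drivers and flag risky ones.
# Win32_PrinterDriver.Name has the form "DriverName,Type,Environment",
# e.g. "Some Driver,3,Windows x64" (type 3 = user mode, type 2 = kernel mode).
$report = Get-WmiObject -Class Win32_PrinterDriver | ForEach-Object {
    if ($_.Name -match '^(?<drv>.+),(?<type>\d+),(?<plat>[^,]+)$') {
        # Copy the captures first: the -match further down overwrites $Matches.
        $drv      = $Matches['drv']
        $type     = [int]$Matches['type']
        $platform = $Matches['plat']

        $flags = @()
        if ($type -lt 3)            { $flags += 'kernel-mode/legacy driver (rule 5)' }
        if ($_.MonitorName)         { $flags += "print monitor '$($_.MonitorName)' (rule 9)" }
        if ($drv -match 'PCL\s?6')  { $flags += 'PCL6 driver (rule 10)' }

        New-Object PSObject -Property @{
            Driver   = $drv
            Type     = $type
            Platform = $platform
            Flags    = ($flags -join '; ')
        }
    }
}

# Flagged drivers first; an empty Flags column means none of the checks matched.
$report | Sort-Object Flags -Descending |
    Select-Object Driver, Type, Platform, Flags |
    Format-Table -AutoSize -Wrap
```

Run it on each XenApp server in the farm and compare the output; a driver that appears on only some servers is a candidate for the exclusions or manual driver mappings described above.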