  • 0

IE11 on 2012R2 VDA - user registry hive not saved


Stefano Losego1709152505

Question

Hi all,

 

I've a strange behavior with XA 7.6 and a 2012R2 VDA.

I was able to reproduce the issue in a clean lab environment installed from scratch.

 

The environment:

(domain w2012r2 level, 1 dc)

1 server with ddc 7.6, storefront, db (sql express) - w2012r2

1 server with vda 7.6, terminal server, w2012r2

 

Standard Windows patches (updated as of January 2015), no Citrix hotfix in place.

 

The issue:

When a standard user opens IE11 and sets a personal home page, this is not retained after a graceful logoff and login. Digging in more detail, I've seen that the registry hive:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

is correctly filled during the session, but when the user logs off the registry is not written into NTUSER.DAT.

 

For troubleshooting purposes, the user profile is not configured / managed (local profile) and there is NO policy at all in the lab, nor antivirus.

 

Please note:

I've verified that with a Windows 2012R2 server with RDS roles the issue does NOT occur, so I suppose it is something related to Citrix (UPM?).

I've also disabled (via services) the Citrix UPM but no change.

 

Anyone with same issue with IE11 on 2012R2?

I've read something similar:

http://discussions.citrix.com/topic/357284-ie11-on-2012-r2-roaming-usernames-and-passwords/

but at the moment I've not verified if I have the same problem too.

 

Any help is appreciated!

Thanks

Stefano

 

 

Link to comment


  • 0

Hi Martin,

 

Unfortunately no.

I've opened a case with Citrix support, but still no solution/workaround.

Meanwhile I've updated UPM to v5.2.1, but it did not resolve the problem - strangely you don't find this update under the support/hotfix section, but under XenApp 6.5 -> component update after feature pack 2 -> profile management 5.2.1

 

http://www.citrix.com/downloads/xenapp/components/xenapp-component-updates-after-xenapp-6-5-feature-pack-2-enterprise.html

 

It seems to be a bug related to UPM; hope Citrix will fix it soon!

I'll post any update on this case.

 

regards,

Stefano

Link to comment
  • 0

Well I have tried installing the VDA without UPM using some switches and this doesn't seem to have helped which is disappointing.

 

Useful information, as I thought that was UPM's fault....

What installation switch did you use to install VDA without UPM? As soon as I can I'll try this in my own lab.

About your previous question (VDA version): we started to see the issue with VDA 7.5, then updated to 7.6, with the same behavior.

Link to comment
  • 0

I tried VDA 7.0 but it just caused endless reboots on server 2012 R2 - maybe not compatible?

Getting same problem with VDA 7.5 and 7.6

 

I used the following switches....

 

VDAServerSetup.exe /components vda /exclude "Citrix User Profile Manager"

 

which I took from this website....

 

http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-install-standalone-vda.html?_ga=1.15128830.93541086.1411463461

 

I tried using all the switches in the article but didn’t get anywhere, so just used fewer switches and completed setup with the GUI

 

I downloaded VDAServerSetup.exe from MyCitrix download section

 

After install there was no UPM folder in program files, so I was hopeful but still have this problem

 

I don’t understand how this issue isn’t more widespread on the web

Link to comment
  • 0

Hi all,

 

We have a possible workaround from Citrix; unfortunately, it requires the recreation of the user profile, so if your environment is already in production with configured profiles, maybe you don't want to lose them all - but for a new environment it could be a solution.

Long story short, you have to modify the default user profile, adding the key "Main" in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer.

To do so please follow the steps outlined below. Please make a backup of the registry beforehand in case of any issues and we are required to roll back.

The location from which new profiles copy their registry settings is %SYSTEMDRIVE%\Users\Default\NTUSER.DAT; we need to edit this and add the key mentioned above.

 

1.       Launch Regedit as Administrator, navigate to HKEY_USERS and left click

2.       Go to the File menu and select 'Load Hive'

3.       Browse to %SYSTEMDRIVE%\Users\Default\NTUSER.DAT , select and give it any name e.g. Default Profile

4.       Once loaded browse to the new registry hive, expand and add the following key HKEY_USERS\Default Profile\Software\Microsoft\Internet Explorer\Main

5.       Once completed go to File, Unload Hive and the changes will have been saved

 

Note that the steps outlined above are configured locally so should be implemented on the server that the new user will be logging into initially i.e. if using UPM you want the initial login to take place on the server that has the above configuration in place so that the profile uploaded to the UPM profile share has this setting in place.

Or, you can configure via UPM policies a Default user profile to load from a network share.

 

Again, please note that changes will only take effect for new profiles created from this modified Default profile.

 

 

We asked Citrix for an 'ETA' for a fix but we still don't have one.

 

Hope this helps,

bye

 

Ste

Link to comment
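The Regedit steps in the post above can also be scripted; this is an added example, not part of the original post and not a script supplied by Citrix. The mount name `DefaultProfileTemp` and the backup file name are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the Load Hive / add key / Unload Hive steps.

$hiveFile  = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$mountName = 'DefaultProfileTemp'    # hypothetical temporary name under HKEY_USERS
$mountKey  = "HKU\$mountName"
$mainKey   = "$mountKey\Software\Microsoft\Internet Explorer\Main"

# Back up the hive file first: it seeds every new profile created on this server.
$backup = '{0}.bak-{1:yyyyMMddHHmmss}' -f $hiveFile, (Get-Date)
try   { [System.IO.File]::Copy($hiveFile, $backup, $false) }
catch { throw "Backup of $hiveFile failed, nothing was changed: $_" }

# reg.exe is used for every registry operation so that no PowerShell registry
# provider handle stays open on the hive, which would make the unload fail.
& reg.exe load $mountKey $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hiveFile (exit code $LASTEXITCODE)" }

try {
    # reg query exits with 0 when the key exists and non-zero when it does not.
    & reg.exe query $mainKey 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Key already present: $mainKey"
    }
    else {
        & reg.exe add $mainKey /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not create $mainKey" }
        Write-Output "Created: $mainKey"
    }
}
finally {
    # Always unload, even after an error, so the default hive is not left mounted.
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Hive still loaded at $mountKey; close Regedit and unload it manually."
    }
}
```

As the post says, only profiles created after the change pick up the key, so the result is checked by logging on with a user that has no existing profile.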
  • 0

I have implemented this and from my testing it works great. The homepage now works, but I haven't tested the saving password issue.

Very weird issue and you can see why it's a problem. If you open up the ntuser.dat in the registry on a Windows 7 machine, the reg key already exists, but in 2012 R2 it doesn't, and creating it seems to fix it - very odd

Link to comment
  • 0

Hey Danny,

 

We had the same issue with passwords and managed to fix this for us. Within Citrix UPM we did the following.

 

 Directories to Synchronise,

 

AppData\Local\Microsoft\Credentials
AppData\LocalLow\Sun\Java\Deployment\security
 
Folders to Mirror
 
AppData\Local\Microsoft\vault
 
Process internet cookies on logoff
 
Enabled
 
Our users' passwords are now saved and follow them around. Server reboots happen every 2 days with us and users' passwords are kept.
 
Thanks
 
Clinton.
  • Like 1
Link to comment
  • 0

Hi,

 

I can confirm none of the above are saving password in "Manage your credentials" - "Web Credentials"

Is this really something that is caused by Citrix UPM? It seems the whole credential manager has changed with Windows 8.1/Windows 2012R2. Anyway, this ruins our whole setup, since we have an environment where it's absolutely a requirement that users can save their passwords inside IE11. It's working only on the current VDA once inside, but upon rebooting or logging onto another VDA, all credentials are gone. I don't really see why you are saying that it's working with the above solutions, because it doesn't.

Maybe I'm misunderstanding the whole scenario, but Web Credentials are not working for roaming to a central location with Citrix UPM. And I believe it's the same when running normal Microsoft roaming profiles.


Link to comment
  • 0

Hi Anders,

 

For me to get this to work, I first did the work around as mentioned by Stefano, I then was experiencing correct saving of passwords including logging off and back on to a single server.  However when this server rebooted it lost the password save.

 

I then changed UPM profile settings as per Clinton's suggestions and tested with success not only via a single server but then over the Citrix Farm and upon reboot of the servers.

 

The only thing I can think that might be the issue is did you re-create the profile after making the change to the Registry Hive?

 

Cheers
Danny

Link to comment
  • 0

Hi Danny,

 

I only did the changes I listed above on the UPM. I have not adjusted the NTUser.dat as mentioned in the other post. 

 

Hi Anders,

From what I could see, the web credentials are saved in the Microsoft Vault, and if I mirrored that folder using UPM it would copy the folder out with my profile when I logged off. Along with the other settings I mentioned above in my post I was able to get the passwords to save across servers, including reboots. Danny mentioned he got it working as well, so this would mean something might not be correctly set in your environment.

 

I am sure you will get it working soon.

Link to comment
  • 0

Awesome info Clinton.

 

I'm trying your suggestion on a customer site where they are experiencing this issue. However I would suggest it needs to be synchronized and not mirrored. Mirroring is for transactional folders, which I understand the "Windows Vault" is not.

 

With IE11 you need to "roam" the "Windows Vault" (%AppData%\Local\Microsoft\Vault).

 

It's already a best practice to synchronize the following directories:

- !ctx_localappdata!\Microsoft\Credentials
- AppData\LocalLow\Sun\Java\Deployment\security
 
I've now added the "Windows Vault" to this and we'll see how it goes:
- !ctx_localappdata!\Microsoft\Vault

 

Setting the "Process internet cookies on logoff" policy to Enabled is not required on IE10 or later, but it doesn't do any harm to leave it set. When referencing Cookies, you also set the following folders to mirror:

 

- !ctx_localappdata!\Microsoft\Windows\INetCookies
- !ctx_localappdata!\Microsoft\Windows\WebCache
- !ctx_roamingappdata!\Microsoft\Windows\Cookies
 
That's documented here:
- http://support.citrix.com/proddocs/topic/user-profile-manager-5-x/upm-manage-cookies.html

 

Anders, if synchronizing or mirroring the Windows Vault doesn't work for you, can you clear the profile and try again? I am wondering if the “%AppData%\Local\Microsoft\Credentials” and “%AppData%\Local\Microsoft\Vault” need to be in sync with each other?

 

Cheers,

Jeremy
Link to comment
  • 0

Hi Jeremy,

 

Hope it works for you at the client site. I helped a colleague at another customer with the settings and he reported success. 

 

We used Mirroring after testing and speaking to a few friends within Citrix themselves, who additionally recommended mirroring. When it comes to stuff like this, I don't feel there is a right or wrong. If it works and solves your client's problem that is a good outcome.

Also in our case we are able to get away with not mirroring the netcookies, webcache and Cookies; it allows us to save a lot of space on the users' profiles and no user complaints yet a few weeks into the change.

 

I think you are right about the credentials and vault needing to be in sync with each other.

 

Cheers

 

Clinton.

Link to comment
  • 0
Hi Clinton and All,

 

Based on the fact that you've been dealing with Citrix representatives, I've changed it back to mirroring.

 

Further testing has found that the “AppData\Local\Microsoft\Vault” folder and the “4BF4C442-9B8A-41A0-B380-DD4A704DDB28” subfolder are not consistently created. My customer manually created the folder structure, and was then able to save credentials. You can track this with Sysinternals Process Explorer. It will give you the error “PATH NOT FOUND” when trying to save web credentials. Kudos to my customer for discovering that.

 


 

Here he created a login script. I’ve simplified it.

 

IF NOT EXIST "%LOCALAPPDATA%\Microsoft\Vault" MD "%LOCALAPPDATA%\Microsoft\Vault"

IF NOT EXIST "%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28" MD "%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28"

IF NOT EXIST "%LOCALAPPDATA%\Microsoft\Vault\UserProfileRoaming" MD "%LOCALAPPDATA%\Microsoft\Vault\UserProfileRoaming"

 

You'll also notice the reference in that thread to the "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" key. This leads me to the reference to it on page 1 of this thread to create the “HKEY_USERS\Default Profile\Software\Microsoft\Internet Explorer\Main”. Perhaps there is a timing issue, sometimes referred to as a race condition or deadlock, i.e. the key structure is missing when it looks to create the “vault” folder. Not sure yet, haven't looked that deep. Just thinking aloud as there was no substance to their instruction.

 

Rens Hollanders from RES has some further paths documented that we should also be considering: http://renshollanders.nl/2014/10/res-workspace-manager-save-ie-and-windows-credentials/

 

In fact testing across different Operating Systems seems to have a slightly different variation of where things are stored. Then try different versions of Office and it gets weirder. The last response in this thread is interesting in relation to the different builds of Office365: http://www.reddit.com/r/sysadmin/comments/2wbhm8/outlook_and_exchange_online_does_not_support/. I wonder if this relates to Office 2013 too?

 

But also look at the second last response in that thread that talks about VMware View.

 

So I think to cover all bases you need to make sure the following folders are "managed".

%APPDATA%\Microsoft\Vault

%APPDATA%\Microsoft\Credentials

%APPDATA%\Microsoft\Protect

%APPDATA%\Microsoft\Crypto

%LOCALAPPDATA%\Microsoft\Credentials

%LOCALAPPDATA%\Microsoft\Vault

 

And be aware of the following registry keys:

IE Forms AutoComplete (if enabled): HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1

IE Password AutoComplete (if enabled): HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

 

And perhaps even load the hive from the default profile and create the “HKEY_USERS\<Default Profile>\Software\Microsoft\Internet Explorer\Main” key.

 

In all my deployments I do not redirect AppData (Roaming). I leave it as part of the UPM profile. I also have Profile Streaming enabled. Have thought about disabling it, but there is no evidence. And I’m using UPM 5.2.0 and 5.2.1 for testing.

 

It would seem as though there is not a lot of great information known about this process. Microsoft have certainly muddied the waters with all the variations.

 

So at the end of the day I believe this is a Microsoft issue to resolve, and we can only do our best to manage it by including everything possible in our profile mechanism of choice. Furthermore, it doesn’t hurt to run the suggested login script to ensure the “%LOCALAPPDATA%\Microsoft\Vault” folder structure is always created!

 

Hope this thread gets some further discussion.

 

Cheers,

Jeremy

  • Like 2
Link to comment
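A read-only check of the locations listed in the post above, run as the logged-on user on a VDA, shows which of them actually exist in the session before and after a logoff or reboot. This is an added example, not part of the original post; the function name `Get-CredentialStoreStatus` is hypothetical.

```powershell
# Added example: report which folders and registry keys named in the post exist
# for the current user. It only reads; it creates and changes nothing.
function Get-CredentialStoreStatus {
    $folders = @(
        "$env:APPDATA\Microsoft\Vault"
        "$env:APPDATA\Microsoft\Credentials"
        "$env:APPDATA\Microsoft\Protect"
        "$env:APPDATA\Microsoft\Crypto"
        "$env:LOCALAPPDATA\Microsoft\Credentials"
        "$env:LOCALAPPDATA\Microsoft\Vault"
        # Subfolders the post's login script creates when they are missing
        "$env:LOCALAPPDATA\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28"
        "$env:LOCALAPPDATA\Microsoft\Vault\UserProfileRoaming"
    )
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer'
    $keys  = @("$ieKey\Main", "$ieKey\IntelliForms\Storage1", "$ieKey\IntelliForms\Storage2")

    foreach ($path in $folders) {
        $exists = Test-Path -LiteralPath $path -PathType Container
        # -Force includes hidden and system files, which these stores use.
        $count = 0
        if ($exists) {
            $count = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{ Type = 'Folder'; Path = $path; Exists = $exists; Entries = $count }
    }

    foreach ($key in $keys) {
        $exists = Test-Path -LiteralPath $key
        # For a registry key, Entries is the number of values stored under it.
        $count = 0
        if ($exists) { $count = (Get-Item -LiteralPath $key).ValueCount }
        [pscustomobject]@{ Type = 'RegKey'; Path = $key; Exists = $exists; Entries = $count }
    }
}

Get-CredentialStoreStatus | Format-Table -AutoSize
```

Comparing the output from two servers after saving one web credential shows whether the Vault folder structure was created and whether its contents followed the user.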
  • 0

Hi,

Just want to confirm that the environment is now working.

In fact it was mirroring including creating the login script that finally solved it and got it working.

Now the VDA hosts can be restarted on a daily basis and users can log in through all servers, and the autocomplete and passwords are hanging by.

Thanks a lot all for contributing, was trying Google Chrome. But it seems Chrome does not support multiple sessions among the same users on the same servers. We have an environment where the same user can log on from up to 10 different machines.

 

BR Anders

Link to comment
