Able to start apps with domain admins but not domain users

Started by Paul Jewell , 17 March 2017 - 02:20 PM
9 replies to this topic


Paul Jewell Members

Paul Jewell
  • 5 posts

Posted 17 March 2017 - 02:20 PM

Hello All, 

 

First time asking for help here, so please excuse the lack of information. I will provide whatever else is needed on request.

 

I am a developer attempting to get familiar with Citrix XenApp offerings. I have started using the developer license for my testing. I have two machines, both Windows Server 2012 R2. One is an Active Directory DC where I have created a new forest. The second machine is joined to the Active Directory domain and is where Citrix Studio is installed. I have gone through most of the standard procedure and now I have an app available in StoreFront.

 

Everything worked well when I used the domain admin account, then I tried to add a second account to Active Directory and use that. I was able to log into StoreFront with the second account, but starting the app from StoreFront froze at "Please wait for the local session manager" for a while and then vanished.

 

- Adding the user to the "Remote Desktop Users" group had no effect.

- Adding the user to the "Domain Admins" group fixed the issue completely, but this is not desirable because I do not want them to have admin privileges.

- In the system event log on the application server (where Citrix is installed) I see two events at the time when the app was started "from: Tdlca": "The Citrix ICA Transport Driver has received a connect request from 10.0.0.70:59561" and "The Citrix ICA Transport Driver connection from 10.0.0.70:59561 has been closed." No other errors appear there.

 

Can anyone help me fix this issue, so that regular domain users would be able to use the apps?

 

Thanks, 

-Paul

 

 



George Spiers Members

George Spiers
  • 204 posts

Posted 18 March 2017 - 12:18 PM

Sounds like a permissions issue, where the user cannot start the app due to lack of permissions.

 

Where is the app hosted? On a file share or installed on a XenApp server (VDA)?



Paul Jewell Members

Paul Jewell
  • 5 posts

Posted 18 March 2017 - 04:03 PM

Hi George, 

 

Thanks for the follow up. The app is installed locally on the XenApp Server. 

 

Thanks, 

-Paul



George Spiers Members

George Spiers
  • 204 posts

Posted 18 March 2017 - 04:51 PM

OK - try an RDP or console session on to the XenApp server and launch the application as a standard user. You'll get more indication of what the problem is.



Paul Jewell Members

Paul Jewell
  • 5 posts

Posted 20 March 2017 - 07:58 PM

Hey George, 

 

I appreciate it, sorry for the delayed response!

 

Trying to log in over RDP with a user without admin access, the authentication succeeds and I see a Windows loading screen/spinner, but after two or three seconds the RDP session disconnects with no error message. In the event viewer on the server I see one relevant message:

 

"Non-brokered RDP Connection request denied because the user, <redacted>, is not in the Direct Access Users group."

 

I have gone to Active Directory and added the user to the "Direct Access Users" group, but the same error message persists. Also, if I add the user to the Domain Admins group, I am able to RDP in successfully.

 

Appreciate whatever advice you can provide. 

 

Thanks, 

-Paul



George Spiers Members

George Spiers
  • 204 posts

Posted 20 March 2017 - 08:46 PM

Check the local server users and groups.

Double-click the Remote Desktop Users group, add the user to that group and test.

If the user is already a member of that group, launch gpedit.msc on the VDA.

Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services. Check who is on the allowed list.
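
The checks described in the post above, as an added PowerShell example that is not part of the original thread: it lists the members of the two local groups named in this thread and reads the "Allow log on through Remote Desktop Services" right (`SeRemoteInteractiveLogonRight`) from a `secedit` export, flagging an over-broad "Everyone" entry. It assumes an elevated session on the VDA; the temporary file name is arbitrary.

```powershell
# Added example: run elevated on the VDA / XenApp server.
# Group names are the ones mentioned in the thread.
$groups = 'Remote Desktop Users', 'Direct Access Users'

foreach ($name in $groups) {
    Write-Output "Members of local group '$name':"
    try {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            # ADsPath keeps the domain prefix, e.g. WinNT://DOMAIN/user
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        if ($members) { $members | ForEach-Object { Write-Output "  $_" } }
        else          { Write-Output '  (no members)' }
    } catch {
        Write-Warning "Could not read group '$name': $($_.Exception.Message)"
    }
}

# Export only the user-rights section of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # arbitrary file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $match) {
    Write-Warning 'SeRemoteInteractiveLogonRight is not assigned to anyone.'
    return
}

Write-Output 'Allow log on through Remote Desktop Services:'
$entries = ($match.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
foreach ($entry in $entries) {
    $sid = $null
    $account = $entry
    if ($entry.StartsWith('*')) {
        # secedit writes SIDs with a leading '*'; resolve them to account names.
        $sid = $entry.TrimStart('*')
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }
    }
    Write-Output "  $account"
    if ($sid -eq 'S-1-1-0') {
        Write-Warning 'Everyone holds the RDP logon right; remove it once debugging is done.'
    }
}
```

A standard user needs to appear in the output through a group that holds the right; membership in Domain Admins is not required for that.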



Paul Jewell Members

Paul Jewell
  • 5 posts

Posted 23 March 2017 - 02:41 PM

Hi George, 

 

By 'check the local server users and groups', I assume that you mean the server where Citrix and the application are installed? Proceeding on that assumption, I opened the Remote Desktop Users group and added the user; this had no effect either.

 

By 'VDA' I assume you mean the same server, where the app and Citrix are installed. Here in the specified key there are three items: "Administrators", "Remote Desktop Users", "Everyone". (I think that I added "Everyone" as a debugging step before I posted this thread.)

 

If on this same application server / Citrix server I add the user to the "Direct Access Users" group, I can then log into the remote desktop, but it still hangs on "Please wait for the local session manager" with Citrix. Now it is getting somewhere though, because in the event viewer on the app server I see "No connection license available. To resolve, free licenses by closing sessions that are not needed, or add more licenses." I tried rebooting the app server to see if it would free up licenses if there were any hanging connections or something, but the same error is presented. It also does not make sense that Citrix would be fine working without licenses if the user is an administrator, but not if the user is a general user. (?)

 

I have added the development / evaluation licenses from the Citrix website, but I would not rule out that I might have done something wrong in the process. In the licensing page of Citrix Studio I can see three licenses "Citrix xenapp Platinum / Advanced / Enterprise" of type "Evaluation" with expiration "6/14/2017" listed.

 

I also have an issue with the fact that I needed to add the user to the local group 'Direct Access Users' and not only to the 'Direct Access Users' group on the AD controller. This seems to imply that I would need to go around adding the user to this group on every Citrix VDA server, which is not maintainable.

 

Not sure if you can make heads or tails of any of this, but let me know what other information you may need. 

 

Thanks, 

-Paul



George Spiers Members

George Spiers
  • 204 posts

Posted 23 March 2017 - 07:10 PM

You could publish, say, Notepad and see if that launches through Citrix. You can also use Group Policy to add users to the Direct Access Users group on the Citrix server.

Open Citrix Studio and make sure licenses are available. I am gathering that you have installed all Citrix roles on a single server?

Having all your components AND the application on the one server might be the cause of your problems. I'd recommend deploying a third server and moving the application and VDA software to that machine.


Best Answer

Paul Jewell Members

Paul Jewell
  • 5 posts

Posted 27 March 2017 - 02:57 PM

Hi George, 

 

Thanks for the helpful advice. I think that the problem turned out to be quite silly, at least from my findings today. Under the licensing page in Citrix Studio, I had installed the licenses but under 'edit product edition' it was set to XenDesktop instead of XenApp! After changing this, the aforementioned problems seem to be solved.

 

It was still kind of misleading that the administrative user could use the product and the regular user could not while it was unlicensed, but oh well. 

 

Thanks again for all of your suggestions and help!

 

-Paul



George Spiers Members

George Spiers
  • 204 posts

Posted 30 March 2017 - 06:47 PM

Thanks for the update, Paul, glad you got it sorted.