Tuesday, August 28, 2012

Citrix pass-through and NTLM

When using Citrix pass-through on the web interface with Kerberos authentication, everything seems to work very well at first.
But then you might discover that some of your applications running on the XenApp server depend on NTLM for authentication.
This is where the fun part starts: how do you disable Kerberos, and only for the applications started from the XenApp server?
What worked for us in the lab is to edit the local file c:\Program Files (x86)\Citrix\ICA Client\WFClient.ini and change the line SSPIEnabled=On to SSPIEnabled=Off.
This will disable Kerberos and allow NTLM to work on the applications.
This requires no change to your Citrix client GPO settings or to the configuration on the web interface.
The change to the WFClient.ini file can be pushed out by a GPP (Group Policy Preference).
It looks like the logon at the web interface is then still using Kerberos, but from there on NTLM is used. This still has to be investigated further, and maybe someone out there can shed some light on the subject?
This has been tested on Receiver versions 3.2 and 3.3 against XenApp 6.5 Rollup 1 and Web Interface 5.4.
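
Because this setting moves the published applications from Kerberos to NTLM, it is worth being able to report which clients carry it and to roll it back. The following PowerShell is an added example, not part of the original post: the function names and the sample file are constructed for illustration, and it assumes WFClient.ini is plain ANSI/ASCII text that already contains an SSPIEnabled line.

```powershell
# Added example: report and change SSPIEnabled in a WFClient.ini-style file.
# Function names are hypothetical; only the SSPIEnabled=On/Off line comes from the post.
function Get-SspiEnabled {
    param([Parameter(Mandatory)][string]$Path)
    # Return every SSPIEnabled line with its line number and current value.
    Select-String -LiteralPath $Path -Pattern '^\s*SSPIEnabled\s*=\s*(\S+)' |
        ForEach-Object {
            [pscustomobject]@{
                Path  = $Path
                Line  = $_.LineNumber
                Value = $_.Matches[0].Groups[1].Value
            }
        }
}

function Set-SspiEnabled {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$Value
    )
    $lines = @(Get-Content -LiteralPath $Path)
    if (-not ($lines -match '^\s*SSPIEnabled\s*=')) {
        # Do not append the key blindly: the post does not say which section it lives in.
        throw "No SSPIEnabled line found in $Path"
    }
    # Keep a copy of the original so the change can be rolled back.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    # Rewrite only the value, leaving every other line untouched.
    $lines -replace '^(\s*SSPIEnabled\s*=\s*).*$', "`${1}$Value" |
        Set-Content -LiteralPath $Path
}

# Constructed sample file standing in for the real WFClient.ini.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'WFClient-sample.ini'
Set-Content -LiteralPath $sample -Value '[WFClient]', 'Version=2', 'SSPIEnabled=On'

Get-SspiEnabled -Path $sample              # state before the change
Set-SspiEnabled -Path $sample -Value Off   # the edit described in the post
Get-SspiEnabled -Path $sample              # state after the change
```

Running Get-SspiEnabled against the real file on each client gives an inventory of where Kerberos pass-through has been switched off, and the .bak copy restores the previous state.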

Wednesday, August 22, 2012

Compressing Windows 2003 Profiles

After cleaning yet another Windows 2003 Terminal Server of excessive registry entries in the users' HKCU caused by the HP Universal Printer Driver, we noticed that the ntuser.dat file in their roaming profile was still very large, up to 20 MB.

The reason for this is that even though we deleted all the registry entries which we didn’t need, this just left a lot of blank space in the ntuser.dat file, so we needed a way to compress the file.

One tool I personally didn’t know about is the Windows 2003 tool called cProfile. With cProfile we were able to compress all users' ntuser.dat files in their roaming profiles so that many of them dropped from 20 MB to less than 1 MB.

cProfile information can be found here: cProfile

System Center Configuration Manager 2012 Cumulative Update 1 (CU1)

After installing the CU1 update, the site version will not change, so to check whether the update has been installed you can look at the installed updates in Control Panel or at the version of one of the updated DLL files.

The version of the updated DLL files will be 5.00.7711.200. You can see a list of updated files in the hotfix KB2717295.

This is also the case after updating the console: no version will change, so again look in Control Panel or check an updated DLL.



Remote desktop prompting for credentials

This is actually a very old tip, but I tend to forget the keyword myself, so now I will know where to look the next time I need it.

Newer versions of the Remote Desktop protocol will require you to enter credentials before the client can establish a connection to the server.


This is normally not a big problem, but it might be in some circumstances, e.g. when you are required to change your password.


To jump directly to the server logon screen and be able to change your password, change your default.rdp file or the specific rdp file you are using.

This file is in your Documents folder and is typically hidden. Add the line


to the file and you will go directly to the server logon page next time you connect.


Monday, August 13, 2012

Lync schema version

Just like Exchange we are able to check our Lync schema version with adsiedit.msc.

Connect to the Schema context:

Expand the nodes and drill down to the name ms-RTC-SIP-SchemaVersion.

Right click on ms-RTC-SIP-SchemaVersion and select Properties.




Now find the attribute rangeUpper




The possible rangeUpper values are listed in this table (so this example is taken from a Lync 2010 installation):

| Version | rangeUpper value |
|---|---|
| Live Communications Server 2005 | 1006 |
| Office Communications Server 2007 R1 | 1007 |
| Office Communications Server 2007 R1 | 1008 |
| Lync Server 2010 | 1100 |
| Lync Server 2013 | 1150 |