Wednesday, December 23, 2015

Preparing Lotus Notes for Hosted Shared Desktop (XenApp)

To start the Lotus Notes installation, use the following command:
D:\Lotus\setup.exe /v"SETMULTIUSER=1 MULTIUSERBASEDIR=H:\notes\data MULTIUSERCOMMONDIR=C:\SharedNotesData CITRIX=1"
Choose Next.
After installation, right-click the Lotus Notes shortcut and add the line "=H:\Notes\Data\notes.ini"
  • After this, the user's NSF file must be copied to the <<MultiUserBaseDir>> path given during installation.
  • All the content in <<MultiUserCommonDir>> must also be copied to <<MultiUserBaseDir>>.
  • There is a logon script which we can use to simplify the last step.
Inputs for this blog are from Vipul Tripathi.

Sunday, September 27, 2015

CA issued Client cert based authentication via NetScaler

Where we use this: Let’s say I am publishing my resources via NetScaler AGEE and would like to ensure that a user is bound to the PC while accessing resources externally from a non-corporate device. In my use case, it was external users who use a dealer management system to update inventories. We chose this method over the other available options, such as:

a) Symantec MPKI b) Two factor Authentication c) Smart Card

One of the reasons we chose the method below is simple: it doesn’t involve extra cost.

To start with, we set up an enterprise CA on an MS Windows 2012 R2 server. There is plenty of documentation on how to install a CA, so I will cover only what we needed for this specific use case. We wanted to ensure that the generated user certificate is in PFX format. We also had a challenge with the given name in AD: when the certificate was generated based on the given-name CN and that CN was checked via the NS profile, it used to put a + in place of the space.

Now it is important that the certificate is generated with the SPN name.

By default the CA doesn’t generate certificates using the UPN, so the attribute must be supplied as input. So let’s discuss how we set up the CA to generate users' certificates with the attribute. To generate certificates for users from the CA, the information must be filled in manually. The CA doesn’t allow a certificate to be generated manually, hence the template properties need to be set properly. To create a certificate template, select Certificate Templates and choose Manage under certificate manager.

This will open the certificate container, which lists the certificates that can be duplicated. Here we have to choose the “Users” certificate and then duplicate it. While doing this, ensure that you are logged in with an appropriate ID, since these changes are at domain level. I have chosen Domain Admin to make the changes.

Once the certificate is duplicated, it needs to be enrolled to all the certificate holders. Here I have chosen an enrolled certificate, hence the option is “Reenroll All Certificate Holders”.

Set the template properties for the subject name to manual, so that it allows certificates to be generated for multiple users. Here we can also define the certificate validity period.

Set “Request Handling” on the certificate to “Allow private key to be exported”.

Now browse to the certificate manager URL and choose “Request a Certificate”.

Then choose “Advanced Certificate Request”.

Then choose “Create and Submit a request to this CA”.

Choose the correct template from the drop-down.

Under Attributes, supply the SAN as SAN:UPN=Username@domain.com, which matches the user's logon name under users manager.

Once the certificate is created, it will be present under certificate manager, which provides the option to export it in PFX format.

Choose the private key and then choose a password to export the certificate. The same password will be used for the import.

Once the certificate is installed on the client machine, it will appear under Personal, which can be viewed via IE – Internet Options – Content – Certificates. If it doesn’t appear there, it will not work. In the next section we will discuss what settings are required on NetScaler.
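The Personal store check described above can also be done from PowerShell on the client; this is an added example, not part of the original post. The expected UPN is a constructed sample value, and the SAN text match assumes an English-language Windows build.

```powershell
# Added example: look in the current user's Personal store for a certificate
# the gateway can use. $ExpectedUpn is a constructed sample value.
$ExpectedUpn   = 'username@domain.com'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Decode the SAN extension to text; on an English Windows build the UPN
    # shows up as "Other Name:Principal Name=user@domain".
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $upn     = if ($sanText -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }

    # Collect EKU OIDs; a certificate without an EKU extension is valid for all purposes.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Upn           = $upn
        UpnMatches    = ($upn -eq $ExpectedUpn)      # -eq is case-insensitive
        HasPrivateKey = $cert.HasPrivateKey          # false if only the .cer was imported
        ClientAuth    = (-not $eku) -or ($ekuOids -contains $ClientAuthOid)
        Expired       = ($cert.NotAfter -lt (Get-Date))
    }
}

$report | Format-Table -AutoSize

# A certificate is usable only if every condition holds at once.
$usable = $report | Where-Object {
    $_.UpnMatches -and $_.HasPrivateKey -and $_.ClientAuth -and -not $_.Expired
}
if (-not $usable) {
    Write-Warning "No usable client certificate for $ExpectedUpn in Cert:\CurrentUser\My"
}
```

A row with HasPrivateKey set to False usually means the PFX was imported without its key, in which case the browser will not offer the certificate at the gateway prompt.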

In this case, I had been using NetScaler build 11.0 55.23. We will start with the creation of the certificate policy. For that, we create a certificate profile with two factor set to ON and the user name field set to UPN, followed by a policy set to ns_true.

Once the policy is ready, it needs to be bound to the AGEE vServer as primary authentication, as a Cert policy.

Now the SSL parameter for the client certificate needs to be set to “Mandatory”.

Since we are using the client UPN for the login, the LDAP policy must be set to use “userPrincipalName”.

Now when the client types the AGEE URL, it will prompt to select a client certificate, and if the machine has multiple client certificates it will provide the option to choose. In our example the machine had multiple certificates, and it prompted the user to choose.

Once the user chooses the certificate, the user name will be populated and the user is left to type the password.

After login, when an application is launched, it will again prompt to choose the certificate. In our example the user tried to launch Notepad and was prompted to choose a certificate. This is known behavior, and anyone who would like to fix it can follow CTX200193. There are other ways, which I am yet to test.

Note of caution: At the time of writing this blog, it was found that client certificates don’t work with the native Receiver. So if you have a use case where the customer would like to use both the native Receiver and a browser, avoid this option.

Wednesday, September 23, 2015

How to configure IBM WAS / RAD for a PVS streamed Virtual Machine

Maxi Post by our guest Author

Application Name: IBM Websphere Application Server 8.5 and IBM Rational Application Developer for Websphere 8.5

Issue statement: The problem faced by IBM RAD/WAS users on locked-down images was that when they create server profiles in RAD, the profiles are saved in the RAD installation directory, which is C:\Program Files (x86)\IBM\WebSphere_WAS8.5\AppServer\Profiles. On the next reboot they are left with no option but to create a new profile every time they launch RAD/WAS. So the option left to us was to provide a Citrix personal vDisk or a persistent VM for these use cases. Instead of moving to PVD and persistent VMs, here is how we mitigated the issue and retained these users on a streamed disk by modifying the application configuration.

Follow these steps to configure IBM Websphere Application Server 8.5 and IBM Rational Application Developer for Websphere 8.5 for a streamed vDisk environment, so that the IBM Rational Application Developer for Websphere 8.5 profiles are redirected to the D drive instead of the default C drive path (C:\Program Files (x86)\IBM\WebSphere_WAS8.5\AppServer\Profiles).

Navigate to the path C:\Program Files (x86)\IBM\WebSphere_WAS8.5\AppServer\Properties\

The files that need to be modified are: a) wasprofile.properties b) wsadmin.properties c) xd.spi.properties

Find ${was.install.root} and replace it with D:/Program Files (x86)/IBM/WebSphere_WAS8.5/AppServer
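The find-and-replace step above, scripted for the three files so it can be repeated on each base image; this is an added example, not part of the original post. It uses the paths and file names given above and assumes it is run from an elevated session.

```powershell
# Added example. Paths and file names are the ones given in the post.
$propsDir = 'C:\Program Files (x86)\IBM\WebSphere_WAS8.5\AppServer\Properties'
$files    = 'wasprofile.properties', 'wsadmin.properties', 'xd.spi.properties'
$token    = '${was.install.root}'   # single quotes: literal text, not a PowerShell variable
$newRoot  = 'D:/Program Files (x86)/IBM/WebSphere_WAS8.5/AppServer'

# Java .properties files are ISO-8859-1; read and write with that encoding so
# the rest of the file is preserved byte for byte.
$latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')

foreach ($name in $files) {
    $path = Join-Path $propsDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing file: $path"
        continue
    }

    $text  = [System.IO.File]::ReadAllText($path, $latin1)
    $count = [regex]::Matches($text, [regex]::Escape($token)).Count
    if ($count -eq 0) {
        Write-Output "$name : no occurrences found (already edited?)"
        continue
    }

    # Keep the first original beside the edited file so the image can be rolled back.
    $backup = "$path.orig"
    if (-not (Test-Path -LiteralPath $backup)) {
        Copy-Item -LiteralPath $path -Destination $backup
    }

    # Plain string replace: the token contains regex metacharacters.
    [System.IO.File]::WriteAllText($path, $text.Replace($token, $newRoot), $latin1)
    Write-Output "$name : replaced $count occurrence(s)"
}
```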

Navigate to C:\Program Files (x86)\IBM\WebSphere_WAS8.5\AppServer\bin\ProfileManagement\eclipse64\configuration and make changes as shown below

osgi.instance.area.default=D:/AppData/Local/IBM/WebSphere/AppServer/workspaces/WCT85

osgi.configuration.area=D:/AppData/Local/IBM/WebSphere/AppServer/configurations/WCT85

Navigate to C:\Program Files (x86)\IBM\SDP_RAD8.5\configuration and make changes as shown below

osgi.instance.area.default=@user.home/IBM/rationalsdp/workspace

Change it to:

osgi.instance.area.default=D:/IBM/rationalsdp/workspace 


Once the properties files are modified, launching WAS/RAD or the Profile Management Tool of RAD will create the profile and the associated workspace/logs on the D drive.

You may experience an error when trying to create a profile using the PMT 8.5 tool.

Investigating the logs at the mentioned location gives a clue for resolving it. Here is how:

Just create a folder named “properties” on the D drive in the mentioned path. This will resolve the profile creation issue.

How to retain RAD workspace location

Finally, for users to retain their workspace location on subsequent launches, we need to retain the file

C:\Program Files (x86)\IBM\SDP_RAD8.5\configuration\.settings\org.eclipse.ui.ide.prefs

in some common location, or use a script to copy the file from the source to the D drive and copy it back to the source location, so that the user retains the workspace location on every RAD launch.

A better way is to educate users to create their workspace on the D drive in a common location such as D:\IBM\rationalsdp\workspace. With the path hardcoded in the preference file in the base image, on every reboot the preference file will show the common workspace path from the cache file. This eliminates the use of a logon script / AppSense configuration for a file copy just to retain the workspace preference.

Publish MS Dealer Management System (DMS) application in full screen mode

With XenApp 6.5 we had an option to maximize the application by checking a box.
Somehow this feature is not available while publishing an application via XenApp 7.6. As a workaround we can use CTX132434 to publish the application. In this example I am trying to publish the MS DMS application for users in full screen mode, using a VBS script for DMS.
Place this VBS script on a shared location and then publish the application using that path, with the working directory set to %windir%\system32\
Now the application will be forced to launch in full screen mode.

Sunday, March 29, 2015

Should I upgrade to XenApp 7.6 ?

Are you confused about upgrading your existing XenApp 6.5 infrastructure to the new XenApp 7.6?

Did someone tell you that XenApp 7.6 doesn’t have all the features of XenApp 6.5 and so you shouldn’t upgrade? Well, I tried answering by asking you 7 questions which will help you make the decision. Please watch the video.

Friday, March 13, 2015

How to enable “Share file instead of copying it” for VMM

I have come across many deployments and keep forgetting how to enable the “Share file instead of copying it” option for VMM. Yes, I know the Microsoft article explains how to do this, but it is missing screenshots.

Provided that all the library shares have been set up perfectly, when we try to share the ISO instead of mounting it we get the following error message:

“Error (12700)
VMM cannot complete the host operation on the xyz.com server because of the error: 'xyz' failed to add device 'Virtual CD/DVD Disk'. (Virtual machine ID 86AF5EBE-0B3D-4075-8BF2-DA7117C54322)

'xyz': User account does not have permission required to open attachment '\\Mxyz\DataStore\ISO\XenApp_and_XenDesktop7_6.iso'. Error: 'General access denied error' (0x80070005). (Virtual machine ID 86AF5EBE-0B3D-4075-8BF2-DA7117C54322)
Unknown error (0x8001)

Recommended Action
Resolve the host issue and then try the operation again.”

We need to give access to the VMM server for all the nodes. Select the Hyper-V node, then choose “Use any authentication protocol” and add services.

Select the VMM server as the computer name. This will list the CIFS share.

We need to repeat this step for all the nodes.
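The same delegation applied to every node with the ActiveDirectory PowerShell module instead of the dialog, as an added example that is not part of the original post. The host names and domain are constructed placeholders, and it assumes the dialog steps above are the Delegation tab of each Hyper-V node's computer account.

```powershell
# Added example. All names below are constructed placeholders.
Import-Module ActiveDirectory

$HyperVNodes = 'HV-NODE01', 'HV-NODE02'   # Hyper-V hosts managed by VMM
$VmmServer   = 'VMM01'                    # server selected as "computer name" in the dialog
$Domain      = 'example.com'

# CIFS SPNs of the VMM server, short and fully qualified
$spns = "cifs/${VmmServer}", "cifs/${VmmServer}.${Domain}"

foreach ($node in $HyperVNodes) {
    $computer = Get-ADComputer -Identity $node -Properties 'msDS-AllowedToDelegateTo'
    $missing  = @($spns | Where-Object { $computer.'msDS-AllowedToDelegateTo' -notcontains $_ })

    if ($missing.Count -gt 0) {
        # Constrained delegation: the node may delegate to these services only
        Set-ADComputer -Identity $computer -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }

    # "Use any authentication protocol" corresponds to TrustedToAuthForDelegation;
    # unconstrained delegation (TrustedForDelegation) is kept off.
    Set-ADAccountControl -Identity $computer -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

# Review the result: each node should list only the cifs SPNs added above
$HyperVNodes | ForEach-Object {
    Get-ADComputer -Identity $_ -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
} | Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

The final listing is worth keeping with the change record, since any service on it is one the node can reach on behalf of any user.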