Solved: Netscaler VPX (on VMWare) Problem.

During my latest project I ran into a problem where Netscaler VPX stops responding to any sort of request.

  • Logon to Netscalers management interface: Netscaler immediately stops responding.
  • Connect to Netscalers Access Gateway VPN server: Netscaler immediately stops responding.
  • Connect to Netscalers Access Gateway Logon Interface: Netscaler immediately stops responding.

The state of the netscaler is as follows:

  • Netscaler is no longer reachable via management Interfaces (SSL/SSH, etc)
  • Netscaler is not replying to ping requests (to NSIP)
  • Netscaler IS reachable and response via VMWare console

Via WMWare console the netscaler is responsive and when issueing command “Show Interface” netscaler responds by listing al it’s network interfaces. I thing I noticed that the interface of the NSIP was shutdown because of administrative reasons (cannot recall the exact message). When enabling this Interface with command: enable interface 0/1 everything seemed to be working again until you try one of earlier mentioned actions.

If you experience this, there is a good change that the VMWare server on which the Netscaler VPX is running was upgraded with patches from VMware ESXi 5.5.0 U2 both VMWware and Citrix Have released KB documents about this issue:

from VMware document we learn more about the issue:

  • This issue occurs when the NetScaler virtual machine driver resets TDT to 0 after 511 while the TX ring size is shown as 1024.
  • This is not a VMware issue. To resolve this issue, upgrade the NetScaler appliance.

According to Citrix there are 3 workaround

  1. Revert to a non updated VMWware host (not recommended)
  2. Upgrade to NetScaler 10.5 build 55.8 or above (recommended if possible)
  3. change the TX ringsize (last option if no other option works out)

from the document we can extract the procedure:

  1. SSH and log on to Citrix NetScaler VPX appliance as nsroot.
  2. Type shell.
  3. Change directory (cd) to /flash/boot.
  4. Create file /flash/boot/loader.conf.local (if not present) with same permissions as /flash/boot/loader.conf. Add the following line and reboot:
    Note: To create the file, use command touch loader.conf.local.

vi Commands

The following are the vi commands to edit the document:

  1. From NetScaler shell type:
    vi <filename>
  2. Move the cursor to the last character of text in the file, type “a” and click Enter.
  3. Type the line:
  4. Press the ESC key and then “:” key. The cursor will move to the bottom of the page, then type wq!.


After this procedure reboot the netscaler and all should be working fine again.


HOW TO: Netscaler 10.5 – Change Password / Secure LDAP configuration

During my current project I had to build a Netscaler cluster for Access Gateway functionality. After initially configuring the Access Gateway vServer I noticed that user account that are marked for “Change Password on next Logon” could not authenticate not via Access Gateway Logon Page nor Via Dell Wyse ThinClient that are configured for StoreFront access (via Netscaler Access Gateway). Password Change direct via StoreFront 2.6 was working flawlessly. After some googling I managed to get this working I followed these steps to succesfully configure “Allow Password Change” via Netscaler.

  1. Create Root CA on Netscaler
  2. Enable Secure LDAP on domain controllers (without Microsoft CA services)
  3. Configure Authentication Server object on Netscaler
  4. Configure Access Gateway vServer on the Netscaler

1. Create Root CA, RSA Key

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > Traffic Management > SSL and click Create RSA Key

Enter required information:

  • Key Filename = /nsconfig/ssl/RootCA.key
  • Key Size = 4096
  • Public Exponent Value = 3
  • Key Format = PEM
  • PEM Encoding Algorithm = DES3
  • PEM Passphrase = somepassword (2x)
create ssl rsa /nsconfig/ssl/RootCA.key 4096 -keyform PEM -des3 -password somepassword

2. Create Certificate Signing Request

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > Traffic Management > SSL and click Create Certificate Signing Request (CSR)

Enter required information:

  • Request File Name = /nsconfig/ssl/RootCA.csr
  • Key Filename = /nsconfig/ssl/RootCA.key
  • Key Format = PEM
  • PEM Passphrase (For Encrypted Key) = Earlier created password
  • Country = Enter desired value
  • State or Province = Enter desired value
  • Organization Name = Enter desired value
  • Common Name = Enter desired value (This name is visible on the certificate)
create ssl certreq /nsconfig/ssl/RootCA.csr -keyFile /nsconfig/ssl/RootCA.key -keyform PEM -CountryName US -StateName NY -OrganizationName PrivateInc -commonName RootCAPrivateInc

3. Create RootCA Certificate

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > Traffic Management > SSL and click Create Certificate

Enter required information:

  • Enter Certificate File name  = /nsconfig/ssl/RootCA.cer
  • Certificate Format = PEM
  • Certificate Type = Root-CA
  • CSR File = /nsconfig/ssl/RootCA.csr
  • Key Filename = /nsconfig/ssl/RootCA.key
  • Key Format = PEM
  • PEM Passphrase = Earlier created .key password
  • Validity Period = 365 (max 3650)

Now import this new certificate to the Netscaler Certificates store.

  • Browse to NetScaler > Traffic Management > SSL > Certificates and click Install
  • Certificate-Key Pair Name = “Name it you like
  • Certificate File Name = /nsconfig/ssl/RootCA.cer
  • Key File Name = /nsconfig/ssl/RootCA.key
  • Certificate Format = PEM
  • Password = Earlier created .key password
  • Certificate Bundle = Enabled


4. Enable Secure LDAP on domain controllers  

After we created the RootCA account we need to enable secure LDAP om the domain controllers. For this to work we need to create a CSR on the Domain Controllers. To do this you need to login on (all) your domain controller(s) and create a CSR. Copy the contents of this file to notepad and name the file request.inf. Save the file to c:\windows\temp

;----------------- request.inf ----------------- 


Signature="$Windows NT$" 


Subject = ""
KeySpec = 1 
KeyLength = 4096 
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 





now open a command-prompt (elevated rights) and issue the command:

cd \windows\temp
certreq -new c:\request.inf servername.csr

Upload  the newly created CSR file(s) to the Netscaler /nsconfig/ssl/ folder (via Manage Certificate > Upload)

5. Sign Domain Controller certificate.

Now Sign this CSR with the RootCA certificate created earlier via Create Certificate

  • Enter Certificate File name  = /nsconfig/ssl/servername.cer
  • Certificate Format = PEM
  • Certificate Type = SERVER
  • CSR File = /nsconfig/ssl/servername.csr
  • Key Format = PEM
  • Validity Period = 365 (max 3650)
  • Key Filename = /nsconfig/ssl/RootCA.key
  • CA Certificate File Name = /nsconfig/ssl/RootCA.cer
  • CA Certificate File format = PEM
  • CA Key File Name = /nsconfig/ssl/RootCA.key
  • CA Key File Format = PEM
  • PEM Passphrase = RootCA PEM Password
  • CA Serial File Number = /nsconfig/ssl/servername.serial

 6. Export RootCA as PFX

On Netscaler SSL Administration page click Export PKCS#12

  • PKCS12 File Name = /nsconfig/ssl/RootCA.pfx
  • Certificate File Name = /nsconfig/ssl/RootCA.cer
  • Key Filename = /nsconfig/ssl/RootCA.key
  • Export Password =  thisisanewpassword
  • PEM Passphrase = RootCA PEM Password

7. Import RootCA Certificate on Domain Controllers

Download the PFX file to C:\windows\temp on your domain controller and import it to the Trusted Root part of the Machine Certificate Store. When importing select “mark this key as exportable” repeat this step on all your Domain Controllers.

8. Import Server Certificate

Download the servername.cer file from the Netscaler to the domaincontroller c:\windows\temp, open command-prompt with elevated rights and issue command(s)

cd \windows\temp
certreq -accept servername.cer

Test your secure ldap with ldp.exe, select connect and enter the servername on which you just imported the certificates. Use port 636, and check the SSL option.


9. Configure Authentication Server object on Netscaler

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > System > Authentication > LDAP and in the right pane click Servers and then Add.

Enter required information make sure to use these settings to enable secure LDAP connections:

  • Security Type: SSL
  • Port: 636
  • DO NOT enable “Validate LDAP Server Certificate”
  • Allow Password Change: Enabled

Bind this new server object to a Authentication Policy.

10. Configure Access Gateway vServer on the Netscaler

Open your Access Gateway vServer:

  • Bind Root Certificate as to CA Certificates
  • Bind the secure LDAP Autentication Policy to the vServer.
  • Enable “Client Authentication” in “SSL Parameters


All is done, now test it and hopefully this works for you too.



Microsoft KB321051



Windows 2012 R2: Black logonscreen after App-V 5 (SP2) Client installation

While I was building a proof of concept for my customer I ran into some issues that where seemingly unrelated. I was building a brand new Windows 2012 R2 / XenApp 7.5 environment including RES Automation Manager, RES Workspace Manager and App-V 5 (SP2). After installing and testing the core XenApp infrastructure, I started to configure the XenApp (Worker/Application Servers) this is when I ran into problems. After installing the App-V (SP2) client and rebooting the server I was no longer able to logon to the Published Desktop I’ve created and successfully tested earlier.

The Citrix receiver keeps hanging on a black logon screen (did not launch pfwsmgr.exe) and after a while the session was ended. I knew there was an issue on Windows 2008 R2 that resulted in a black screen only this was merely a cosmetic issue, because in Windows 2008 logon succeeded and a desktop was presented. To solve this issue you had to create the registry key:

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Logon
Name: DisableStatus
Value: 00000001


As I was not sure if this still applies to Windows Server 2012 R2 I decided to add this registry key to the application server. After logging on Windows revealed its error message that was not show before (User profile service). The EventVwr error message corresponding to this visual error contains:

Windows cannot copy file \C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Control Panel.lnk to location \?\C:\Users[userid]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Control Panel.lnk. This error may be caused by network problems or insufficient security rights.

DETAIL – The process cannot access the file because it is being used by another process.

This error led me to following knowledge base document: 2985344

This document addresses problems that some may experience after installation of hotfix KB2919355. The document also links to  hotfix 5 for App-V 5 (SP2) Client after installing this hotfix all was working again.


SOLVED: Adobe Reader X hangs after opening a PDF file

Some time ago i noticed that when I opened a PDF file, Adobe Reader X stopped responding for sometime. I noticed it happens on Windows 2003, Windows 7 and Windows 2008. after some investigation I found a solution in disabling Adobe’s “new” Protected Mode feature.

  1. Open Adobe Reader X
  2. navigate to Edit->Preferences->General
  3. clear the check-mark at “Enable Protected Mode at startup”
  4. Click OK to save the changes (acknowledge the warning)
  5. Shutdown Adobe Reader X

You can also disable protected mode through a registry key

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown]


EDIT: In Acrobat Reader XI the location hast changed to: Edit->Preferences->Security (Enhanced)



Solved: XenApp 5 HRP 7 results in 0x000000CF BSOD

While installing a new Citrix XenApp  farm for a customer I upgraded the servers to Hotfix Rollup Pack 7 (HRP7, PSE450W2K3R07). The XenApp 5 farm is build as virtual servers on a  VMWare vSphere 4.1 cluster. Installing Hotfix Rollup Pack 7 via RDP console session (mstsc /console) succeeded  with no error and the farm booted nicely after installing the HRP.

The troubles started when I tried to connect to the farm via an ICA connection, only few seconds after initiating the connection the selected server crashed with an 0x000000CF (TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE)BSOD. After the BSOD the server rebooted nicely but an ICA connection was never setup.

Investigating this problem led me to some specific solutions to the problem like:

  • Copying an older version of twexport.sys to “C:\Program Files\Citrix\Drivers” and “C:\Windows\System32\Drivers” [Source]
  • Installing hotfix PSE450R07W2K3011

but none of them solved my solved the problem. Eventually the problem was solved by installing HRP7 NOT via RDP BUT via the VMWare console


Solved: 0x0000007B BSOD after unattended install of PVS Target Device

While building a deployment sequence for a XenApp 6 farm using SCCM, I ran into the problem that the unattended install of the PVS Target Device (5.6 SP1)  succeeds but after after creating a VHD file using “XenConvert P2VHD” and booting the newly created vDisk the Provisioned Server crashes with a BSOD 0x0000007b (inaccessible boot device).

After some investigation on the source machine I noticed the “Citrix Virtual Hard Disk Enumerator PVS”  device did not install correctly and displayed an yellow exclamation mark in Device Manager (devmgmt.msc).  After searching the citrix forums I ran into a thread in which the others experienced the same problem.

Unfortunatly a real solution is not provided in within the thread (other than a manual installation). So digging down the internet I found the solution for this problem. Somehow the drivers files are not transferred to the “%windir%\System32\Driver” folder during unattended (SCCM/Wisdom) installation.  Copy CFsDep2*.* files from “C:\Program Files\Citrix\Provisioning Services\drivers”  to “%windir%\System32\Driver”  afterwards you can install you can install the PVS Target Device client unattended by running “PVS_Device_x64.exe /S /v /qn

After the installation the exclamation mark has disappeared, a newly created vDisk booted successfully.



SOLVED: Citrix Receiver Error 61 on OS X

In my test environment I have installed all Citrix components (required) to access applications from remote locations.


  • Citrix Access Gateway (VPX) Express
  • Self-Signed certificate. (Generated by CAG)
  • Citrix Webinterface (configured Services Site)
  • XenApp 6

This setup works for the following device OS’es:

  • Windows 7
  • IOS 5
  • Android 2.2
Only when trying to connect an OS X machine to the published application (via Citrix Receiver 11.4.3 It did not work.

After importing the self-signed certificate (crt/cer) to the keystore (login or system) I try to setup up a connection to the published application.  After some time the connection failed with I receive the following error:

Citrix ICA SSL Error 61: You have not chosen to trust FQDN, the issuer of the server’s security certificate.
Error number183

After trying some stuff, like importing it in different formats I eventually found the solution while doing the following steps:
  1. Export your self-signed certificate to a convenient location.
  2. Open Terminal and enter :
  3. Enter:
    Sudo su
  4. Enter your admin user password
  5. Enter:
    mkdir /var/CTXScert
  6. And:
    mkdir /var/CTXScert/cacerts
  7. Now copy your certificate to the just created folder, cp <your location> /var/CTXScert/cacerts/
  8. quit Terminal.
Instantly after connecting again I was presented the Published application, the error had disappeared.

HOWTO: XenServer configure an ISO repository on Local Storage

When building my homelab with XenServer 5.6 FP1, I needed an ISO repository on local storage. Although I found some guides on the internet none of them actually worked/suited my needs. However after some research I found this way working. In my case I wanted to use the free space of volume SDA3.

Only use this procedure in your LAB environment as it is not supported.

Before you start you have to delete existing SR’s/LVM’s/VG’s on SDA3 [search]

Now create the File System the filesystem on empty sda3.

  • mkfs.ext3 -m 0 /dev/sda3 <where sda3, is the volume I want to use on local disk>

Create a mount point for your new created File System.

  • mkdir /mnt/iso_import

Add the following line to /etc/rc.local to mount the filesystem on boot.

  • mount /dev/sda3 /mnt/iso_import

To prevent a reboot, let’s mount it manually.

  • mount /dev/sda3 /mnt/iso_import

Now add the repository to XenServer

  • xe sr-create name-label=<desired name> type=iso \device-config:location=/mnt/iso_import \device-config:legacy_mode=true content-type=iso

Now the repository should be available within XenCenter. Copy your ISO’s to the repository location with your favorite SSH client.