
Saturday, June 6, 2015

Configure NetScaler Appliance to allow administration with Active Directory accounts

One of the most common configurations I’ve done for clients with NetScaler appliances is to allow administration with Active Directory accounts, since the nsroot account should be protected and logging in with individual user accounts provides an audit trail.  I’ve found the NetScaler documentation from Citrix to be hit or miss, as most of it still demonstrates configurations on version 8 or older even though version 10 reorganized many of the settings into different nodes.  This post provides a clear demonstration of configuring AD authentication for appliance administration on version 10 or higher.

Begin by logging into the NetScaler administration console via the NSIP:

image

Navigate to System > Authentication > LDAP and click on the Servers tab:

image

Continue by clicking on the Add button to create Active Directory Domain Controller server objects:

image

Note that from here you have the option of creating Domain Controller objects that use plain LDAP on port 389, which does not encrypt traffic, or LDAPS on port 636, which does.  This matters more here than for a typical application bind: with PLAINTEXT, the Bind DN password and every administrator’s AD password cross the network in the clear on each logon.  Using LDAPS requires a certificate from a CA and configuration on the domain controllers.  For more information, see my previous post here:

Configure LDAPS on an Active Directory Domain Controller for LDAP over SSL Connections
http://terenceluk.blogspot.co.uk/2013/10/configure-ldaps-active-directory-domain.html

Proceed by filling in the following:

Name: <Logical name representing the domain controller>

Server Name: <DNS name or IP address of the domain controller>

Security Type: <PLAINTEXT, TLS (StartTLS on port 389) or SSL (LDAPS on port 636)>

Port: <Filled in automatically from the Security Type: 389 for PLAINTEXT and TLS, 636 for SSL>

Server Type: <AD>

Time-out (seconds): <Default of 3 seconds>

Base DN (location of users): <Where you want the NetScaler to start looking for accounts. I usually just put the root of the domain in>

Administrator Bind DN: <The Distinguished Name of the service account the NetScaler binds with to look up the user; the user is then authenticated with their own password. A plain domain user with read access is enough for this, so do not use a privileged account here>

BindDN Password: <The password of the Administrator Bind DN account>

Server Logon Name Attribute: <sAMAccountName>

Group Attribute Name / Sub Attribute Name: <memberOf and CN, also on the server object form. These are what the NetScaler uses in a later step to match the user’s AD groups against the System Group name, so the group mapping does not work without them>

image

Create as many domain controller objects as required:

image

Proceed by clicking on the Policies tab and then the Add button to create an authentication policy using the server objects that were created:

image

In the Create Authentication LDAP Policy window, provide a logical name for the policy, select one of the domain controller server objects created earlier for the Server field, type in ns_true for the Expression (so the policy applies to every login attempt) and then click on the Create button:

image

image

Repeat the same procedure for the other domain controllers:

image

With the policies created, click on the Global Bindings button:

image

Add a policy created earlier and assign an appropriate priority:

image

image

image

image

With the first policy bound, repeat the same procedure and add the other policies by clicking on the Add Binding button:

image

Next, navigate to System > User Administration > Groups and click on the Add button to create a group object in the NetScaler to represent the Active Directory group in the authenticating domain:

image

image

Type in the name of the Active Directory group and make sure it is *exactly* the same, then click on the Insert button under Command Policies:

image

In the Command Policies window, select superuser if you want to grant the group the same rights as nsroot, then click on the Insert button.  Give superuser only to the group of people who actually administer the appliance; the built-in read-only, operator and network command policies cover staff who only need to view or operate it:

image

With superuser permissions granted, proceed and click on the Create button to complete the creation of the System Group:

image

image

Ensure that your Active Directory group is named exactly the same:

image

You should now be able to log into the NetScaler appliance with domain\<username> as the User Name and the appropriate AD password.  If the login fails, check the group name first (it must match exactly), then confirm that the server object can actually bind to the domain controller.  nsroot still works as a local fallback, so keep its password strong and its use limited.

image
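Before typing the values above into the appliance, it is worth exercising the exact same settings (server, port, bind DN, base DN, sAMAccountName lookup and group membership) from an admin workstation, so that a wrong bind password, an untrusted LDAPS certificate or a group name that does not match is found here rather than by a failed NetScaler login. The following is an added example and not part of the original post; the server, DN, user and group values in the usage comment are placeholders.

```powershell
# Added example (not from the original post): validate the LDAP settings that
# will go into the NetScaler server object, using the same field values.
# Server, bind DN, base DN, user and group names in the usage line are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-NetScalerLdapSettings {
    param(
        [Parameter(Mandatory)][string]$Server,                           # DNS name or IP of the domain controller
        [int]$Port = 636,                                                # 636 = "SSL" (LDAPS); 389 = PLAINTEXT
        [Parameter(Mandatory)][string]$BindDn,                           # Administrator Bind DN
        [Parameter(Mandatory)][System.Security.SecureString]$BindPassword,
        [Parameter(Mandatory)][string]$BaseDn,                           # Base DN
        [Parameter(Mandatory)][string]$UserLogonName,                    # sAMAccountName of a test admin
        [Parameter(Mandatory)][string]$RequiredGroup,                    # AD group mirrored as the NetScaler System Group
        [int]$TimeoutSeconds = 3                                         # NetScaler default time-out
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
    $credential = New-Object System.Net.NetworkCredential -ArgumentList $BindDn, $BindPassword
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier, $credential, ([System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    # Certificate validation is deliberately left on: if Bind() fails with a TLS
    # error, the DC's LDAPS certificate is not trusted by this machine, and the
    # NetScaler will fail the same way until the issuing CA is trusted there too.

    try {
        $conn.Bind()   # simple bind as the service account; throws on a bad DN/password or TLS failure

        # Escape the logon name (RFC 4515) before embedding it in the filter; the
        # NetScaler builds an equivalent (sAMAccountName=<user>) search itself.
        $escaped = $UserLogonName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $filter  = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
        $attrs   = [string[]]@('distinguishedName', 'memberOf')
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $BaseDn, $filter, 'Subtree', $attrs
        $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
    } finally {
        $conn.Dispose()
    }

    if ($response.Entries.Count -ne 1) {
        throw "Expected exactly one account named $UserLogonName under $BaseDn, found $($response.Entries.Count)"
    }
    $entry  = $response.Entries[0]
    $attr   = $entry.Attributes['memberOf']
    $groups = if ($attr) { @($attr.GetValues([string])) } else { @() }   # direct memberships only, like the NetScaler's default
    # The NetScaler compares the group's CN (Sub Attribute Name = CN) with the
    # System Group name, so reduce each group DN to its leading CN value.
    $cns = $groups | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }

    [pscustomobject]@{
        UserDn          = $entry.DistinguishedName
        GroupCns        = $cns
        InRequiredGroup = ($cns -ccontains $RequiredGroup)   # exact, case-sensitive match, as the post warns
    }
}

# Usage (placeholders):
# $pw = Read-Host -AsSecureString 'Bind DN password'
# Test-NetScalerLdapSettings -Server dc01.domain.local -BindDn 'CN=svc-netscaler,OU=Service Accounts,DC=domain,DC=local' `
#     -BindPassword $pw -BaseDn 'DC=domain,DC=local' -UserLogonName 'jsmith' -RequiredGroup 'NetScaler Admins'
```

If Bind() throws with a certificate error, fix trust on the domain controller side (or import the issuing CA onto the NetScaler) rather than dropping to PLAINTEXT; if InRequiredGroup comes back false, the System Group name on the appliance will not match either.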

Friday, June 5, 2015

Configuring a Cisco Wireless Controller to redirect to a URL instead of 1.1.1.1 for web page authentication

I don’t usually deal with Cisco wireless controllers aside from setting AAA / RADIUS authentication but I was recently asked to complete the process of requesting a certificate from a public Certificate Authority to secure the web page sign-in page presented by a Cisco WLC 5508 wireless controller. For more information about generating a CSR and completing the certificate process, see my previous post:

Generating SSL certificate with OpenSSL for Cisco Wireless Controller
http://terenceluk.blogspot.com/2015/03/generating-ssl-certificate-with-openssl.html

After completing the certificate process, I noticed that a certificate warning would still be presented when the user is redirected to the web logon page.  That’s because the WLC redirects the user to https://1.1.1.1, and a public CA will not issue a certificate for an IP address you do not own, so the name in the certificate can never match the address in the browser.  The Cisco documentation found here: http://www.cisco.com/c/en/us/td/docs/wireless/controller/5-1/configuration/guide/ccg51/c51users.html also does not provide a clear way of handling this issue.  With a bit of digging around in the WLC administration page, I was able to locate where to set the host name that will be used for redirecting traffic.  The configuration is located here:

Click on the Controller tab:

image

Click on Interfaces then on the virtual Interface Name:

image

The DNS Host Name field is where you would enter the URL used for redirecting traffic:

image

You can use a host name such as wlc.domain.com for the redirection:

image

With the host name out of the way, the last problem is how to resolve it to the IP address 1.1.1.1 that presents the login page.  A bit of searching on Google brought me to the following post:

WebAuth: WLC Certificate 1.1.1.1 without DNS entry for virtual interface
https://supportforums.cisco.com/discussion/11145901/webauth-wlc-certificate-1111-without-dns-entry-virtual-interface

Basically what’s suggested is to create a public DNS A record that maps wlc.domain.com to the IP address 1.1.1.1.  From there, I went ahead and created the A record and was immediately able to get the URL to match the certificate as well as to be properly redirected to the 1.1.1.1 address presenting the web page.

Two caveats on this approach.  The name in the DNS Host Name field must match the certificate’s Subject or Subject Alternative Name exactly, or the warning comes back.  And 1.1.1.1 is a real, publicly routed address (it has been Cloudflare’s public resolver since 2018), so a public A record pointing at it sends anyone who types the name while off the wireless network to a host you do not control; Cisco’s current guidance is to use a non-routable address such as 192.0.2.1 from the RFC 5737 TEST-NET range for the virtual interface, in which case the A record points there instead.
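To confirm the two halves of this fix from a wireless client sitting at the WebAuth redirect, the following added example (not part of the original post) checks that the host name resolves to the virtual interface address and that the certificate served on that address actually carries the host name, which is what the browser checks before deciding whether to warn. wlc.domain.com and 1.1.1.1 are the values from the post; substitute your own.

```powershell
# Added example (not from the original post): verify DNS and certificate name
# agreement for the WLC WebAuth redirect. Run from a client on the guest SSID.
function Test-WlcWebAuthCert {
    param(
        [string]$HostName  = 'wlc.domain.com',   # DNS Host Name configured on the virtual interface
        [string]$VirtualIp = '1.1.1.1'           # virtual interface address
    )
    # 1. DNS: the public A record must point the host name at the virtual address.
    $addresses = @((Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop).IPAddress | Where-Object { $_ })
    $dnsOk = $addresses -contains $VirtualIp

    # 2. TLS: connect to the virtual address, offer $HostName as SNI, and capture
    #    the leaf certificate the WLC presents. The callback accepts everything
    #    only so that we can inspect it; this is a diagnostic, not a client.
    $script:wlcCert    = $null
    $script:wlcChainOk = $false
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:wlcCert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $script:wlcChainOk = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($VirtualIp, 443)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
    $cert = $script:wlcCert
    if (-not $cert) { throw "No certificate received from $VirtualIp" }

    # 3. Names: Subject CN plus every DNS entry in the Subject Alternative Name extension.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        $names += ($san.Format($true) -split "`r?`n") | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    $nameOk = ($names -contains $HostName)

    [pscustomobject]@{
        HostName     = $HostName
        ResolvesTo   = ($addresses -join ',')
        DnsOk        = $dnsOk
        CertNames    = (($names | Select-Object -Unique) -join ',')
        NameMatches  = $nameOk
        ChainTrusted = $script:wlcChainOk   # according to this client's Windows trust store
        NotAfter     = $cert.NotAfter
        Ok           = ($dnsOk -and $nameOk -and $script:wlcChainOk)
    }
}

# Test-WlcWebAuthCert | Format-List
```

A false NameMatches with a true DnsOk means the certificate was requested for a different name than the one typed into the DNS Host Name field; a false ChainTrusted with everything else true means the intermediate CA certificate was not included when the chain was uploaded to the controller.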

Wednesday, June 3, 2015

RADIUS Client limit on Windows Server 2008 R2 Standard Edition

You’re using a Windows Server 2008 R2 Standard Edition server as an NPS (Network Policy Server) but notice that when you attempt to add the 50th RADIUS client, you receive the following NPS error message:

The service being accessed is licensed for a particular number of connections. No more connections can be made to the service at this time because there are already as many connections as the service can accept. (Exception HRESULT: 0x80070573)

image

As per the following TechNet article:

NPS Fast Facts for Windows Server 2008 R2
https://technet.microsoft.com/en-us/library/dd365355(v=ws.10).aspx

NPS provides different functionality depending on the edition of Windows Server 2008 R2 that you install:

  • Windows Server® 2008 R2 Enterprise and Windows Server® 2008 R2 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 R2 Enterprise and Windows Server 2008 R2 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.
  • Windows Server® 2008 R2 Standard. This server edition includes NPS. With NPS in Windows Server 2008 R2 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
  • Windows® Web Server 2008 R2. This server edition does not include NPS.

The Standard edition of Windows Server 2008 R2 really does have a 50 RADIUS client limit (and a limit of two remote RADIUS server groups), and there is no configuration setting that lifts it.  There are two ways around it: upgrade the edition to Enterprise or Datacenter, which removes the limit and allows unlimited clients, or move NPS to Windows Server 2012 R2 Standard, which does not carry the 50 client limit.
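If the way around the limit is to move NPS to a newer server, the existing clients, policies and shared secrets can be carried across with netsh rather than re-keyed by hand. The following is an added example and not part of the original post; the export path is a placeholder, and both functions need an elevated shell (the first on the old server, the second on the new one).

```powershell
# Added example (not from the original post): export the NPS configuration
# with shared secrets, protect the file, and import it on the replacement server.
function Export-NpsConfiguration {
    param([string]$Path = 'C:\NpsMigration\nps-config.xml')   # placeholder path
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    # exportPSK=YES writes each RADIUS client's shared secret into the XML in
    # clear text; without it the clients arrive with empty secrets. Treat the
    # file like a password list: lock it down now, move it over an encrypted
    # channel, and delete it once the import has succeeded.
    netsh nps export filename="$Path" exportPSK=YES | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed (exit code $LASTEXITCODE)" }
    icacls $Path /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
    Get-Item -Path $Path
}

function Import-NpsConfiguration {
    param([string]$Path = 'C:\NpsMigration\nps-config.xml')   # placeholder path
    netsh nps import filename="$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh nps import failed (exit code $LASTEXITCODE)" }
    Remove-Item -Path $Path -Force
    # Windows Server 2012 R2 ships the NPS module; confirm every client made it across.
    @(Get-NpsRadiusClient).Count
}
```

The RADIUS clients themselves still point at the old server’s address, so either re-use the address on the new server or update each client; the import does not change that.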

Lync 2013 client prompts the message: “You have the newer version of Lync called Skype for Business…”

I’ve recently received a lot of emails from clients and colleagues about a message prompt that they’ve been receiving on their Lync 2013 clients shown in the following screenshots:

image

Restart Skype for Business

You have the newer version of Lync called Skype for Business. However, your admin would like you to use Lync or it’s the only version your server supports.  Please restart now to use Lync.

image

The reason this message is presented is that the April 14th, 2015 update for the Lync 2013 client contains the Skype for Business client, and if you’ve installed this update, the message is presented the first time Lync 2013 is launched afterwards.

Most of my clients prefer not to switch to the new client, as it will likely generate unnecessary calls to the helpdesk, so to remove the prompt shown in the screenshot above, use the registry edits in the following Microsoft Office article to disable it:

Switching between the Skype for Business and the Lync client user interfaces
https://support.office.com/en-in/article/Switching-between-the-Skype-for-Business-and-the-Lync-client-user-interfaces-a2394a4c-7522-484c-a047-7b3289742be0

If you would instead like to enable the Skype for Business interface, you’ll need to install the February 2015 or later updates (such as May 2015) on your Lync Front-End servers and then set the EnableSkypeUI client policy setting to True, as shown here:

Get-CsClientPolicy

image

Set-CsClientPolicy -EnableSkypeUI $true

image

Get-CsClientPolicy

image

Note that this enables the Skype UI in the Global client policy; you can also enable it per policy or per user.

Now when users launch the Skype for Business client, they will no longer be prompted with the message and will be brought straight into the Skype interface:

image

Note that the new client also shows a tutorial on first launch, which can also be disabled via the registry keys demonstrated in the Microsoft Office article linked above.
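The Set-CsClientPolicy call above changes the Global policy for everyone. The following added example (not part of the original post) turns the Skype UI on for one pilot group instead, after checking that the Front-End CU level exposes the setting, and sets the per-user registry values described in the linked Office article so that a client matches its policy and is not shown the restart prompt (or the tutorial). The policy name and group name are placeholders; run the first function in the Lync Server Management Shell with the ActiveDirectory module available, and the second in the user’s own session (or deliver the same values with a logon script or Group Policy Preferences).

```powershell
# Added example (not from the original post): per-user Skype UI rollout and the
# matching client-side registry values. Policy and group names are placeholders.

function Enable-SkypeUiForPilot {
    param(
        [string]$PolicyName = 'SkypeUIPilot',         # new per-user client policy
        [string]$PilotGroup = 'Lync-SkypeUI-Pilot'    # AD security group of pilot users
    )
    # EnableSkypeUI only exists once the February 2015 (or later) CU is on the Front-Ends.
    $globalPolicy = Get-CsClientPolicy -Identity Global
    if (-not ($globalPolicy.PSObject.Properties.Name -contains 'EnableSkypeUI')) {
        throw 'EnableSkypeUI is not available: install the February 2015 or later Lync Server CU first.'
    }
    if (-not (Get-CsClientPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-CsClientPolicy -Identity $PolicyName -EnableSkypeUI $true | Out-Null
    }
    Get-ADGroupMember -Identity $PilotGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $upn = (Get-ADUser -Identity $_.distinguishedName).UserPrincipalName
            Grant-CsClientPolicy -Identity $upn -PolicyName $PolicyName
            $upn   # emit who was granted the policy, for the change record
        }
}

function Set-LyncClientUi {
    param(
        [ValidateSet('Lync', 'Skype')][string]$Ui = 'Lync',
        [switch]$SuppressTutorial
    )
    # EnableSkypeUI (REG_BINARY): 00 00 00 00 = Lync UI, 01 00 00 00 = Skype UI.
    # Keep it in step with the server-side policy; a mismatch is what triggers the restart prompt.
    $key = 'HKCU:\Software\Microsoft\Office\Lync'
    New-Item -Path $key -Force | Out-Null
    $value = if ($Ui -eq 'Skype') { [byte[]](1, 0, 0, 0) } else { [byte[]](0, 0, 0, 0) }
    Set-ItemProperty -Path $key -Name EnableSkypeUI -Value $value -Type Binary
    if ($SuppressTutorial) {
        # Marks the first-run tutorial as already seen (Office 15.0 = 2013 client).
        $key15 = 'HKCU:\Software\Microsoft\Office\15.0\Lync'
        New-Item -Path $key15 -Force | Out-Null
        Set-ItemProperty -Path $key15 -Name IsBasicTutorialSeenByUser -Value 1 -Type DWord
    }
    Get-ItemProperty -Path $key -Name EnableSkypeUI
}

# Enable-SkypeUiForPilot
# Set-LyncClientUi -Ui Lync -SuppressTutorial
```

Because the registry values live under HKCU, users can change them back; the server-side client policy is the setting to rely on, and the registry value just keeps the client from nagging about a UI it is not allowed to use.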

Tuesday, June 2, 2015

Removing New Profile First Run Items for XenApp, RDS and Terminal Server with GPO

Having deployed numerous Citrix XenApp and Microsoft RDS environments over the past few years, I’ve found that I constantly refer to my notes for removing new-profile first-run items, and seeing as I haven’t written a blog post on this yet, I figured I’d write one now so I can refer my colleagues to it.

Several add-ons are ready for use

There are two ways to disable the Several add-ons are ready for use prompt when Internet Explorer is first launched:

image

The first is to edit the local policy of the server by running gpedit.msc and navigate to:

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Automatically activate newly installed add-ons

… or:

User Configuration > Administrative Templates > Windows Components > Internet Explorer > Automatically activate newly installed add-ons

Note that both would provide the same result but I prefer using the Computer Configuration because it is applied to the computer rather than the User Configuration which is applied to each user’s profile.

image

Enable the configuration:

image

If editing the local computer policy is not acceptable, the same result can be delivered with a GPO, either by enabling the same Administrative Template setting or by pushing the registry value it writes.  The path below is the Wow6432Node one that 32-bit Internet Explorer reads on a 64-bit server; the native path is the same key without Wow6432Node, and setting both does no harm:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext

IgnoreFrameApprovalCheck = 1

image

Protected mode is turned off for the local intranet zone.

To hide the Protected mode is turned off for the Local intranet zone. message:

image

… create a new DWORD value named NoProtectedModeBanner with data 1 at the following location.  Note that this only suppresses the banner; Protected Mode stays off for the intranet zone, which is the actual security setting, so decide that separately through the zone’s security settings in policy rather than treating the banner as the problem:

HKCU\Software\Microsoft\Internet Explorer\Main

image

image

Refer to my previous blog post for more detail:

Notes on Security Banner and IE Settings for Citrix XenApp servers
http://terenceluk.blogspot.com/2013/09/notes-on-security-banner-and-ie.html

Set up Internet Explorer 11

To disable the Set up Internet Explorer 11 prompt:

image

Create a GPO and enable the following User or Computer Configuration setting:

Administrative Templates > Windows Components > Internet Explorer

Then enable the following setting:

Prevent performance of First Run Customize settings

image

image

Office 2013 First Run

To get rid of the First things first. Office 2013 first run prompt:

image

image

… load the Office 2013 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Privacy > Trust Center

Then enable the following setting:

Disable Opt-in Wizard on first run

image

Welcome to your new Office

To disable the Welcome to your new Office prompt:

image

… load the Office 2013 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > First Run 

Then enable the following setting:

Disable First Run Movie

image

Enable the following setting as well:

Disable Office First Run on application boot

image

Outlook 2013 Cached Exchange Mode

XenApp and RDS servers more often than not operate Outlook in non-cached mode so to ensure that this is disabled, load the Office 2013 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2013 > Account Settings > Exchange > Cached Exchange Mode

Then disable the following setting:

Cached Exchange Mode (File | Cached Exchange Mode)

image

Proceed and also disable the following setting:

Use Cached Exchange Mode for new and existing Outlook profiles

image

image

Remove Add Account Citrix Receiver

To remove the Add Account Citrix Receiver prompt for new profiles:

image

… use the following Citrix KB:

http://support.citrix.com/article/CTX135438

Method 3

Change Registry values post installation to suppress the Add Account window.

  1. Under HKLM\Software\Citrix\Dazzle, set AllowAddStore value to N.
    Note: On 64-bit machines, use HKLM\Software\WOW6432Node\Citrix\Dazzle.
  2. Restart Citrix Receiver for Windows to apply the new Registry value.
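Three of the items in this post are plain registry values rather than Administrative Template settings (the IE add-on prompt, the Protected Mode banner and the Receiver Add Account window). When a GPO is not an option, for instance while building a master image, they can be set and audited directly with the following added example, which is not part of the original post or of the Citrix KB. The HKLM values need an elevated shell; the HKCU value applies only to the user running the script, so push it with a logon script or Group Policy Preferences for every profile.

```powershell
# Added example (not from the original post): apply the post's registry-based
# first-run suppressions on a XenApp/RDS image and report what is actually set.
function Set-FirstRunSuppression {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $is64 = [Environment]::Is64BitOperatingSystem

    # IE "Several add-ons are ready for use": native policy path, plus the
    # Wow6432Node path from the post for 32-bit IE on a 64-bit server.
    $settings = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'; Name = 'IgnoreFrameApprovalCheck'; Value = 1; Type = 'DWord' }
    )
    if ($is64) {
        $settings += @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext'; Name = 'IgnoreFrameApprovalCheck'; Value = 1; Type = 'DWord' }
    }
    # Hides the "Protected mode is turned off" banner only; the zone's Protected
    # Mode state itself is unchanged and still has to be decided in policy.
    $settings += @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'NoProtectedModeBanner'; Value = 1; Type = 'DWord' }
    # Citrix Receiver "Add Account" window (CTX135438, method 3): REG_SZ value 'N'.
    $dazzle = if ($is64) { 'HKLM:\SOFTWARE\Wow6432Node\Citrix\Dazzle' } else { 'HKLM:\SOFTWARE\Citrix\Dazzle' }
    $settings += @{ Path = $dazzle; Name = 'AllowAddStore'; Value = 'N'; Type = 'String' }

    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Value)")) {
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
        }
    }

    # Audit pass: read everything back so the image can be checked before sealing.
    foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Key      = $s.Path
            Name     = $s.Name
            Expected = $s.Value
            Actual   = $current
            Ok       = ("$current" -eq "$($s.Value)")
        }
    }
}

# Set-FirstRunSuppression -WhatIf     # preview
# Set-FirstRunSuppression | Format-Table -AutoSize
```

The Receiver value only takes effect after Receiver is restarted, as the KB notes, so run the audit pass again after a reboot of the image.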

Welcome to Microsoft Office 2010

To disable the Welcome to Microsoft Office 2010 prompt:

image

… load the Office 2010 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Office 2010 > Miscellaneous 

Then enable the following setting:

Suppress recommended settings dialog

image

Outlook 2010 Cached Exchange Mode

XenApp and RDS servers more often than not operate Outlook in non-cached mode so to ensure that this is disabled, load the Office 2010 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2010 > Account Settings > Exchange > Cached Exchange Mode

Then disable the following setting:

Cached Exchange Mode (File | Cached Exchange Mode)

image

Outlook 2010 Do not prompt user to create new profile

If you do not want users to be prompted with the wizard to create their Outlook profile, navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2010 > Account Settings > Exchange

Then enable the following setting:

Automatically configure profile based on Active Directory Primary SMTP address

image

Tuesday, May 19, 2015

Configuring for Google Earth Pro Direct X mode with Citrix XenDesktop 5.6

It has been a while since I’ve had to work with XenDesktop 5.6, as most of the clients I work with have upgraded to 7, but I received a request today to look into why DirectX mode did not work for a new Google Earth Pro installation.  The client told me that they followed the instructions from one of my previous blog posts:

Updated: Starting Google Earth on Citrix XenDesktop 5.6 virtual desktop prompts the message: ‘DirectX’ mode not supported
http://terenceluk.blogspot.co.uk/2014/02/updated-starting-google-earth-on-citrix.html

… but wasn’t able to get Google Earth Pro to start in Direct X mode:

‘DirectX’ mode not supported

image

The first thought that crossed my mind was that I had never actually configured the HDX Optimization Pack for Google Earth with Google Earth Pro, so the instructions in my blog post were probably incomplete.  After an hour of verifying that the d3d9.dll file had been copied into the folders for a Google Earth install, I discovered that the following folder also needs the file:

C:\Program Files (x86)\Google\Google Earth Pro\alchemy\ogles20

image

image

image

I was able to start Google Earth Pro in Direct X mode as soon as I copied the d3d9.dll file into the folder.

The version of Google Earth Pro I tested this with is 7.1.2.2041:

image
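Since the fix is a matter of getting one DLL into every folder the application loads it from, the following added example (not part of the original post) copies the pack’s d3d9.dll into every folder of the Google Earth Pro install that already holds a copy from the earlier post’s steps, plus the alchemy\ogles20 folder from this post, then verifies each copy by hash and reports who signed the file. The source path is a placeholder for wherever the Citrix pack was extracted; Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from the original post): distribute and verify the Citrix
# d3d9.dll shim across a Google Earth Pro install. $Source is a placeholder.
function Install-GoogleEarthD3d9 {
    param(
        [Parameter(Mandatory)][string]$Source,                                   # e.g. C:\Citrix\HDXGoogleEarth\d3d9.dll
        [string]$EarthRoot = "${env:ProgramFiles(x86)}\Google\Google Earth Pro"
    )
    if (-not (Test-Path -Path $Source)) { throw "Source DLL not found: $Source" }
    $reference = (Get-FileHash -Path $Source -Algorithm SHA256).Hash

    # The application loads d3d9.dll from its own folders, which makes each of
    # them a DLL search-order hijack point by design. Confirm the shim is the
    # signed Citrix file before spreading it around, and keep these folders
    # writable by administrators only.
    $sig    = Get-AuthenticodeSignature -FilePath $Source
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Folders that already carry a copy (earlier post) plus the one from this post.
    $targets  = @(Get-ChildItem -Path $EarthRoot -Recurse -Filter d3d9.dll -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty DirectoryName)
    $targets += Join-Path -Path $EarthRoot -ChildPath 'alchemy\ogles20'
    $targets  = $targets | Select-Object -Unique

    foreach ($dir in $targets) {
        if (-not (Test-Path -Path $dir)) { Write-Warning "Skipping missing folder $dir"; continue }
        $dest = Join-Path -Path $dir -ChildPath 'd3d9.dll'
        Copy-Item -Path $Source -Destination $dest -Force
        $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
        [pscustomobject]@{
            Folder    = $dir
            HashMatch = ($actual -eq $reference)
            Signer    = $signer
            SigStatus = $sig.Status
        }
    }
}

# Install-GoogleEarthD3d9 -Source 'C:\Citrix\HDXGoogleEarth\d3d9.dll' | Format-Table -AutoSize
```

Any row with HashMatch false means a copy was locked by a running Google Earth process; close the application and run it again.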