Microsoft OneDrive: There was a problem - 0x8004de46

Problem

We ran into the "Please try again in a few minutes. (Error code: 0x8004de46)" error recently when testing the OneDrive client connecting to multi-geo regions. The client was looking to connect to non-default URLs since the user's "Preferred Data Location" (PDL) was not our default region. See the error below from the OneDrive sync client. Microsoft has a KB article on this, but for us it was network related, as you'll see below.




Microsoft OneDrive - There was a problem signing you in.  Please try again in a few minutes. (Error Code: 0x8004de46)

For us, we already had all our Office 365 clients using modern authentication (i.e. those ADAL registry keys set up) and were sending their network traffic directly to the internet (not via proxy) per Microsoft recommendations. But guess what: we weren't doing that for the newer multi-geo URLs, which are xxx-my.sharepoint.com, and we found out that this traffic was going through our proxy.

Troubleshooting

To confirm this, I did a Fiddler trace of a working OneDrive client and a non-working client. In short, you can see the client attempt to create an HTTPS connection, which results in a 401 error. As you can see, the proxy was decrypting the traffic, resulting in the OneDrive client error.

Client Not Connecting

Example of the client not connecting: the client is seeing a 401, resulting in the error.


The "Issuer" is not Microsoft (Sorry I had to block it out but trust me!)



Client Connecting

Example of a client connecting properly.


And notice that the "Issuer" associated with the tunnel is Microsoft.



A side note on this: I did see references to the errors below in the Fiddler trace and saw some other solutions out there, but since this was already working for our default region I was a little suspicious that they would fix it for us.
  • MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.
  • Access denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.

Solution

Long-term you will want to allow this traffic to route directly to the internet, but in this case, to get it working, we disabled decryption on all the "my.sharepoint.com" URLs and we were back in business. Moral of the story: follow best practices for Office 365 and bypass the proxy when you can.
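A quick way to check from a client whether a given Office 365 host is being decrypted by a proxy is to look at the issuer of the certificate the client actually receives, which is what the Fiddler trace above showed. This is an added example, not code from the original post; the expected issuer organizations, the constructed sample certificates and the placeholder tenant hostname are assumptions.

```python
import socket
import ssl

# Issuer organizations accepted on a genuine Office 365 tunnel. The post only notes that
# the working client's "Issuer" is Microsoft; "DigiCert Inc" is added as an assumption
# because Microsoft has also served DigiCert-issued certificates.
EXPECTED_ISSUER_ORGS = {"Microsoft Corporation", "DigiCert Inc"}


def issuer_org(cert):
    """Return the issuer organizationName from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def is_intercepted(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """True when the certificate was not issued by an expected organization,
    i.e. a decrypting proxy re-signed the tunnel with its own CA."""
    return issuer_org(cert) not in expected_orgs


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect using the system trust store (so a proxy's internal CA is accepted,
    as on the failing client) and return the certificate the client actually saw."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape, for offline testing of the check.
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Microsoft Corporation"),),
                            (("commonName", "Example Microsoft Issuing CA"),))}
SAMPLE_PROXIED = {"issuer": ((("organizationName", "Example Corp Proxy CA"),),)}

if __name__ == "__main__":
    import sys
    # Placeholder tenant host; pass your own xxx-my.sharepoint.com name as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "contoso-my.sharepoint.com"
    cert = fetch_peer_cert(host)
    print(f"{host}: issuer={issuer_org(cert)!r} intercepted={is_intercepted(cert)}")
```

If the proxy's CA is not in the client's trust store the connection fails verification instead, which is itself a sign that something other than Microsoft is terminating the tunnel.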

Slow and Choppy Day: Using Citrix Director and HDX Insight


When you’ve been supporting remote users, you hear it all. Someone called the help desk, or worse, you.
“Not sure what it is but my vm is slow today?”
“My mouse just keeps wigging out?”
“Everyday from 3pm to 5pm it gets boggy?”
“I’m at my grandmother’s house today and nothing works.” (Yup…True story)

There are tons of great 3rd party monitoring tools out there and many would help you troubleshoot the issue. We all wish we could buy them all, but hey, we are on a budget, right! So let’s use what we have. For those that are running Citrix XenDesktop 7.x with the Platinum license, you have many of the tools and information to help your users, specifically XenDesktop Director and NetScaler HDX Insight.

Here is some key info to pass along to the Level 1 or 2 helpdesk staff.

The General Windows Stuff via Director
It is always a habit to pop open Task Manager or Resource Manager on Windows to check things out, and this is still a great place to start even in a virtual environment. The nice thing is you can do it right from Director. Check to see if something is “Not Responding”. Is something pegging the CPU? Using a ton of memory? Basic, but always a good place to start.





Session Details in Director
Do not overlook the info here. Often we jump right to the Latency and say it must be some poor connection. Often it can be…like your grandmother’s wifi she shares with all her condo friends. But the simple things like “Connected via” and “Launched via” can tell you a lot about how the user is connecting too. For example, we’ve seen users who have VPN’d in first, then connected via StoreFront to their XenDesktop vm or XenApp app. This added 100ms since they were VPN’ing in first. “Launched via” may actually show your VPN controller or some other internal server, signifying they are connecting from the “inside”, but you know they are remote. Why do they do this? Because they have always done it that way.




Machine Details via Director
I usually look at Session Details first to get a sense of the user's network conditions. Assuming they are ok…say < 250ms…based on the issue, I look at the storage. Storage has been an issue for VDI performance for a long time. Many are moving to flash arrays and this is becoming less of an issue, but it is still something to check as it can greatly contribute to a poor user experience. In the example below you can see the disk is queued up…no wonder nothing is happening.



NetScaler HDX Insight
Again, this advanced feature makes it possible to isolate and manage your ICA network performance. When users are accessing remotely, the big challenge is determining if the issue is internal or external. Remember that example where someone said every day from “3-5am” it is slow. The screenshot below isn’t flashy and at first glance is boring, but it does show that the WAN latency has been consistent over the past week. So maybe it isn’t your stuff that is causing the slowness. Internet surge? Partner’s WAN connection?




Hopefully this helps give you a sense of how to use the information in Director and HDX Insight to start that troubleshooting exercise. No tool will flat out tell you the problem. You need to look at the info and read those tea leaves a little.

Good luck.

Where can I download VMware Tools (vmtools.exe)?

I'm in the midst of updating my Citrix XenDesktop 7.5 Win 7 image and wanted to include the latest VMware Tools. They are hard to find on the VMware download site, but I came across this site....

https://packages.vmware.com/tools/esx/index.html  

Pick your ESX version and operating system and manually download away!

Citrix Desktop Studio: Found invalid data while decoding

We just added another Citrix Desktop Delivery Controller (DDC) 5.6 FP1 to our farm. But when launching Desktop Studio on the new server, the HDX policy view was blank and a refresh threw the following error:


The "Found invalid data while decoding" tipped me off that it couldn't read or render the policies from the database. Lo and behold, we didn't have the same or latest Citrix Group Policy Management installed on the new DDC. So I just closed Desktop Studio, installed it, and re-opened Desktop Studio, and there they were.

Citrix outlines it in CTX1314601 for XenApp, but it applies to XenDesktop as well. Citrix Group Policy Management comes with the latest XD install media as well.


Using Infoblox TFTP for Citrix PVS

People always say that "TFTP is anything but trivial", and if you've implemented it, you know how true this is. We have multiple Citrix XenDesktop and Provisioning Server farms and were looking for a simple, highly available solution to provide TFTP to a dozen or more vlans. Each PVS farm services 5 or more vlans and uses the solution outlined here to stream to multiple networks from one PVS server. But how do you provide the TFTP boot file to all these networks?
 
Along came Infoblox TFTP and this is how we did it:
 
Infoblox TFTP Configuration and Setup (Recommend Infoblox version 6.6.5 or higher)
  • One TFTP service in each datacenter (total of 3)
  • Globally load balance the URL using DNS Topology, which directs the client to request the boot file (ardbp32.bin) from the local TFTP server.
  • Created a virtual directory for each vlan/subnet (make sure to keep the folder name at 13 characters or less - known bug).
  • Create the ARDBP32.BIN files for each network using the Provisioning Services Console by:
    • Going to Servers > Right click on a Server > Select Configure Bootstrap > Config as needed and click Ok. 
    • Then grab the ARDBP32.BIN file from C:\ProgramData\Citrix\Provisioning Services\Tftpboot to upload to the Infoblox TFTP virtual directory. 
    • Repeat for each network.
    • Note: Another option is to rename the file and place in the root virtual directory (i.e. ARDBP32_123.BIN)
  • TFTP virtual directories replicate to other members in the Grid so you only need to upload to one virtual directory.
Infoblox DHCP Configuration and Setup (Recommend Infoblox version 6.7.3 or higher)
  • For each DHCP Scope, setup the following:
    • General > Advanced Tab > check off Ignore DHCP Client Unique Identifier (UID) when a new lease is requested if not inherited from Grid
    • IPv4 DHCP Options > Basic tab
      • Lease time should be at minimum of 1 day
    • IPv4 DHCP Options > Advanced Tab
      • Check off the Ignore optionlist requested by client and return all defined options if not inherited from Grid (Note: This resolves known issues with PVS targets having two preferred ip addresses.)
    • IPv4 BOOTP/PXE > Basic tab
      • Under BootP Settings
        • Boot File = ARDBP32.BIN (Note: This is case sensitive and needs to match the case used for the file in the TFTP virtual directory)
        • Next Server = GTM/GSLB alias/url (i.e. tftp.yourdomain.com). Note: you could simplify testing by entering an IP address of one of the Infoblox TFTP servers as well, but that won't get you HA!
    • In the Infoblox Grid Properties or Member Properties for DHCP, select the DNS Resolver tab, and then select Enable DNS Resolver. This allows DHCP to resolve the tftp.yourdomain.com alias and pass an IP address to the client in the Next Server field.

After a bunch of network traces and even a case or two, we finally have it all working - highly available TFTP for PVS! Below is an example of how it all could work.




Note: If Infoblox is not at 6.7 or higher you may see these PXE errors on boot if your virtual directories are longer than 13 characters.

PXE-T04 Request not null-terminated
PXE-E36 Error received from TFTP server
PXE-M0F: Exiting Intel PXE ROM


Citrix PVS to multiple vlans

Citrix provides basic guidance on how to multi-home your Provisioning Servers (PVS) in CTX120955. But what if you have multiple vlans for desktops that you want to stream to? Well, this is how we did it.

Environment
Citrix XenDesktop 5.6.1 
Citrix Provisioning Server 6.1
VMware ESX 4.1 U1
Cisco Nexus 7000

Network/Firewall
A few things to point out.
- All vlans were separated by the firewall.
- Used one PVS farm for all desktop vlans.
- All firewall rules were set up to allow outbound access to the DDC.

Citrix Provisioning Services (PVS) Setup
PVS Physical Server Specs
- HP DL380 (dual-core 48G RAM)
- 1G Network Team for management vlan access
- 10G Network Team for desktop vlans
- 2 x 146GB (RAID1) for OS
- 6 x 146G (RAID5) for local vDisk storage


We are using this PVS configuration for XenDesktop so...

  • the 1G team is for all PVS, DDC, SQL, AD, etc communication. 
  • the 10G team (streaming only) is set up using the HP Network Configuration Utility (NCU) with vlan tagging and has 5 desktop vlans on it. We could have just 1 vlan, but each desktop vlan is segmented by a firewall and we don't want to stream through that, which is why we trunk all the desktop vlans down to the PVS 10G ports and configure them with 802.1q so the PVS server is directly on each vlan. 

Citrix XenDesktop Setup
Each XenDesktop virtual desktop (VDA) has 1 vnic on a desktop vlan. 

TFTP Setup
There are a few options here but first we
- Had a pair of Citrix TFTP server(s) on each desktop vlan providing TFTP/PXE but...
- are moving to Infoblox TFTP services to provide this so we don't need all those TFTP servers.

It seems overly complex but is fairly straightforward and, best of all, meets the requirements for desktop segmentation and allows you to manage only 1 PVS farm.

Interested to hear how you do PVS.

PVS: An unexpected MAPI error occurred

A lovely Citrix Provisioning Services (PVS) error: "An unexpected MAPI error occurred". Fortunately, Jeff found the fix and shared it here. This is a bug in PVS 5.6.


Solution: In short, when you edit the properties of the PVS vDisk, set the disk status to Standard and select “MAK” on the Licensing tab and press OK. Now you will not receive the error. Then set it back to KMS and click OK.