Tuesday, October 03, 2006
Ctx_SmaUser Domain Account
After having finalized the implementation of a small Citrix farm for a client, and we're less than a week to go-live, I'm told I need to change the design. :( I was originally told that most users don't need to print, and if they do, it's handled automatically through the application to the printer(s) defined on the server. Great - so I disabled user printer mapping which saves some bandwidth and just makes for a simpler environment.
Changing all of that is not so difficult, however, the domain policy puts restrictions on which users can logon as a service. PS4 has a new print subsystem, where things are handled by the Citrix Print Manager Service which by default runs under the context of the local Ctx_SmaUser account. The bummer is that this local account cannot be added to group policy to be allowed to run as a service.
Fortunately, Citrix provides a good document on how to recreate the Ctx_SmaUser account, but still assumes it is a local account, not a domain account. The good news is that it works the same for a domain account, which can be added to the group policy. One added advantage is that you then have just one, centralized service account instead of local service accounts on each and every Citrix server. I was even able to remove the local Ctx_SmaUser account with no noticeable adverse effect.
Two things of note:
1) In the above article on Citrix's support site, step 5.h.iv has you changing the Change Configuration Permissions on the Citrix SMA Service DCOM object, but those permissions do not include Local Access or Remote Activation, so they can't be granted to the Power Users group. The Power Users group by default has some special permissions to Change Configuration, and it seems to be sufficient. So this is not an issue, other than in Citrix's documentation (which always frosts me - get it right, damnit!)
2) After making all of the necessary changes in the development environment, the Citrix Print Mangler Service started okay, but I saw the following errors in the Application event log:
Event Type: Error
Event Source: WSH
Event Category: None
Event ID: 1
Description:
Citrix Monitoring Script Event 2
Citrix MetaFrame Session In Down State:
WMI error checking sessions:
Received error: 0x80041001: Generic failure
[WBEM_E_FAILED]
Event Type: Error
Event Source: WSH
Event Category: None
Event ID: 1
Description:
Citrix Monitoring Script Event 2
Citrix MetaFrame Session Idle Too Long:
WMI error checking session:
Received error: 0x80041001: Generic failure
[WBEM_E_FAILED]
There were also errors in
%windir%\system32\wbem\logs\wbemess.log
at the same time with more detail, but the same 0x80041001 error (Access Denied). (NOTE: The logs have since been overwritten so I don't have the detail to share, sorry!) They did mention access denied to the root\subscription WMI namespace; I checked permissions on it and other WMI namespaces (Computer Management - Services and Applications - WMI Control, Properties - Security tab) but there was no explicit mention of the local Ctx_SmaUser account. On a hunch I added the new domain service account as a MetaFrame Administrator (view only) in the PS Console and that resolved the issue. It might be one of those instances in which that's giving the account too much access (similar to the dreaded fix, "just make it a local administrator!"), but I'm okay with it since it is only view-only access, it's a secured service account, and it's only rights to the farm, not the whole server.