Net iD Service
 

Information about Windows Server 2008 and 2008 R2 + Citrix

Updated: 2017-12-06

NOTE: Set the "Net iD Trace" service to "Manual" and stop it. There are situations where this service interferes with servers.



New packages are built with the service inactive.

Citrix

1) Summary article from Citrix on the problem area

http://support.citrix.com/article/CTX129229

LIMITED RELEASE - Hotfix XA650R01W2K8R2X64017 - For Citrix XenApp 6.5 for Windows Server 2008 R2 - English
Document ID: CTX134579
Hotfix package name: XA650R01W2K8R2X64017.MSP

Citrix article with the hotfix: http://support.citrix.com/article/CTX1345799 (requires login)

 

2) Hotfix Rollup Pack 2 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2

http://support.citrix.com/article/CTX136248

Especially look at number 2 below

Below is a copy of the "Smart Cards" section under "New Fixes and Enhancements in This Hotfix Rollup Pack"

1.
Two-factor USB token authentication for smart cards might fail with the following error message:
"System could not log you on, requested key container does not exist on smart card."

[From XA650W2K8R2X64R02][#LA3620]

2.
Improperly terminated smart card transactions can leave orphaned sessions running on the server and cause new sessions to become unresponsive during logon. Several processes (winlogon.exe, csrss.exe, and logonui.exe) keep running in the orphaned sessions.

To enable the fix, you must set the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: TransactionTimeoutEnable
Type: REG_DWORD
Value: 1 (enable)

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: TransactionTimeoutValue
Type: REG_DWORD
Value: any value more than 5 seconds

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: SendRecvTimeout
Type: REG_DWORD
Value: Minimum timeout value, in seconds; should be 30 seconds or more. Any lesser value defaults to 30 seconds. This value must be at least 10 seconds less than "TransactionTimeoutValue".

[From XA650W2K8R2X64R02][#LA0983]

3.
When using smart card authentication, sites in the Intranet zone do not prompt for credentials and fail to load if protected mode is enabled for the Intranet zone.

To enable this fix, you must set the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\SmartCard
Name: SupLowIntegrityProc
Type: REG_DWORD
Data: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: SupLowIntegrityProc
Type: REG_DWORD
Data: 1

[From XA650W2K8R2X64R02][#LA2130]

 

3) Hotfix Rollup Pack 3 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2

http://support.citrix.com/article/CTX138537

Below is a copy of the "Smart Cards" section under "New Fixes and Enhancements in This Hotfix Rollup Pack"

1.
Removing a smart card from the reader might not result in the disconnection of the session.

[From XA650W2K8R2X64R03][#LA4588]

 

4) Hotfix Rollup Pack 4 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2

Where is it....?

 

5) Hotfix Rollup Pack 5 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2

http://support.citrix.com/article/CTX141075

Below is a copy of the "Smart Cards" section under "New Fixes and Enhancements in This Hotfix Rollup Pack"

1.
After authenticating using Citrix Receiver for Linux while a smart card is present in the reader attached to the endpoint, the session can become unresponsive.

[From XA650W2K8R2X64R05][#LC0982]

2.
After logging on to a server using a smart card, the server can become unresponsive at the Welcome screen and refuse to accept new sessions.

Restarting the Smart Card Service resolves the issue and the server continues to accept new sessions.

If the fix for #LC0910 is not installed on systems do have fix #LC0983 installed, then enable the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: TransactionTimeoutEnable
Type: REG_DWORD
Value: 1 (enable)

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: TransactionTimeoutValue
Type: REG_DWORD
Value: any value more than 5 seconds

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: SendRecvTimeout
Type: REG_DWORD
Value: Minimum timeout value, in seconds; should be 30 seconds or more. Any lesser value defaults to 30 seconds. This value must be at least 10 seconds less than "TransactionTimeoutValue".

[From XA650W2K8R2X64R05][#LC0910]
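
Added example, not part of the Citrix text: a read-only PowerShell check of the three timeout values listed under Hotfix Rollup Pack 2 (item 2) and Hotfix Rollup Pack 5 (item 2). Because SendRecvTimeout is never effectively below 30 and must be at least 10 less than TransactionTimeoutValue, the stated rules together require TransactionTimeoutValue to be 40 or more. The function names are illustrative.

```powershell
# Added example (not Citrix code): read-only check of the timeout values above.
# Function names are illustrative. Timeouts are in seconds, as the page states.
$Key = 'HKLM:\SOFTWARE\Citrix\SmartCard'

function Test-SmartCardTimeouts {
    param([int]$Enable, [int]$TransactionTimeoutValue, [int]$SendRecvTimeout)
    $problems = @()
    if ($Enable -ne 1) {
        $problems += 'TransactionTimeoutEnable is not 1, so the fix is not enabled'
    }
    if ($TransactionTimeoutValue -le 5) {
        $problems += 'TransactionTimeoutValue must be more than 5 seconds'
    }
    # Anything below 30 is treated as 30, so compare with the effective value.
    $effective = [Math]::Max($SendRecvTimeout, 30)
    if ($SendRecvTimeout -lt 30) {
        $problems += "SendRecvTimeout is $SendRecvTimeout; values below 30 default to 30"
    }
    if ($effective -gt ($TransactionTimeoutValue - 10)) {
        $problems += "SendRecvTimeout (effective $effective) must be at least 10 less " +
                     "than TransactionTimeoutValue ($TransactionTimeoutValue)"
    }
    return ,$problems
}

function Get-SmartCardDword([string]$Name) {
    # A missing key or value is reported as 0 so it shows up as a problem.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$Name } else { 0 }
}

# Constructed sample values: one pair violating, one satisfying the 10-second margin.
Test-SmartCardTimeouts -Enable 1 -TransactionTimeoutValue 30 -SendRecvTimeout 30
Test-SmartCardTimeouts -Enable 1 -TransactionTimeoutValue 60 -SendRecvTimeout 30

# Values actually configured on this server.
$found = Test-SmartCardTimeouts `
    -Enable (Get-SmartCardDword 'TransactionTimeoutEnable') `
    -TransactionTimeoutValue (Get-SmartCardDword 'TransactionTimeoutValue') `
    -SendRecvTimeout (Get-SmartCardDword 'SendRecvTimeout')
if ($found.Count -eq 0) { 'Citrix smart card timeouts: OK' } else { $found }
```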

 

Microsoft

1) Forget Windows Server 2008. There is a hotfix, but it solves only one of several problems. The R2 version is the one to use.

"No backports to W2k8 available for either 2424375, 2301288 or 2383938 – all 3 issues that have been fixed in W2k8 R2 most likely also exist on W2k8."

2) Make sure you have SP1 for R2 installed

3) Install hotfix 2775511
KB article: http://support.microsoft.com/kb/2775511/en-us

4) Install hotfix 2424375
http://support.microsoft.com/kb/2424375

5) Set the registry value "FilterCSPCardCacheByTSSessionConnectTime" to 1 as described in KB 949538.
http://support.microsoft.com/kb/949538
NOTE: Do NOT install the hotfix provided in 949538; only make the registry change.

6) Do not forget to turn off Windows' built-in certificate propagation. If you want both belt and braces, set the GPO and also disable the service. Net iD's CertMover handles this instead. More information about certificate propagation here.

7) "Interactive Logon: Smart card removal behavior" Group Policy setting doesn't work as expected in Windows 7 SP1 or Windows Server 2008 R2 SP1
http://support.microsoft.com/kb/2833914
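
Added example, not Microsoft or Net iD code: a read-only PowerShell audit of steps 2 to 6 above and of the "Net iD Trace" note at the top of the page, written to run on the PowerShell 2.0 that ships with Windows Server 2008 R2. It assumes the service display name is exactly "Net iD Trace"; the registry value in step 5 is not checked because its path is given in KB 949538, not on this page.

```powershell
# Added example (not vendor code): read-only audit of the checklist above.
$report = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:report += New-Object PSObject -Property @{
        Check = $Check; OK = $Ok; Detail = $Detail }
}
function Get-Svc([string]$Filter) {
    # Win32_Service exposes StartMode, which Get-Service lacks on PowerShell 2.0.
    Get-WmiObject Win32_Service -Filter $Filter
}

# Step 2: Windows Server 2008 R2 reports version 6.1.x; SP1 is service pack 1.
$os = Get-WmiObject Win32_OperatingSystem
Add-Result 'R2 with SP1' (($os.Version -like '6.1.*') -and
    ($os.ServicePackMajorVersion -ge 1)) "$($os.Caption) $($os.CSDVersion)"

# Steps 3 and 4: hotfixes that should be present.
foreach ($kb in 'KB2775511', 'KB2424375') {
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    Add-Result "Hotfix $kb installed" ([bool]$hit) ''
}
# Step 5: the hotfix from KB 949538 should NOT be installed (registry change only).
$bad = Get-HotFix -Id 'KB949538' -ErrorAction SilentlyContinue
Add-Result 'Hotfix KB949538 absent' (-not $bad) ''

# Step 6: built-in certificate propagation service (CertPropSvc) turned off.
$cp = Get-Svc "Name='CertPropSvc'"
Add-Result 'CertPropSvc disabled and stopped' (($cp.StartMode -eq 'Disabled') -and
    ($cp.State -eq 'Stopped')) "$($cp.StartMode)/$($cp.State)"

# Note at the top of the page: "Net iD Trace" set to Manual and stopped.
# Assumption: the service display name is exactly "Net iD Trace".
$tr = Get-Svc "DisplayName='Net iD Trace'"
if ($tr) {
    Add-Result 'Net iD Trace manual and stopped' (($tr.StartMode -eq 'Manual') -and
        ($tr.State -eq 'Stopped')) "$($tr.StartMode)/$($tr.State)"
} else { Add-Result 'Net iD Trace manual and stopped' $true 'service not found' }

$report | Select-Object Check, OK, Detail | Format-Table -AutoSize
```

Get-HotFix lists only updates recorded under that KB id, so a fix delivered through a later rollup shows as missing and needs a manual look.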

Link to blog entry where Microsoft summarized this:
http://blogs.technet.com/b/instan/archive/2011/03/24/smartcard-redirection-diaries.aspx
Feel free to share this blog entry with customers, it’s as official as a blog entry can get but it’s ultimately just a collection wrapper around the 4 official KB articles that explains how they are connected as all are touching on things related to what we have been working on in this case.