When attempting to view the active users on my Citrix servers I receive the message “There are no items to display”. This is my new Citrix 4.5 farm and this feature works in our old 3.0 farm and is relied upon quite a bit for locating users and such. A bit of googling turned up nothing, other people have seen the problem, but nobody knows the resolution.
A bit of testing and I realized that my test system (which has lots of non-standard stuff on it and configured) does list the active users, so the UI can show active users, but the other systems aren’t working. So what’s different on my test box:
· 32 vs. 64 bit – my test system is 32bit, and some of the problem systems are also
· hotfix level – same on all systems
· system used in discovery – executing discovery locally on a problematic server still fails to list active users
· installed components – I updated a system to have all the same components
· license level – I changed the license levels to Enterprise on both, same issue
· zone name – both are in the same zone
· OS version – both are W2k3 SP2
· Connectivity to the data collector – I can successfully telnet to port 2512 on the DC from all systems
No differences appear to be identifying the issue. I contacted our vendor who put me in contact with a Citrix rep and we tried a few more things: various qfarm commands, some cleaning of the datastore, moving a server into its own farm, etc… Nothing seemed to resolve the issue.
Finally we deleted and recreated the ICA listener and the connections started showing, something in the ICA config was broken and since most of these servers were built from an image they all had the same problem. I started researching the differences between the working ICA listeners and the broken ones and noticed that the security was different. On the working listeners, the Local Service and Network Service accounts had Query and Message rights, and the broken listeners didn’t have any rights.
I added the two users with rights to the ICA listener on a broken system and logged off. In the AMC I looked for Sessions and the ICA-Tcp session appears, logged back onto the server and my name appears. A little more research shows that the RDP listener was failing due the same issue, resetting the security on it allows the sessions and users to be displayed
Before:Changes made to both services on both listeners:After change: