Summary
This document describes Citrix ICA shadowing and provides troubleshooting information as well as links to related information.
General Configuration
Note: For XenApp 4.5 and later the Citrix Connection Configuration tool is no longer available. It has been replaced by the ICA-tcp entry in TS Config.
Click link for more information – http://support.citrix.com/proddocs/index.jsp?topic=/xenapp5fp-w2k3/ps-sessions-slct-conn-set-v2.html
To configure ICA shadowing, follow the steps below:
1. Go to Citrix Connection Configuration on each server (to enable cross-server shadowing) in the farm.
2. Highlight the connection type you are working with.
3. Click security > permissions.
4. Add a user or group.
5. Highlight the user or group you added in the previous step.
6. Click advanced.
7. Double-click the user or group/ or click view > edit.
8. Add the permission to shadow.
9. Select one of the methods below that you want the users to shadow with:
Connect to or publish Wshadow.exe for the shadow taskbar.
CTX101986 – Shadow taskbar does not connect to the proper session
Connect to or publish Mfadmin.exe for the Citrix Server Administrator Tool for MetaFrame 1.8 servers.
Connect with or publish the Citrix Management Console for Presentation servers.
For custom administrators, see CTX109578 – Shadow Button is Unavailable for Custom Administrators.
When attempting to shadow using the Citrix Management Console from MetaFrame XP Feature Release 2 from a Windows 2000 Service Pack 2 Pro Workstation after changing the Feature Release 2 server ICA port number, the shadower receives the following error message:
“The Citrix server is not accepting connections.”
The Citrix Management Console for MetaFrame XP Feature Release 3 addresses this issue.
MetaFrame XP Feature Release 2 and later allows granular policies, through the Citrix Management Console, to control shadowing. Shadowing must enabled on each Citrix server involved during installation.
CTX787589 – Shadow Options are Unavailable in the ICA Listener or Presentation Server Console
MetaFrame XP Feature Release 2 or Later User Collaboration
When creating a shadow policy in the Citrix Management Console. The policy must be defined and enabled. The policy details are written to the data store. The policy is assigned to a user.
CTX101677 – Shadow policies with a priority higher than 2 are ignored.
Notes:
The shadower is given permission to shadow in the Assign Shadowing Permissions.
The shadowee is added by right-clicking the policy and then clicking Assign Users.
When the shadower logs on to the Presentation Server, the data store is queried to see if a policy for that user exists. The policy is then loaded on the MetaFrame server in the registry under:
HKEY_LOCAL_MACHINESOFTWARECitrixpolicy
and also under:
HKEY_CURRENT_USERSoftwareCitrix
For the shadowee, only an empty numbered folder is loaded under HKEY_LOCAL_MACHINESOFTWARECitrixpolicy. The policy shows only in the registry of the server in the farm where the user is logged on. When the user logs off, the policy unloads from the server and is no longer in the registry. Disconnected sessions also hold the policy in the registry.
If the user does not have shadowing rights granted in a policy, they will receive the following error message:
"Shadow failed. Error Code 5 – Access is denied."
CTX101886 – Error: Shadow failed. Error code 5 when using Citrix Management Console Policies
CTX103473 – Error 5 – Access Denied …when Shadowing
CTX106677 – Userdump.exe May Affect Certain Virtual Channels for Non-administrator User Accounts
CTX106138 – Error: Shadow Failed. Error code 6
Functionality Explanation
Enumeration
The Shadow Taskbar in MetaFrame 1.8 may not enumerate users across domains.
Launch the client installed on the console back to the server (loopback) and then shadow sessions through MetaFrame Administration.
CTX101780 – Shadow Taskbar enumerates all users when using restictive shadow policies
CTX704096 – Shadow Taskbar Fails to Enumerate Users and Buttons are Unavailable
CTX104873 – Differences In Shadow Behavior With the Shadow Taskbar and the Management Console
From Hotfix XE102W064:
Users who had shadowing rights to specific users could view all users when using the shadowing taskbar. With the installation of this hotfix, users can view only those users for whom they have shadowing rights.
From XE104W2K3R01:
Enumerating users from the shadow taskbar failed for sessions with session IDs greater than 255. This occurred because the session IDs were being truncated to a single byte.
From Hotfix MPSE300W2K3R02
Users were sometimes unable to shadow other users and they were unable to enumerate the necessary objects from the Shadow Taskbar (wshadow.exe). This fix corrects the issue and also introduces the following functionality change:
By default, only local and Citrix administrators can enumerate the Applications node. To enable other users to enumerate the node, you must create the following registry key:
HKEY_LOCAL_MACHINESOFTWARECitrixIMA
Name: EnableAppEnumForUsers
Type: REG_DWORD
Data: 0 (Disable) or 1 (Enable)
You must restart the IMA Service for the registry change to take effect.
Connection
The Shadow Taskbar and Citrix Management Console dynamically generate an ICA file to accommodate user shadowing. Using either utility, an administrator or user picks a user to shadow. The selected utility then generates an ICA file in the administrator’s or user’s <TEMP>shadowdirectory.
Note: If the file cannot be located, search the server drive for *.ica. Ensure the folder options for the drive are configured for the viewing of hidden files and folders.
The ICA file is launched by the ICA Client on the server (see More Information). When shadowing is stopped, the ICA file is deleted, and as the ICA connection logs off, its temporary directory is deleted also. Each shadow session uses a separate ICA connection.
Refer to the following:
CTX106559 – Application Error Caused by cshadow.exe
Note: Citrix Server Administration, MFAdmin.exe, and Terminal Server Administration, TSAdmin.exe, do not behave in the above manner.
Note: Shadowing with the Presentation Server Console requires that the Client be installed on the server or workstation.
Example:
The generated ICA file resembles the following:
[WFCl
ient]
Version=2
[ApplicationServers]
username,ServerName,3=
[username,ServerName,3]
Address=x.x.x.x
ICAPortNumber=1494
InitialProgram=%SystemRoot%system32CSHADOW (Note the Executable)
3 /MB /SERVER:SERVERNAME
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
Username=username
Domain=DOMAINNAME
Password=000a7987248e90874cd680
DesiredVRES=640
DesiredHRES=480
DesiredColor=2
The taskbar obtains the session ID of each user and inserts an initial program parameter into the rendered ICA file that shadows the appropriate session ID.
Cross-Server Shadowing
Even when permissions are set to disallow shadowing on a particular server, users can still shadow any user on another server using the Citrix Server Administration utility, MFAdmin.exe. In addition, configuring a MetaFrame XP Feature Release 2 policy to prohibit cross-server shadowing from the Citrix Management Console fails to produce the desired results.
These issues were resolved by Microsoft in TechNet Article 281951. This is now part of Service Pack 3 for Windows 2000.
CTX741852 – Error: "7050 – Shadow Failed" When Attempting to Shadow a User From the Citrix Management Console
CTX103508 – Cross Server Shadowing may not function
From Hotfix XE103W2K036/XE103W2K064:
Users on a MetaFrame server with Citrix Feature Release 3 installed could not shadow sessions on a MetaFrame server with Feature Release 2 installed.
A problem was found in the way the IMA Service in Feature Release 3 queried the Feature Release 2 server for its ICA port number, which is needed to make the shadowing connection.
The IMA Service in Feature Release 3 now correctly reads the ICA port number from a server with Feature Release 2 installed.
From Hotfix XE103W2K056:
An administrator on a Feature Release 3 server could not enumerate users on a Feature Release 2 server from the shadow taskbar. An empty list was returned.
With this fix, the administrator is able to enumerate the users on a Feature Release 2 server when he is using the shadow taskbar on a Feature Release 3 server.
Note: For this fix to work, you must install Hotfix XE102W2K081 or replacement on your MetaFrame XP Version 1.0 Feature Release 2 server(s).
General Troubleshooting
The Remote Desktop Protocol (RDP) through Terminal Server Administration (TSAdmin.exe) can shadow another RDP session. Citrix Technical Support may ask customers to test with the same users, shadowee, and shadower, and to/from the same server(s) that that shadowee and shadower are connected to. This should eliminate or expose any possible configuration or Operating System issues.
Citrix Technical Support may ask customers to troubleshoot with the different ICA shadowing methods to help isolate the issue.
Generally speaking, an administrator, by default, never has issues shadowing other sessions.
These issues are known as of MetaFrame 1.8 SP4 and MetaFrame XP FR3. Check the Citrix Knowledgebase for any updates or new articles that may pertain to an issue that may be occurring.
CTX787589 – Shadow Options are Unavailable in the ICA Listener or Presentation Server Console
CTX106450 – Shadow Indicator Window Does Not Appear in a Shadowed Session
CTX101630 – How to configure shadowing options for an unattended install
When Attempting to Shadow, the Screen Flashes, but the Shadow Does not Occur and no Error Message is Displayed.
In Windows 2000, if the video resolution that is being shadowed is higher than the local one of the shadower, the shadow component incorrectly returns a success instead of a failure, do the following:
1. See Microsoft article 312560
2. Synchronize the video resolutions between the shadowee and the shadower.
3. Check the server event viewer of the shadowee for 1004 licensing errors and provide sufficient rights to the MSLicensing key on the server of the shadower as outlined in CTX564283 – Troubleshooting 1003 and 1004 Terminal Server Licensing Errors.
CTX134162 – Shadow Taskbar Dispalys a Help Message for Wfica32.exe
CTX182496 – Error: " Error 59, Error 10047, Error 10022, Error 7044 or 7045 " When Attempting to Shadow
CTX102637 – Shadow failed. Error Code 231: All pipe instances are busy
CTX102801 – Error: Missing Connection Section when using the Shadow Taskbar
CTX102626 – Error 7025 shadow failed. An attempt has been made to connect to a session whose video mode is not supported by the current client.
CTX625261 – Error: The password is incorrect. Please Retype your password. when Shadowing with NTLM Authentication Enabled
CTX268798 – Shadowing Does not Work when Using the Web Console After the ICA Port Is Changed.
CTX102801 – Error: Missing Connection Section when using the Shadow Taskbar
CTX607275 – Error: You do not have the proper encryption level to access this session..When using the Shadow Taskbar
CTX118253 – Case Study – Slow Session Shadowing Performance
When shadowing a session using the Shadow toolbar and Flattemp is enabled on NT Terminal Server 4.0, the Temp directory is deleted. This behavior is by design.
There are three solutions to this issue:
1. Do not use Flattemp.
2. Use MFAdmin.exe, Citrix Server Administration.
3. Make the registry change described in Microsoft TechNet 243215
To avoid deleting the Temp directory at logoff, set the value DeleteTempDirsOnExit in the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminalServer to 0 (zero). The default is 1.
Whenever a user logs off, their Temp directory is deleted. When Flattemp is enabled, every user shares the same temporary directory; for example, C:Temp, UNLESS a path is specified to another location.
This document applies to:
- MetaFrame 1.8
- MetaFrame Presentation Server 3.0 for Microsoft Windows 2000
- MetaFrame Presentation Server 3.0 for Microsoft Windows 2003
- MetaFrame XP 1.0 for Microsoft NT 4.0 Server Terminal Server Edition
- MetaFrame XP 1.0 for Microsoft Windows 2000
- MetaFrame XP 1.0 for Microsoft Windows 2003
- Presentation Server 4.0 for Microsoft Windows 2000
- Presentation Server 4.0 for Microsoft Windows 2003
- Presentation Server 4.0 x64 Edition
- Presentation Server 4.5 for Windows Server 2003
- Presentation Server 4.5 for Windows Server 2003 x64 Edition
- XenApp 5.0 for Windows Server 2003 x86
