greenwin

User locked-out when attempting to print through Citrix

We experience intermittent user lock-outs (domain policy - lock-out after 5 incorrect attempts) after a user attempts to print something through Citrix.

To replicate the event, a user launches a published application (any app - Word, Lotus Notes, Excel, etc), attempts to print and from the printer dialogue box, notices that not all printers have been mapped.  If the user's ID properties are viewed in AD Users & Computers, the account is locked-out.

The intermittent lock-out has been occurring for a long time, with the thought being an NT PDC/BDC sync'ing issue.  We have since upgraded the entire environment as follows: Citrix Presentation Server 4.0 environment (upgraded from Citrix XPe) running on two Windows 2003 servers, behind a firewall, accessible via Citrix Securegateway 3.0 in the DMZ with Windows 2000 DC's.  

This affects users with local printers (remote sites) using local IDs for their machine and logging into Citrix via their Domain ID as well as domain users (logging into Citrix from their head-office machine - i.e. on same network as the Citrix servers).  Most users are running Presentation Server Client v9 though there are some v8 clients.  Issue affects all users.

And further info ...

Encounter CPSVC.exe (Citrix Print Manager) errors occasionally on the Citrix servers. Service is restarted.

When attempting to view printer properties of session printers, an error message is encountered: You do not have access to this printer -> Reviewed all the ID rights for CtxSmaUser (as per Citrix Knowledge Base article: CTX106393) and everything appears to have been setup correctly by the system at installation.

We have deleted user profiles on the Citrix server in case there was cached password info -> No effect.

In the Security Event Log on the DC, Event ID 529 / Logon/Logoff is logged 5 times:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      JoeUser
       Domain:            MyDomain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      MyCITRIX1

And after lock out Event ID 539 / Logon/Logoff is logged numerous times.

Logon Failure:
       Reason:            Account locked out
       User Name:      JoeUser
       Domain:      MyDomain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      MyCITRIX1

Issue is incredibly frustrating (for all involved) and any suggestions would be most appreciated.  Thank you!
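
The event pattern described in the question (five Event ID 529 failures followed by repeated 539s, all naming the Citrix server as the workstation) can be summarised from an exported Security log to confirm which machine is generating the bad attempts. This is an added example, not part of the original post; the "Event ID:" line and the text export layout are assumptions, and JaneUser and WKSTN07 are constructed sample values.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$")

def make_event(event_id, reason, user, workstation):
    # Constructed record laid out like the event descriptions quoted in the post.
    return (f"Event ID: {event_id}\nLogon Failure:\n\tReason:\t\t{reason}\n"
            f"\tUser Name:\t{user}\n\tDomain:\t\tMyDomain\n\tLogon Type:\t3\n"
            f"\tLogon Process:\tNtLmSsp\n\tAuthentication Package:\tNTLM\n"
            f"\tWorkstation Name:\t{workstation}\n")

BAD = "Unknown user name or bad password"
# Constructed sample: JaneUser and WKSTN07 are made-up values.
SAMPLE = (make_event(529, BAD, "JoeUser", "MyCITRIX1") * 5
          + make_event(539, "Account locked out", "JoeUser", "MyCITRIX1") * 3
          + make_event(529, BAD, "JaneUser", "WKSTN07"))

def parse_events(text):
    """Split the export into one dict per event, keyed by field name."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # header lines such as "Logon Failure:" carry no value
        key, value = m.group(1).strip(), m.group(2)
        if key == "Event ID":
            current = {"Event ID": int(value)}
            events.append(current)
        elif current is not None:
            current[key] = value
    return events

def lockout_report(events, threshold=5):
    """Accounts with >= threshold bad-password events, grouped by source machine."""
    bad, locked = {}, Counter()
    for ev in events:
        account = f'{ev.get("Domain")}\\{ev.get("User Name")}'
        if ev["Event ID"] == 529:
            bad.setdefault(account, Counter())[ev.get("Workstation Name")] += 1
        elif ev["Event ID"] == 539:
            locked[account] += 1
    return {acct: {"sources": dict(src), "top_source": src.most_common(1)[0][0],
                   "attempts_after_lockout": locked[acct]}
            for acct, src in bad.items() if sum(src.values()) >= threshold}

if __name__ == "__main__":
    for account, info in lockout_report(parse_events(SAMPLE)).items():
        print(account, info)
```

The default threshold of 5 mirrors the lock-out policy stated in the question; an account whose failures all come from one server, as here, points at a process on that server rather than at the user typing a wrong password.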
gsgi

>To replicate the event, a user launches a published application (any app - Word, Lotus Notes, Excel, etc), attempts to print and from the printer dialogue box, notices that
>not all printers have been mapped.  If the user's ID properties are viewed in AD Users & Computers, the account is locked-out.

The reason that the entire list is missing may be that Citrix hasn't created them yet, or that it is tripping over a weird printer driver like the Peachtree fax driver.

Are these users power users?

Are the workstations XP?  See threads on autodisconnect of shares...  it seems as if (and if this is obvious I apologize) that the credential log in to print fails and retries enough times to cause a lock out.

-gsgi
greenwin

ASKER

There are some non-straightforward printers but with my remote sites (also experiencing issues), they are using vanilla-flavoured printers (HP Deskjets, Laserjets, etc).  And since Citrix is running on W2003, the client kernel-mode drivers are blocked and the appropriate Citrix UPD is used.  

It's just so random ... I have disabled a Policy in Citrix Pres Server 4 Mgmt Console which seems to have helped (though it was just configured to map all user printers and not much else).

The users aren't power users.

Workstations are varied W2K to XP Pro.

I couldn't follow your thought on autodisconnect, specifically > the credential log in to print fails and retries enough times to cause a lock out.

"Credential login"?  - Credentials established during authentication specific to printing?

Found in my log that CPSVC.exe has errored out again:

Category (100) Event ID 1000
Faulting application CpSvc.exe, version 4.0.2198.1, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x00007917.

I am reviewing Citrix article CTX107137 to see if anything jumps out.

Thanks,
Cam
Now, I think it is a permissions problem.  Can you see which users have permissions to the printer (or printer driver)?

The autodisconnect thing is that shares in 2003 go away after x minutes of idle network activity, then reauthentication, to in your case print, apparently can be a nightmare.  The simple way to check this is to make some bat file or program maintain a constant connection to a server share (save and read a file once a minute) ... but I see no posts anywhere involving this line of thinking, so let's table it for a minute or two and look elsewhere for the problem.  Along this line though, your DNS settings would be the first thing we might suspect ... in 2003 vs NT, DNS is a whole new ballgame!  The DNS server IP MUST be set to a DC machine on all clients, including the 2003 server - the DNS servers owned by the ISP go in as DNS forwards.

It seems to have been a NT TSE problem solved by sp6a - but you are past that point now. http://support.microsoft.com/kb/194812/EN-US/

This is what I found googling:
-----------------
Symptoms: when you try to print or open the Properties of a networking printer, you may receive these messages:

"You do not have access to this printer. Only the security tab will be displayed"

“You do not have permission to view or edit the current permission settings for printername on servername, but you can take ownership or change auditing settings”

“Printer properties cannot be displayed. The print spooler is not running”

Causes:

1. You just changed a domain computer’s name.

2. You are using XP Home to connect to a networking printer in a domain.

3. You just changed the password.

4. You just installed software like pcAnywhere.

You receive these messages because all of the above make the computer lose the cached credentials, or no cached credentials are created.

Resolutions:

1. Make sure you have synchronized your current password with the domain or remote computer.

2. Re-create cached credentials by using the net use command line.

3. Re-add the printer with your username and password.
--------------------

OR

Do you think ntdll.dll is ok?
You could try a sfc /scannow from the cmd prompt
----
 Accepted Answer from Kenneniah
Date: 08/04/2004 12:57PM PDT
Grade: A

When you do a full service pack install, Windows XP stores the files in C:\WINDOWS\ServicePackFiles, but unfortunately when only installed in hotfixes (such as in your case) Windows does not keep a copy of those files in a separate location. You might be able to find the newer file in "C:\WINDOWS\system32\dllcache" however. If not, the best thing to try in that situation is to uninstall the hotfixes, and then if desired reinstall them. If you are interested in only uninstalling the one that changed ntdll.dll, do a search for ntdll.dll in the Windows directory and it should find it in something like C:\WINDOWS\$NtUninstallQ815021$. In order to find this folder and the dllcache folder you need to make sure "Display the contents of system folders" is checked, "Show hidden files and folders" is selected, and "Hide protected operating system files" is unchecked in the Folder Options view tab.
-----
Oh, I made a comprehensive list of printing troubleshooting on Citrix ... obviously this is not targeted to your question per se, but it is a good reference and list of things to check...  https://www.experts-exchange.com/questions/21535918/Citrix-not-autocreating-printers-suddenly.html
THANKS gsgi for all the information you've provided.  The issue seems to be a moving target and I'm wondering if I should close this posting and start a new one - Thoughts after reading my comments?

Since disabling the Citrix Policy, user lockout appears to have ceased.  Will have to investigate the specific policy setting that's causing the issue when my users aren't actively using the system.  Might be a Citrix policy / GPO conflict.

So this lockout issue appears to have gone away.  

There is still something going on because every now and again CPSVC (Citrix Print Management Service) stops unexpectedly, citing a fault with ntdll.dll and once with msvcrt.dll.  When CPSVC stops (though set to restart) users cannot logon, with the logon process appearing hung at "Running logon scripts..."  I have not been able to correlate the stopping of CPSVC with another simultaneous event (i.e. maybe the same user logging on when CPSVC chokes).

As to your points, the mappings hopefully aren't the issue and locking-out the user, since any mappings are created when they log in (I did turf profiles to get rid of any caching to see if that was the issue) and none of the mappings are persistent.

SFC - Ran successfully without any errors.

DNS - There WAS one config issue ... Secondary DNS server had the last octet of the IP address wrong (11 instead of 12) ... But it does use DNS on the DC's.  All records (forward and reverse) exist and are fully resolvable.

Where it stands now is I have the CPSVC to restart on first and second failures ... And on subsequent failures it will run a CMD file to 1) restart the service and 2) send me an e-mail / page notifying me the service had to restart.

This at least will give me some breathing room until I can clearly establish what's happening or uncover further information.  Problem is, I don't know how many people are running Presentation Server 4.0 at this point.

I will be picking apart our environment this weekend.
ASKER CERTIFIED SOLUTION
gsgi

This solution is only available to members.
Thanks gsgi - I think that's my recourse at this point.  I had already seen the links you noted (thank you!) and in my case, neither were helpful.

I will probably speak with Citrix next week, after using the weekend to gather the fortitude required.
Ok, let's go back to basics for a 2nd.  Drivers on the Citrix server are NATIVE to 2003 server (no installed HP, Lexmark, crappy printer drivers)
And do you see any failure to create printer driver x in the event log...
Can you correlate the crash to a print event of a particular user, printer, print job, length of job (k bytes)?

How many printers are on print servers, how many lpt cables to client computers, how many usb?

-gsgi


Sorry for late response - Been extremely busy.

Looks like issues may be (mostly) resolved.

- Created a new Citrix policy
- Made sure Citrix UPD was used by default and NOT clients' native printer drivers.
- Do not connect direct to network printers, but connect through client.

Users running CPS Client v9 - No issue (as expected) and others being upgraded asap to the new client.

CPSVC is still choking on occasion but seems to be with old ICA clients (and the clients are being addressed so this should disappear).

Thanks for all your assistance.