Marisa Stevenson

asked on

Security Log Randomly omits login entries on Citrix server

The Windows Security log randomly omits login attempts to our Citrix server.  

We run a batch job that tracks user logins on our Citrix server (Windows 2008 Server OS) using the Auditlog.exe command:

DEL C:\CTXLOGON\CITRIXLOGON.LOG
AUDITLOG.EXE /WRITE:C:\CTXLOGON\CITRIXLOGON.LOG /AFTER:3/31/2011

After noticing some logins weren't logged, I checked the Security log via Event Viewer, and confirmed the user was not in the Security log.  I watched this user log in to the Citrix server and invoke Word, so I know a successful login attempt occurred.  This seems to occur randomly.
Carl Webster

Are they connecting directly to this server or via web interface?
Marisa Stevenson

ASKER

They are connecting directly.  We also have a remote Citrix server we use for failover, though we had not failed over during this time.  However, it's possible access was routed via the remote server due to load balancing - had not considered that when I posed this question.  I'm going to check whether Event Viewer on the remote server has logged the entries.  If you have other thoughts, please share.  Otherwise I will update (and possibly close) this post once I've checked the other server.
If they connect directly to the server, load balancing does not come into play.  Is there only this one XenApp server plus the remote one for failover?  

When you say they connect direct, are they connecting via RDC to the server's desktop, are you using a custom ICA file, are you using Program Neighborhood?
ASKER CERTIFIED SOLUTION
Marisa Stevenson
This solution is only available to members.
It all depends on how your users connect to servers.  The way it is supposed to work is:

1. Connect to web interface
2. User enters login credentials
3. Web interface passes credentials to the XML Broker who passes them on to a DC
4. DC validates credentials
5. If invalid, login failed msg is displayed
6. If valid, XML Broker talks to zone data collector (usually one and the same server) and retrieves the list of applications and desktops for that user
7. Web Interface then displays a customized WI
8. User clicks an icon
9. WI goes back to ZDC (and depending on version of PS/XA and HRP level) and will either see if the user has a session on a server and, if so, connect to that session to run the app, and if the user has no existing session, then will ask for the Least Busy Server and run the app from that server.
I am amazed at your level of knowledge.  Thanks so very much for your help.
Nothing to be amazed about.  I'm just little ol' me. :)
Appears the remote Citrix server is also trapping logins, perhaps due to load balancing.
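
Because the missing entries turned out to be recorded on the remote Citrix server, a login audit has to read the Security log of every server that can host the session. The PowerShell below is an added example, not part of the original thread: it pulls logon events (ID 4624) from each server and merges them into one timeline. The server names, the output file name and the logon-type filter are assumptions, and it is assumed to run from an admin workstation with PowerShell 2.0 or later and rights to read the remote Security logs.

```powershell
# Added example: collect logon events (ID 4624) from every server that can host
# the session, so a login that landed on the other server is not missed.
$Servers = 'CTX-PRIMARY', 'CTX-REMOTE'   # hypothetical server names, replace with your own
$After   = Get-Date '2011-03-31'         # same cut-off date as the batch job in the question
$Types   = 2, 10                         # assumption: interactive and remote-interactive logons

function Get-FarmLogon {
    param([string[]]$ComputerName, [datetime]$StartTime, [int[]]$LogonType)

    foreach ($server in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
        try {
            $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Unreachable server or no matching events: report it instead of skipping silently
            Write-Warning "${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($evt in $events) {
            # Read the event fields by name from the event XML rather than by position
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($LogonType -notcontains [int]$data['LogonType']) { continue }
            New-Object PSObject -Property @{
                Server    = $server
                Time      = $evt.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = [int]$data['LogonType']
                SourceIP  = $data['IpAddress']
            }
        }
    }
}

# One merged, time-ordered view across both servers (output file name is hypothetical)
Get-FarmLogon -ComputerName $Servers -StartTime $After -LogonType $Types |
    Sort-Object Time |
    Select-Object Time, Server, User, LogonType, SourceIP |
    Export-Csv -Path C:\CTXLOGON\FARMLOGON.CSV -NoTypeInformation
```

The Server column shows which machine actually recorded each logon, which is the detail a single-server log export hides.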