Channel: Remote Desktop Services (Terminal Services) Forum

Remote Desktop causes a licensing protocol error for user-initiated connections to RDS servers, but not to non-RDS servers


Situation:

A Citrix farm with a number of servers that are all started from the same basic image through provisioning. This image contains Windows Server 2008 R2, fully patched, with XenApp 6.5 installed. Next to this is a separate Citrix farm that contains a test-environment for applications.

Issue:

User starts MSTSC (Remote Desktop) as an application on Citrix, and tries to connect to various other servers.

- RDP shows a licensing protocol error on connecting to a Citrix server
- RDP connects without any problems to a non-Citrix server

Details:

The remote user logs in through the internet and starts the remote desktop application which has been published for him. Upon starting the application however, and filling in the name of the server you want to connect to, the application pops up a second 'logon screen' to provide apparently some passthrough credentials to the Remote Desktop application. When re-entering the data for the user, the connection seems to be made but ends in an error: 'The remote computer disconnected the session because of an error in the licensing protocol.' This happens, regardless of the credentials I use here, even if I use Admin equivalent credentials.

This error seems to point at problems with the registry, specifically the HKLM\Software\Microsoft\MSLicensing and HKLM\SOFTWARE\Wow6432Node\Microsoft\MSLicensing keys. Since we're using an image, these keys are inherently empty, and should be filled with the appropriate license as logons occur. They have been provided with the correct set of permissions that are applicable to this key (i.e. the Users-group is also allowed 'full control' here).

I've looked at the permissions on these keys, and while the Users group (which contains all domain users, including the user I'm testing with) has full access to the 2nd entry, the first one shows the Users only to have 'read only' rights to the key. This is strange, because verification in the base-image shows this to be 'full control' as well. Even worse, also checking the GPOs that are unleashed on these machines again show specifically that the Users should have 'full control'.

After altering this back manually, and then going back to the remote user, logging in and again failing this login, I found that the 'full control' option I granted has been removed from the MSLicensing key. I have since found this only happens if a user tries to start a remote desktop session. So if the user does not try to run a remote desktop session the permissions remain as-is. This explains why the users only have 'read only' rights, but doesn't explain why this occurs.

After browsing around trying to find any hint of this problem and coming up empty, I was still expecting that there might be something with the client and alterations it makes to the local registry. So just to test that scenario, I've tried just connecting it to one of our domain controllers... which went through without a hitch (after just popping a screen up asking me if I wanted to allow access to this computer). Also a mailserver would just allow me to gain access to the login screen through Remote Desktop. Same with an application and a database server. What's weird though, is that a connection was made, but nothing was placed under the MSLicensing keys, and no permission alterations were made.

So I then tried connecting as the user to one of the other Citrix servers in the same farm as the Citrix server that has the application started. Which failed in exactly the same way as the connect to a server in a different farm. Even more strange is that there was no alteration in the permissions on the registry keys after trying this connect.

Even though the user has indirect membership (through a group) of the 'Remote Desktop Users' group of a server I try to remotely control, even adding the user directly to make sure he has access to gain access to the server does not yield a difference in behavior.

In short:

As a user:

* Connecting to a Citrix server in the same farm with Remote Desktop requests some extra Windows credentials, and doesn't connect.
* Connecting to a Citrix server in a different farm with Remote Desktop requests some extra Windows credentials, and doesn't connect, and seems to change the registry permissions on HKLM\Software\Microsoft\MSLicensing to read-only for Users.
* Connecting to a non-Citrix server works without problems, and without asking for extra Windows credentials.

As a locally logged on Admin on the desktop of the same Citrix server the user is using:

* Connecting to a Citrix server in the same farm with Remote Desktop connects.
* Connecting to a Citrix server in a different farm with Remote Desktop connects.
* Connecting to a non-Citrix server works without problems.

I've been looking around for anything else to try here, but I'm running low on options. It sounds like something related to permissions for the user, but I'm not sure what. Anyone here have any possible insight in what might be causing this problem?
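
The permission check described in the post, plus a way to find out what rewrites the ACL, as an added example that is not part of the original post: it compares the rights of BUILTIN\Users on both MSLicensing keys and audits permission changes on them. It assumes an elevated PowerShell prompt on the XenApp server, an English-language `auditpol` subcategory name, and that local audit settings are not overridden by GPO; the helper names `Get-UsersRights` and `Enable-DaclChangeAudit` are hypothetical.

```powershell
# Added example: run from an elevated PowerShell prompt on the XenApp server.
$keys = 'HKLM:\SOFTWARE\Microsoft\MSLicensing',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSLicensing'
$usersSid = 'S-1-5-32-545'   # BUILTIN\Users (assumed to be the group in question)
$sidType  = [System.Security.Principal.SecurityIdentifier]

# Report the rights BUILTIN\Users holds on a key (hypothetical helper name).
function Get-UsersRights {
    param([string]$Path)
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid } |
        Select-Object @{n='Key';e={$Path}}, AccessControlType, RegistryRights, IsInherited
}

# Add a SACL entry so successful permission changes on the key are logged.
function Enable-DaclChangeAudit {
    param([string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'),  # Everyone
        [System.Security.AccessControl.RegistryRights]::ChangePermissions,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Baseline: rights before the user starts mstsc.
$keys | ForEach-Object { Get-UsersRights $_ } | Format-Table -AutoSize

# 2. Turn on registry auditing and watch both keys for permission changes.
auditpol /set /subcategory:"Registry" /success:enable | Out-Null
$keys | ForEach-Object { Enable-DaclChangeAudit $_ }

# 3. Reproduce the failing connection as the user, then run the lines below.
$keys | ForEach-Object { Get-UsersRights $_ } | Format-Table -AutoSize

# Event 4670 = "Permissions on an object were changed"; the message names the
# process and account that rewrote the ACL.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*MSLicensing*' } |
    Select-Object TimeCreated, Message -First 5 | Format-List
```

Because the servers boot from a provisioned image, the audit entry and policy setting are lost at reboot unless they are also applied to the base image.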

