CPU consumption with Imprivata OneSign + SafeSign Identity Client (UZI card) installed

Though I'm no longer very hands-on technically, last week I got involved in a VDI performance investigation. We discovered something I had solved back in 2011, in my days as an engineer, that came back because of the move to a 64-bit architecture. Because this issue is still relevant today, I thought (after 4+ years) I'd write a blog post to show others how to solve it. Let's dive in…

Most healthcare organizations use Imprivata OneSign to provide convenient and safe access to their (virtual) desktop environment using proximity cards. Besides that, every healthcare organization in The Netherlands uses the UZI-pass smart card for insurance declarations and other government-regulated identification. This card requires the SafeSign Identity Client to be installed as middleware.

When both products are installed on a Windows-based machine, small CPU spikes (±3-4%) are visible in the Windows Task Manager every few seconds. This may sound negligible, but imagine it in a virtual desktop environment where 60+ VMs on a single host all show this behavior. That makes a real difference to the scalability of the host, and eventually to the user experience.

So what is happening? The Windows Task Manager reveals that the spikes are generated by the SSOManHost.exe process, which belongs to the Imprivata OneSign agent.

Using Process Monitor we discovered that the process cycles through the following registry key, and all of its subkeys, every few seconds:

HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards

This key holds one subkey per installed smart card definition (keyed by the card's ATR). With a few entries (a clean Windows installation only contains three) this is no issue at all; here, however, the list contains hundreds of entries, and enumerating all of them every few seconds is what causes the CPU usage.

So why is this list so huge? The SafeSign Identity Client is used as middleware for a lot of smart card implementations, so it registers a gigantic list of card definitions. This explains why the issue is only visible when both products are installed.

We contacted Imprivata to ask for an explanation:

The SSOManHost process cyclically reads data from the registry and extracts information about the available smart cards, using this method to observe if any changes have occurred. Since there are nearly a hundred entries it takes some time and uses quite a bit of the CPU to obtain this information for each entry and then to process this information.

However, every Imprivata implementation I know of doesn't use Imprivata for smart card authentication and only uses proximity card based authentication, so this feature is not used at all. Imprivata provided us with a solution to disable the smart card functionality with the following steps:

  • In the registry go to HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\PKIS
  • Rename three entries under this registry path: CLSID, ProxyCLSID and StupCLSID
  • Reboot the machine
  • After this the SSOManHost process stops reading smart card data from the registry.

However, on an x64 system the keys are a little different (WOW6432Node is the registry view a 32-bit process sees on 64-bit Windows):

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SSOProvider\DeviceManager\Devices\PKISC
  • Rename six entries under the registry path: CLSID64, ProxyCLSID64, StupCLSID64, CLSID, ProxyCLSID and StupCLSID

Because nearly all healthcare organizations in The Netherlands use this software combination, they are almost certainly seeing this behavior without knowing it. This 'fix' gives a noticeable reduction in resource usage, especially in VDI environments, giving the resources back to more relevant things 🙂


Citrix HDX Flash Acceleration and Internet Explorer crashes

Whether Internet Explorer crashes with HDX Flash acceleration depends on the Adobe Flash version, the VDA version and the IE version. The known combinations and the hotfix that addresses each one:

Adobe Flash version 11.8.800.94 and below
  • IE8 on VDA 5.6.400/7.1: fixed by LA3065
  • IE8 on VDA 5.6.200/5.6.300: known to crash
  • IE9 and above* on VDA 5.6.400/7.1: known to crash
  • IE9 and above* on VDA 5.6.200/5.6.300: no crash

Adobe Flash version 11.8.800.174 and above (including 12)
  • IE8 on VDA 5.6.400/7.1: fixed by LA4996 (still private for VDA 7.1) + Receiver 3.4.300
  • IE8 on VDA 5.6.200/5.6.300: known to crash
  • IE9 and above* on VDA 5.6.400/7.1: fixed by LA4996 (still private for VDA 7.1) + Receiver 3.4.300
  • IE9 and above* on VDA 5.6.200/5.6.300: known to crash

* Internet Explorer 10 – Citrix Known Issues, Internet Explorer 11 – Citrix Known Issues

Citrix Provisioning Services 6.1 hotfix #18: RAM Cache alert

Finally Citrix has made it possible to trigger an alert in the Windows event log of the target device when the RAM cache usage exceeds a set threshold! Details:

With this fix, the target device reports errors to the Windows system event log when the usage of RAM cache exceeds a set threshold (default 90%).
After that warning, every 2% increase in usage triggers the error as well.
This error report will also be redirected to the server side “StreamProcess.log” as a warning message if the log is enabled.

To enable the fix, you must create the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNIStack\Parameters
Name: WcWarningPercent
Type: DWORD
Value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNIStack\Parameters
Name: WcWarningIncrement
Type: DWORD
Value:

[From CPVS61018][#LA3382]

Source: http://support.citrix.com/article/CTX137707

Citrix HDX Plug-and-Play vs USB Re-direction

This table gives an overview of the redirection method used for each type of USB device, the default for generic USB redirection, and how to override that default on the client side by editing the HKLM registry:

USB device type               | USB class code              | Dedicated virtual channel  | USB redirection default   | Local override
------------------------------+-----------------------------+----------------------------+---------------------------+--------------------------------------
Audio device                  | 01h                         | RAVE (HDX MediaStream)     | disabled                  | AutoRedirectAudio=1
Video device                  | 0Eh                         | RAVE (HDX MediaStream)     | disabled                  | AutoRedirectVideo=1
Printer                       | 07h                         | Printing                   | disabled                  | AutoRedirectPrinters=1
Mass storage                  | 08h                         | CDM (Client Drive Mapping) | disabled                  | AutoRedirectStorage=1
Image device                  | 06h                         | TWAIN                      | disabled                  | AutoRedirectImage=1
Smart card                    | 0Bh                         | Smart card                 | disabled                  | ALLOW: class=0b
HID (keyboard)                | 03h (subclass=01, prot=01)  | Keyboard                   | disabled, not recommended | ALLOW: class=03 subclass=01 prot=01
HID (mice)                    | 03h (subclass=01, prot=02)  | Thinwire                   | disabled, not recommended | ALLOW: class=03 subclass=01 prot=02
Communication and CDC-Control | 02h                         | -                          | disabled, not recommended | ALLOW: class=02
Hub device                    | 09h                         | -                          | disabled, not recommended | ALLOW: class=09
CDC-Data                      | 0Ah                         | -                          | disabled, not recommended | ALLOW: class=0a
Wireless controller           | E0h                         | -                          | disabled, not recommended | ALLOW: class=e0
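As an added example (not from the original post or from Citrix), the script below applies the "Local override" column on a Windows endpoint: the AutoRedirect* switches for the device types that have a dedicated channel, and ALLOW: rules for raw USB classes. It assumes the Receiver stores these under HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB (plus the WOW6432Node view on x64) with DeviceRules as a REG_MULTI_SZ that is evaluated top-down with the first matching rule winning; check your Receiver version's documentation if those assumptions do not hold. The classes the table marks "not recommended" (keyboards, hubs, communication devices) are refused unless -Force is given, because redirecting them hands raw input and infrastructure devices to the remote session.

```powershell
# Added example: apply client-side USB redirection overrides from the table.
# Run elevated on the endpoint; use -WhatIf to preview the registry changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Device types with a dedicated channel that should use generic USB redirection instead.
    [ValidateSet('Audio', 'Video', 'Printers', 'Storage', 'Image')]
    [string[]]$AutoRedirect = @(),
    # Match expressions from the "Local override" column, e.g. 'class=0b' or
    # 'class=03 subclass=01 prot=01'. Each becomes an "ALLOW: ..." rule.
    [string[]]$AllowRule = @(),
    # Required to allow the classes the table marks "not recommended".
    [switch]$Force
)

# Classes flagged "not recommended" in the table (HID, CDC-Control, hub, CDC-Data, wireless).
$notRecommended = @('03', '02', '09', '0a', 'e0')

# Assumed registry locations (see lead-in); both views are written on a 64-bit client.
$keys = @('HKLM:\SOFTWARE\Citrix\ICA Client\GenericUSB')
if ([Environment]::Is64BitOperatingSystem) {
    $keys += 'HKLM:\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB'
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }

    # Per-type switches: AutoRedirectAudio=1, AutoRedirectStorage=1, ...
    foreach ($type in $AutoRedirect) {
        $name = "AutoRedirect$type"
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 1')) {
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        }
    }

    # Existing rules, minus empty strings, so we never duplicate a rule.
    $existing = @((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DeviceRules |
                  Where-Object { $_ })
    $added = @()
    foreach ($match in $AllowRule) {
        if ($match -notmatch 'class=([0-9a-fA-F]{2})') {
            Write-Warning "Skipping '$match': no class=XX token."
            continue
        }
        $class = $Matches[1].ToLower()
        if (($notRecommended -contains $class) -and -not $Force) {
            Write-Warning "class=$class is marked 'not recommended'; rerun with -Force to allow it."
            continue
        }
        $rule = "ALLOW: $match"
        if (($existing -notcontains $rule) -and ($added -notcontains $rule)) { $added += $rule }
    }

    if ($added.Count -gt 0 -and
        $PSCmdlet.ShouldProcess("$key\DeviceRules", "Prepend: $($added -join '; ')")) {
        # Prepend so the explicit ALLOW is matched before any broader DENY further down.
        Set-ItemProperty -Path $key -Name DeviceRules -Value ($added + $existing) -Type MultiString
    }
}
```

Example call: `.\Set-UsbOverrides.ps1 -AutoRedirect Storage -AllowRule 'class=0b' -WhatIf` previews handing mass storage to generic USB redirection and allowing smart card readers through; `-AllowRule 'class=03 subclass=01 prot=01'` would only be applied together with -Force.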

 

Sources:

Citrix Synergy & Summit 2013 Anaheim – Session recordings

Overview of all the available session recordings on Citrix TV:

Synergy

Geekspeak

Keynote

Summit

Citrix XenDesktop: Work-around to prevent Virtual Desktops from ‘hanging’ at logoff using RES Workspace Manager

Windows, and in particular Windows XP, is pretty sensitive when it comes to the logoff process. When you leave applications running and just choose to log off, this can sometimes result in a hanging computer. In a traditional environment with physical machines this is not directly a problem, because the user always has the ability to just push and hold the power button.

In a virtualized environment this suddenly becomes a problem, because power cycling the endpoint has no effect on the virtual desktop.
Besides that, it is (unfortunately) more and more common for users to leave applications running in the background and just disconnect the session instead of logging off, letting the disconnect and idle timers do the job.

The Citrix Web Interface contains functionality to let users restart their virtual desktop. But this is not a real solution for the average user, especially on a locked-down endpoint that uses a PNAgent site.

So this problem results in users calling the service desk to say they cannot log in, because they get connected to the 'hanging' virtual desktop. They discover this the next day when they want to log in again, and it happens mainly at peak time, causing queues at the service desk because every hanging virtual desktop has to be restarted manually.

Finding and solving the issue(s) that cause a logoff to fail is a very time consuming process, especially in environments with more than 500 applications. So I came up with a simple, yet very effective work-around.

In a XenDesktop environment a virtual desktop communicates with the broker through the 'WorkstationAgent' service. When this service is stopped, the broker marks the virtual desktop as unregistered, and after 4 hours the broker powers off the virtual desktop, which automatically solves the issue. We can use this behavior to create a work-around for the 'hanging' virtual desktop problem.

We have to stop the 'WorkstationAgent' service directly after the logoff is initiated, very early in the logoff sequence. A great way to trigger this is the external tasks feature in RES Workspace Manager, which lets us execute a command line task at logoff.

Stop the 'WorkstationAgent' service at logoff using an external task

To allow users to stop the 'WorkstationAgent' service we have to change the service rights. This is easily done with SetACL from Helge Klein:

SetACL.exe -ot srv -on WorkstationAgent -ace "n:users;p:start_stop,read" -actn ace
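The script below is an added example, not from the original post, Citrix or RES. It shows the check a practitioner wants after running SetACL (read the service's security descriptor with sc.exe sdshow and confirm that BUILTIN\Users really holds the stop right) and a logoff task body that stops the service only when that check passes, so a missing SetACL step shows up as a warning rather than a silent failure. It assumes a XenDesktop 5.x VDA where the service is named WorkstationAgent, and the script path C:\Scripts\Stop-VdaAgent.ps1 is my own choice. Keep in mind what the grant means: any interactive user on the desktop can now unregister it from the broker. On pooled desktops that is the intended effect (the VM is powered off and recycled after 4 hours); on dedicated or static desktops it is a user-triggerable outage of that machine, so think twice before applying it there, and consider granting stop only rather than start_stop.

```powershell
# Added example: verify the service DACL set by SetACL and stop the agent at logoff.

# Service access rights from winsvc.h used below.
$SERVICE_QUERY_STATUS = 0x0004
$SERVICE_START        = 0x0010
$SERVICE_STOP         = 0x0020
$BUILTIN_USERS_SID    = 'S-1-5-32-545'

function Get-ServiceUsersAccessMask {
    # Returns the combined allow mask BUILTIN\Users holds on the service, read from
    # the SDDL that "sc.exe sdshow <name>" prints (the line starting with "D:").
    param([Parameter(Mandatory = $true)][string]$Name)
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "Could not read the security descriptor of service '$Name'." }
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $mask = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if ($ace.SecurityIdentifier.Value -eq $BUILTIN_USERS_SID) { $mask = $mask -bor $ace.AccessMask }
    }
    return $mask
}

function Test-UsersCanStopService {
    # True when Users may query the status of and stop the service (what the logoff task needs).
    param([string]$Name = 'WorkstationAgent')
    $mask = Get-ServiceUsersAccessMask -Name $Name
    $canStop = (($mask -band $SERVICE_STOP) -ne 0) -and (($mask -band $SERVICE_QUERY_STATUS) -ne 0)
    if ($canStop -and (($mask -band $SERVICE_START) -eq 0)) {
        Write-Verbose "Users can stop '$Name' but not start it (least-privilege variant of the grant)."
    }
    return $canStop
}

# Body of C:\Scripts\Stop-VdaAgent.ps1 (assumed path). RES Workspace Manager external task
# at logoff, run in the user's context:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Stop-VdaAgent.ps1
function Stop-VdaAgentAtLogoff {
    param([string]$Name = 'WorkstationAgent')
    if (-not (Test-UsersCanStopService -Name $Name)) {
        Write-Warning "Users lack stop rights on '$Name'; was the SetACL step applied to this image?"
        return $false
    }
    try {
        Stop-Service -Name $Name -ErrorAction Stop
    } catch {
        Write-Warning "Stopping '$Name' failed: $($_.Exception.Message)"
        return $false
    }
    # Once stopped, the broker sees the desktop as unregistered and powers it off after 4 hours.
    return ((Get-Service -Name $Name).Status -eq 'Stopped')
}

Stop-VdaAgentAtLogoff
```

Run `Test-UsersCanStopService` once as a verification step on the golden image before sealing it; the logoff task then only needs the last function.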

That's it; with this work-around in place you have bought yourself some breathing room to search for the real cause of, and solution to, the underlying problem!

Windows 8 Shortcut Keys

While playing around with Windows 8, I quickly discovered that many functions are not easily reachable with only a mouse. So I searched for a list of shortcut keys and found some pretty handy ones that every Windows 8 user should know:

Windows+X = list of direct shortcuts including CMD (both admin and non-admin), Windows Explorer, Search, Run, Control Panel and Network Connections
Windows+C = brings up the ‘right swipe’ settings panel
Windows+Q = list of Apps and search function
Windows+W = standard settings
Windows+R  = run box
Windows+T = running apps tiles
Windows+I  = more settings
Windows+P = projector settings (2nd screen, choose output type, etc).
Windows+L = lock session
Windows+K = 2nd screen output
Windows+H = Share
Windows+F = Files
Windows+D = Desktop
Windows+S = launch snipping tool (for OneNote)
Windows+M = Minimize window

Source: http://blogs.technet.com/b/instan/archive/2012/05/01/windows-8-shortcut-keys.aspx

RES Workspace Manager: Creating a zone for a specific Citrix XenDesktop Desktop Group

RES Workspace Manager is a very powerful product, especially when you take advantage of all its possibilities. Creating a context-based workspace using a specific zone is just one example.

Within a Citrix XenDesktop environment you typically create multiple (pooled) desktop groups, each targeting a specific task.
This is, for example, a great way to create an acceptance environment beside the production environment, where the acceptance environment runs a newer 'golden image' before it is promoted to production.

Now when running RES Workspace Manager on top of these environments you want to apply specific settings based on the desktop group in use,
for example to provide a specific application, drive mapping, registry setting etc.

You can manage this by creating a zone for each desktop group:

Create a new zone

Add a rule based on a registry setting

Use the following setting and value, corresponding the name of the desktop group:
Setting: HKLM\SOFTWARE\Citrix\VirtualDesktopAgent\State\DesktopGroupName
Value: Acceptance-Environment

That’s it, now you can use this zone for access control on almost every object!

Citrix Synergy 2012 San Francisco – Session recordings

Overview of all the available session recordings on Citrix TV:

And of course the keynote sessions:

Citrix Summit 2012 San Francisco – Session recordings

Overview of all the available session recordings on Citrix TV: