[THIN] Re: Slow login with Windows Server 2003 SP1
- From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Tue, 11 Oct 2005 23:27:21 +0100
Thanks for that - very useful.
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Rick Mack
Sent: 11 October 2005 12:50
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Slow login with Windows Server 2003 SP1
Hi People,
Had a bit of fun on a customer site.
Win2k XP FR3 to 2003 PS4 upgrade, upgraded all the front and back end
servers with new faster hardware, all gigabit, CSG MSAM, all the latest
hotfixes, the works. With local flex profiles and a bit of fairly neat
scripting we had login times down to sub 10 seconds.
Then while we were finishing up the back end stuff, login times suddenly
went dead slow and took over a minute. The Citrix Client connection status
screen stayed frozen on "restoring network drives" for about a minute. RDP
connections just showed a blue, blank screen for what seemed like forever,
but was a bit over a minute. This happened for ICA or RDP connections, but
not on the console, or if the RDP client used the /console switch.
Customer wasn't real happy since they'd been told how much better everything
was going to be :-(
Had a look at everything, and even found I could shave a couple of seconds
more off the login, but it still took over a minute.
Filemon and regmon only told me there was a delay, but not where. I started
to get a clue when I enabled userenv.dll debugging. Everything was working
fine until a certificate autoenrollment event happened just about when
userinit.exe kicked in. 60 seconds later userinit started up again and login
scripts etc ran to complete the login. I later found there were also a few
Autoenrollment errors (event id 15) in the event log.
Reading up on certificate autoenrollment, an interesting part was a
description of a 60 second delay while the autoenrollment UI was supposed to
kick off for a user. Sounded kind of like what was happening, but why? And
why wasn't there a UI?
One of the things we did while finishing up the back-end servers was to
install certificate services on one of the DCs so we could generate private
certificates to enable SSL connections from the DMZ into the internal
network. We had also set our logins to run silently. Made me wonder ....
If you follow KB310461 you can disable certificate autoenrollment. Did that
and we were back to fast logins, sub six second.
Life was wonderful again ;-)
So basically what I found is that if you install a CA into active directory,
AND you've got 2003 SP1 then it appears that certificate autoenrollemnt is
enabled by default. If you happen to have your login scripts running
sliently then you may just have bought yourself a 60 second login delay with
damn little indication of what's broke.
I guess I'm adding that to my feature list for SP1.
Regards,
Rick
Ulrich Mack
Volante Systems
********************************************************
This Weeks Sponsor: Cesura, Inc.
Know about Citrix end-user slowdowns before they know.
Know the probable cause, immediately.
Know it all now with this free white paper.
http://www.cesurasolutions.com/landing/WPBCForCitrix.htm?mc=WETBCC
********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Excellent SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
Other related posts:
