Thanks for that info Rick. One quick question .. "With local flex profiles and a bit of fairly neat scripting we had login times down to sub 10 seconds." How are you deleting local profiles off the box when users log off ? Regards ----- Original Message ----- From: "Rick Mack" <Rick.Mack@xxxxxxxxxxxxxx> To: <thin@xxxxxxxxxxxxx> Sent: Tuesday, October 11, 2005 12:49 PM Subject: [THIN] Re: Slow login with Windows Server 2003 SP1 Hi People, Had a bit of fun on a customer site. Win2k XP FR3 to 2003 PS4 upgrade, upgraded all the front and back end servers with new faster hardware, all gigabit, CSG MSAM, all the latest hotfixes, the works. With local flex profiles and a bit of fairly neat scripting we had login times down to sub 10 seconds. Then while we were finishing up the back end stuff, login times suddenly went dead slow and took over a minute. The Citrix Client connection status screen stayed frozen on "restoring network drives" for about a minute. RDP connections just showed a blue, blank screen for what seemed like forever, but was a bit over a minute. This happened for ICA or RDP connections, but not on the console, or if the RDP client used the /console switch. Customer wasn't real happy since they'd been told how much better everything was going to be :-( Had a look at everything, and even found I could shave a couple of seconds more off the login, but it still took over a minute. Filemon and regmon only told me there was a delay, but not where. I started to get a clue when I enabled userenv.dll debugging. Everything was working fine until a certificate autoenrollment event happened just about when userinit.exe kicked in. 60 seconds later userinit started up again and login scripts etc ran to complete the login. I later found there were also a few Autoenrollment errors (event id 15) in the event log. Reading up on certificate autoenrollment, an interesting part was a description of a 60 second delay while the autoenrollment UI was supposed to kick off for a user. Sounded kind of like what was happening, but why? And why wasn't there a UI? One of the things we did while finishing up the back-end servers was to install certificate services on one of the DCs so we could generate private certificates to enable SSL connections from the DMZ into the internal network. We had also set our logins to run silently. Made me wonder .... If you follow KB310461 you can disable certificate autoenrollment. Did that and we were back to fast logins, sub six second. Life was wonderful again ;-) So basically what I found is that if you install a CA into active directory, AND you've got 2003 SP1 then it appears that certificate autoenrollemnt is enabled by default. If you happen to have your login scripts running sliently then you may just have bought yourself a 60 second login delay with damn little indication of what's broke. I guess I'm adding that to my feature list for SP1. Regards, Rick Ulrich Mack Volante Systems ############################################################################ ######### This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this e-mail has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this e-mail is prohibited. If you have received it in error please notify the sender immediately by reply e-mail and destroy all copies of this e-mail and any attachments. All liability for direct and indirect loss arising from this e-mail and any attachments is hereby disclaimed to the extent permitted by law. ############################################################################ ######### ******************************************************** This Weeks Sponsor: Cesura, Inc. Know about Citrix end-user slowdowns before they know. Know the probable cause, immediately. Know it all now with this free white paper. http://www.cesurasolutions.com/landing/WPBCForCitrix.htm?mc=TBCC ******************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm ThinWiki community - Excellent SBC Search Capabilities! http://www.thinwiki.com *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This Weeks Sponsor: Cesura, Inc. Know about Citrix end-user slowdowns before they know. Know the probable cause, immediately. Know it all now with this free white paper. http://www.cesurasolutions.com/landing/WPBCForCitrix.htm?mc=WETBCC ******************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm ThinWiki community - Excellent SBC Search Capabilities! http://www.thinwiki.com *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm