Digging in to the Citrix logon process

When you are troubleshooting slow Citrix logons, no doubt that it helps to know a bit about the background events that take place to achieve a successful logon. Unfortunately it isn’t quite as simple as handing your logon credentials to StoreFront and being granted access to your apps and desktops.

No, instead, there are a number of different communications going back and forth between several different components.

It is important to know what components are involved in the logon process, and be aware of some different configurations that can be implemented to improve logon speed as well as knowing which configurations have a negative effect on logon times.

Citrix Logon Process (internal StoreFront, no NetScaler)

1. User contacts and authenticates to StoreFront
2. StoreFront contacts Delivery Controller to enumerate resources for authenticated user
3. Delivery Controller responds to StoreFront with list of resources
4. StoreFront displays list of resources to user
5. User clicks on desktop or application resource
6. StoreFront contacts Delivery Controller to request an available/best available VDA to host the session
7. Delivery Controller finds applicable host, and responds to StoreFront with hostname and IP address of VDA. If VDA is powered off (XenDesktop) it will be powered on at this stage
8. StoreFront creates an ICA file containing information gathered from Delivery Controller and passes to end-user
9. ICA file is downloaded by end-user and opened with Citrix Receiver
10. Citrix Receiver checks that a connection can be made to the VDA and then makes ICA connection
11. VDA communicates with RDS license server for license check-out
12. Delivery Controller creates the user session and processes Citrix policies
13. User Authentication takes place between AD and VDA
14. Users profile loads
15. VDA communicates with Citrix license server for license check-out
16. User GPOs process
17. Application or desktop launch is complete and the resource is usable by end-user

What can cause each of these steps to perform “slowly”?

1. Overloaded AD for authentication, overloaded StoreFront servers. AD Sites and Services incorrectly configured.
2. Overloaded StoreFront, overloaded Delivery Controllers.
3. Overloaded Delivery Controllers, overloaded StoreFront.
4. Overloaded StoreFront.
5. Slow PC, slow Internet connection.
6. Overloaded StoreFront, overloaded Delivery Controller.
7. Lack of available VDAs, overloaded StoreFront, overloaded Delivery Controller.
8. Overloaded StoreFront, slow network connection.
9. Slow network connection, slow PC.
10. Slow PC, latent network connection.
11. Overloaded license server.
12. Overloaded Delivery Controller.
13. Overloaded AD, Sites and Services incorrectly configured.
14. Overloaded profile store, latent network connection between profile store and VDA.
15. Overloaded Citrix license server.
16. Overloaded VDA, overloaded AD servers. DNS misconfiguration, too many GPOs configured to be applied.
17. VDA poor performance.

Obviously this isn’t a definitive list, however it gives some sample ideas of what can cause slowness during the logon and resource launch process.

What can cause all these steps to perform slowly?

1. Constrained bandwidth, overloaded network, storage, server hardware or virtual machine resource deficiency. Infrastructure failure is another impact that can have an adverse effect.

How to overcome?

Use montioring systems to monitor CPU, RAM, bandwidth, database, storage performance etc. and alert when thresholds are breached or failures occur.

Make sure each infrastructure component is redundant from hardware up to clustering and virtual machines. Also make sure storage and network throughput can cope with the demand of users especially during peak periods where logins and resource launches are going to be high.

What other factors can cause a slow logon?

• Large user profiles, roaming profile or using UPM etc.
  • New profile average load time using Citrix Profile Management (Always cache enabled, profile streaming disabled):
  • 7GB profile load average time using Citrix Profile Management (Always cache enabled, profile streaming disabled):
  • OK so you notice the profile load is still virtually nothing, I don’t know why this is because the profile load is what caused 99%  of the 74sec logon duration.
  • Size on disk reporting the profile as 7.19GB on the VDA.
  • Now let’s enable Profile Streaming.
  • And disable Always cache.
  • The logon time is back down to 15-20 seconds and the size on disk reports 57.7MB for the profile because we are now streaming the profile on demand, nothing is cached just yet. This is a good feature within Citrix Profile Management that allows for fast logon times even with large bulky profiles.
• Many GPOs and GPO settings
• Logon scripts when applied via GPO vs AD user level

Some of these recommendations have already been documented http://www.jgspiers.com/citrix-tips-tricks-tweaks-suggestions/

How authentication can be slowed:

1. Overloaded AD, AD failure, AD Sites and Services not correctly configured.

How to overcome?

Ensure AD is highly available and you have enough AD servers to cope with demand based on Microsoft recommendations.

Ensure Sites and Services is correctly configured so that users authenticate with Active Directory servers close by. Regions with a large amount of users should have their own AD servers. Subnets for each office location/site VLAN should be defined within AD Sites and Services and assigned to sites that are closest to them so that AD authentication takes the optimal route.

How profile load can be slowed:

The sheer size of profiles are the culprit of slow loads. Profile bloat is one of the most common reasons why a logon may be slow for affected users. Other reasons can include a failed file server which hosts the roaming profile or network issues which prevent the profile from being fetched.

File server overloaded, lack of performance, too many users connecting to retrieve profiles or insufficient storage resources are other failure points.

How to overcome?

Some solutions such as Citrix Profile Manager include streaming and directory/file exclusion which help improve logon speeds. See http://www.jgspiers.com/citrix-profile-management-overview/ for more information on Citrix Profile Management.

If Citrix Profile Management takes a long time to process, you can enable logging using the Citrix Profile Management ADMX template.

Redirect as many folders as possible within a users profile. Exclude directories and files that simply are not needed from being redirected or roamed/cached to the VDA. Do test in a pre-production environment first before deploying any profile optimisations within a production environment.

Large vs small profile logon times was shown above and how Citrix Profile Management can combat large profiles to ensure fast logon.

How GPOs and logon scripts slow down logon

1. Serveral small GPOs containing a few settings rather than one or two larger GPOs.
2. Scripts that take a long time to run.
3. Numerous Group Policy drive maps or maps to locations that are inaccessible.
4. Not disabling User Configuration or Computer Configuration sections of a policy when they are not in use.
5. Many policies, not to mention many different Citrix policies as these should also be taken in to consideration at all times.
6. Printer mapping via GPOs can cause slow logons when many printers are created. Citrix does have the policy setting Wait for printers to be created which is disabled by default and only applies to Server OS VDA. This allows a session to start without waiting for all printers to be mapped from client device (printer redirection). This does not help in situations where GPOs are mapping printers directly to a Citrix session.

Applications can slow down logon

When a user launches an application, depending on when they see the initial application landing screen is how they judge how quickly the logon process has taken. If applications make backend connections to database servers or file shares as some do, you must ensure those connections are established with minimal time. To ensure this, make sure database and file servers are highly configured and have enough resource to cope with demand when under load. Application prelaunch can help achieve quicker launch times. Also, authentication should pass-through to the application eliminating any additional authentication steps so as to not affect the user experience.

To read up on Application Prelaunch see http://www.jgspiers.com/citrix-application-prelaunch/