Improving Citrix Logon Times

Most of you know that one of the most important user experience metrics in a Citrix environment is the logon time. A 2018 survey by eG Innovations and DABCC found out that Citrix logon time was the number one problem for administrators: 59% of respondents rated logon time as their biggest problem.

A Few Best Practices to improve Citrix Logon Times

There are many best practices to improve Citrix logon times. Slowness during the logon processing can, of course, increase logon times. Issues with group policies or slow profile loading is often a cause. At the same time, considering performance during the design of your Citrix environment will help keep Citrix logon times low.

  • For instance, one of the best practices is to make sure that your VMs are deployed on the quickest available storage. Having the fastest storage for your profile servers can help reduce logon times several fold.
  • If you are using Machine Creation Service (MCS) and Provisioning Services (PVS), use caching device RAM with overflow on hard disk to speed up logon times.
  • Tuning your hypervisors by using best practices recommended by the respective vendors is also essential.
  • Hyperconverged infrastructure technologies, such as Nutanix can also be used to minimize processing and storage latencies.

While design choices for the core Citrix servers can go a long way towards ensuring fast and optimum logon times, the Citrix infrastructure does not function in isolation–it depends upon other infrastructure services too. This blog covers an important component that is involved in the logon process and is usually one of the last areas most admins check when troubleshooting slow Citrix logon times. Yes, it is the Active Directory!

Role of Active Directory in the Citrix Logon Process

An Active Directory (AD) is required for authentication and authorization. The Kerberos infrastructure in AD is used to guarantee the authenticity and confidentiality of communications with the Delivery Controllers. When a user logs in, he/she is validated in the AD. Authentication of the user is also handled by the AD.

Citrix logon process

Figure 1: The Key Steps in the Citrix Logon Process

Authentication is an often-overlooked piece of the logon puzzle. Authentication happens at multiple steps, including logging on to Citrix ADC (NetScaler) or Citrix StoreFront, and then using Citrix Workspace App, authenticating and connecting to the actual virtual desktop or virtual apps server. Additionally, authentication may also be done when users access specific applications. All of this means that if your AD is overloaded or inaccessible, it can have a dramatic impact on logon times.

After a user is authenticated, the VDA queries the AD for user-specific GPOs and applies them to the OS. So, a slow AD further affects other steps of the logon process as well.

hand-icon
Authentication processes try connecting to the AD server for up to 30 seconds before failing over to a secondary, adding additional time to logon. For fast logon times, ensure that your primary AD server is up and is reachable from all your Citrix management and worker servers.

Besides the logon process, the AD is relied upon by the Citrix management servers for discovery, time synchronization, and various other functions. Because of its integration with all functions of the EUC stack, the AD’s importance goes well beyond just the logon process.

Did you know that the Active Directory plays a greater role in Citrix 7.x as compared to Citrix 6.x?

monitoring-scripting-questionsIn Citrix version 6.x, when the Citrix Web Interface was used as the frontend, it was the Citrix Delivery Controller (also, called XenDesktop Controller) that communicated with the AD.

With the Citrix version 7.x architecture, when Citrix StoreFront is used as the front-end, both Citrix StoreFront and the Citrix Delivery Controller rely on Microsoft Active Directory. That is, the dependence on Microsoft Active Directory is higher in the Citrix 7.x architecture. For more details,
check out this blog: https://blog.citrix24.com/web-interface-vs-storefront-logon-process/.

Key Active Directory Checks to Ensure Fastest Possible Citrix Logon Time

Here are the key checks you should do to make sure your AD service is healthy:

  • Check forest and domain functional levels
    • To find the Domain Functional Level, use this powershell command:
      Get-ADDomain | fl Name,DomainMode
    • To find the Forest Functional Level, use this powershell command:
      Get-ADForest | fl Name,ForestMode
  • Make sure all your Domain Controllers are global catalog servers. This ensures better load distribution across the servers in a forest and ensures the lowest possible authentication time.
    • To check on the current DC you are connected to, use the following powershell command:
      Get-ADDomainController | ft Name, IsGlobalCatalog
    • Alternatively, you can get a list of all DCs and verify that all are Global Catalog servers using this powershell command:
      Get-ADDomainController -Filter * | Select Domain,Name,IPv4Address,IsGlobalCatalog,Site,OperatingSystem
  • Avoid manually created Connection Objects in Sites and Servers
  • Make sure all subnets are correctly defined in Sites and Subnets. This is critical because if your Domain Controller is not defined correctly, clients will connect to any Domain Controller and this may result in a higher than expected latency.
  • Remove orphaned Domain Controllers.
  • Configure your primary Domain Controller to be the domain authoritative time server.

How does a client find a domain controller to validate a logon?

To validate a logon, a client finds a domain controller, as per the following steps:

  • DCs register SVR and records it in the Domain Name System (DNS).
  • The client requests a DC by providing its site name to DNS.
  • DNS uses the client’s site name to find a DC in that site or the closest site.
  • DNS provides the IP address of the DC to the client.

DNS Resolution Can Also Affect Citrix Logons

Citrix DNS resolutionAs you have seen above, the Domain Name Service (DNS) helps clients locate a Domain Controller to validate a logon. Very often, the DNS is co-hosted on the AD servers themselves. Clients use DNS for forward (name to IP) look-ups. Other Citrix management servers may use reverse lookups (IP to name) as well.

If the DNS is slow or not working, users may not be able to get the servers they need to connect to and this could lead to a poor logon experience.

To ensure fast logons:

  • Be sure to monitor DNS service availability and responsiveness, so you can be proactively alerted to possible issues affecting Citrix logons.
  • Create reverse DNS lookup zones for all subnets in your Citrix Sites and Services.
Citrix-Logons-Hour-glass

Tips to Avoid Slow Citrix Logons

  • Ensure the servers running the AD have enough resources to handle the load.
  • Monitor the availability and responsiveness of your AD servers, especially the primary AD server. An unavailable PDC may block the authorization process for up to 30 seconds before failover to the secondary server happens.
  • Monitor latencies to your domain controllers. DCs at remote sites can increase latency, thus resulting in slow logons. In such a case, you may need to review your AD topology and ensure that enough of your AD servers are strategically placed so that query times to the AD are as low as possible.

3 Ways in which Citrix Admins can Proactively Monitor Active Directory Performance

By now, it is clear that monitoring Active Directory performance is crucial for troubleshooting slow Citrix logon issues. One challenge though is that often you need to install an agent on each Active Directory server to monitor its performance, and your Active Directory admin may not agree to install an agent on his/her servers.

Then, how will you, the Citrix admin, get an idea of Active Directory performance? You’ll need a Citrix monitoring tool to get the job done.

eG Enterprise, the flagship monitoring solution from eG Innovations, can help in several ways:

  • Citrix Logon Simulation provides details of authentication time. The Citrix logon simulator emulates user accesses to a Citrix farm. It opens a browser, automatically connects to your Citrix StoreFront/ADC, authenticates the user, checks to see if the logon succeeded, picks the desktop/application to connect with and then uses the Citrix Workspace App to launch the application or the desktop.Figure 2 below depicts the result of a simulation. The authentication step highlighted here is when the user is authenticated by Citrix StoreFront using Active Directory. A slowness in this step highlights a potential Active Directory issue that needs attention.

    Citrix logon times dashboard

    Figure 2: Breakdown of Citrix logon time measured through Logon Simulation
  • Monitoring Citrix virtual apps’/desktops’ communication with the Active Directory: Using agents on the Citrix virtual app servers and virtual desktops, eG Enterprise can monitor real user logons to the Citrix site. Using Citrix APIs and Microsoft Windows APIs, eG Enterprise provides breakdowns of logon time highlighting where time is spent during the Citrix logon and why.Figure 3 below shows a snapshot of some of the metrics that eG Enterprise provides while highlighting the time taken at different stages of the Citrix logon process. Here, we have focused on the client-side latency when a user connects to Citrix and the group policy processing details.

    Citrix Active Directory performance dashboard

    Figure 3: A snapshot of Active Directory-related performance metrics collected by eG Enterprise during the Citrix logon process

    The first section has DNS resolution times while the second section shows various details about Active Directory health.

    Metrics of particular interest relating to AD include Domain Controller discovery time, LDAP bind time to Active Directory, and estimated bandwidth between the virtual apps server and the Domain Controller. These metrics can highlight if it takes time to discover the Domain Controller, if the Active Directory server is slow to respond, or if there is a network issue connecting to the Active Directory server. Details like these can help Citrix admins troubleshoot Citrix logon slowness issues quickly and narrow down to whether Active Directory is the cause of slowness or not.

  • Citrix time synchronizationDetecting time synchronization issues in your Citrix site. One of the functions of the Active Directory service in a Windows domain is to be the network time source (that is, an NTP server also runs on the Active Directory server).All devices in the domain can then synchronize their times with the Active Directory service. Over time, clocks of different systems can drift from the NTP server’s time. When this happens, it can lead to service outages.In a Citrix site, the clocks of the VDAs and the Delivery Controllers must remain time synchronized. If the time difference between a VDA’s system clock and the Delivery Controller’s system clock is greater than the maximum difference that Kerberos allows (5 mins), communication between the VDA and the Delivery Controller will fail and the VDA will show as being unregistered in Citrix Studio (Check out https://support.citrix.com/article/CTX227517).

    One of the many checks that eG Enterprise includes is a time synchronization check. If there is a significant deviation between a VDA, Delivery Controller or Cloud Connector’s clock from the NTP service, administrators will be alerted proactively.

Conclusion

As we have seen in this blog, the Active Directory is a key component of the Citrix architecture and plays a vital role during user logons to a Citrix site. Tuning your Active Directory servers to provide the fastest possible response time is one way of making Citrix logons faster.

At the same time, given its importance in a Citrix infrastructure, make sure that you are proactively monitoring the key touch points between the Citrix components and your Active Directory services.

eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.