Article ID: CTX133933
Description
On XenApp 6.x servers, logon sessions are repeatedly disabled even when the setting in the Remote Desktop Session Host Configuration is not changed:
The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections is set to 1 on the servers. Manually changing the value of the registry key resolves the issue temporarily.
The behavior can be forced by running GPUPDATE and avoided by putting the server in an Organizational Unit without inheritance.
Environment
Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Resolution
Because this issue does not originate on Citrix XenApp servers but affects Windows Server 2008 R2 Remote Desktop Servers, go to Microsoft Support and refer to KB 2083411.
Workaround
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
The setting can be overridden manually with an enforced Domain Policy:
GPO: Default Domain Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
Value: 0, 0, 0, 0
State: Enabled
Set the Default Domain Policy to enforce.
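To tell whether a server is showing the symptom or has picked up the policy override, the following added example (not part of the original Citrix article) reads fDenyTSConnections from both registry locations named above and summarizes the result. The function names are hypothetical.

```powershell
# Added example, not from the Citrix article. Function names are hypothetical.
# Written for PowerShell 2.0, the version shipped with Windows Server 2008 R2.
$ValueName = 'fDenyTSConnections'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Get-TSConnectionState {
    $local  = Get-RegistryDword -Path $LocalKey  -Name $ValueName
    $policy = Get-RegistryDword -Path $PolicyKey -Name $ValueName

    if ($policy -ne $null -and $policy -eq 0) {
        $summary = 'Policy override present (value 0), as in the workaround'
    } elseif ($policy -ne $null) {
        $summary = 'Policy value is {0}; connections are denied by policy' -f $policy
    } elseif ($local -eq $null) {
        $summary = 'Value not found in either location'
    } elseif ($local -eq 1) {
        $summary = 'Local value is 1 and no policy override: logons disabled'
    } else {
        $summary = 'Local value is 0 and no policy override: logons allowed'
    }

    # Select-Object fixes the column order, which a hashtable does not guarantee.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        CheckedAt    = (Get-Date).ToString('s')
        LocalValue   = $local
        PolicyValue  = $policy
        Summary      = $summary
    } | Select-Object ComputerName, CheckedAt, LocalValue, PolicyValue, Summary
}

Get-TSConnectionState | Format-List
```

Running it before and after GPUPDATE shows whether the policy refresh is what flips the local value back to 1. Because the workaround is set in the Default Domain Policy, the same check on other domain members shows where the override has been applied.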
Problem Cause
This is caused by an Active Directory Group Policy that changes the setting even when it is not explicitly configured. This issue exists with Windows Server 2008 R2 Remote Desktop Servers where XenApp is not installed or was removed.
Issue/Introduction
On XenApp 6.x servers, logon sessions are repeatedly disabled even when the setting in the Remote Desktop Session Host Configuration is not changed.