# microsoft-fslogix
k
Are you excluding stuff from the profile? If so let's see the redirections.xml file.
IMO the best result is to Entra ID (Azure AD) hybrid-join the device.
a
They are non-persistent, so that's a no go. This is a Citrix environment.
k
Hybrid-join works perfectly fine in non-persistent, I have done it many times going back to 2012 R2 machines 🙂
Citrix even has an article on how to set it up
a
OK. What's the downside of doing it?
k
Nothing
Server OS?
a
Yes, 2019.
k
Then you don't even have to worry about the devices enrolling into Intune. I haven't found any downsides to hybrid-joining a server OS. If you follow the guidelines from Microsoft and Citrix when dealing with non-persistent machines, it just works.
a
OK. I will consider that, but I also want any thoughts on how to solve it without enrolling them.
I have never gotten the IncludeOfficeActivation to work properly. Like you I always ended up with random activation prompts
Maybe @Deyda, @Mike Streetz (O_P) or @Ray Davis have anything to add
Or maybe even the legendary @James Kindon 🙂
I have been out of the Citrix/FSLogix loop for more than a year now, so things might have changed
k
Always hybrid-join, right @Deyda? 😄
💯 1
d
Always... this is the easiest way to solve so many problems 🙂
💯 3
m
Hybrid-join is a must, especially if you are using Office 365. Makes your job slightly more complicated, but your users will feel a change and should thank you for it 🙂
🙌 1
💯 3
a
This is my redirections file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--Generated 2019-04-29 from https://raw.githubusercontent.com/aaronparker/FSLogix/master/Redirections/Redirections.csv-->
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <Exclude Copy="0">Videos</Exclude>
    <Exclude Copy="0">Saved Games</Exclude>
    <Exclude Copy="0">Contacts</Exclude>
    <Exclude Copy="0">Tracing</Exclude>
    <Exclude Copy="0">Music</Exclude>
    <Exclude Copy="0">Downloads</Exclude>
    <Exclude Copy="0">$Recycle.Bin</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\Cache</Exclude>
    <Exclude Copy="0">AppData\Local\Downloaded Installations</Exclude>
    <Exclude Copy="0">AppData\Local\assembly</Exclude>
    <Exclude Copy="0">AppData\Local\CEF</Exclude>
    <Exclude Copy="0">AppData\Local\Deployment</Exclude>
    <Exclude Copy="0">AppData\Local\GroupPolicy</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft Help</Exclude>
    <Exclude Copy="0">AppData\Local\Sun</Exclude>
    <Exclude Copy="0">AppData\Local\VirtualStore</Exclude>
    <Exclude Copy="0">AppData\Local\CrashDumps</Exclude>
    <Exclude Copy="0">AppData\Local\Package Cache</Exclude>
    <Exclude Copy="0">AppData\Local\D3DSCache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\TokenBroker\Cache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Notifications</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Internet Explorer\DOMStore</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\MSOIdentityCRL\Tracing</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Messenger</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Terminal Server Client</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\UEV</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\Application Shortcuts</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\Mail</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\WebCache.old</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\AppCache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\Explorer</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\GameExplorer</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\DNTException</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\IECompatCache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\iecompatuaCache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\Notifications</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\PRICache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\PrivacIE</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\RoamingTiles</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\SchCache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\WebCache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Windows\1031</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\BrowserMetrics</Exclude>
    <Exclude Copy="0">AppData\Roaming\GoogleChrome\UserData\Default\Code Cache\js</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\CertificateRevocation</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\CertificateTransparency</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\Crashpad</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\FileTypePolicies</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\InterventionPolicyDatabase</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\MEIPreload</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\PepperFlash</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\pnacl</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\Safe Browsing</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\ShaderCache</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\SSLErrorAssistant</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\Subresource Filter</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\SwReporter</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\Default\JumpListIcons</Exclude>
    <Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\Default\JumpListIconsOld</Exclude>
    <Exclude Copy="0">AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat</Exclude>
    <Exclude Copy="0">AppData\Roaming\Adobe\Acrobat\DC</Exclude>
    <Exclude Copy="0">AppData\Roaming\Adobe\SLData</Exclude>
    <Exclude Copy="0">AppData\Roaming\Sun\Java\Deployment\cache</Exclude>
    <Exclude Copy="0">AppData\Roaming\Sun\Java\Deployment\log</Exclude>
    <Exclude Copy="0">AppData\Roaming\Sun\Java\Deployment\tmp</Exclude>
    <Exclude Copy="0">AppData\Roaming\Citrix\PNAgent\AppCache</Exclude>
    <Exclude Copy="0">AppData\Roaming\Citrix\PNAgent\IconCache</Exclude>
    <Exclude Copy="0">AppData\Roaming\Citrix\PNAgent\ResourceCache</Exclude>
    <Exclude Copy="0">AppData\Roaming\ICAClient\Cache</Exclude>
    <Exclude Copy="0">AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys</Exclude>
    <Exclude Copy="0">AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\flashplayer\#SharedObjects</Exclude>
    <Exclude Copy="0">AppData\Roaming\ConnectWise\CrashDumps</Exclude>
    <Exclude Copy="0">AppData\Roaming\ConnectWise\cache</Exclude>
    <Exclude Copy="0">AppData\LocalLow</Exclude>
  </Excludes>
  <Includes>
    <Include Copy="3">AppData\LocalLow\Sun\Java\Deployment\security</Include>
  </Includes>
</FrxProfileFolderRedirection>
```
k
In my opinion you are excluding way too much. However I can't say if that is the reason for the issue you have.
💯 1
This is the redirections.xml I have used for the last few years. As you can see, the source of the redirections.xml is the same as yours; I have just modified mine:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--Generated 2019-10-19 from https://raw.githubusercontent.com/aaronparker/FSLogix/master/Redirections/Redirections.csv-->
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <Exclude Copy="0">Downloads</Exclude>
    <Exclude Copy="0">$Recycle.Bin</Exclude>
    <Exclude Copy="0">Tracing</Exclude>
    <Exclude Copy="0">AppData\Local\Apps</Exclude>
    <Exclude Copy="0">AppData\Local\Downloaded Installations</Exclude>
    <Exclude Copy="0">AppData\Local\Assembly</Exclude>
    <Exclude Copy="0">AppData\Local\Sun</Exclude>
    <Exclude Copy="0">AppData\Local\CrashDumps</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Terminal Server Client</Exclude>
    <Exclude Copy="0">AppData\Local\Google\Chrome\User Data\Default\Cache</Exclude>
    <Exclude Copy="0">AppData\Local\Google\Chrome\User Data\Default\Media Cache</Exclude>
    <Exclude Copy="0">AppData\Local\Google\Chrome\User Data\Default\JumpListIconsMostVisited</Exclude>
    <Exclude Copy="0">AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge\User Data\Default\Cache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge\User Data\Default\Media Cache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsMostVisited</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsRecentClosed</Exclude>
    <Exclude Copy="0">AppData\Roaming\Sun\Java\Deployment\cache</Exclude>
    <Exclude Copy="0">AppData\Local\SquirrelTemp</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Teams\Packages\SquirrelTemp</Exclude>
    <Exclude Copy="0">AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage</Exclude>
    <Exclude Copy="0">AppData\Roaming\Microsoft\Teams\Application Cache</Exclude>
    <Exclude Copy="0">AppData\Roaming\Microsoft\Teams\Cache</Exclude>
    <Exclude Copy="0">AppData\Roaming\Microsoft Teams\Logs</Exclude>
    <Exclude Copy="0">AppData\Roaming\Microsoft\Teams\Media-Stack</Exclude>
  </Excludes>
  <Includes />
</FrxProfileFolderRedirection>
```
d
The rule with FSLogix is... redirect as little as possible... the best case is to exclude nothing... if you want a small whitelisted profile, use UPM.
💯 2
k
The trade-off with FSLogix and other container-based solutions is the increased storage use compared to Windows roaming profiles and the classic Citrix Profile Management. IMO that trade-off provides a better user experience and a more resilient user profile.
a
I agree that it should be smaller. Will work on that later. But regarding the SSO: SSO in browsers works, but Office apps prompt for both username and password.
j
+1 for hybrid join, my time in consulting led to no wins without hybrid domain join. I’m with @Kasper Johansen
⤴️ 1
🍻 1
r
Off the top of my head it sounds like the RoamIdentity part?
c
Try roaming Appdata\Local\Microsoft\IdentityCache. We had issues with O365 apps constantly asking for sign-in, and when we roamed that folder the issue went away: “This folder (“Appdata\Local\Microsoft\IdentityCache\”) is known as the "Universal Cache" used by ADAL. Because the customer is using Windows Server 2016, they are not using the WAM library, and so Office falls back to using ADAL. Therefore ADAL in Office is looking for a refresh token in this cache folder, and is not able to find it, so a sign-in prompt is required.”
👍 1
m
You don't need hybrid join if you can enable cert-based auth with Entra.
I just got it working
k
I have not done the certificate-based setup, but I'll venture a guess and say that hybrid-join is easier and less complex.
m
only if you don’t have FAS
a
@c4rm0 I think this is handled by FSLogix. And the customer is using 2019.
But the WAM/ADAL stuff might be a lead. I know some registry keys regarding this have been set earlier. Trying to find and remove some of them.
Anyone have tips on what settings I can have a look at?
r
When I have seen the message for the login box for Office, my mind went to the RoamIdentity issue where it was 0, and changing it to 1. Also @c4rm0 was stating that he had to do both to get it to work 100%. Test it.
Also give this a read to add to your knowledge. But as others have stated a couple of times, HAADJ is the key. Nothing will break and no downsides to it. However, if you don't want to or can't for whatever reason, you're going to have to read and find out what works for you in your setup. Read these links and try what @c4rm0 stated too, along with the RoamIdentity key. https://nmw.zendesk.com/hc/en-us/articles/13206286676375-FSLogix-Identity-Roaming-for-Credentials-and-Tokens https://techcommunity.microsoft.com/t5/azure-virtual-desktop/outlook-requires-password-every-new-session-fslogix/m-p/2392628
a
Looks like RoamIdentity solved the problem for Word etc., but Outlook still prompts for login (not activation anymore).
r
And you put in @c4rm0 fix?
I was talking to @c4rm0 about this on what he posted to better understand the extra key needed. He explained this to me: "The RoamIdentity set in FSLogix as well as using the MS SCLCacheOverride GPO setting for the license token roaming, and I still got prompted for sign-in constantly (no hybrid or Azure AD join), and he uses disjointed accounts (Citrix logon vs O365 logon). The IdentityCache roaming fixed his issue with the constant sign-in prompts."
c
Yeah, our issue was weird. We were using Windows Server 2016 with the latest semi-annual channel version of O365 Apps and we had constant account sign-in errors, and all O365 apps prompted for sign-in even with RoamIdentity set in FSLogix (shared computer activation on the O365 install was set). I also tried the SCLCacheOverride GPO setting and that didn't work either. I came across this article https://support.citrix.com/article/CTX489573/office-365-account-error-sorry-we-cant-get-to-your-account-right-now so roamed the IdentityCache folder and it fixed all my account sign-in errors, and users no longer got prompted for constant sign-ins to O365 apps. I had Microsoft go over the MSOID traces and they told me that folder needs to be roamed as we were using ADAL (Server 2016) and it uses that folder for a refresh token.
tbh as others have said, you are better off doing hybrid Azure AD join or Azure AD join, as the whole O365 modern auth with WAM/ADAL is a complete joke. I don't think even Microsoft knows how it works!!! The latest recommendations https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure tell you to exclude the below folders, but I can remember using a script to include those folders to make it work, and even in my profile management solution Ivanti UWM the WSG template for O365 modern auth actually includes those folders as a profile include:
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
%localappdata%\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy
%localappdata%\Packages\<any app package>\AC\TokenBroker
%localappdata%\Microsoft\TokenBroker
a
I'm using FSLogix, so none of these folders are excluded.
c
Well, according to that MS article, for non-persistent they should be excluded.
m
You need to tell Outlook to do autodiscover if you want it to auto-open with the logged-in user.
That's an Outlook GPO. If your logged-in user's UPN doesn't match the email, and the email isn't in the AD user object, Outlook might have trouble working out who you are.
m
@André Rovik If Outlook is the only application acting up now, try setting the following two reg keys and see if they help:

```
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity" /v DisableADALatopWAMOverride /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity" /v DisableAADWAM /t REG_DWORD /d 1 /f
```

Prior to us going with Hybrid-join we needed these two set for Outlook to stop prompting for username and password every now and then. Found them in this thread at Citrix.com: https://discussions.citrix.com/topic/403721-office-365-pro-plus-shared-activation-password-screen-not-able-to-select/page/8/
a
Might look OK now. I'm a little confused, as this is not consistent and acts differently depending on new/old FSLogix profile, reboot and so on. Will try those if it's a problem again, but I want to stay on the most modern authentication mode if possible (WAM).
d
Hybrid join wouldn't work for me. The only way I have Office working is by blocking hybrid join.