Troubleshooting the Shadow Taskbar

Troubleshooting Methodology

The Shadow taskbar by itself does not do anything; but it does have a couple of dependencies which are actually doing the work for it and need to be kept in mind when troubleshooting problems with it.

Dependency number 1: The IMA service.

The Shadow taskbar uses IMA service to do the following:

1. Authenticate the user.

2. Acquire information about what user rights the person that is using it has.

3. Acquire information about the session and server the user is trying to shadow.

Dependency number 2: The ICA client.

The ICA client is used by the Shadow taskbar in order to create an ICA connection to one of the servers in the farm so the user is able to shadow.

Dependency number 3: cshadow.exe

Cshadow.exe is the executable that is responsible for shadowing the session requested, cshadow.exe in nothing more than a command line utility that takes arguments to create a connection to existing sessions so you can see and interact with an existing session.

The Shadow taskbar and what happens from logon to shadowing a session:

1. The wshadow.exe (Shadow taskbar executable) is run on a Windows server with MetaFrame.

2. The user that ran wshadow.exe is prompted for credentials.

3. At this point wshadow.exe makes a call to IMA requesting user rights (These would be: “What users am I allowed to shadow?”).

4. The Shadow taskbar at this point displays this information to the user and the user is able to pick from the sessions which one he wants to shadow.

5. Once the user has picked the one he wants to shadow and clicks Shadow a couple of things will happen

a. The Shadow taskbar creates an ICA file with a initial program entry of “cshadow.exe ‘session ID’ ‘server name where the session resides’”
b. Now the Shadow taskbar calls upon the ICA client to open an ICA connection to the server where the Shadow taskbar is running using the ICA file created previously.
c. Once the new session is open, cshadow.exe runs with the parameters specified on the ICA file and shadow the session.

Here is an example of the ICA file that is created by the Shadow taskbar:

Now that we know all this information, we can take a look at the kind of problems that we can have with the Shadow taskbar.

Problem 1- The user does not see any session in the Shadow taskbar or sees more than they are supposed to.

Most likely this will be a problem with the IMA service, listener port on the servers, or the policy created for shadowing. To resolve this issue, try the following:

1. Recreate the listener port on the servers – You could have a corrupted registry key for the listener ports or the wrong permissions applied to it – recreating it would get rid of the corruption as well as bring the permissions back to default.

2. Recreate the Local Host Cache (LHC) on the servers – The IMA service might be trying to query server information about the server from the LHC and if there is any corruption in it the IMA service could fail to retrieve that information.

3. Recreate the policy for shadowing – this would take out any user mistakes or corruption on the policy object inside the data store which could fix the problem.

Problem 2 – User clicks on Shadow and nothing happens.

This will definitely be a problem with the ICA client on the server where the Shadow taskbar is running or the ICA file that was generated by the Shadow taskbar. Items to check:

1. Check the event viewer on the server – If you see 1004 or 1003 Terminal Services Licensing Errors, this is most likely a problem with the permissions on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing registry key. Regular users do not have rights to write to this key which will generate the 1004 and 1003 events as well as not allowing the user to connect to the server which will keep them from shadowing.

2. Make sure you are able to create a loop back connection to the server using the ICA client on the server and the same credentials used to open the Shadow taskbar.

3. Open the folder %HOMEFOLDER%\Local Settings\Temp\Shadow and try to double-click on the ICA file (The file name will be SERVERNAME,SESSION_ID.ICA) that the Shadow taskbar has generated there.

4. Open the ICA file on the directory mentioned above with Notepad and check the settings on the file. (It should look like the example shown above) If they are not correct than there might be a problem with the system that is supposed to deliver that specific information to the Shadow taskbar.

5. If you are logged on to the server using an ICA connection, you can also try to run the command “cshadow.exe Session_ID /SERVER:SERVERNAME” where Session_ID is the session ID of the session you are trying to shadow and SERVERNAME is the name of the server where the session is located. Note that the /SERVER option can be omitted if the session you want to shadow is located on the same server where you are logged on, making the command look like “cshadow.exe Session_ID”.

Problem 3 – User gets an error when trying to shadow the session after the session is open.

This problem is most likely either a permission problem with the listener port on the server where the session you want to shadow resides or a policy you might have created in order for the user to be able to shadow.

Creating a Shadowing Policy to configure regular users to be able to shadow other users.

The first and most important thing about the shadowing policies in the Presentation Server Console / Citrix Management Console (PSC/CMC) is that it will overwrite the setting set on the ICA listener port on the servers, so if you create a shadowing policy you DO NOT need to make any modifications on the permissions of the listener port.

1. Open the PSC/CMC.

2. Right-click the Policies node and select Create Policy.

3. Now type in a policy name (such as Shadow).

4. You will see a new policy object being created on the Contents window.

5. Double-click the new “Shadow” policy object.

6. Go down to User Workspace > Shadowing and you will see two objects there: Configuration and Permissions.

7. For Configuration:

a. Select the Configuration node and you will notice that the policy says Not Configure.
b. Change it to Enabled and make sure that Allow Shadowing is selected.
c. Here you will also be able to block the user from shadowing if the party being shadowed is not notified and keep the user that is shadowing from controlling the key board and the mouse. For now, we will keep these unchecked.
d. Your screen should now look like this:

8. For Permissions:

a. You will probably notice that this policy is set to Not Configured also. Change this and select Enabled.
b. Now click the Configure… button that was enabled when you enabled the policy.
c. Important: The users you should select here are the users that will be doing the shadowing. For example, the help desk users are be configure here so they can shadow and see what the end user is doing wrong.
d. Your screen should now look like this:

e. In this case, the Shadowers group is selected; also make sure that you set the permission box to Allow otherwise these will not be able to shadow anyone.
f. Click OK and now you should see the selected group or users in the policy object like this:

9. This part of the configuration has finished so you can click OK here, but we are not done yet because we said that the group that was configured can shadow but we did not say who.

10. Right-click the Shadow policy object and select Apply this policy to…

11. Select Users on the left side and enable Filter based on users.

12. Select the Domain Users group and click Add.

13. Click OK.

Now you have finished creating a policy which will enable the users in the Shadowers group to shadow all users which are members of the Domain Users group.