CTX106393 - How to Recreate the Ctx_SmaUser Account

Citrix states in their article: CTX106393

This document was published at: http://support.citrix.com/article/CTX106393

Document ID: CTX106393, Created on: May 4, 2005, Updated: Jan 19, 2006

Products: Citrix Presentation Server 4.0 for Microsoft Windows 2000, Citrix Presentation Server 4.0 for Microsoft Windows 2003, Citrix Presentation Server 4.0 x64 Edition

Summary

The Citrix SMA Service and the Citrix Print Manager service are configured to be started by a local user created during the install of Citrix Presentation Server 4.0 called Ctx_SmaUser. If this user account is deleted, printer auto creation may fail. SMA alerts will not be sent and/or client printing will not function properly. The Citrix SMA Service and/or the Citrix Print Manager service cannot be started.

Cause

The Ctx_SmaUser account has been deleted, corrupted, or denied permissions required to start these services.

Procedure

The following are the steps required to create the Ctx_SmaUser account. Unless otherwise indicated, the steps below apply to both Windows 2000 Server and Windows Server 2003.

1. Create a local user account called Ctx_SmaUser in Local Users and Groups.

a. Assign a password to the account that is consistent with your organization’s policies regarding Service or System passwords.

b. Make sure that the check boxes for “User cannot change password” and for “Password never expires” are turned on.

c. Assign the account to the Power Users machine local group.

d. (Optional) In the Sessions tab of the Properties of the Ctx_SmaUser account, set the Idle Session Limit to 10 minutes.

2. Configure the permissions of the ICA Listener port.

a. Go to Administrative Tools > Terminal Services Configuration > ICA-tcp > Properties > Permissions

b. Add the Ctx_SmaUser account to the Access Control List (ACL) for the listener. By default, Windows will allow Guest permissions to the account in the ACL, but these permissions are not enough.

c. Click on the Advanced button and select the Ctx_SmaUser account from the list.

d. Click on the Edit button. In the Advanced ACL, uncheck the Logon permission check box and check both the Query Information and the Virtual Channels check boxes. Click OK to proceed.

e. Click OK to apply. (Note: This is required for the Citrix Print Management Service to work properly.)

3. Assign rights to the Ctx_SmaUser account in Local Security Policy. Go to Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment.

a. (For Windows 2003) Make sure that the Power Users local machine group is in the “Allow log on locally” right.

b. (For Windows 2003) Add the Ctx_SmaUser account to the “Impersonate a client after authentication” right.

c. (Both Windows 2003 and Windows 2000) Add the Ctx_SmaUser account to the “Load and unload device drivers” right.

d. (Both) Add the account to the “Log on as a batch job” right.

e. (Both) Add the account to the “Log on as a service” right.

f. (For Windows 2000) Verify the Local Policy > Security Options "Strengthen default permissions of global system objects" effective permission is enabled.

g. (For Windows 2003) Verify the Local Policy > Security Options "Strengthen default permissions of internal system objects" effective permission is enabled.

h. (Windows 2000) Verify that the Power Users machine local group has been given the right to “Log on locally.”

The following steps are for configuring Component Services for Windows 2000 Server. Skip to Step 5 to configure Component Services for Windows Server 2003 (see the Note under More Information).

4. Configure permissions for Component Services. In the Start Menu, go to Programs > Administrative Tools > Component Services.

a. Expand the following nodes in the left-hand pane: Component Services\Computers\My Computer.

b. Right-click My Computer and select Properties.

c. Go to the Default Security tab and click on the Edit Default button in the Launch Permissions section.

d. Click on the Add button to add the Ctx_SmaUser to the ACL. Make sure that the permission is set to “Allow DefaultLaunchPermission.”

e. Click OK and proceed to Step 6.

5. From the Start menu, run dcomcnfg or go to Administrative Tools > Component Services.

a. Expand the following nodes in the left-hand pane: Component Services\Computers\My Computer.

b. Right-click My Computer and select Properties.

c. Go to the COM Security tab to the Launch & Activation Permissions box and click on the Edit Default button.

i. Add the Ctx_SmaUser account to the ACL.

ii. By default, the allow Local Launch permission will be selected. Make sure to add the allow Local Activation permission as well.

iii. Click OK on both the ACL and in the My Computer Properties dialog box.

d. Expand the My Computer node in the left-hand pane of Component Services and select the DCOM Config folder.

e. After the DCOM Config folder has been selected, the right-hand pane will reveal a number of DCOM objects.

f. From the DCOM objects, select the Citrix IMA Service object, right-click and select Properties.

g. Go to the Security tab.

i. In the Access Permissions section, click on the Edit button.

ii. Add the Ctx_SmaUser to the ACL and ensure that both the Allow Local Access and the Allow Remote Access permissions have been assigned to the account.

iii. Click OK on both the ACL and in the Security tab to continue.

h. From the list of DCOM objects, select the Citrix SMA Service DCOM object, right-click, and select Properties.

i. Go to the Security tab.

ii. Click on the Edit button in the Launch & Activation section. Add the Ctx_SmaUser account to the ACL and make sure that both the Local Launch and the Local Activation permissions are assigned.

iii. Click on the Edit button in the Access Permission section. Add the Ctx_SmaUser account to the ACL and make sure that both the Local Access and the Remote Activation permissions are assigned.

iv. Click on the Edit button in the Change Configuration Permission section. Make sure that both the Local Access and the Remote Activation permissions are assigned to the Power Users machine local group. You could add the Ctx_SmaUser account to this list, but that would be redundant.

v. Click on the OK buttons in the ACL and in the Security tab to continue.

6. Open the Computer Management console and navigate to the Services snap-in or run services.msc from Start > Run.

a. Double-click on the Citrix Print Management service and select the Log On tab.

b. Verify that the “This account” radio button is selected and that the logon account is set to .\Ctx_SmaUser.

c. In the Password and in the Confirm Password fields, enter the password selected for the newly-created Ctx_SmaUser account. Click on the OK button to continue.

d. Repeat the same steps for the Citrix SMA Service.
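
The user rights assigned in Step 3 can be verified from a policy export instead of the GUI. The script below is an added example, not part of the Citrix article: it reads the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and lists which Step 3 rights are still missing for Ctx_SmaUser and the Power Users group. The function names and the sample export are constructed for illustration; the privilege constants are the standard Windows names for the rights listed in Step 3.

```python
# Added example (not from the Citrix article): audit the Step 3 user rights from the
# decoded text of `secedit /export /cfg rights.inf /areas USER_RIGHTS` (file is UTF-16).

REQUIRED_RIGHTS = {  # privilege constant -> name shown in Local Security Policy
    "SeServiceLogonRight": "Log on as a service",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
}
POWER_USERS = {"s-1-5-32-547", "power users"}  # well-known SID or group name

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def missing_rights(inf_text, account="Ctx_SmaUser", account_sid=None, windows_2003=True):
    """List the Step 3 rights the export does not grant."""
    rights = parse_privilege_rights(inf_text)
    ids = {account.lower()} | ({account_sid.lower()} if account_sid else set())
    missing = []
    for const, label in REQUIRED_RIGHTS.items():
        if const == "SeImpersonatePrivilege" and not windows_2003:
            continue  # Step 3b applies to Windows 2003 only
        if not ids & rights.get(const, set()):
            missing.append(label)
    if not POWER_USERS & rights.get("SeInteractiveLogonRight", set()):
        missing.append("Log on locally (Power Users group)")
    return missing

# Constructed sample export: two of the Step 3 rights are not yet assigned.
SAMPLE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547
SeServiceLogonRight = *S-1-5-20,Ctx_SmaUser
SeBatchLogonRight = Ctx_SmaUser
SeLoadDriverPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
"""

if __name__ == "__main__":
    print("missing:", missing_rights(SAMPLE))
```

An export may list the account by name or by SID; pass the account's SID as account_sid to match either form.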

More Information

In Windows Server 2003, both services can be started or restarted right away.

In Windows 2000 Server, a reboot of the server is required to allow the Component settings to be written to the Registry. Restarting the Citrix SMA Service before a reboot will result in the following error appearing numerous times in the System Events log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10003
Date: 5/23/2005
Time: 11:51:09 PM
User: {hostname}\Ctx_SmaUser
Computer: {hostname}
Description:
Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is:
{GUID of the Component}

The user is Ctx_SmaUser/{hostname}, SID={the SID of the new Ctx_SmaUser account}.

It is also possible to create the Ctx_SmaUser account and then make the account a full Citrix Administrator using the Management Console in order to allow for appropriate access and needed permissions.

Note: The “Launch & Activation” section is a new functionality with Service Pack 1 for Windows 2003.

Before Service Pack 1 there was only one “Launch” permission, which would include activation permission. After upgrading this is separated into:

• Local Launch

• Local Activation

• Remote Launch

• Remote Activation

For more information see Microsoft article DCOM Security Enhancements.


