Access

CTX-Blog

powered by Ecki's Place

October 17, 2010

Missing XML file for Offline-Plugin 6.0.1 for Merchandising Server

If you are already working with Merchandising Server, you will probably know this problem.

Citrix provides an update for his Offline –Plugin that eliminates 45 bugs. The update 6.0.1 is available as regular download since many weeks now but if you try to find the update on your Merchandising Server you won’t find it. Even a manual rescan of the available plugins doesn’t help 🙁

The reason is a missing XML file, which Merchandising Server needs to control the installation and configuration of the plugins. Apparently Citrix won’t make this XML file available to the public, see Citrix Blog: App Streaming-6.0.1 LCM Update

I have therefore taken the time to have a look at the following resources:

Citrix-TV
Citrix eDocs
Metadata Reference

and finally created my own XML file.

To save your time, I will provide you with the XML file needed here: XenAppStreamingMetaData.xml

On the Merchandising Server it is now possible to upload the actual Offline-Plugin together with the new XML file. After that step you can deploy the update through standard deliveries as usual.

Why Citrix doesn’t provide this file itself is a miracle to me. In fact this behavior doesn’t help to convince people to use Merchandising Server. I hope Citrix is rethinking the way they provide updates to Merchandising Server in the future…

Regards
Ecki

July 11, 2010

32bit icon option missing from the XenApp farm properties

I recently stumbled uppon a really weired problem with 32bit icon support in XenApp. Under certain circumstances the AMC won’t show the option for 32bit icon support in the farm properties even if all prerequisites are perfectly met. We found out the reason for that behaviour only by accident.

The problem can be seen with all versions of Presentation Server 4.5 and XenApp 5.0 for w2k3 as well as for w2k8.

If the problem hits you, the farm properties won’t show the option for 32bit icon support, but there will only be a blank space 🙁

No 32bit icon support in the AMC

The reason for this odd behaviour can be found in the configuration of the farm-discovery. I sometimes use LOCALHOST as the hostname for discovery. This is helpful in situations where you have roaming profiles and IIS is not installed on the XenApp servers.

But if you configure discovery that way there will be no 32bit icon option in the AMC.

Configured with LOCALHOST

If you change the discovery option back to the local server

Konfiguriert mit "Local Server"

the missing option reappeares again.

32bit icon support available

You can toggle that behaviour as you like. Admittedly this is not a common problem but it is odd and if you happen to see it, you will be warned…

Regards
Ecki

October 21, 2008

Smart Card Single Sign On with PNAgent

All available documentation regarding “Single Sign On” or “Credential pass-through” with Smart Card and Citrix clients is limited to the Program Neighborhood client only, as can be seen exemplarily at Brianmadden . I don’t use this client in customer projects for a couple of years now but use the PNAgent or the Web client instead.

With these clients, a pass-through of the Smart Card PIN didn’t work, because they do not read their settings from the APPSRV.INI, which would allow for the neccessary settings.

Since client version 10.0, an Active Directory Group Policy Template can be found in every client installation directory, named “icaclient.adm”. All clients, starting with 10.0 now read the policy settings first and make use of the APPSRV.INI only in case, no policy is defined. This new feature allows now for a “Single Sign On” with SmartCard and PNAgent.

Here is, what you need to do, to get it up and running:

1. On the Presentation Server /XenApp Server

  • Confirm proper operation by logging in to a full desktop on the Citrix server. Insert a Smart Card and it should begin reading it. Enable “Trust requests sent to the XML Service”. This is necessary if using smart card pass through logon.

2. On the Web Interface Server

  • SSL must be configured and active (a web server certificate has to be installed) and the “Directory Service Mapping” has to be activated. This option can be found in the IIS Manager below the properties of the “Web Sites” folder:
  • Web Sites propertiesDirectory Service Mapper

  • The Web Interface site itself must now be configured. Open the Citrix Access Suite Management Console on the Web Interface server and run discovery if necessary to find the Web Interface site you wish to work with.
    Under “Configure Authentication” select “Smart Card with Passthrough”.

3. Registry

  • Check HKLM\System\CurrentControlSet\Control\TerminalServer\WinStations\ICA-tcp the value for “UseDefaultGina” should be 0 (1 disables the CtxGina).

4. Active Directory Policy

  • Import the ADM template into a Policy
  • Go to the “User Configuration” of the policy, leave the Computer part set to “not configured”. The following settings have to be enabled:
  • Citrix Policy

  • <PolicyName>\User Configuration\Administrative Templates\Citrix Components\Presentation Server Client\User Authentication\Smart Card Authentication has to be “Enabled” and “Allow Smart Card Authentication” and “Use pass-through authentication for PIN” have to be activated.
  • Leave everything else to “Not Configured”, provided that you are testing just Smart Card and PIN pass-through.

Now “Single Sign On” with Smart Card and PNAgent should work 😀

Unfortunately these instructions only work for Windows XP and Server 2003. At the moment, no Citrix client, including 11.0, allows for PIN pass-through with Vista and 2008 Server 🙁

Here are some more interesting links:

Regards
Ecki

June 18, 2008

IE kiosk mode

I recently had a customer that wanted Internet Explorer to be published as a locked down version without toolbars and userinterface. The goal was to publish a browser based application to allow for a smart card rollout and not allowing users to browse away from this site. The search for a solution was harder than expected.

The solution most frequently found with Google was the built in “kiosk mode” of Internet Explorer. This mode can be activated by appending the parameter -k to the IE shortcut. For more details see http://support.microsoft.com/kb/154780. In this mode the IE starts in full screen mode, but without the ability to access the navigation panes, toolbars and menus as it would be possible when switching to full screen view by pressing F11. To end such a session, the user is forced to use the Alt. + F4 hotkey and all navigation in IE has to be done through hotkeys too. Not the solution we wanted for standard users 🙁

The next approach were Microsoft Group policies, but they too had too many constraints and issues. One issue here was, that there is no way, to hide the standard toolbars through group policies. It would have been therefore inevitable to manipulate the HKCU branch of the users registry at logon. This is a subject, where the otherwise “overloaded” IE policies are not detailed enough 🙁

The solution came through a VBS object. Internet Explorer can be addresses and controlled through VBS. This gave me the possibility to adjust the user interface of the IE and to hide all toolbars, navigation panes and menues, without disabling basic functionality. The following code starts IE with a predefined URL and makes it much more difficult for users to break out of the predefined environment 🙂

DIM IE
Set IE = CreateObject("InternetExplorer.Application")
IE.Navigate "http://this.is.the.url.to.be.shown"
IE.Visible=True
IE.Toolbar=no
IE.Menubar=no
IE.Statusbar=no
IE.Width=750
IE.Height=600
IE.Resizable=yes
'IE.Top=5
'IE.Left=5

The entry IE.Navigate stands for the target URL. Take care that the whole URL is surrounded by double quotes. Optional parameters are for the windows size (IE.Width/IE.Height) and the windows position on the users desktop (IE.Top/IE.Left).

IE kiosk mode

This script works perfect under Windows XP and 2003 Server. With Vista and 2008 Server administrative privileges are required!

Regards
Ecki

November 22, 2007

How to change the ICA client language

Users can choose the user interface language of the ICA Client for Win32 10.x and above through a dialog box the ICA Client provides during installation.

If users want to change the Language after the installation this can be done from the command line. Simply open a command prompt, browse to the ICA Client directory and run

Wfica32.exe /UserUILocale

cmd.exe

Then add the required language and move it to the top of the list.

MUI settings

After a restart the ICA Client should appear with the new language selected.

Regards
Ecki

July 21, 2007

Web Interface 4.6 for Windows available

Yesterday Citrix released the new Web Interface 4.6 for Windows. This version is mandatory for several new features and enhancements introduced with the Rollup Pack 01 for Presentation Server 4.5.

Before installing Web Interface 4.6 you have to update your AMC (Access Management Console for Presentation Server 4.5) first. The new console snap-ins must be present before the new features can be installed successfully. The new AMC can be downloded here.

The download of Web Interface 4.6 and aditional informations can be found here.

Regards
Ecki

First Hotfix Rollup Pack for Presentation Server 4.5 available

On July 19th Citrix released the first Hotfix Rollup Pack for Citrix Presentation Server 4.5. This update comprises a couple of new features and options. Beside others, the main improvements are IMHO the following issues:

  • Microsoft Windows Vista/Office 2007 Compatibility Updates
  • Enhanced (16-, 32-, and 48-bit) Icon Support
  • Microsoft Office Live Preview Support

To get the fulll benefit of these compatibilityupdates, you must also deploy Version 10.100 or later of the Presentation ServerClient.

The download and aditional informations can be found here.

Regards
Ecki

July 17, 2007

LANMANServer and LANMANWorkstation Tuning

I recently stumbled across this realy good article about terminal server tuning. This article introduces and explains all the relevant LANMANServer and LANMANWorkstation parameters and registry keys.

Following that, the article discusses the potential optimizing actions and their risks and provides even an ADM template that allows to tune your environment through GPOs.

The complete article can be found here.

Regards
Ecki

July 5, 2007

Restricting access to RDP sessions on a Citrix server

I recently stumbled across this realy good article about restricting access to the RDP/ICA protocol on a Citrix or terminal server through WMI. You don’t have to be a programmer to understand the code, since it is realy easy to use and implement. With just one line of code it is possible to add/remove a user or group from the ICA/RDP protocol, thus allowing for better security for your servers.

If you have to setup or manage several terminal servers, this article can ease your life.

The article can be found here.

Regards
Ecki

June 15, 2007

Truths and Myths of Presentation Server and WAN Optimization

Discussions about optimizing WAN links are on the rise, as a result of an increasing tendency to consolidate server and data centers. Most of the big players in networking business like Cisco, F5, Packeteer, Riverbed and since a couple of months Citrix with his WANScaler (former Orbital Data), just to name a few, are very active in this field. The focus however is usually in accelerating file and print services (SMB/CIFS), as well as frequently used protocols like HTTP, FTP and MAPI (Outlook/Exchange).

Not only since the acquisition of Orbital Data by Citrix in Oktober 2006 more and more people are asking if and how ICA can be optimized. Be it that high latency on satellite links, or GPRS/UMTS slows down screen refreshes to an unacceptable rate, or that one big print job bars a whole site from working, people ask for help more and more. Citrix with their WANScaler raised the expectations in many companies and won’t get tired of deliver their message “we overcome latency” and “latency doesn’t matter anymore”.

As a Riverbed partner in Switzerland i know the technologies and dependencies pretty good and also know about the problems in WAN environments. Therefore i couldn’t believe all those announcements and always tried to scale down the expectations of my customers. My own tests with WANScaler and Riverbed appliances showed no noticeable improvement in this area. I will post a comparison between these two products on this blog shortly. Citrix was only able to provide me with a WANScaler with the unofficial (Citrix)release 3.1.8, which is more or less a rebranded Orbital Date release. I couldn’t get my hands on the actual version 4.1 which is supposed to be the first “real” Citrix version of WANScaler, regardless how much i asked and begged. As soon as i have a chance to test the new release i will post the results here. But now back to the main topic…

Now Citrix consulting finaly released a paper, in which they analyze and describe the possibilities and especially the limits when trying to optimize ICA. I can really recommend this paper for everyone who is awaiting the visit of any kind of “WAN optimizer” for preparation. All other Citrix administrators are encouraged to read this paper too, because this topic will become important sooner or later – and then you will be prepared.

Truths and Myths of Presentation Server and WAN Optimization

Regards
Ecki