powered by Ecki's Place

March 8, 2013

IE 10 + Access Gateway Enterprise Logon Screen Issue

People who already use IE 10 will have probably seen this phenomenon while connecting to an Access Gateway Enterprise site. The browser window remains empty after connecting to the AGEE URL. The logon prompt is only visible after switching to compatibility mode. A similar problem has been described on this site a few years ago, s. AAC und IE 8.0

The solution is similar but the files are different.

With Access Gateway Enterprise the file “/netscaler/ns_gui/vpn/index.html” has to be changed according to the following listing (red/bold line added):

<HTML><HEAD><TITLE>Citrix Access Gateway</TITLE>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/">
<META http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META content=noindex,nofollow,noarchive name=robots>
<LINK href="/vpn/images/caxtonstyle.css" type=text/css rel=STYLESHEET>
<script type="text/javascript" src="/vpn/resources.js"></script>
<script type="text/javascript" language="javascript">
var Resources = new ResourceManager("resources/{lang}", "logon");

If the fix is working (! close the browser and reopen it !), don’t forget to make this change persistent since the Access Gateway Enterprise “forgets” all the modifications during a reboot! The following Citrix KB article describes, how to make changes survive a reboot: How to Retain the Custom Settings made to the NetScaler Appliance after it is Restarted


March 24, 2009

AAC and IE 8.0

Some days ago, Microsoft officialy released IE 8.0. Since IE 8.0 will be available trough Windows Update soon, more and more users will hit existing AAC deployments with this browser. Unfortunately this is not working as expected. This is, how an AAC portal page looks like in IE 8.0 with default settings:


The layout is crushed, links are missing and OWA is nearly unusable 🙁

A small change in the file C:\Inetpub\wwwroot\CitrixSessionInit\NUI.aspx solves the display issue by forcing IE 8.0 into IE 7.0 compatibility mode.

It is sufficient to add the following line in the header of the NUI.aspx file:

<meta http-equiv=”X-UA-Compatible” content=”IE=EmulateIE7″ />

Your header might look like this after the change:

<html xmlns="">
<title>Citrix Access Gateway</title>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
<meta name="CODE_LANGUAGE" content="C#" />
<meta name="vs_defaultClientScript" content="JavaScript" />
<meta name="vs_targetSchema" content="" />
<link rel="SHORTCUT ICON" href="themes/default/images/favicon.ico" type="image/" />
<base id="baseElement" href="" runat="server" />
<link id="cssElement" rel="stylesheet" href="" runat="server" />
<!--[if IE]>
<style type="text/css">

Immediately your portal is rendered again as it should be 🙂


This is not a final solution for the problem, but until Citrix releases a fix for this issue it will do…


June 18, 2008

IE kiosk mode

I recently had a customer that wanted Internet Explorer to be published as a locked down version without toolbars and userinterface. The goal was to publish a browser based application to allow for a smart card rollout and not allowing users to browse away from this site. The search for a solution was harder than expected.

The solution most frequently found with Google was the built in “kiosk mode” of Internet Explorer. This mode can be activated by appending the parameter -k to the IE shortcut. For more details see In this mode the IE starts in full screen mode, but without the ability to access the navigation panes, toolbars and menus as it would be possible when switching to full screen view by pressing F11. To end such a session, the user is forced to use the Alt. + F4 hotkey and all navigation in IE has to be done through hotkeys too. Not the solution we wanted for standard users 🙁

The next approach were Microsoft Group policies, but they too had too many constraints and issues. One issue here was, that there is no way, to hide the standard toolbars through group policies. It would have been therefore inevitable to manipulate the HKCU branch of the users registry at logon. This is a subject, where the otherwise “overloaded” IE policies are not detailed enough 🙁

The solution came through a VBS object. Internet Explorer can be addresses and controlled through VBS. This gave me the possibility to adjust the user interface of the IE and to hide all toolbars, navigation panes and menues, without disabling basic functionality. The following code starts IE with a predefined URL and makes it much more difficult for users to break out of the predefined environment 🙂

Set IE = CreateObject("InternetExplorer.Application")
IE.Navigate ""

The entry IE.Navigate stands for the target URL. Take care that the whole URL is surrounded by double quotes. Optional parameters are for the windows size (IE.Width/IE.Height) and the windows position on the users desktop (IE.Top/IE.Left).

IE kiosk mode

This script works perfect under Windows XP and 2003 Server. With Vista and 2008 Server administrative privileges are required!


July 17, 2007

LANMANServer and LANMANWorkstation Tuning

I recently stumbled across this realy good article about terminal server tuning. This article introduces and explains all the relevant LANMANServer and LANMANWorkstation parameters and registry keys.

Following that, the article discusses the potential optimizing actions and their risks and provides even an ADM template that allows to tune your environment through GPOs.

The complete article can be found here.


July 5, 2007

Restricting access to RDP sessions on a Citrix server

I recently stumbled across this realy good article about restricting access to the RDP/ICA protocol on a Citrix or terminal server through WMI. You don’t have to be a programmer to understand the code, since it is realy easy to use and implement. With just one line of code it is possible to add/remove a user or group from the ICA/RDP protocol, thus allowing for better security for your servers.

If you have to setup or manage several terminal servers, this article can ease your life.

The article can be found here.


March 28, 2007

Remove Outlook Express from the start menu

If you have ever published a terminal server desktop, you have seen this happening almost for sure. Even if there is no Outlook Express icon in the All Users or Default Users folder, the icon appears in the start menu after a user logs on for the first time.

Why is this happening? And much more interesting, how can you avoid this?

To delete the icon from every users profile is not a viable option. So it’s best to look for the root cause of this problem. As often, the solution can be found in the registry.

Below the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\

you can find a REG_SZ entry with the name “StubPath“. If you delete this entry, the terminal server will never again create this icon at user logon. Existing icons however will not be deleted.

A post in the DCUG describes a similar procedure but simply renames the entry to “HideStubPath“. The effect is the same, but it is much easier to revert back.