powered by Ecki's Place

October 21, 2008

Smart Card Single Sign On with PNAgent

All available documentation on “Single Sign On” or “credential pass-through” with Smart Cards and Citrix clients is limited to the Program Neighborhood client, as the example at Brianmadden shows. I haven’t used this client in customer projects for a couple of years now; I use the PNAgent or the Web client instead.

With these clients, pass-through of the Smart Card PIN didn’t work, because they do not read their settings from APPSRV.INI, which is where the necessary settings would go.

Since client version 10.0, an Active Directory Group Policy template named “icaclient.adm” can be found in every client installation directory. All clients from 10.0 onwards read the policy settings first and fall back to APPSRV.INI only when no policy is defined. This new feature now allows “Single Sign On” with Smart Card and PNAgent.

Here is what you need to do to get it up and running:

1. On the Presentation Server /XenApp Server

  • Confirm proper operation by logging in to a full desktop on the Citrix server: insert a Smart Card and the server should begin reading it. Enable “Trust requests sent to the XML Service”; this is necessary for smart card pass-through logon.

2. On the Web Interface Server

  • SSL must be configured and active (a web server certificate has to be installed) and the “Directory Service Mapping” has to be activated. This option can be found in the IIS Manager under the properties of the “Web Sites” folder (screenshots: Web Sites properties, Directory Service Mapper).

  • The Web Interface site itself must now be configured. Open the Citrix Access Suite Management Console on the Web Interface server and, if necessary, run discovery to find the Web Interface site you wish to work with.
    Under “Configure Authentication” select “Smart Card with Passthrough”.

3. Registry

  • Check HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp: the value “UseDefaultGina” should be 0 (1 disables the CtxGina).

4. Active Directory Policy

  • Import the ADM template into a policy.
  • Go to the “User Configuration” part of the policy and leave the Computer part set to “Not Configured”. The following settings have to be enabled (screenshot: Citrix Policy):
  • <PolicyName>\User Configuration\Administrative Templates\Citrix Components\Presentation Server Client\User Authentication\Smart Card Authentication has to be “Enabled”, and “Allow Smart Card Authentication” and “Use pass-through authentication for PIN” have to be activated.
  • Leave everything else set to “Not Configured”, provided that you are testing just Smart Card and PIN pass-through.

Now “Single Sign On” with Smart Card and PNAgent should work 😀

Unfortunately these instructions only work for Windows XP and Server 2003. At the moment no Citrix client, including 11.0, allows PIN pass-through with Vista and Server 2008 🙁

Here are some more interesting links:


July 29, 2008

Update – AAC tuning, part 4

I had to update the document because a customer wanted to set the color of the bar to a dark blue. After this change the caption inside the bar could no longer be read, so we had to change the color of the caption to white. This way we got the needed contrast back. How to do that is now added to the document.

The howto is written in German. An English translation is not available at the moment. Since the PDF uses a lot of pictures, you might be able to follow it anyway. As soon as I find the time, I will provide a translated version. Until then, you can download the German version here: AAC4_5_CustomizeLogonPoint_Rev1.1_DE.pdf


July 12, 2008

AAC tuning, part 4

Adjusting the look of an AAC LogonPoint to the corporate identity (CI) of a company is not as easy as it is with a Citrix Web Interface deployment. In the following PDF I will show you a way to get there anyway.

The howto is written in German. An English translation is not available at the moment. Since the PDF uses a lot of pictures, you might be able to follow it anyway. As soon as I find the time, I will provide a translated version. Until then, you can download the German version here: AAC4_5_CustomizeLogonPoint_Rev1.1_DE.pdf

This is what your LogonPoint could look like after reading this document (screenshots: customized LogonPoint - login, customized LogonPoint - portal).

Additional documentation about customizing an AAC LogonPoint can be found here:

  • Basic Customization of the Advanced Access Control 4.x Logon Point
  • How to Customize the Default View for Web Interface 4.6 When it is Embedded in Access Gateway Advanced Edition

And here you can find a currently very interesting article about AAC and Firefox 3.0:

  • Access Interface Appears Incorrectly with Firefox 3.0

Regards

June 18, 2008

IE kiosk mode

I recently had a customer who wanted Internet Explorer to be published as a locked-down version without toolbars and user interface. The goal was to publish a browser-based application for a smart card rollout without allowing users to browse away from this site. The search for a solution was harder than expected.

The solution most frequently found with Google was the built-in “kiosk mode” of Internet Explorer. This mode can be activated by appending the parameter -k to the IE shortcut. For more details see. In this mode IE starts in full-screen mode, but without the ability to access the navigation panes, toolbars and menus, as would be possible when switching to full-screen view by pressing F11. To end such a session, the user is forced to use the Alt + F4 hotkey, and all navigation in IE has to be done through hotkeys too. Not the solution we wanted for standard users 🙁

The next approach was Microsoft Group Policies, but they too had too many constraints and issues. One issue is that there is no way to hide the standard toolbars through Group Policies. It would therefore have been inevitable to manipulate the HKCU branch of the user’s registry at logon. This is a subject where the otherwise “overloaded” IE policies are not detailed enough 🙁

The solution came through a VBS object. Internet Explorer can be addressed and controlled through VBS. This gave me the possibility to adjust the user interface of IE and to hide all toolbars, navigation panes and menus without disabling basic functionality. The following code starts IE with a predefined URL and makes it much more difficult for users to break out of the predefined environment 🙂

Dim IE
Set IE = CreateObject("InternetExplorer.Application")
IE.ToolBar = 0 : IE.MenuBar = False : IE.AddressBar = False : IE.StatusBar = False ' hide toolbars, menu, address and status bar
IE.Visible = True ' the window is created hidden; show it
IE.Navigate "" ' the target URL belongs between the double quotes

The entry IE.Navigate stands for the target URL. Take care that the whole URL is surrounded by double quotes. Optional parameters are for the window size (IE.Width/IE.Height) and the window position on the user’s desktop (IE.Top/IE.Left).

(Screenshot: IE kiosk mode)

This script works perfectly under Windows XP and Server 2003. With Vista and Server 2008 administrative privileges are required!


May 15, 2008

CAG hotfix 4.5.7 Rev. A available

A few days ago, Citrix released the hotfix AG2000_v457 Rev. A. This release fixes a security issue found in all 4.5 releases of the Access Gateway. Fixes for Access Gateway 4.5.5, 4.5.6 and 4.5.7 are available for download.

Especially if you use the SSL VPN feature of the Access Gateway, it is recommended to install this fix as soon as possible.

The download and readme for CAG 4.5.7 Rev. A can be found here: CTX117123, Hotfix AG2000_v457 Rev. A


May 7, 2008

AAC hotfix AAC450W003 and CAG hotfix 4.5.7 available

A few days ago, Citrix released the hotfixes AAC450W003 and AG2000_v457. Besides a couple of bug fixes, there are some really interesting things in these releases:

Hotfix AAC450W003 invalidates some parts of my last posting in “AAC tuning, part 3”. A couple of months ago, I asked Citrix to allow customers to change the caption of the RADIUS input box on the logon page. In my last article I showed a way to change the caption easily for RSA and SafeWord deployments and pointed out a way to change the text with a little script in case of another RADIUS solution. However, this solution had some unwanted side effects, so I’m glad that Citrix came up with a solution for all deployments. The procedure described in the first section of “AAC tuning, part 3” stays valid but is now applicable to all RADIUS deployments too, provided you installed hotfix AAC450W003 correctly.

Vista is now supported with AAC 4.5, but it is still beta. This means that you are now able to check Vista clients through the EPA scans provided by Citrix. My first tests have been successful. CAUTION: If you use EPA scans from EPAFactory/Accario, you have to wait for an update from Accario to support AAC 4.5 HF03. This should be available around the 20th of May.

The list of supported AV scanners and personal firewalls has become a little longer. McAfee 8.5i, Symantec AVE 10.0, Symantec Endpoint Protection 11.0 and Trend Micro 8.0 are now officially supported at last.

The download and readme for AAC can be found here: CTX117123, AAC45W003

The download and readme for CAG 4.5.7 can be found here: CTX117123, Hotfix AG2000_v457


December 15, 2007

AAC tuning, part 3

Two-factor authentication with RSA, SafeWord or any other third-party RADIUS solution is a common way to authenticate in a secure manner to an AAC deployment. AAC, however, labels the input box for the OTP (One Time Password) with the fixed text “SecurID-PASSCODE”, “SafeWord CODE:” or, generically, “RADIUS Password”.

End users, however, mostly know their OTP solution under other names, for example the name of the RADIUS solution provider. This can lead to confusion during the login process.

This problem is easily solved for RSA SecurID and SafeWord. A solution for RADIUS is described further down. As in parts 1 and 2, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

On a standard AAC server this is presumably:


There is another version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched!

This file can be opened and edited with any editor, such as Windows Notepad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure the labels for the OTP field so that it displays a text your users expect. All it needs is to change the following lines below the <appSettings> section:

<add key="SecondaryAuthenticationPromptOverride" value="Password:" />
<add key="SecondaryAuthenticationToolTipOverride" value="Enter Password" />

Where “Password:” stands for the text to be displayed as the label and “Enter Password” stands for the text displayed as the tool tip.

The section should look like this afterwards:

<add key="DebugConsoleTrace" value="False" />
<add key="AdvancedGatewayClientDownloadUrl" value="" />
<add key="AdvancedGatewayClientActivationDelay" value="10" />
<add key="MaxConnectionsToAuthenticationService" value="20" />
<add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
<add key="DeployedBy" value="LACONFIG" />
<add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
<add key="SecondaryAuthenticationPromptOverride" value="SafeWord PIN + Zahlencode:" />
<add key="SecondaryAuthenticationToolTipOverride" value="PIN und Zahlencode eingeben" />

After saving the changes, a user calling this modified LogonPoint should now see the new label.

This method unfortunately works only for RSA SecurID and SafeWord. The text displayed when using a third-party RADIUS solution is hard-coded and not that easy to manipulate. There is a pending feature request at Citrix, but it isn’t clear when a solution will be publicly available.

Finally I found a very good work-around in the Citrix AAC Forum, published by Joel Donaldson. A simple manipulation of the BasePage.aspx file of the respective LogonPoint solves the problem in an elegant way.

With an English LogonPoint it is sufficient to add the following block before the </body> tag:

<script type="text/javascript" language="JavaScript">
document.body.innerHTML=document.body.innerHTML.replace("RADIUS Password:","Kobil Einmalpasswort:");
</script>

The result will look like this (screenshot: login prompt after the modification).

If you also want to support German LogonPoints, you need another code block that respects the German wording:

<script type="text/javascript" language="JavaScript">
document.body.innerHTML=document.body.innerHTML.replace("RADIUS-Kennwort:","Kobil Einmalpasswort:");
</script>

Other languages can be added easily this way.

If someone asks why this works, this short explanation may help: the script looks for the string “RADIUS Password:” in the delivered web page and replaces it with the second parameter of the function “document.body.innerHTML.replace”, in our example “Kobil Einmalpasswort:” (Kobil OTP).

Attention: this only works if JavaScript is enabled in the browser. If JavaScript is disabled, the original text “RADIUS Password:” is displayed. This modification shouldn’t have any other side effects.
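The same relabeling as one script that serves the English and the German LogonPoint together and HTML-escapes the new caption before it is written back through innerHTML; this is an added example, not the script from the post or from the Citrix forum, and the caption list and the sample markup are constructed here. Note that re-serialising document.body.innerHTML recreates every element of the page, so event handlers attached by earlier scripts are lost.

```javascript
// Added example (not from the post): relabel the hard-coded OTP caption for
// several LogonPoint languages in one pass, with the new caption HTML-escaped
// because the result is written back through innerHTML.
const PROMPT_CAPTIONS = ["RADIUS Password:", "RADIUS-Kennwort:"]; // English, German (constructed list)

// Escape the characters that innerHTML would otherwise parse as markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Return the markup with the first known caption replaced by newCaption,
// or the markup unchanged when no caption was found (e.g. another language).
function relabelPrompt(html, newCaption) {
  const safeCaption = escapeHtml(newCaption);
  for (const caption of PROMPT_CAPTIONS) {
    if (html.indexOf(caption) !== -1) {
      // A function replacer inserts the text literally; a string replacer would
      // interpret "$&" or "$1" inside the caption as replacement patterns.
      // replace() with a string pattern touches only the first match.
      return html.replace(caption, () => safeCaption);
    }
  }
  return html;
}

// Constructed sample of what the delivered logon page might contain.
const SAMPLE_MARKUP =
  '<form><label for="otp">RADIUS Password:</label><input id="otp" type="password"></form>';

function relabelSample() {
  return relabelPrompt(SAMPLE_MARKUP, "Kobil Einmalpasswort:");
}

// In a browser, place this before </body> as in the post so the body already exists.
if (typeof document !== "undefined") {
  document.body.innerHTML = relabelPrompt(document.body.innerHTML, "Kobil Einmalpasswort:");
}
```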

<< AAC tuning, part 2

!!! Please read the first comment to this post !!!


December 9, 2007

Update: PNAgent Filter for Web Interface 4.6

Not long ago, I had to implement the PNAgent Filter for Web Interface 4.6. It turned out that the code of the modification itself didn’t need any changes from WI 4.5 to WI 4.6. To allow for an easy implementation, I nevertheless created an updated archive of the modification with the files updated for WI 4.6. Therefore all it needs is to replace one file, without the hassle of copying and pasting code blocks to the right locations.

Download FilterApps4.6

This modification gives an administrator the power to hide Published Applications from the user. All they have to do is add a “#” sign in front of the application description. Very handy if you use PNAgent to populate the Desktop and Start Menu and do not want the published Desktop to appear in the context menu of the PNAgent in the taskbar.

See also: PNAgent Filter for Web Interface 4.5


November 22, 2007

How to change the ICA client language

Users can choose the user interface language of the ICA Client for Win32 10.x and above through a dialog box the ICA Client shows during installation.

If users want to change the language after the installation, this can be done from the command line. Simply open a command prompt, browse to the ICA Client directory and run

Wfica32.exe /UserUILocale


Then add the required language and move it to the top of the list.

(Screenshot: MUI settings)

After a restart the ICA Client should appear with the new language selected.


November 15, 2007

Access Gateway hotfix 4.5.6

Citrix released hotfix 4.5.6 of the Access Gateway Standard, which eliminates another couple of bugs. Before the update to version 4.5.6, the number of connections from the Secure Access Client and Citrix Presentation Server Clients could differ between the Real-Time Monitor and the Statistics tab of the Administration Tool. Another fix addresses this issue: when users logged on to the Advanced Access Control option through the Access Gateway log off, the session is not disconnected; users must manually disconnect by right-clicking the Secure Access Client and selecting Disconnect.

If the Access Gateway appliance is upgraded to version 4.5.6 and Access Gateway Advanced Edition with hotfix AAC450W001 is installed on a server in the internal network, users are prompted to install the ActiveX control each time a connection is created. Currently, the file web.config has the following at the end of the file:

<add key="SACCodebase" value=",5,0,122" />

The version number needs to be changed to the correct version and build number for 4.5.6, which is 4,5,6,111.

The full list of fixes and the download can be found here.