powered by Ecki's Place

March 8, 2013

IE 10 + Access Gateway Enterprise Logon Screen Issue

People who already use IE 10 will have probably seen this phenomenon while connecting to an Access Gateway Enterprise site. The browser window remains empty after connecting to the AGEE URL. The logon prompt is only visible after switching to compatibility mode. A similar problem has been described on this site a few years ago, s. AAC und IE 8.0

The solution is similar but the files are different.

With Access Gateway Enterprise the file “/netscaler/ns_gui/vpn/index.html” has to be changed according to the following listing (red/bold line added):

<HTML><HEAD><TITLE>Citrix Access Gateway</TITLE>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/">
<META http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META content=noindex,nofollow,noarchive name=robots>
<LINK href="/vpn/images/caxtonstyle.css" type=text/css rel=STYLESHEET>
<script type="text/javascript" src="/vpn/resources.js"></script>
<script type="text/javascript" language="javascript">
var Resources = new ResourceManager("resources/{lang}", "logon");

If the fix is working (! close the browser and reopen it !), don’t forget to make this change persistent since the Access Gateway Enterprise “forgets” all the modifications during a reboot! The following Citrix KB article describes, how to make changes survive a reboot: How to Retain the Custom Settings made to the NetScaler Appliance after it is Restarted


October 17, 2010

Missing XML file for Offline-Plugin 6.0.1 for Merchandising Server

If you are already working with Merchandising Server, you will probably know this problem.

Citrix provides an update for his Offline –Plugin that eliminates 45 bugs. The update 6.0.1 is available as regular download since many weeks now but if you try to find the update on your Merchandising Server you won’t find it. Even a manual rescan of the available plugins doesn’t help 🙁

The reason is a missing XML file, which Merchandising Server needs to control the installation and configuration of the plugins. Apparently Citrix won’t make this XML file available to the public, see Citrix Blog: App Streaming-6.0.1 LCM Update

I have therefore taken the time to have a look at the following resources:

Citrix eDocs
Metadata Reference

and finally created my own XML file.

To save your time, I will provide you with the XML file needed here: XenAppStreamingMetaData.xml

On the Merchandising Server it is now possible to upload the actual Offline-Plugin together with the new XML file. After that step you can deploy the update through standard deliveries as usual.

Why Citrix doesn’t provide this file itself is a miracle to me. In fact this behavior doesn’t help to convince people to use Merchandising Server. I hope Citrix is rethinking the way they provide updates to Merchandising Server in the future…


July 11, 2010

32bit icon option missing from the XenApp farm properties

I recently stumbled uppon a really weired problem with 32bit icon support in XenApp. Under certain circumstances the AMC won’t show the option for 32bit icon support in the farm properties even if all prerequisites are perfectly met. We found out the reason for that behaviour only by accident.

The problem can be seen with all versions of Presentation Server 4.5 and XenApp 5.0 for w2k3 as well as for w2k8.

If the problem hits you, the farm properties won’t show the option for 32bit icon support, but there will only be a blank space 🙁

No 32bit icon support in the AMC

The reason for this odd behaviour can be found in the configuration of the farm-discovery. I sometimes use LOCALHOST as the hostname for discovery. This is helpful in situations where you have roaming profiles and IIS is not installed on the XenApp servers.

But if you configure discovery that way there will be no 32bit icon option in the AMC.

Configured with LOCALHOST

If you change the discovery option back to the local server

Konfiguriert mit "Local Server"

the missing option reappeares again.

32bit icon support available

You can toggle that behaviour as you like. Admittedly this is not a common problem but it is odd and if you happen to see it, you will be warned…


July 2, 2009

Laptop and XenServer with GNOME on USB disk

Wouldn’t it be nice to have your XenServer environment allways with you on a USB disk ?

Wouldn’t it be nice, if this USB disk would function with your own notebook ?

And that you don’t need a second machine to run XenCenter on it ?

That this is possible and how to achieve this, is documented in my last tutorial. In this tutorial we will install XenServer on a USB harddisk attached to a laptop, then install X server and GNOME on this disk and then run an RDP session to a VM running on the XenServer and providing us with XenCenter.

A “demo in a box” 🙂

The tutorial can be downloaded here: “XenServer_and_Gnome_on_your_USB_disk_EN.pdf”
For the moment, this tutorial is availabel only in German, but i will upload an english version soon, so stay tuned…
The english version is now available too…


March 24, 2009

AAC and IE 8.0

Some days ago, Microsoft officialy released IE 8.0. Since IE 8.0 will be available trough Windows Update soon, more and more users will hit existing AAC deployments with this browser. Unfortunately this is not working as expected. This is, how an AAC portal page looks like in IE 8.0 with default settings:


The layout is crushed, links are missing and OWA is nearly unusable 🙁

A small change in the file C:\Inetpub\wwwroot\CitrixSessionInit\NUI.aspx solves the display issue by forcing IE 8.0 into IE 7.0 compatibility mode.

It is sufficient to add the following line in the header of the NUI.aspx file:

<meta http-equiv=”X-UA-Compatible” content=”IE=EmulateIE7″ />

Your header might look like this after the change:

<html xmlns="">
<title>Citrix Access Gateway</title>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
<meta name="CODE_LANGUAGE" content="C#" />
<meta name="vs_defaultClientScript" content="JavaScript" />
<meta name="vs_targetSchema" content="" />
<link rel="SHORTCUT ICON" href="themes/default/images/favicon.ico" type="image/" />
<base id="baseElement" href="" runat="server" />
<link id="cssElement" rel="stylesheet" href="" runat="server" />
<!--[if IE]>
<style type="text/css">

Immediately your portal is rendered again as it should be 🙂


This is not a final solution for the problem, but until Citrix releases a fix for this issue it will do…


December 15, 2007

AAC tuning, part 3

Two Factor Authentication with RSA, SafeWord or any other third party RADIUS solution is a common way to authenticate in a secure manner to an AAC deployment. AAC however labels the input box for the OTP (One Time Password) fix with the text “SecurID-PASSCODE”, “SafeWord CODE:” oder generic with “RADIUS Password”.

Endusers however know their OTP solution most of the time with other names, the name of the RADIUS solution provider for example. This can lead to confusion during the login process.

This problem is easily solved for RSA SecureID and SafeWord. A solution for RADIUS is described further down. As in part 1 and 2, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

On a standard AAC server this is presumably:


There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure the lables for the OTP field, so that it displays a text your users expect. All it needs, is to change the following line below the <appSettings> section:

<add key=”SecondaryAuthenticationPromptOverride” value=”Password:” />
<add key=”SecondaryAuthenticationToolTipOverride” value=”Enter Password” />

Where “Password:” stands for the text to be displayed as lable and “Enter Password” stands for the text, displayed as tool tip.

The section should look like this afterwards:

<add key="DebugConsoleTrace" value="False" />
<add key="AdvancedGatewayClientDownloadUrl" value="" />
<add key="AdvancedGatewayClientActivationDelay" value="10" />
<add key="MaxConnectionsToAuthenticationService" value="20" />
<add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
<add key="DeployedBy" value="LACONFIG" />
<add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
<add key="SecondaryAuthenticationPromptOverride" value="SafeWord PIN + Zahlencode:" />
<add key="SecondaryAuthenticationToolTipOverride" value="PIN und Zahlencode eingeben" />
<!- -

After saving the changes, a user calling this manipulated LogonPoint should now see the new lable.

This method unfortunately works only for RSA SecureID and SafeWord. The text displayed, when using a third party RADIUS solution is hard coded and not that easy to manipulate. There is a pending feature request at Citrix, but it isn’t clear, when a solution will be publicly available.

At last I found a very good work-around in the Citrix AAC Forum, published by Joel Donaldson. A simple manipulation of the BasePage.aspx file of the respective LogonPoint solves the problem in an elegant way.

With an english LogonPoint it is sufficient, to add the following paragraph before the </body> tag:

<script type="text/javascript" language="JavaScript">
document.body.innerHTML=document.body.innerHTML.replace("RADIUS Password:","Kobil Einmalpasswort:");

The result will look like this:
Loginprompt nach der Manipulation

If you want to support german LogonPoints also, you need another code block that respects the german notation:

<script type="text/javascript" language="JavaScript">
document.body.innerHTML=document.body.innerHTML.replace("RADIUS-Kennwort:","Kobil Einmalpasswort:");

Other languages can be added easily this way.

If someone is asking itself why this works, this short explanation may help. The script code is looking for the string “RADIUS Password:” in the delivered web page and replaces it with the second parameter of the function “document.body.innerHTML.replace”, in our example “Kobil OTP:”.

Attention, this works only, if JavaScript is enabled in the browser. If JavaScript is disabled, the original text “RADIUS Password:” is displayed. This modification shouldn’t have any other side effects.

< < AAC tuning, part 2

!!! Please read the first comment to this post !!!


December 9, 2007

Update: PNAgent Filter for Web Interface 4.6

Not long ago, i had to implement the PNAgent Filter for Web Interface 4.6. It turned out, that the code itself of the modification didn’t need any changes from WI 4.5 to WI 4.6. To allow for an easy implementation, i nevertheless created an updated archive of the modification and updated the files for WI 4.6. Therefore all it needs is to replace one file, without the hassle to copy and paste code blocks to the right locations.

Download FilterApps4.6

This modification gives an administrator the power to hide Published Applications from the user. The only thing he has to do is adding a “#” sign in front of the application description. Very handy, if you use PNAgent to populate the Desktop and Start Menu and do not want the published Desktop to appear in the context menu of the PNAgent in the taskbar.

See also: PNAgent Filter for Web Interface 4.5


November 22, 2007

How to change the ICA client language

Users can choose the user interface language of the ICA Client for Win32 10.x and above through a dialog box the ICA Client provides during installation.

If users want to change the Language after the installation this can be done from the command line. Simply open a command prompt, browse to the ICA Client directory and run

Wfica32.exe /UserUILocale


Then add the required language and move it to the top of the list.

MUI settings

After a restart the ICA Client should appear with the new language selected.


September 17, 2007

Access Gateway hotfix 4.5.5 Rev. B

After the summer holidays and several very busy weeks, i have found the time again to carry on with these pages 🙂

Citrix released Revision B of the Access Gateway HotFix 4.5.5 today, which eliminates a couple of bugs. After the update to version 4.5.5 some CAG Standard installations experienced a freeze every 10 to 20 minutes or even worse 2 to 3 crashes/reboots a day. The “reason” for this behavior was the configuration of more than one STA on the CAG Standard. After the update to Rev. B this bug should be eliminated.

Additional fixes for the SAC roll out and the EPA download are included. Furthermore the SAC should close now more reliably in AAC deployments. The full list of fixes and the download can be found here.


July 21, 2007

Web Interface 4.6 for Windows available

Yesterday Citrix released the new Web Interface 4.6 for Windows. This version is mandatory for several new features and enhancements introduced with the Rollup Pack 01 for Presentation Server 4.5.

Before installing Web Interface 4.6 you have to update your AMC (Access Management Console for Presentation Server 4.5) first. The new console snap-ins must be present before the new features can be installed successfully. The new AMC can be downloded here.

The download of Web Interface 4.6 and aditional informations can be found here.