powered by Ecki's Place

July 12, 2008

AAC tuning, part 4

To adjust the look of an AAC LogonPoint at the CI of a company is not as easy as it is with a Citrix Web Interface deployment. In the following PDF i will show you a way to get there anyway.

The howto is written in german. A translation into english is not available at the moment. Since the pdf utilizes a lot of pictures, you might be able to understand it anyway. As soon as i find the time, i will provide a translated version. Until then, you can download the german version here: AAC4_5_CustomizeLogonPoint_Rev1.1_DE.pdf

This is, what your LogonPoint could look like after reading this document:
Angepasster LogonPoint - LoginAngepasster LogonPoint - Portal

Additional documentation about customizing an AAC LogonPoint can be found here:

  • Basic Customization of the Advanced Access Control 4.x Logon Point
  • How to Customize the Default View for Web Interface 4.6 When it is Embedded in Access Gateway Advanced Edition
  • And here you can find a currently very interesting article about AAC and FireFox 3.0:

  • Access Interface Appears Incorrectly with Firefox 3.0
  • Regards

    June 18, 2008

    IE kiosk mode

    I recently had a customer that wanted Internet Explorer to be published as a locked down version without toolbars and userinterface. The goal was to publish a browser based application to allow for a smart card rollout and not allowing users to browse away from this site. The search for a solution was harder than expected.

    The solution most frequently found with Google was the built in “kiosk mode” of Internet Explorer. This mode can be activated by appending the parameter -k to the IE shortcut. For more details see In this mode the IE starts in full screen mode, but without the ability to access the navigation panes, toolbars and menus as it would be possible when switching to full screen view by pressing F11. To end such a session, the user is forced to use the Alt. + F4 hotkey and all navigation in IE has to be done through hotkeys too. Not the solution we wanted for standard users 🙁

    The next approach were Microsoft Group policies, but they too had too many constraints and issues. One issue here was, that there is no way, to hide the standard toolbars through group policies. It would have been therefore inevitable to manipulate the HKCU branch of the users registry at logon. This is a subject, where the otherwise “overloaded” IE policies are not detailed enough 🙁

    The solution came through a VBS object. Internet Explorer can be addresses and controlled through VBS. This gave me the possibility to adjust the user interface of the IE and to hide all toolbars, navigation panes and menues, without disabling basic functionality. The following code starts IE with a predefined URL and makes it much more difficult for users to break out of the predefined environment 🙂

    DIM IE
    Set IE = CreateObject("InternetExplorer.Application")
    IE.Navigate ""

    The entry IE.Navigate stands for the target URL. Take care that the whole URL is surrounded by double quotes. Optional parameters are for the windows size (IE.Width/IE.Height) and the windows position on the users desktop (IE.Top/IE.Left).

    IE kiosk mode

    This script works perfect under Windows XP and 2003 Server. With Vista and 2008 Server administrative privileges are required!


    December 15, 2007

    AAC tuning, part 3

    Two Factor Authentication with RSA, SafeWord or any other third party RADIUS solution is a common way to authenticate in a secure manner to an AAC deployment. AAC however labels the input box for the OTP (One Time Password) fix with the text “SecurID-PASSCODE”, “SafeWord CODE:” oder generic with “RADIUS Password”.

    Endusers however know their OTP solution most of the time with other names, the name of the RADIUS solution provider for example. This can lead to confusion during the login process.

    This problem is easily solved for RSA SecureID and SafeWord. A solution for RADIUS is described further down. As in part 1 and 2, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

    On a standard AAC server this is presumably:


    There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

    This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure the lables for the OTP field, so that it displays a text your users expect. All it needs, is to change the following line below the <appSettings> section:

    <add key=”SecondaryAuthenticationPromptOverride” value=”Password:” />
    <add key=”SecondaryAuthenticationToolTipOverride” value=”Enter Password” />

    Where “Password:” stands for the text to be displayed as lable and “Enter Password” stands for the text, displayed as tool tip.

    The section should look like this afterwards:

    <add key="DebugConsoleTrace" value="False" />
    <add key="AdvancedGatewayClientDownloadUrl" value="" />
    <add key="AdvancedGatewayClientActivationDelay" value="10" />
    <add key="MaxConnectionsToAuthenticationService" value="20" />
    <add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
    <add key="DeployedBy" value="LACONFIG" />
    <add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
    <add key="SecondaryAuthenticationPromptOverride" value="SafeWord PIN + Zahlencode:" />
    <add key="SecondaryAuthenticationToolTipOverride" value="PIN und Zahlencode eingeben" />
    <!- -

    After saving the changes, a user calling this manipulated LogonPoint should now see the new lable.

    This method unfortunately works only for RSA SecureID and SafeWord. The text displayed, when using a third party RADIUS solution is hard coded and not that easy to manipulate. There is a pending feature request at Citrix, but it isn’t clear, when a solution will be publicly available.

    At last I found a very good work-around in the Citrix AAC Forum, published by Joel Donaldson. A simple manipulation of the BasePage.aspx file of the respective LogonPoint solves the problem in an elegant way.

    With an english LogonPoint it is sufficient, to add the following paragraph before the </body> tag:

    <script type="text/javascript" language="JavaScript">
    document.body.innerHTML=document.body.innerHTML.replace("RADIUS Password:","Kobil Einmalpasswort:");

    The result will look like this:
    Loginprompt nach der Manipulation

    If you want to support german LogonPoints also, you need another code block that respects the german notation:

    <script type="text/javascript" language="JavaScript">
    document.body.innerHTML=document.body.innerHTML.replace("RADIUS-Kennwort:","Kobil Einmalpasswort:");

    Other languages can be added easily this way.

    If someone is asking itself why this works, this short explanation may help. The script code is looking for the string “RADIUS Password:” in the delivered web page and replaces it with the second parameter of the function “document.body.innerHTML.replace”, in our example “Kobil OTP:”.

    Attention, this works only, if JavaScript is enabled in the browser. If JavaScript is disabled, the original text “RADIUS Password:” is displayed. This modification shouldn’t have any other side effects.

    < < AAC tuning, part 2

    !!! Please read the first comment to this post !!!


    May 2, 2007

    Secure Access Client Command Line Parameters

    It is a little known fact, that the Secure Access Client (4.2 and later, including net6vpn.exe) offers some interesting command line parameters. I will therefore present them here. The most intersting part is the ability to automate installation of the client via software deployment or simple batch script.

    Note: These parameters are case-sensitive.

    The following parameters are available:

    • -C Configure the Virtual Private Networking (VPN) client–bring up the GUI configuration screen
      Example: “CitrixSAClient.exe –C”
    • -H Connect to a specific server address and port (Syntax: -H SERVER_IP:PORT)
      Example: “CitrixSAClient.exe –H”
    • -p Connect with a proxy IP address and port (Syntax: -p PROXY_IP:PORT)
      Example: “CitrixSAClient.exe –p”
    • -i Install the client. This is used in combination with other parameters for silent installations
      Example: “CitrixSAClient.exe –i”
    • -D Sets the URL for the desktop icon for Advanced Access Control mode (Syntax: -D AG_AAC_URL)
      Example: “CitrixSAClient.exe -D”
    • -Q Quiet mode parameter–this can only be used during an install (-i) or uninstall (-U). It must appear before all other parameters
      Example: “CitrixSAClient.exe –Q”
    • -U Uninstall the VPN client and drivers
      Example: “CitrixSAClient.exe –U”
    • -v Shows the version of the client you are launching
      Example: “CitrixSAClient.exe –v”

    Below is a syntax example for a silent installation with Advanced Access Control integration:
    CitrixSAClient.exe –Q –D https://AG_AAC_URL –i

    A silent installation for Access Gateway Standard would look like that:
    CitrixSAClient.exe –Q –H [AG_SYSTEM_FQDN]:[AG_SYSTEM_PORT] –i

    From CTX108757.