Category Archives: XenApp 6

Citrix XenApp and Web Interface – from authentication to application launching (yes, yet another one)

One of the most frequent questions that colleagues and customers ask me is ‘Hey… but… wait a minute, who does authenticate the user? Is that the Web Interface or something else? ’

Yes, it’s true, there is plenty of documentation out there that explains how the XenApp logon process works, but I always struggled to find a document concise and clear enough that explains in details (but not too many) how the authentication process works and what are the services and components involved.

One great document available on line is the ‘The Excruciating Detail of the XenApp Logon Process’ published on, that’s a very detailed document, but sometimes it’s a bit ‘difficult’ to read for people who need a quick answer or for non-so-technical people.

In this article I wanted to summarize the logon and application launching process by focusing on four main phases:

Phase 1: User Authentication

Phase 2: Resource Enumeration

Phase 3: Resource Resolution

Phase 4: Resource Launching

This document is not meant to be ‘an official guide’ about how it works (there are plenty of Citrix documents that do that), it is just meant to help whoever needs to have a quick and detailed overview of such process. There may be errors in it, so feel free to add any comments or correct me if I’m wrong.

The majority of the information contained here comes from this great Citrix video: Web Interface Logon and Application Launch Process for XenApp


Phase 1: User Authentication

User Authentication

1. User launches web browser and types in the WI URL

2. Then he connects to web interface

3. Web interface returns a logon page

4. User types his credentials

5. The credentials are forwarded to the XML service (in the http or HTTPS format)

6. Then to the IMA service

7. The IMA service then forwards the credentials to the ‘Local Security Authority Service (Lsass.exe), which in turn encrypts these credentials and passes them to the domain controller

8. The Domain Controller returns the user’s SID and a list of groups’ SIDs back to the Lsass service, and then back to IMA


Phase 2: Resource Enumeration

Resource Enumeration

9. IMA uses these SIDs to look into the Local Host Cache on the server for a list of application and the ‘worker group preference’ policy for this authenticated user

10. Then the list of applications, along with the ‘worker group preference’ policies are returned by the IMA service to the Web Interface (through the XML service)

11. Web interfaces then uses its java objects to create a web page that contains the application list for the user ; the user’s ‘worker group preference’ policy is cached in the web interface’s memory

12. The web page is then presented to the user’s browser, thus completing the ‘Resource Enumeration ’ phase


Phase 3: Resource Resolution

Resource Resolution

13. Then the user selects a particular application from the applications list

14. The selected application’s data is passed back to the web interface, which in turns passes these information to the XML and IMA services along with the ‘worker group preference’ policy

15. These information are then forwarded to the zone data collector’s IMA service, which then :

a. tries to find the least loaded server according to the ‘worker group preference’ policy

b. when it finds a server sends a query to the ‘Citrix Services Manager’ of that server to verify whether or not such server has the requested application installed

c. if the answer is yes, it forwards that server’ host ID to the XML broker

16. The XML broker then translate this host ID into its IP address by searching the server’s ‘local host cache’, the IP address is then provided to the Web Interface, thus completing the Application Resolution phase


Phase 4: Resource Launching

Resource Launching

17. The web interface will then take this IP address and creates an ICA file, which is then returned to the users’ web browser

18. Then the Citrix plugin, located on the client, uses the information included in the ICA file to launch an ICA connection on the least loaded server

19. The server then launches the application, which is then presented to the user through the ICA channel


More information can be found here:  (Web Interface Logon and Application Launch Process for XenApp) (High Availability for Citrix XenDesktop and Citrix XenApp – Planning Guide) (The Excruciating Detail of the XenApp Logon Process)

Getting rid of the ‘Internet Explorer Enhanced Security Configuration is enabled’ page when publishing IE through XenApp

Environment: Citrix XenApp 6.5, Windows Server 2008 R2, Internet Explorer 8.

Scenario: you published IE as a XenApp application, you turned IESEC off through GPOs (or through the Server Manager) and you configured a default home page for all users through a GPOs.

Problem description: at their first logon, your users get the ‘res://iesetup.dll/HardAdmin.htm’ start page which says something like ‘Internet Explorer Enhanced Security Configuration is enabled’. You don’t understand why this happens as you are sure you correctly set the default home page and disabled IESEC. Anyway, when users log on a second time they see their correct home page. This problem might be very annoying when every user has a local profile which is deleted and then needs to be recreated each time.

Problem cause: this problem happens if you disable IESEC after installing XenApp and enabling Remote Desktop Services, in fact, when you do so, the NTUSER.DAT file located in the Default User folder retains some settings that bring you to the ‘res://iesetup.dll/HardAdmin.htm’ on your first logon.

Problem resolution: to avoid this problem disable IESEC before installing XenApp. If it’s too late and you have already installed XenApp without disabling IESEC first, you can replace the NTUSER.DAT file located in the Default User folder with a correct one; to do so follow step #4 described in this Microsoft article:

Acrobat Reader 9 script pop-up removal

Environment:  Windows Server 2003 Service Pack 2, Citrix XenApp 5 Roll Up Pack 7, Citrix User Profile Management 3.2, VMware ESX 4.0.

Problem description: every time an application tries to open, through a script, a pdf file with Acrobat Reader (from version 9 on), a pop-up alert notifies the user of the action. This pop-up can be annoying when multiple pdf files need to be open during a session. The pop-up can be acknowledged and avoided for future uses, but usually users tend to ignore its content and click on “ok”.

Problem cause: the pop-up alert is a security feature introduced by Adobe since Acrobat Reader version 9.

Problem solution: when the “do not show this message again” check box is checked, a new registry key is created into the registry. To discover the key created by the process I used a free tool called “RegFromApp.exe”. The key is:

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader

To solve the problem I created an ADM template which I’ve imported and enabled through the GPO management console. The template is the following (please note that it modifies also another registry key: …\9.0\AdobeViewer]”EULA”= dword:00000001, which is useful to avoid the adobe contract to appear each time a new user opens acrobat reader):

;template creato da Sebastiano Ingallo
;per disabilitare il pop-up di alert
;di acrobat reader e la
;visualizzazione del contratto al primo avvio
        POLICY !!DisAlert
            KEYNAME "Software\Adobe\Acrobat Reader\9.0\
           EXPLAIN !!DisAlertExplain
                VALUENAME "iWarnScriptPrintAll"
                    VALUEON NUMERIC 1
                    VALUEOFF NUMERIC 0
        END POLICY
       POLICY !!DonotdisplayEULA
            KEYNAME "Software\Adobe\Acrobat Reader\9.0\AdobeViewer"
           EXPLAIN !!DonotdisplayEULAexplain
                VALUENAME "EULA"
                    VALUEON NUMERIC 1
                    VALUEOFF NUMERIC 0
        END POLICY
Reader="Adobe Reader 9.0"
DisAlert="Disabilita Alert Stampa"
DisAlertExplain="Se abilitato non visualizza l'alert
durante la stampa inziata da uno script"
DonotdisplayEULA="Non visualizzare contratto"
DonotdisplayEULAexplain="Se abilitato non fa
visualizzare il contratto al primo avvio"


PS: comments are written in Italian.




XenApp 6 – Disconnecting ICA session attempts to restart the server

System: XenApp 6 on Windows 2008 R2

Event description:

“The attempt by user domain\user to restart/shutdown computer XXXXXXXXXXX failed”

Event id: 1073 Source USER32

This event is generated when a user logs off from an ICA or RDP session. There is no actual attempt to restart or shutdown by a user or apps. The event is generated immediately after the log off.


  • Open the RemoteApp Manager (Under Administrative tools – Remote Desktop Services) as admin user. 
  • Close the RemoteApp Manager Console.
  • Clear the system log from event viewer.
  • Now you should not see the event anymore.
This temporary workaround has been found by Colm Naish:

XenApp 6 How To: force the ICA listener on one NIC in multihomed installations

Sometimes, if you have your XenApp 6 servers in a multihomed environment, you may need to force the ICA listener to listen on only one NIC. For example it might happen that your web interface returns an ICA.launch which includes the wrong IP address.

The following steps shows how to perform the required configuration:

  • Then you have to set the binding order of your network card, putting the one you want to be associaated with the ICA listener at the bottom of the list, to do so:
      1. Open “Control Panel”
      2. Open “Network and Sharing Center”
      3. Click on “Manage Network Connection”
      4. Press “Alt” on your Keyboard
      5. Click on “Advanced” and then on “Advanced Settings”
      6. Put the connection you want to use at the bottom (XenApp 6 binds in descending order)
  • Open “ICA Listener Configuration”

  • Click on “Edit” –> “Network Adapter” and select the adapter you want
  • Click “OK” and close the console.
  • Restart the IMA service

  • Open a command prompt and run “qfarm”, you will see that your server is not listed along the others (here is explained why: )
  • Open the ICA listener console and put all NIC to listen again
  • Restart the IMA service again
  • Run “qfarm” again, now you’ll see that your server is listed twice and the first row contains the IP of the NIC you chose to use for the ICA listener


HOW TO: stream 3.2.1 on XenApp 6

This short “how to” explains how to create a streamed profile of the 3.2.1 suite and stream it to server.

Profiling applications in Citrix’s jargon means creating a sort of box containing an application with all its files and registry entries. The application is then streamed, see delivered, to a server or a client and then executed into a kind of sandbox, almost isolated from the rest of the OS. This means that, for example, on one Windows server I can run multiple version of Microsoft Office at the same time, keeping them separated and avoiding any kind of conflict between them.

Well, after this little explanation… let’s go ahead and do the intriguing part!


I’d say that you have to be familiar with application streaming but, actually, the process is straightforward and very easy to follow. There are only two details that need to be considered and they regard the first-run wizard and the default file format, we’ll look at this later in the article.

Of course the first thing to do is to make sure that we have the appropriate environment to make a working profile. The following is a checklist of the essential components we need:

  • A Windows Server (2008 R2 in my case)  configured exactly in the same way as your farm servers, this means same service packs, same patches, same language pack and same software installed (except for the offline plugin, that has not to be installed on the profiling server). The server may or may not be a member of the Citrix farm.
  • The server must not be used to deliver applications, it will only be used as a Streaming Profiler, it should remain as clean as possible. Remember that if a software application is present on the streaming profiler and not on the farm server it will probably create you problems when streaming the application to your server.
  • Citrix Streaming Profiler must be installed on the server, it can be found on the XenApp 6 DVD or directly downloaded from
  • A copy of is required it can be downloaded here:
  • The OpenOffice installation files must be installed. Run the OpenOffice installer, extract the installer files into a directory of your choice and stop the installation process. The files we need to carry out the installation are those now located in the directory you choose, the original installer can be deleted.

Before creating the profile, we need to take care of two aspects:

  1. Default file format: by default OpenOffice saves files in its format, if you want to change the default behavior and make the application save files in the Microsoft format you have to make some adaptations and they are well described here.
  2. First-run wizard: if you don’t want your users to be annoyed by the first-run registration wizard you need to go to this page: openoffice wiki and download the oxt file for the version of OpenOffice you downloaded.Save it in a directory on the profiler server. On the same directory of the oxt file create a batch file (anything.bat) containing the following text:

cd \
“c:\program files (x86)\ 3\program\unopkg” add –shared c:\DisableFirstStartWzd_ooo321.oxt

Profile creation

  • On the server go to Start > All Programs > Citrix > Streaming Profiler > Streaming Profiler


  • Click New Profile
  • Click next
  • Give a name and click next
  • Leave User Updates check box clear and click next
  • If you need to link additional profiles choose them now, otherwise click next
  • Make sure that on the list of Target Operating Systems you see the system on which you will stream the package, if you are profiling on Server 2008 R2 x64 you’ll be able to stream the package on 2008 R2 x64 servers and maybe on windows 7 x64 clients


  • Click next
  • Choose Advanced Install
  • Select “Run Install Program or command line script”


  • Click browse and find the setup file for OpenOffice in the folder you extracted
  • Click next and launch installer
  • Enter company and user name and click next
  • Choose custom and click next
  • On-line Update, Windows Explorer Extensions and Quickstarter are not useful in a XenApp installation, uncheck them:


  • Click next and clear the box to create a Start Link on Desktop
  • Click Install and finish the installation
  • Click Finish to return to the profiler
  • Click Next
  • Select Perform Additional Installations and click Next
  • Select “Run Install Program or command line script”
  • Enter the name and path of the batch file you created in the first text box and click next
  • Click Launch Installer
  • You should see the oxt installation:


  • Click next and select Finish Installations
  • You should now see a list of the main applications that you allowed at installation
  • Try to run any of them to see if they work properly
  • Click next, next, next and Finish
  • When the process is completed and if you haven’t any modifications to make, you can save the profile on a file share

Application publishing

You can now publish the applications you just profiled.

  • Open the Citrix Delivery Services Console and start to publish an application as you would do for a normal installed application
  • Give it a name and the description you like
  • When you have to choose the type of application to publish choose “Accessed from a server” and “Streamed to server”:


  • Go ahead and click browse to find your profile on the share you previously saved it, then from the list of applications choose the one you want to publish (e.g. Writer, Calc, etc…)
  • Go ahead and choose the servers on which to stream the application and the users that will have access to it
  • Make sure that each XenApp server you are using to run the application has the offline plugin correctly installed (it runs as a service and you can find it in the services management console)

You can now access and run the application!

Configure XenApp 6 to return FQDN instead of IP in the ICA file

XenApp’s default behavior is to provide clients with an ICA file (launch.ica) containing the IP address of the XenApp server chosen to provide the application or content required.

The default behavior can be modified in order to provide clients the server’s FQDN instead of its IP. Obviously, the clients must be able to resolve the address.

The following steps shows how to do that:

  1. Enable DNS address resolution on the XenApp 6 Server
  2. Edit the WebInterface.conf configuration file
  3. Wait for the default interval or run gpupdate
  4. Recreate the local host cache if necessary


1 – Enable DNS address resolution on the XenApp 6 Server

DNS Address Resolution must be enabled on the XenApp farm in order to return the fqdn through the xml service:

  • Open the Citrix Delivery Services Console
  • Edit an existing computer policy or create a new one

  • On the Server Settings section enable “DNS Address Resolution”

2 – Edit the WebInterface.conf configuration file

Edit the WebInterface.conf file located under: \Inetpub\wwwroot\Citrix\MetaFrame\conf\WebInterface.conf:

  • Find: AddressResolutionType
  • Replace “ipv4-port” with “DNS-port”

3 – Wait for the default interval or run gpupdate

Wait for the default interval  for the policies to take effect or run gpupdate /force on your XenApp servers

4 – Recreate the local host cache if necessary

If the ICA file still returns the IP address, recreate, on the XenApp servers, the local host cache with the following commands (the server must be able to contact the Data Store):

  • net stop imaservice (stops the IMA service, necessary to recreate the LHC, alternatively use the services console)
  • dsmaint recreatelhc
  • net start imaservice (restarts the IMA service, alternatively use the services console)


For more information visit:

XenApp 6 error with user names over 19 characters

XenApp 6 on Windows Server 2008 R2

If you log on (launch an application) to a server with a user name that exceeds 19 characters in length the logon pocess fails and causes the Winlogon.exe process on the server to exit unexpectedly.

Faulting application name: winlogon.exe
Faulting module name: MSVCR80.dll

The issue can be solved by installing the following Citrix hotfix: XA600W2K8R2X64001 downloadable here: