Brian Madden's Blog

Oops! SP2 for Windows XP Breaks Citrix NFuse / Web Interface Clients

Written on Feb 12 2004 17,272 views, 45 comments


by Brian Madden

As you probably know by now, one of the key enhancements of Service Pack 2 for Windows XP is the added security. Unfortunately, this added security causes a default installation of Internet Explorer to classify web files with the "ICA" extension as unsafe. This means that when using Service Pack 2, users are not able to click on a linked ICA file from a Citrix NFuse or MetaFrame Web Interface web site.

Prior to Service Pack 2, Windows XP users could browse to Citrix NFuse / Web Interface servers and click on links to launch remote MetaFrame applications. Clicking a link causes the web server to pass an ICA file down to the Windows XP client device where the locally installed ICA Client software receives it and seamlessly launches the application.

Once Service Pack 2 is installed, clicking an ICA file link pops up a dialog box warning that some files may harm your computer. The user is asked whether they want to Open, Save, or Cancel. Worse still is that choosing the "Open" option doesn't seem to work. The only workaround involves saving the file to your computer and then running it manually from there.

The security warning box is presented to the user regardless of the configured security zone of the server.

In all fairness, this security complexity is not limited to Citrix ICA files. (The web is filling with stories of people who can no longer run VBS files with SP2.) Also, workarounds are possible. However, it could provide quite a bit of cleanup work for Citrix administrators, especially when users connect from outside workstations that will automatically receive SP2 via Windows Update.

We don't yet know if this behavior is by design or simply an oversight of the classification of ICA files. (Certainly Microsoft shouldn't consider ICA files as dangerous as VBS files?)

 
 





Comments

Guest wrote Microsoft is aware of this
on Sun, Dec 12 2004 1:17 PM Link To This Comment
This message was originally posted by Brian Madden on March 5, 2004
As a follow up, I received a phone call yesterday from a Microsoft employee who said that this issue is known within Microsoft, and that it's officially made it into the bug tracking database for SP2.
Guest wrote No Title
on Sun, Dec 12 2004 1:21 PM Link To This Comment
This message was originally posted by Andrew on March 24, 2004
But as of RC1, have made no (good) alterations - the security warning box doesn't appear now!
Guest wrote Windows XP SP2 - Do your Homework
on Sun, Dec 12 2004 1:21 PM Link To This Comment
This message was originally posted by an anonymous visitor on April 13, 2004
Windows XP SP2 Technical Preview
Download the Network Install
Published: March 19, 2004
Windows XP Service Pack 2 (SP2) provides an enhanced security infrastructure that defends against viruses, worms and hackers, along with increased manageability and control for IT professionals and an improved experience for users.


To aid IT professionals in planning and testing for the deployment of Windows XP SP2, Microsoft is making available this preview, based on Release Candidate 1 of the SP2. Additionally, we have established 11 newsgroups for sharing information.

WARNING! This technical preview is unsupported and is intended for testing purposes only. Do not use in production environments.

There is no phone or incident support available for this download, but any questions may be posted in the newsgroups available at http://communities.microsoft.com/newsgroups/default.asp?icp=xpsp2&slcid=us

Guest wrote CITRIX
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on April 16, 2004
So is there any way to "work around" this issue with Citrix? I liked SP2 but cannot live without Citrix so I un-installed it. I would love to find a way to have both.
Guest wrote Work around
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on April 19, 2004
Save to desktop and open there?
Guest wrote CITRIX (Work Around)
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on April 20, 2004
Thanks. I thought of that but the file is deemed unsafe whether launched from Citrix or from a saved location.
Guest wrote CITRIX & XP SP 2
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on April 21, 2004
Install Mozilla Firefox, login to NFUSE, and work normally :)
Guest wrote CITRIX
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on April 22, 2004
Y0U ARE THE MAN! It W0RKED I SEND MY ThaNKS IN A BiG WAY!

N0W if I Can 0NLY figure out this pen!
Guest wrote Citrix (followup)
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on April 25, 2004
It seems that any browser but IE will handle Citrix. So just use Netscape or any other browser but IE.
Guest wrote It looks like the ICA clients version 8 fix this problem
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by Brian Madden on April 27, 2004
These are the new clients that come with MetaFrame Presentation Server 3, and they're freely downloadable now.
Guest wrote The Metaframe Presentation Server doesn't solve it!
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on May 7, 2004
The Solution to save the ICA file to your desktop doesn't work, either, if that functionality has been disabled on the desktop or if you cannot right click and save on a workstation.

The workaround is to wait until it's fixed.

Guest wrote an answer from Citrix ...
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by m@ in london on May 7, 2004
look at the following Microsoft document:
http://download.microsoft.com/download/8/7/9/879a7b46-5ddb-4a82-b64d-64e791b3c9ae/WinXPSP2_Documentation.doc
check from page 103, it gives some details about the new Windows XP SP2 feature: Internet Explorer MIME Handling Enforcement

you can turn it off by setting the following registry value to 0 (off)
HKEY_LOCAL_MACHINE(or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
Guest wrote Citrix ICA session from a Windows XP.SP2(RC1) client system
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by Patrick Laroche on May 14, 2004
Out of my own
STEP_1: Set registry value for iexplorer.exe to '0' (off) in 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING'
STEP_2: Go to 'Control Panel' > 'Internet Options' > 'Security' > 'Trusted Sites' and add the fully qualified internet name of your NFuse gateway, for example 'https://citrix.mydomain.com'.
STEP_3: Re-install the Citrix ICA web client.
This patch works both with MSIE and Mozilla.
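
An added example, not part of the original comment or of any Citrix or Microsoft tooling: because step 1 switches off Internet Explorer's MIME handling enforcement through a registry value, an administrator can audit exported registry files for machines where that opt-out is still in place. The sample export is constructed; its value names (`iexplore.exe`, `explorer.exe`, `*`) and the second feature key are assumptions used for illustration.

```python
import re

# Feature-control key named in the comments above (hive prefix varies).
FEATURE = r"\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING"
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')


def mime_handling_optouts(reg_text):
    """Return (hive, value name, scope) for every entry that sets the feature to 0."""
    findings, in_feature_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section["key"]
            # Track only sections that are the MIME handling feature key.
            in_feature_key = key if key.lower().endswith(FEATURE.lower()) else None
            continue
        value = VALUE_RE.match(line)
        if in_feature_key and value and int(value["data"], 16) == 0:
            hive = in_feature_key.split("\\", 1)[0]
            scope = "all processes" if value["name"] == "*" else "single process"
            findings.append((hive, value["name"], scope))
    return findings


# Constructed sample in regedit export format (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING]
"iexplore.exe"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
"*"=dword:00000000
"""

if __name__ == "__main__":
    for hive, name, scope in mime_handling_optouts(SAMPLE_EXPORT):
        print(f"{hive}: MIME handling enforcement off for {name} ({scope})")
```
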
Guest wrote You can also use the java client and it works
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on May 25, 2004
You can also change your portal settings from native client to java and it works just fine.
Guest wrote If there is a box "Can't find ica file"
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on May 25, 2004
If you get the error box "can't find ica file" try to uncheck the box "don't save encrypted pages to disk" under "extras" from ie.
Guest wrote Web ICA Client Works
on Sun, Dec 12 2004 1:22 PM Link To This Comment
This message was originally posted by an anonymous visitor on June 9, 2004
I have tried the new version of 8.0 and it works great. No problems, no tweaking, easy install. Server side I am running Metaframe XPe Feature Release 3, Nfuse 2.0. All my users are starting to use the new client.
Guest wrote Confirm Web ICA client version 8.0 works.
on Sun, Dec 12 2004 1:29 PM Link To This Comment
This message was originally posted by an anonymous visitor on June 23, 2004
I have been experiencing this problem since installing SP2 RC1. On reading this page I have just downloaded version 8.0 of the client. My connection to an outside site has worked first time.
Guest wrote Remove Citrix and go to Tarantella's TSE
on Sun, Dec 12 2004 1:31 PM Link To This Comment
This message was originally posted by an anonymous visitor on August 13, 2004
A Windows product like TSE that enhances the Windows WTS build and does not try to replace it like Citrix is a much better fit. This will stop the issues of compatibility when additional patches come out...
Guest wrote Remove Citrix?
on Sun, Dec 12 2004 1:49 PM Link To This Comment
This message was originally posted by Coupland on September 8, 2004
Well, I think Citrix is a little overpriced but to say Citrix tries to replace WTS is pure silliness. WTS IS Citrix technology purchased by Microsoft. If anything Microsoft hoped to replace Citrix and later decided against it based on the sheer revenue generated by the software vendor. Want to run Citrix? Well you'll need Windows server and Terminal server licenses. lol
Guest wrote Registry changes help
on Sun, Dec 12 2004 1:50 PM Link To This Comment
This message was originally posted by Lax on September 17, 2004
With registry changes and installation of new web client it works fine with MS IE.
Guest wrote Help!
on Sun, Dec 12 2004 1:50 PM Link To This Comment
This message was originally posted by an anonymous visitor on October 6, 2004
I installed both Mozilla Firefox & Citrix 8.0
but my Citrix is still not working
Guest wrote registry changes worked
on Sun, Dec 12 2004 1:52 PM Link To This Comment
This message was originally posted by manu on October 14, 2004
Step 1 recommended by Patrick worked - thanks!! Of course I did not understand what I did so I have no clue what impact it will have on my machine
Guest wrote NFuse works when logged in as Administrator, but not when logged in as Limited User
on Sun, Dec 12 2004 1:57 PM Link To This Comment
This message was originally posted by R Frey on November 16, 2004
As a Limited User I can login to the Applications Menu, but then when I select the application the "Connecting to (Application)" appears and "Connection Established, Negotiating Capabilities..." message appears and the bar quickly fills from left to almost all the way to the right, but then hangs and then disappears without success. When logged in as Administrator this same Window appears and the bar is blue, but as Limited User the bar is grey. Obviously I need to give the Limited User some access, but where and how?? I would really not like to give the user Administrative access.
Guest wrote ditto to NFuse works when logged in as Administrator ....
on Sun, Dec 12 2004 1:57 PM Link To This Comment
This message was originally posted by an anonymous visitor on November 17, 2004
I found that Power User also works but not User. My system is running XP SP2 with all critical patches installed and the ica 8 web client. I'd really rather not have the user account running with anything higher than User rights on the box.
Guest wrote Why does Citrix ignore Administrator problem almost everybody running XP has?
on Sun, Dec 12 2004 1:57 PM Link To This Comment
This message was originally posted by Scott D on November 18, 2004
I also have users running WinXP and some of them run into the problem of needing elevated rights for the Web client to connect. If you go to Citrix's support page they do not even acknowledge it as a problem, but if you read their forums many users are complaining about it with no resolution. The only workaround I have found that seems to work is to give Users write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID key.
Does this "workaround" work for anybody else?
Guest wrote Does this workaround work for anyone else
on Sun, Dec 12 2004 1:57 PM Link To This Comment
This message was originally posted by an anonymous visitor on November 22, 2004
Yes it does, and it's got me out of a hole, many thanks Scott
Guest wrote NFUSE still not working after changing above settings?
on Sun, Dec 12 2004 1:57 PM Link To This Comment
This message was originally posted by an anonymous visitor on November 30, 2004
I can't get nfuse to work after changing above settings. I keep getting the message server is not available
Guest wrote Does this workaround work for anyone else
on Sun, Dec 12 2004 1:57 PM Link To This Comment
This message was originally posted by an anonymous visitor on December 7, 2004
It also worked for me on a Windows 2000 SP3 machine. Many thanks. Regards Jon
Pär Johansson wrote Re: If there is a box
on Tue, Dec 28 2004 5:30 AM Link To This Comment
Or delete temporary internet files.
Guest wrote Re: NFuse works when logged in as Administrator, but not when logged in as Limited User
on Tue, Dec 28 2004 2:42 PM Link To This Comment
Try installing client version 8.1 or higher
Guest wrote Re: Why does Citrix ignore Administrator problem almost everybody running XP has?
on Mon, Feb 7 2005 3:09 PM Link To This Comment
You were right, it worked great!! Just assign write permissions to the above registry key and it will work (Installing the latest Metaframe version will not solve the problem)
Thank you very much,
IB
Guest wrote Re: Why does Citrix ignore Administrator problem almost everybody running XP has?
on Thu, Feb 24 2005 4:22 PM Link To This Comment
Yes, just discovered same solution after a lot of debugging with FileMon and RegMon...

10528 102.82765603 wfica32.exe:7016 OpenKey HKLM\Software\Microsoft\MSLicensing\HardwareID ACCDENIED Access: 0x2001F
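
An added example, not part of the original comments: decoding the `Access: 0x2001F` mask in the RegMon line above shows which rights `wfica32.exe` requested on the HKLM key, which is why the open fails for accounts without write access there. The first sample line is the one quoted above; the other two are constructed for contrast.

```python
import re

# Registry access-right bits (Windows SDK, winnt.h).
KEY_RIGHTS = {
    0x00001: "KEY_QUERY_VALUE",
    0x00002: "KEY_SET_VALUE",
    0x00004: "KEY_CREATE_SUB_KEY",
    0x00008: "KEY_ENUMERATE_SUB_KEYS",
    0x00010: "KEY_NOTIFY",
    0x00020: "KEY_CREATE_LINK",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Rights that modify the key, its values, or its security descriptor.
WRITE_RIGHTS = {"KEY_SET_VALUE", "KEY_CREATE_SUB_KEY", "KEY_CREATE_LINK",
                "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# Layout of the quoted RegMon line: seq, time, process:pid, op, key, result, mask.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\S+)\s+"
    r"(?P<key>.+?)\s+(?P<result>[A-Z]+)\s+Access:\s*(?P<mask>0x[0-9A-Fa-f]+)\s*$"
)


def decode_mask(mask):
    """Return the names of the rights set in a registry access mask."""
    return [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]


def denied_writes(log_text):
    """List ACCDENIED opens under HKLM that asked for at least one write right."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "ACCDENIED":
            continue
        rights = decode_mask(int(m["mask"], 16))
        wanted = [r for r in rights if r in WRITE_RIGHTS]
        if wanted and m["key"].upper().startswith("HKLM\\"):
            findings.append({"process": m["proc"], "key": m["key"],
                             "rights": rights, "write_rights": wanted})
    return findings


# Line 1 is quoted from the comment above; lines 2 and 3 are constructed.
SAMPLE_LOG = r"""
10528 102.82765603 wfica32.exe:7016 OpenKey HKLM\Software\Microsoft\MSLicensing\HardwareID ACCDENIED Access: 0x2001F
10529 102.82771301 wfica32.exe:7016 OpenKey HKLM\Software\Example\ReadOnly SUCCESS Access: 0x20019
10530 102.82780000 wfica32.exe:7016 OpenKey HKCU\Software\Example\PerUser ACCDENIED Access: 0x20019
"""

if __name__ == "__main__":
    for f in denied_writes(SAMPLE_LOG):
        print(f["process"], f["key"], "wants", ", ".join(f["write_rights"]))
```

On the quoted line the write rights requested are `KEY_SET_VALUE` and `KEY_CREATE_SUB_KEY`; the request does not include `DELETE`, `WRITE_DAC` or `WRITE_OWNER`.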
Guest wrote Re: Why does Citrix ignore Administrator problem almost everybody running XP has?
on Thu, Feb 24 2005 4:59 PM Link To This Comment
FYI: Looks like regini or subinacl will change registry permissions in a script.
Guest wrote A fix?
on Thu, Apr 14 2005 8:23 AM Link To This Comment
Within IE, select Tools - Internet Options - Advanced, scroll down to Security and untick the Do not save encrypted files to disk, but make sure the Empty Temporary Internet files is ticked. Give it a go - Brian McL
Guest wrote Re: A fix?
on Thu, Apr 14 2005 8:36 AM Link To This Comment
Oops, it should read Empty Temporary Internet file is unticked and limit temp file storage accordingly. I am assuming here you have installed Citrix Web Client 8.x.
Guest wrote Re: Web ICA Client Works
on Sun, Jun 5 2005 7:56 AM Link To This Comment
Upgraded citrix server 3.0 then some of our home clients started getting this error

"internal error during proxy evaluation" when they click launching applications.
Guest wrote WORKED FOR ME!!!
on Fri, Jul 8 2005 11:50 AM Link To This Comment
I used the fix on a Windows XP system with ICA Client 9 and now my users can actually use Citrix which had been installed and unused for the last 4 months.
Guest wrote Works with 8 but not with 9.
on Fri, Jul 15 2005 6:31 PM Link To This Comment
I have this problem when using the Citrix 9 client.

I found that I could install the Citrix 8 webclient to a different directory and change the file association for .ica files to use wfcrun32.exe from the webclient directory.

This allows me to continue to use the 9 client without giving up the ability to create connections through Nfuse.
Guest wrote SP2 for Windows XP Breaks Citrix NFuse / Web Interface Clients
on Thu, Jul 28 2005 11:24 AM Link To This Comment
Have you guys tried to point Terminal Services Licensing parameter in registry to point to Domain Controller?

hklm-->system-->current ctrl set-->services-->TermService-->Parameters.
set the server DC server name as REG_SZ in DefaultLicenseServer

Guest wrote RE: an answer from Citrix ...
on Thu, Jan 19 2006 11:49 AM Link To This Comment
ORIGINAL: Guest

This message was originally posted by m@ in london on May 7, 2004
look at the following Microsoft document:
http://download.microsoft.com/download/8/7/9/879a7b46-5ddb-4a82-b64d-64e791b3c9ae/WinXPSP2_Documentation.doc
check from page 103, it gives some details about the new Windows XP SP2 feature: Internet Explorer MIME Handling Enforcement

you can turn it off by setting the following registry value to 0 ( off)
HKEY_LOCAL_MACHINE(or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

 
I have tried this and everything else I've found on the Internet. The ICA client file is not found on one computer I have, but works flawlessly on three others. W2000 and 2 XP SP2 machines work fine. One XP SP2 machine I get "ICA file not found". I click Tools/Internet Options/Delete Files and I get right in. I have to do this each time. I have searched this high and low and so far this site has been the most helpful, but I still haven't solved the problem.
 
TIA
 
Jeff
Guest wrote RE: Re: Web ICA Client Works
on Tue, Feb 21 2006 10:49 AM Link To This Comment
Have had same issue two things solved it.  http://learn.quinnipiac.edu/citrix/faqsix.asp  and make sure IE is set to the default
Guest wrote RE: Why does Citrix ignore Administrator problem almost everybody running XP has?
on Sat, Mar 4 2006 1:23 AM Link To This Comment
Worked for me, fixed 90 broken PC's with this. Thanks a TON
Guest wrote RE: Why does Citrix ignore Administrator problem almost everybody running XP has?
on Thu, Jul 20 2006 2:42 PM Link To This Comment
this worked for us as well.  thanks!
F. D. Hand wrote RE: Why does Citrix ignore Administrator problem almost everybody running XP has?
on Mon, Jul 24 2006 10:08 AM Link To This Comment
This just fixed an issue for 2000 pc's & laptops.  THX!
 
(Why hasn't Citrix addressed this?...The first post in this thread is from 2004!)
Guest wrote RE: You can also use the java client and it works
on Wed, Sep 20 2006 9:58 AM Link To This Comment
