Understanding the webica.ini file in ICA Client Version 9

Written on Oct 03 2005 Filed under: Citrix, Technical Articles, Client Software 13,587 views, 17 comments

by Jeff Pitsch

Ever since the release of Presentation Server 4 and ICA Client 9, there has been a lot confusion over the webica.ini file. Sometimes it’s there and sometimes it isn’t!?! There’s also confusion over when you can actually modify settings in the Connection Center.  Sometimes they’re grayed out and other times they’re accessible. This article explains why this is.

Prior to version 9, the ICA client would ask the user to choose the level of file security when starting a session. This was in the form of a popup box that informed the user that a remote application was trying to access the local drives. What access should be allowed? Full, Read Only, or None. That box would also ask the user whether the system should remember the chosen option for the next time a session was started. If the user chose to have the system remember their selection, the ICA client software would write the changes to a configuration file called webica.ini and store it in the Windows root folder.

Administrators could suppress this dialog box on a client device simply by preconfiguring the webica.ini file on a client.

That was then, this is now. Starting with ICA clients version 9, the client doesn’t always prompt the user with the security options and the webica.ini file doesn’t always work. For better or worse, there’s now a bit of intelligence built into the client that now determines whether the client will not only ask, but allow changes made to the different security settings. The client (wfica32.exe to be exact) now determines whether it is “trusted” or “untrusted” (these are not Citrix terms). A client is “trusted” if it’s started from the Program Neighborhood or Program Neighborhood Agent. The client is “untrusted” if it’s started from the Web Interface or an ICA file. When a client is “trusted,” full access is given to the client drives and the options are grayed out in the Connection Center. There is currently no way to override this. If a client is “untrusted” then the user is asked how they would like the settings set and the options are available in the Connection Center.

What’s really interesting about this is that this trusted versus untrusted distinction is even made between the connections made via the Program Neighborhood Agent and the Web Interface, even though they are both based on the same back-end Web Interface technology. The reasoning behind this is that when using the Program Neighborhood Agent, a user must manually configure a backend Web Interface server and will only get applications from it. A browser-based Web Interface launch, however, could potentially occur from a malicious Internet site which is why it falls into the untrusted realm.

Citrix is currently working on adding more control over this new aspect of the client.

Comments

Richard Thompson wrote Thanks Jeff

on 10-05-2005 8:25 AM

Thanks for the information Jeff.

hans straat wrote excelent explanation

on 10-05-2005 8:28 AM

Hey Jeff,

Nice to explain this connection issue. Never saw the "trusted" "untrusted" part actually. But what if your PN client is in another domain is it then also "untrusted".

greetz
hans

Jeff Pitsch wrote RE: excelent explanation

on 10-05-2005 10:54 AM

If it's PN, it's still trusted. For instance, i'm out at a client right now and my laptop is in a completely different domain. No trusts, not the same forest, etc. completely and utterly seperate. when I connect to their farm, it is still considered trusted if I connect using PN.

Jeff Pitsch wrote RE: excelent explanation

on 10-05-2005 12:27 PM

Let me elaborate a bit more. the reason why it's trusted is becaue you have to manually setup a connection to the farm. it's the same reasoning why PNA is trusted but not going through WI. WI all you have to do is login, there is no configuration by the user.

hans straat wrote Re: RE: excelent explanation

on 10-06-2005 7:22 AM

Ok that makes sence with the "trusted" and "untrusted" part. My english is not that well sometimes :)

Guest wrote Pn Agent

on 10-06-2005 11:38 AM

I can see why they consider PNAgent a "Trusted" connection. The fact that they no longer support PNA From an external connection, and that you have to do some manual work to get it to work externally is why they are operating that way. Not sure I agree..Anyway thanks for pointing out.

Guest wrote Web ICA Client

on 11-16-2005 7:56 AM

Bit of a question here. When the end user is in a seperate domain (with no trust relationship whatsoever with the domain the Citrix server is in) and they select that they want to trust the Citrix session to see their local drive, only their physical drives (i.e. C and D) are available.
If I was to use the PNA client rather than Web - would they then be able to see their network drive mappings? Is there a way to do this with the Web client?

Michael Burke wrote RE: Web ICA Client

on 11-16-2005 8:45 AM

When the Citrix client asks about trusting the connection, it has nothing to do with domains - the Citrix server is attempting to access the client's drives and is asking is it is OK.

Citrix only maps physical client drives. You have the ability to map a client's network drives but it has to be done with some other method (script, manual, etc.).

David McBean wrote Re: RE: Web ICA Client

on 11-16-2005 8:57 AM

Which obviously isn't possible if they're completely off at another organisation.... bummer. Thanks for the advice anyway Michael....

Michael Burke wrote RE: Re: RE: Web ICA Client

on 11-16-2005 9:00 AM

Which obviously isn't possible if they're completely off at another organisation....
Sure it is... Just create a script to run inside the Citrix session to map the drives. Running "change client" from a command line in the session will show you all client shares (physical and network). If you can take that value and turn it around into a net use command, you should be able to map the client network drives.

Either that, or you could expose the Map Network Drive functionality in Windows Explorer, but personally I would take the scripting approach.

Guest wrote RE: excelent explanation

on 12-13-2005 3:09 PM

Jeff, thank you for the explanation.
We are experiencing this issue when our remote clients hit only one of our several Citrix servers.  They access applications via NFuse 1.7. When the user tries to launch a published app, he is getting an error, icast.exe....Access is denied. After deleting the webica.ini file and launch the app again, the security box pops up and we choose Full or Read access, the problem is solved. The user can access the app. We can reproduce this error if we choose No Access on the security pop up box.
 
Our question is why is it happening on just one server? Is there a setting we need to configure on this particular server? Please note all of the servers are identical in terms of OS, MFPS3.0, SPs, hardware, etc. Thanks in advance for your assistance.

Guest wrote RE: Thanks Jeff

on 09-06-2006 4:53 PM

Hi jeff;
 
Do you have an update on ica file security?
Thanks
 
Fernando
 
ORIGINAL: EkilErif

Thanks for the information Jeff.

Guest wrote RE: Thanks Jeff

on 09-20-2006 9:44 AM

Guest wrote RE: Re: RE: Web ICA Client

on 11-10-2006 6:33 AM

ORIGINAL: Michael Burke


Sure it is... Just create a script to run inside the Citrix session to map the drives.
How do you run a script inside a Citrix session????
 
Running "change client" from a command line in the session will show you all client shares (physical and network). If you can take that value and turn it around into a net use command, you should be able to map the client network drives.
Is the "Change Client" run in a batch file
Can you then map network drives (NET USE) using their local domain credentials back to their Local Network drives  ?? (in an un trusted domain)

Guest wrote [Deleted]

on 11-15-2006 2:26 AM

Guest wrote Is there an update for 10.1?

on 07-26-2007 1:08 AM

"Citrix is currently working on adding more control over this new aspect of the client"

Is there yet any more control in 10.1?

Guest wrote Is there an update for 10.1?

on 07-26-2007 1:08 AM

"Citrix is currently working on adding more control over this new aspect of the client"

Is there yet any more control in 10.1?

(Note: You must be logged in to post a comment.)