Hello All, I have installed XenApp 5.0 Advanced Edition on 4 x Windows Server 2008 servers. When I am trying to access any published applications from my client through Program Neighbourhood on Windows Server 2008, I receive the following error: "Cannot connect to the citrix XenApp server.The Server (Unknown) is not trusted for ICA connections. Connections to the (All Regions) Region are not allowed by lockdown setting". The strange thing is that it is not happening with all our users. We do not have the icaclient.adm imported so I can't see that this will be the problem. Any help would be appreciated. Regards
Thanks for the response. I actually forgot about the post and managed to solve it a while back. Your solution is 100% correct. My problem boiled down to the All regions registry key from the 'all users' profile not copying correctly when creating a new profile.
I have exactly the same issue. How do you copy the working key to all users though? I've tried via a logon script but registry editing is disabled???
Try:
- CTX112653
--Emil
I just import a registry file in the logon script. Maybe something in your GPOs?
Emil, I've tried all that.
breikers, can you tell me step by step what you did?
thanks
When I encountered this problem a while back I did try CTX112653 but it did not work for me.
All I did was go to HKEY_USERS\.DEFAULT\Software\Citrix\ICA Client\Engine\Lockdown Profiles. Export it to a .reg file.
Edit the .reg file and change all HKEY_USERS\.DEFAULT to HKEY_CURRENT_USER.
Then if I ever encountered a user who received that error I just ran the reg file as that user and it solved the problem.
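The .reg rewrite described in the post above, as an added example that is not part of the original thread. It goes slightly beyond the post by rewriting only key headers and refusing any key outside the Lockdown Profiles subtree; the function name, output path and sample value names are assumptions.

```powershell
# Added example, not from the thread. Rewrites only the key headers of an exported
# .reg file from HKEY_USERS\.DEFAULT to HKEY_CURRENT_USER and rejects stray keys.
$SourceKey = 'HKEY_USERS\.DEFAULT\Software\Citrix\ICA Client\Engine\Lockdown Profiles'
$TargetKey = 'HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles'

function Convert-LockdownRegFile {   # hypothetical helper name
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Key headers look like [HKEY_...\path]; a leading '-' marks a key deletion.
        if ($line -match '^\[(-?)(.+)\]\s*$') {
            $delete = $Matches[1]
            $key    = $Matches[2]
            $inTree = ($key -eq $SourceKey) -or
                      $key.StartsWith("$SourceKey\", [System.StringComparison]::OrdinalIgnoreCase)
            # A logon script should only ever import the settings it was meant to carry.
            if (-not $inTree) { throw "Key outside Lockdown Profiles: $key" }
            '[' + $delete + $TargetKey + $key.Substring($SourceKey.Length) + ']'
        } else {
            $line   # version header, values and blank lines pass through unchanged
        }
    }
}

# Constructed sample export; value names are placeholders, not real Citrix settings.
$sample = @(
    'Windows Registry Editor Version 5.00'
    ''
    "[$SourceKey]"
    ''
    "[$SourceKey\All Regions]"
    '"ExampleSetting"=dword:00000001'
    '"ExampleText"="HKEY_USERS\\.DEFAULT is left alone inside value data"'
)

$outFile = Join-Path $env:TEMP 'lockdown-hkcu.reg'   # assumed output path
# regedit's "Version 5.00" format is UTF-16LE, which -Encoding Unicode produces.
Set-Content -Path $outFile -Value (Convert-LockdownRegFile -Lines $sample) -Encoding Unicode
Get-Content -Path $outFile

# A file that also carries an unrelated key is refused instead of being rewritten.
try   { Convert-LockdownRegFile -Lines ($sample + '[HKEY_USERS\.DEFAULT\Software\Example]') | Out-Null }
catch { "Rejected: $($_.Exception.Message)" }
```

For a real export, pass the function the lines of the file saved from regedit (`Get-Content` detects its UTF-16 encoding) in place of the constructed sample.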
stephenw, but how do you run it as another user? By default registry editing is disabled in the GPO so I can't see how I can apply the working settings into all other users' registry hives.
I did it exactly as Stephenw did. As each user logs on, the domain logon script imports the registry key into the current user profile. We use kixtart as the logon processor:
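; Build the path to the .reg file from the logon drive (@LDRIVE)
$RegFilePath = @LDRIVE
$RegfileName = "icaclient.reg"
$Regfile = $RegFilePath + $RegfileName
; regedit /s imports the file silently
$Command = "%comspec% /c regedit /s " + $Regfile

; Only run the import when the .reg file is present
If EXIST ($Regfile)
    shell $Command
Endif

Exit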
By default the HKEY_CURRENT_USER registry hive is owned by the user who is logged in, which is what the reg file changes. We have the .reg file (which is a generic file) sitting on a share where all our users have access to. We luckily have not encountered many users that have this problem and have not needed to deploy it corporation wide using a logon script or GPO. We were doing it on a per user basis. The user does not need to open regedit, just run the .reg file. If your registry is completely locked down then you might need to use a tool like 'unhookexec.inf' to open up the registry to be able to fix the problem. Once you log off and log back in the GPO will apply again. But speak to your Active Directory/GPO admin before doing that. Luckily I am both where I work.
The registry is locked down. I tried creating a batch file as a logon script that used regedit /s but when a user ran an application they got the error message about registry editing being disabled.
We only publish applications, not desktops.
This is doing my head in!
How can I use the 'unhookexec.inf' tool?
I have permissions to change the GPO if that's easier??
I think it is a policy setting. Check user config, administrative templates, system. Setting: prevent access to registry editing tools
OK, I've exported the working settings to a registry key, created a domain logon script batch file that silently adds the registry key that is stored on each application server. I've also allowed silent registry editing as part of the GPO.
It now works!
Thanks to all of you who have replied, especially as this thread was closed ages ago. This had been bugging me for days!!