Oops! SP2 for Windows XP Breaks Citrix NFuse / Web Interface Clients

As you probably know by now, one of the key enhancements of Service Pack 2 for Windows XP is the added security. Unfortunately, this added security causes a default installation of Internet Explorer to classify web files with the "ICA" extension as unsafe. This means that when using Service Pack 2, users are not able to click on a linked ICA file from a Citrix NFuse or MetaFrame Web Interface web site.

Prior to Service Pack 2, Windows XP users could browse to Citrix NFuse / Web Interface servers and click on links to launch remote MetaFrame applications. Clicking a link causes the web server to pass an ICA file down to the Windows XP client device where the locally installed ICA Client software receives it and seamlessly launches the application.

Once Service Pack 2 is installed, clicking an ICA file link pops up a dialog box warning that some files may harm your computer. The user is asked whether they want to Open, Save, or Cancel. Worse still is that choosing the "Open" option doesn't seem to work. The only workaround involves saving the file to your computer and then running it manually from there.

The security warning box is presented to the user regardless of the configured security zone of the server.

In all fairness, this security complexity is not limited to Citrix ICA files. (The web is filling with stories of people who can no longer run VBS files with SP2.) Also, workarounds are possible. However, it could provide quite a bit of cleanup work for Citrix administrators, especially when users connect from outside workstations that will automatically receive SP2 via Windows Update.

We don't yet know if this behavior is by design or simply an oversight of the classification of ICA files. (Certainly Microsoft shouldn't consider ICA files as dangerous as VBS files?)

This message was originally posted by Brian Madden on March 5, 2004
As a follow-up, I received a phone call yesterday from a Microsoft employee who said that this issue is known within Microsoft, and that it's officially made it into the bug tracking database for SP2.
This message was originally posted by Andrew on March 24, 2004
But as of RC1, have made no (good) alterations - the security warning box doesn't appear now!
This message was originally posted by an anonymous visitor on April 13, 2004
Windows XP SP2 Technical Preview
Download the Network Install
Published: March 19, 2004
Windows XP Service Pack 2 (SP2) provides an enhanced security infrastructure that defends against viruses, worms and hackers, along with increased manageability and control for IT professionals and an improved experience for users.


To aid IT professionals in planning and testing for the deployment of Windows XP SP2, Microsoft is making available this preview, based on Release Candidate 1 of the SP2. Additionally, we have established 11 newsgroups for sharing information.

WARNING! This technical preview is unsupported and is intended for testing purposes only. Do not use in production environments.

There is no phone or incident support available for this download, but any questions may be posted in the newsgroups available at http://communities.microsoft.com/newsgroups/default.asp?icp=xpsp2&slcid=us

This message was originally posted by an anonymous visitor on April 16, 2004
So is there any way to "work around" this issue with Citrix? I liked SP2 but cannot live without Citrix so I un-installed it. I would love to find a way to have both.
This message was originally posted by an anonymous visitor on April 20, 2004
Thanks. I thought of that but the file is deemed unsafe whether launched from Citrix or from a saved location.
This message was originally posted by an anonymous visitor on April 19, 2004
Save to desktop and open there?
This message was originally posted by an anonymous visitor on April 25, 2004
It seems that any browser but IE will handle Citrix. So just use Netscape or any other browser but IE.
This message was originally posted by an anonymous visitor on April 22, 2004
Y0U ARE THE MAN! It W0RKED I SEND MY ThaNKS IN A BiG WAY!

N0W if I Can 0NLY figure out this pen!
This message was originally posted by an anonymous visitor on April 21, 2004
Install Mozilla Firefox, log in to NFUSE, and work normally :)
This message was originally posted by Brian Madden on April 27, 2004
These are the new clients that come with MetaFrame Presentation Server 3, and they're freely downloadable now.
This message was originally posted by m@ in london on May 7, 2004
look at the following Microsoft document:
http://download.microsoft.com/download/8/7/9/879a7b46-5ddb-4a82-b64d-64e791b3c9ae/WinXPSP2_Documentation.doc
check from page 103, it gives some details about the new Windows XP SP2 feature: Internet Explorer MIME Handling Enforcement

you can turn it off by setting the following registry value to 0 (off)
HKEY_LOCAL_MACHINE(or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
This message was originally posted by an anonymous visitor on May 7, 2004
The Solution to save the ICA file to your desktop doesn't work, either, if that functionality has been disabled on the desktop or if you cannot right click and save on a workstation.

The workaround is to wait until it's fixed.

This message was originally posted by Patrick Laroche on May 14, 2004
Out of my own
STEP_1: Set registry value for iexplorer.exe to '0' (off) in 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING'
STEP_2: Go to 'Control Panel' > 'Internet Options' > 'Security' > 'Trusted Sites' and add the fully qualified internet name of your NFuse gateway, for example 'https://citrix.mydomain.com'.
STEP_3: Re-install the Citrix ICA web client.
This patch works both with MSIE and Mozilla.
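
To find out where the step 1 change has been applied, the following added example (not part of the original comment) scans exported .reg text for FEATURE_MIME_HANDLING values set to 0 and reports whether each one is machine-wide or per-user. The export text is constructed, and the value name `iexplore.exe` and the `ExampleVendor` key are assumptions made for the sample.

```python
import re

# Key path from the comment above, lower-cased for comparison.
FEATURE_KEY = (r"software\microsoft\internet explorer\main"
               r"\featurecontrol\feature_mime_handling")
HIVES = {"hkey_local_machine": "machine-wide", "hkey_current_user": "per-user"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

# Constructed sample export; the value name iexplore.exe is an assumption.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\ExampleVendor\Unrelated]
"iexplore.exe"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
"iexplore.exe"=dword:00000000
"""

def mime_handling_values(reg_text):
    """Return (scope, process, enabled) for each FEATURE_MIME_HANDLING value."""
    results, scope = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key section: track it only if it is the feature key.
            hive, _, subkey = line.strip("[]").lower().partition("\\")
            scope = HIVES.get(hive) if subkey == FEATURE_KEY else None
        elif scope:
            m = VALUE_RE.match(line)
            if m:
                enabled = int(m.group("val"), 16) != 0
                results.append((scope, m.group("name").lower(), enabled))
    return results

def disabled_processes(reg_text):
    """Processes for which MIME handling enforcement is switched off."""
    return [(s, p) for s, p, on in mime_handling_values(reg_text) if not on]

if __name__ == "__main__":
    for scope, proc in disabled_processes(SAMPLE_EXPORT):
        print(f"MIME handling enforcement disabled ({scope}): {proc}")
```

A machine-wide entry affects every account on the workstation, while a per-user entry affects only the profile it was exported from.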
This message was originally posted by an anonymous visitor on May 25, 2004
You can also change your portal settings from native client to java and it works just fine.
This message was originally posted by an anonymous visitor on May 25, 2004
If you get the error box "can't find ica file" try to uncheck the box "don't save encrypted pages to disk" under "extras" from IE.
This message was originally posted by an anonymous visitor on June 9, 2004
I have tried the new version of 8.0 and it works great. No problems, no tweaking, easy install. Server side I am running Metaframe XPe Feature Release 3, Nfuse 2.0. All my users are starting to use the new client.
This message was originally posted by an anonymous visitor on June 23, 2004
I have been experiencing this problem since installing SP2 RC1. On reading this page I have just downloaded version 8.0 of the client. My connection to an outside site has worked first time.
This message was originally posted by an anonymous visitor on August 13, 2004
Windows product that like TSE that enhances Windows WTS build and does not try to replace it like Citrix is a much better fit. This will stop the issues of compatibility when additional patches comes out...
This message was originally posted by Coupland on September 8, 2004
Well, I think Citrix is a little overpriced but to say Citrix tries to replace WTS is pure silliness. WTS IS Citrix technology purchased by Microsoft. If anything Microsoft hoped to replace Citrix and later decided against it based on the sheer revenue generated by the software vendor. Want to run Citrix? Well you'll need Windows server and Terminal server licenses. lol
This message was originally posted by Lax on September 17, 2004
With registry changes and installation of new web client it works fine with MS IE.
This message was originally posted by an anonymous visitor on October 6, 2004
I installed both Mozilla foxfire & citrix 8.0
but my citrix is still not working
This message was originally posted by manu on October 14, 2004
step 1 recommended by patrick worked - thanks!! of course i did not understand what i did so i have no clue what impact it will have on my machine
This message was originally posted by an anonymous visitor on November 17, 2004
I found that Power User also works but not User. My system is running XP SP2 with all critical patches installed and the ica 8 web client. I'd really rather not have the user account running with anything higher than User rights on the box.
This message was originally posted by R Frey on November 16, 2004
As a Limited User I can login to the Applications Menu, but then when I select the application the "Connecting to (Application)" appears and "Connection Established, Negotiating Capabilities..." message appears and the bar quickly fills from left to almost all the way to the right, but then hangs and then disappears without success. When logged in as Administrator this same Window appears and the bar is blue, but as Limited User the bar is grey. Obviously I need to give the Limited User some access, but where and how?? I would really not like to give the user Administrative access.
This message was originally posted by Scott D on November 18, 2004
I also have users running WinXP and some of them run into the problem of needing elevated rights for the Web client to connect. If you go to Citrix's support page they do not even acknowledge it as a problem, but if you read their forums many users are complaining about it with no resolution. The only workaround I have found that seems to work is to give Users write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID key.
Does this "workaround" work for anybody else?
This message was originally posted by an anonymous visitor on November 22, 2004
Yes it does, and it's got me out of a hole, many thanks Scott
This message was originally posted by an anonymous visitor on November 30, 2004
I can't get nfuse to work after changing above settings. I keep getting the message server is not available
This message was originally posted by an anonymous visitor on December 7, 2004
It also worked for me on a Windows 2000 SP3 machine. Many thanks. Regards Jon
Cancel
Or delete temporary internet files.
Cancel
Try installing client version 8.1 or higher
Cancel
You were right, it worked great!! Just assign write permissions to the above registry key and it will work (Installing the latest Metaframe version will not solve the problem)
Thank you very much,
IB
Cancel
Yes, just discovered same solution after a lot of debugging with FileMon and RegMon...

10528 102.82765603 wfica32.exe:7016 OpenKey HKLM\Software\Microsoft\MSLicensing\HardwareID ACCDENIED Access: 0x2001F
Cancel
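
The RegMon line quoted in the comment above records the access mask the client requested on the HardwareID key. As an added example (not part of the original thread), this Python code decodes that mask using the registry access-right constants from the Windows SDK header winnt.h and flags denied opens that asked for write access. The field layout is inferred from that single line, and the second log line and its `ExampleVendor` key are constructed.

```python
import re

# Registry access-right bits as defined in the Windows SDK header winnt.h.
KEY_RIGHTS = {
    0x00001: "KEY_QUERY_VALUE",
    0x00002: "KEY_SET_VALUE",
    0x00004: "KEY_CREATE_SUB_KEY",
    0x00008: "KEY_ENUMERATE_SUB_KEYS",
    0x00010: "KEY_NOTIFY",
    0x00020: "KEY_CREATE_LINK",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
WRITE_BITS = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000

# Field layout inferred from the single RegMon line quoted in the thread.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<proc>[^\s:]+):(?P<pid>\d+)\s+(?P<op>\w+)\s+"
    r"(?P<key>.+?)\s+(?P<result>[A-Z]+)\s+Access:\s*(?P<mask>0x[0-9A-Fa-f]+)\s*$")

# First line is from the thread; the second is constructed for contrast.
SAMPLE_LOG = r"""10528 102.82765603 wfica32.exe:7016 OpenKey HKLM\Software\Microsoft\MSLicensing\HardwareID ACCDENIED Access: 0x2001F
10529 102.82790011 wfica32.exe:7016 OpenKey HKLM\Software\ExampleVendor\Some Key SUCCESS Access: 0x20019
"""

def decode_mask(mask):
    """Names of the access rights set in a registry access mask."""
    return [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]

def denied_opens(log_text):
    """One finding per ACCDENIED line, with the rights that were requested."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "ACCDENIED":
            continue
        mask = int(m.group("mask"), 16)
        findings.append({"process": m.group("proc"), "key": m.group("key"),
                         "rights": decode_mask(mask),
                         "wants_write": bool(mask & WRITE_BITS)})
    return findings

if __name__ == "__main__":
    for f in denied_opens(SAMPLE_LOG):
        print(f["process"], f["key"], ", ".join(f["rights"]))
```

The mask 0x2001F is KEY_READ (0x20019) combined with KEY_WRITE (0x20006), so the denied request is for write access to that one key rather than for administrative rights in general.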
FYI: Looks like regini or subinacl will change registry permissions in a script.
Cancel
Within IE, select Tools - Internet Options - Advanced, scroll down to Security and untick the Do not save encrypted files to disk, but make sure the Empty Temporary Internet files is ticked. Give it a go - Brian McL
Cancel
Oops, it should read Empty Temporary Internet file is unticked and limit temp file storage accordingly. I am assuming here you have installed Citrix Web Client 8.x.
Cancel
Upgraded citrix server 3.0 then some of our home clients started getting this error

"internal error during proxy evaluation" when they click launching applications.
Cancel
I used the fix on a Windows XP system with ICA Client 9 and now my users can actually use Citrix which had been installed and unused for the last 4 months.
Cancel
I have this problem when using the Citrix 9 client.

I found that I could install the Citrix 8 webclient to a different directory and change the file association for .ica files to use wfcrun32.exe from the webclient directory.

This allows me to continue to use the 9 client without giving up the ability to create connections through Nfuse.
Cancel
Have you guys tried to point Terminal Services Licensing parameter in registry to point to Domain Controller?

hklm-->system-->current ctrl set-->services-->TermService-->Parameters.
set the server DC server name as REG_SZ in DefaultLicenseServer

Cancel
ORIGINAL: Guest

This message was originally posted by m@ in london on May 7, 2004
look at the following Microsoft document:
http://download.microsoft.com/download/8/7/9/879a7b46-5ddb-4a82-b64d-64e791b3c9ae/WinXPSP2_Documentation.doc
check from page 103, it gives some details about the new Windows XP SP2 feature: Internet Explorer MIME Handling Enforcement

you can turn it off by setting the following registry value to 0 ( off)
HKEY_LOCAL_MACHINE(or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

 
I have tried this and everything else I've found on the Internet.  The ICA client file is not found on one computer I have, but works flawlessly on three others.  W2000 and 2 XP SP2 machines work fine.  One XP SP2 machine I get "ICA file not found".  I click Tools/Internet Options/Delete Files and I get right in.  I have to do this each time.  I have searched this high and low and so far this site has been the most helpful, but I still haven't solved the problem.
 
TIA
 
Jeff
Cancel
Have had same issue two things solved it.  http://learn.quinnipiac.edu/citrix/faqsix.asp  and make sure IE is set to the default
Cancel
Worked for me, fixed 90 broken PC's with this. Thanks a TON
Cancel
this worked for us as well.  thanks!
Cancel
This just fixed an issue for 2000 pc's & laptops.  THX!
 
(Why hasn't Citrix addressed this?...The first post in this thread is from 2004!)