Handy tips on a Friday

Today I was busy helping a Thin client deployment remotely and I thought that the settings we did there might be handy for more people. So as usual I share this on my blog.


The environment this was happening in is a Citrix environment set up with:
  • Citrix XenApp 7.5
  • Microsoft Hyper-V 2012R2
  • Microsoft Windows 2008R2 to be used with XenApp
  • Microsoft Windows 7 for endpoints
  • RES Workspace Manager 2014 Gold
  • ThinKiosk – Community license
  • Microsoft System Center 2012
The questions today were about a Thin client deployment with Microsoft Windows 7. The clients are non-domain joined and live in a workgroup of some sort.

Issue that needed to be solved

So I got contacted because the following “issues” presented themselves while testing a deployment;
  • The Citrix receiver would show a license warning the first time you connect through a web browser. Checking the check mark makes it go away but that’s not something you would like to ask your users to do each day;
  • The web page that opens (Storefront) was reporting to be un-trusted;
  • The published desktop didn’t start automatically after authentication;
  • After you logged on there was a pop-up from Internet Explorer that asked you to enable or disable the add-on;
  • After you logged on to the desktop you get a security warning from the Citrix receiver about files, camera, usb etc.
So five questions and five things you will run into each time you work with a Thin client that is non-domain joined. Let’s show you how each of them can be tackled.

License warning Citrix

The license warning can be handled from the Citrix StoreFront servers.
To solve this you need to browse to the web.config file of the store.
For this customer that was C:\Inetpub\wwwroot\Citrix\DesktopWeb.
Locate the following entry : 
Change the “true” to “false” and save the file.
Now if you have more than one Storefront server you need to make sure the change is propagated to all of them; I'm sure you know how to do that from the console.
After this is done and you propagated you’ll notice the license question is gone.

Untrusted certificate

A pretty common issue is that you browse from a non-domain joined client to an internal web page and get a warning. The thin client doesn’t have the root certificate loaded and therefore can’t check whether the full certificate path is trusted.
So what you need to do is import the root certificate into the Trusted Root certificate store on the thin client. You will want to automate this, so follow these steps;
Add the downloaded root certificate (certnew.cer) to the C:\Windows\Setup folder while deploying the thin client with SCCM or any other means.
Run the following command: certmgr.exe -add -c "C:\Windows\Setup\certnew.cer" -s -r LocalMachine root
This will add the root certificate to the trusted store and when you browse to the Citrix internal site again you won’t see the certificate security error.
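
A root added to the LocalMachine store is trusted for every site it signs, so it is worth confirming that certnew.cer is the expected CA certificate before importing it. The following is an added example, not part of the original post: a PowerShell variant of the import step that checks the thumbprint first. The function name is hypothetical and the thumbprint is a placeholder to be replaced with the value read from your own CA.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# $ExpectedThumbprint is a PLACEHOLDER: replace it with the SHA-1 thumbprint
# read from the CA itself, obtained over a channel you trust.
function Add-VerifiedRootCertificate {
    param(
        [string]$Path = 'C:\Windows\Setup\certnew.cer',
        [string]$ExpectedThumbprint = '<ROOT-CA-THUMBPRINT-PLACEHOLDER>'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    # Certificate dialogs show the thumbprint with spaces; keep hex digits only.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($want.Length -ne 40) {
        throw 'Set ExpectedThumbprint to the 40-hex-digit thumbprint of your root CA.'
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint); not importing."
    }

    # A root CA certificate is self-signed: subject and issuer are identical.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed root (issuer: $($cert.Issuer)); not importing."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter); not importing."
    }

    # Same destination as the certmgr.exe command: LocalMachine, Root store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }
    finally { $store.Close() }

    "Imported $($cert.Subject) [$($cert.Thumbprint)] into LocalMachine\Root"
}
```

The script uses only .NET classes, so it does not depend on the newer certificate cmdlets that a stock Windows 7 image lacks.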

Auto start published desktop

Again this is one of the issues we face often and therefore not the hardest one, but perhaps it’s the first time you see it, so here’s the why.
The desktop that you publish won’t start automatically after the user is authenticated if the site is not a trusted site.
For automated deployments you can use a script.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\Citrixinternalwebsite.local]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\Citrixinternalwebsite.local\somethingelse]
If you add this script to the deployment of the thin client and change the site address to your internal Citrix site, the site is trusted and the desktop will start automatically after the user is authenticated.
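
The keys above can also be written from PowerShell during deployment. This is an added example, not part of the original post: it maps only the https scheme of the site to the Trusted sites zone and then reads the key back so a wildcard mapping is noticed. The function name is hypothetical, the host names are the post's placeholders, and the value name and data are assumptions based on the standard ZoneMap encoding, in which a DWORD named after the scheme with data 2 means Trusted sites.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Host names are the post's placeholders. Value name/data are ASSUMPTIONS:
# standard ZoneMap encoding, DWORD <scheme> = 2 -> Trusted sites zone.
function Set-TrustedSiteMapping {
    param(
        [string]$Domain    = 'Citrixinternalwebsite.local',
        [string]$SubDomain = 'somethingelse',
        [string]$Scheme    = 'https',        # one scheme only, not '*'
        # The post uses EscDomains; 'Domains' is the branch Internet Explorer
        # reads when Enhanced Security Configuration is not active.
        [string[]]$Branches = @('EscDomains')
    )

    $zoneMap = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

    foreach ($branch in $Branches) {
        $key = Join-Path (Join-Path (Join-Path $zoneMap $branch) $Domain) $SubDomain

        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name $Scheme -Value 2 `
            -PropertyType DWord -Force | Out-Null

        # Read back what is now mapped and flag an existing wildcard entry,
        # which would also put plain http for this host in the trusted zone.
        $values = Get-ItemProperty -LiteralPath $key
        if ($null -ne $values.'*') {
            Write-Warning "$key also maps '*' to zone $($values.'*')"
        }
        "{0}: {1} -> zone {2}" -f $key, $Scheme, $values.$Scheme
    }
}
```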

Enable Citrix Add-on

So we finally got authenticated and now there is a pop-up hovering asking if we want to enable or disable the Citrix add-on. Sure we want it enabled but again we don’t want the user to click there every day.
To start with this one you need to open Internet Explorer and go to the “Manage Add-ons” menu.
There, if you installed the receiver, you find the Citrix Add-on. If you double click on it you get a screen with information, one of the lines reads class.
Copy that class information and paste it somewhere in a notepad, you’ll need it later on.
Add the following registry key to your deployment and paste the class you found behind Settings.
Normally this is a current user setting, but during deployment there is no current user yet, so we used local machine for it.

Security pop-up

The last one for today is the security pop-up you get when you log on to the desktop, the receiver will ask if it may access the local disk and so on.
There is a registry file that is available from Citrix that you can use, here’s the link.
In the reg file, which you get after you unzip the adm zip file, you see that settings can be defined per Internet zone.
By default the settings are set to 3, which is ask; if you want to enable it you need to set it to 0.
The following values are available;
  • 0 = No Access
  • 1 = Read Only Access
  • 2 = Full Access
  • 3 = Prompt User for Access
So again when you do an automated deployment add the reg file to that and you won’t see a pop-up anymore.
So this wraps up the Friday tips, have a good weekend all of you and see you next week.
