FW: Win2K security roll out package and citrix xp

From: Robert Dennis (rdennis@ALPHAPROTECH.COM)
Date: 04/11/02


Date:         Wed, 10 Apr 2002 19:56:38 -0400
From: Robert Dennis <rdennis@ALPHAPROTECH.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I found this same this same problem with Citrix XP, running NFuse v1.5.

Environment

--Citrix Metaframe XP Server Farm accessed via Published Applications
--Citrix NFuse web server serving the access to the Published Applications
through IIS 5.0 on Windows 2000
--After installing the Security Rollup Package, users were able to login
through Citrix NFuse login screen, but when the list of apps were to appear,
a message stating "There was an error generating the app list: An error
occurred while encoding a .GIF file. Pleae make sure that the path exists
and the appropriate user account has sufficient permission to write and
delete files"

It turns out that the Security Rollup package turns off write access to
wwwroot (and all subfolders) for all users except certain privileged groups.
Regular users do not have access to write to your web directories (a good
thing) however, this setting is recursive, and, as in this case, directories
that are used as temp directories are not accessible to the user.

To resolve this issue, I audited file access on the IIS server and found a
Citrix directory, under the root web, that the Citrix user needs full write
and delete privileges to render the web pages that Citrix NFuse works with.

I do not know if this is similar, but I did find this through a test
environment, and probably shows, yet again, why ALL patches and updates need
be run through a test environment before going live.

Regards,

Robert Dennis
Network Admin
Alpha Pro Tech
ph 905 479-0654 x233
fax 905 479-9732

-----Original Message-----
From: Philip Walley [mailto:philip.walley@CONSULTRIX.NET]
Sent: Tuesday, April 09, 2002 10:27 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Win2K security roll out package and citrix xp

FYI...

I recently cam across a situation with the security roll out package. It
seems that installing this update on a Citrix XP server will cause
authentication to fail for all users except admin. While I do not know
the specifics of what occurs, users will be told that "the login
credentials supplied are incorrect, please make sure caps lock is not
on. Etc."

I contacted Citrix to learn that they are aware of this authentication
issue and was supplied a hotfix by them. I did have to install the
hotfix ( in install mode) a couple of times before it actually worked on
the servers.

Philip D. Walley
Network Consultant
Consultrix Technologies
Phone: 601-956-8909 ext. 305
Fax: 601-956-8409



Relevant Pages

  • RE: Is Citrix safe?
    ... NFuse is only managing ICA client browse traffice and not the ICA stream. ... certs from Web server to web browser and SSL-Relay from Nfuse to XML ... Subject: Is Citrix safe? ...
    (Security-Basics)
  • Re: SP4 Experience
    ... As with any environment, many people will install SP4 on a Citrix server ...
    (microsoft.public.win2000.advanced_server)
  • Re: Cant Mount Mailbox Store or Publick Folder Store
    ... My citrix is working now using ICA Client but after I tried to restart my Mail Server. ... "Mukesh" wrote: ... Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. ...
    (microsoft.public.exchange.admin)
  • Re: How does Citrix run it faster? was Re: Microfocus COBOL 3.2.43 (16bit)
    ... over 25 sites) runs on Citrix served up from servers here in Austin. ... have moved a lot of stuff to zLinux, and in the process would up writing ... When Word loads for the ... doing anything else but managing the screen, while the server is pretty much ...
    (comp.lang.cobol)
  • Long and quite bizzare network problem
    ... I manage a 70 pc lan running win2k server,win2k Citrix ... packet sniffer to look at. ... The metaframe server is expecting that one box to ACK back,but it does ...
    (microsoft.public.win2000.networking)