Issue With W2K SP3 Citrix/Terminal Servers and MS04-011(835732)
From: Manskopf, Michael (Michael_Manskopf_at_CANACCORD.COM)
Date: Fri, 23 Apr 2004 15:44:57 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
We patched half of our W2K SP3 Terminal Servers last night with MS04-011,
MS04-012, and MS04-014. This morning all of the users logging into the
patched servers were not able to access their roaming profile and created
local profiles on the Terminal Servers instead.
Here's what we've determined so far.
We have users (clients) in a Windows 2000 SP3 forest connecting through
Citrix on Windows 2000 SP3 Terminal Servers, which are located in another
Windows 2000/2003 forest.
All of the users that are connecting through Citrix/Terminal servers that
have been patched with 835732 are unable to load their roaming profiles, so
local profiles are created instead on each Citrix/Terminal server.
The error in the Application Log is as follows:
Event Type: Information
Event Source: Userenv
Event Category: None
Event ID: 1000
Time: 12:36:41 PM
User: NT AUTHORITY\SYSTEM
Description: The logged on user's forest is different from the machine's
forest. Cross Forest Group Policy processing is disabled and loopback
processing has been enforced in this forest for this user account.
This appears to be a "Cross-Forest" issue that should only affect Windows
2000 SP4 and Windows 2003, but is affecting our Windows 2000 SP3
Citrix/Terminal Servers. The SP4 issue is mentioned in this KB article:
What appears to be happening is that an SP4 Cross-Forest security "feature"
is activating the Group Policy setting for "Allow Cross-Forest User Policy
and Roaming User Profiles" policy under \Computer
Configuration\Administrative Templates\System\Group Policy. We tried to
enable the policy to see if that would fix it, but it only made things worse
and affected the previously unaffected users as well. We think that since
our Citrix/Terminal Servers are Windows 2000 SP3, they seem to "see" the SP4
policy, but don't understand it. There must be some updated component in the
835732 patch that is allowing SP3 machines to "see" the SP4 policy.
As soon as we uninstalled the 835732 patch from one of these Citrix/Terminal
servers, users were able to access their roaming profiles normally again.
We're going to keep experimenting with this on one of our test servers. Will
keep you updated. If anyone else has any info, please let me know.
IT - Technology and Infrastructure Group
CANACCORD CAPITAL CORP.
#2200 - 609 Granville Street,
TEL: (604) 643-7605
CEL: (604) 841-1534
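The following is an added example, not part of the original post and not a tool from the poster's environment. It gathers the two observations the post describes on a terminal server: the state of the "Allow Cross-Forest User Policy and Roaming User Profiles" policy, and Userenv Event ID 1000 entries in the Application log that mention the cross-forest condition. It assumes (the post does not state this) that the policy is stored at HKLM\SOFTWARE\Policies\Microsoft\Windows\System as the DWORD value AllowX-ForestPolicy-and-RUP, that the Application log is readable remotely with Get-EventLog, and that the event message still contains the phrase "forest is different from the machine's forest". Run it from a management host with PowerShell against the affected servers.

```powershell
# Added example (not from the original post). Inspects terminal servers for the
# cross-forest roaming-profile symptom described above.
# Assumptions not given in the post:
#   - policy registry location: HKLM\SOFTWARE\Policies\Microsoft\Windows\System,
#     value AllowX-ForestPolicy-and-RUP (DWORD, 1 = Enabled, 0 = Disabled)
#   - Userenv Event ID 1000 in the Application log carries the text
#     "forest is different from the machine's forest"
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Hours = 24
)

$PolicySubKey = 'SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue  = 'AllowX-ForestPolicy-and-RUP'   # assumed value name
$EventText    = "forest is different from the machine's forest"

function Get-CrossForestPolicyState {
    # Reads the policy value from the remote machine's HKLM hive and maps it
    # to the same wording the Group Policy editor shows.
    param([string]$Computer)
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hive.OpenSubKey($PolicySubKey)
        if ($null -eq $key) { return 'Not configured' }
        $v = $key.GetValue($PolicyValue, $null)
        if ($null -eq $v) { return 'Not configured' }
        switch ([int]$v) {
            1       { return 'Enabled' }
            0       { return 'Disabled' }
            default { return "Unexpected value $v" }
        }
    } catch {
        return "Error: $($_.Exception.Message)"
    }
}

function Get-CrossForestProfileEvents {
    # Returns Userenv Event ID 1000 entries from the last $Hours hours whose
    # message matches the cross-forest text quoted in the post.
    param([string]$Computer, [int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -ComputerName $Computer -LogName Application -Source Userenv -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1000 -and $_.Message -like "*$EventText*" } |
        Select-Object @{n='Computer';e={$Computer}}, TimeGenerated, EntryType, UserName, Message
}

foreach ($c in $ComputerName) {
    $state  = Get-CrossForestPolicyState -Computer $c
    $events = @(Get-CrossForestProfileEvents -Computer $c -Hours $Hours)
    # One summary line per server, then the matching events for triage.
    "{0}: policy '{1}' = {2}; {3} cross-forest Userenv 1000 event(s) in last {4}h" -f `
        $c, $PolicyValue, $state, $events.Count, $Hours
    $events | Format-Table -AutoSize
}
```

A server that reports the policy as "Not configured" while still logging the cross-forest events reproduces the situation in the post: the condition is being enforced even though the policy was never set. Comparing the output of a patched and an unpatched server side by side is the quickest way to confirm that 835732 is the variable.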