Connecting the world…

Citrix WebInterface 5.3 on IIS7

While configuring a Citrix NetScaler 9.2 in conjunction with WebInterface 5.3 I received the following error message when executing a published application.

An error occurred while trying to access the requested resource.

I thought to myself… no problemo, since I blogged about this problem before (source). This solution didn’t help. After changing the RequireLaunchReference value I still received the error while opening an application. The only difference is that the event viewer message isn’t generated anymore.

After searching the internet I found another Citrix knowledge base article, called “Application Launch Failure in Web Interface 5.0 through 5.3”. This article provided me with the solution.

It looks like IIS 7 differs quite a lot from earlier versions. Citrix’s background on the problem:

It is currently suggested not to run .NET 1.1 or .NET 4.0 on a Windows 2008 Web Interface server that is using Web Interface 5.0 through 5.3. The .NET Framework 2.0 common language runtimes will be used in conjunction with the 3.0 and 3.5.

Don’t ask me what it is, because I don’t know. Switches, routers, firewalls and other networking components don’t use Microsoft .NET…

eSafe Proxy with NTLM v2.0

Today I am playing with eSafe 8 operating in eSafe Proxy with NTLM authentication mode. Configuring eSafe Proxy with NTLM authentication is very straightforward and not difficult. The authentication settings are configured using the eSafe Appliance Manager web interface, as shown below.

[Image: eSafe_proxy]

I did some testing with multiple browsers and single sign-on with NTLM authentication is working perfectly. The system administrator was also testing, but he was complaining that he couldn’t authenticate. A pop-up box is received and when you enter the appropriate credentials, they aren’t accepted by eSafe. I found out that the customer is using Windows 7 and I was testing with Windows XP and Windows Server 2003.

Windows Vista, Windows 7 and Windows Server 2008 R2 and higher use NTLM v2.0-only by default. eSafe Proxy uses NTLM v1.0. The default setting within Windows can be changed to operate in a mode which is backwards compatible with eSafe Proxy. Take the following steps to change the NTLM settings:

  1. Open the Group Policy Editor with gpedit.msc;
  2. Go to Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options;
  3. Go to the setting: Network security: LAN Manager authentication level;
  4. Change this setting to: Send LM & NTLM – use NTLMv2 session security if negotiated;
  5. Apply the policy with gpupdate /force.

[Image: ntlmv2]

The picture shows the policy setting within Windows. This should solve the problem with single sign-on on Windows Vista, Windows 7 and Windows Server 2008 R2 and higher.
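To check which response type a client actually sends before and after the policy change, the NTLM AUTHENTICATE (type 3) message from a captured Proxy-Authorization header can be classified by the size of its NT response. This is an added example, not code from the original post or from eSafe; the function names, the returned labels and the sample messages are constructed for illustration, and it assumes the header value has the form `NTLM <base64>`.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def _buffer(msg, pos):
    """Return the bytes named by a (length, max length, offset) field at pos."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def classify_ntlm_response(header_value):
    """Classify the client response in an 'NTLM <base64>' authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization value")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 64 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    lm, nt = _buffer(msg, 12), _buffer(msg, 20)
    if not nt:
        return "no NT response"
    if len(nt) > 24:
        return "NTLMv2"  # 16-byte proof followed by a variable-length blob
    if len(nt) < 24:
        raise ValueError("NT response shorter than 24 bytes")
    if len(lm) == 24 and lm[8:] == bytes(16):
        # LM field carries an 8-byte client nonce padded with 16 zero bytes
        return "NTLMv1 with extended session security"
    return "NTLMv1"

def build_sample(lm, nt):
    """Constructed type 3 message with empty name fields (demo input only)."""
    end = 64 + len(lm) + len(nt)
    fields = struct.pack("<HHI", len(lm), len(lm), 64)
    fields += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    fields += struct.pack("<HHI", 0, 0, end) * 4  # domain, user, host, session key
    msg = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", 0) + lm + nt
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    # Constructed responses: plain 24-byte pair, then a longer NTLMv2-sized one
    for lm, nt in [(b"\x11" * 24, b"\x22" * 24), (b"\x11" * 24, b"\x22" * 58)]:
        print(classify_ntlm_response(build_sample(lm, nt)))
```

A client still on the Windows 7 default shows up as `NTLMv2`; after the policy change it should show one of the two NTLMv1 labels.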