Temporary Workaround for XenApp published App Internet Explorer FTA Issue on Server 2016

UPDATE 29.11.2017: THIS WORKAROUND IS NOW OBSOLETE. PROBLEM SOLVED WITH KB4051033: https://support.microsoft.com/en-us/help/4051033/windows-10-update-kb4051033

 

DISCLAIMER: this is an unofficial workaround and not supported by Microsoft or Citrix. This is intended for technical staff and if you don’t understand what it’s about, please don’t use it.

for the TL;DR or the scripts, scroll to the end.

UPDATE 17.10.2018: Citrix has an official Article about this issue: https://support.citrix.com/article/CTX228597 – and they told me that a Windows Update will fix the problem. No patch from Citrix needed.

UPDATE 18.09.2017: Carl Webster contacted me today and offered his skills to optimize my script. thanks a lot for that! the following features are available in his version:

  • allows specifying an output folder (and checks if it exists)
  • validation of OU
  • renaming an existing .sql file by adding the current timestamp
  • check to see if the script is running with elevated permissions

and this is how the tuned script looks in action:

you still need the other binaries of my script, which you will find at the end of this article, but you simply can use this .ps1 instead of mine. the output needs to be in C:\Scripts – else my import process will not work (unless you adjust the .bat file manually).

you can download Carl Webster's version here (SHA1: 1B62844DE567C843D47DB3B4A693DAEB846331E7) – thanks again!

THE PROBLEM:

https://discussions.citrix.com/topic/385357-users-are-prompted-to-specify-internet-browser-when-you-click-on-a-link-in-outlook-2016/

https://discussions.citrix.com/topic/325435-citrix-metaframe-server-fta-showing-up-as-ie-file-association-and-possibly-incorrect-values-in-reg/

due to changes in Server 2016, the default browser is not launched correctly when using a XenApp published app and users are facing a popup with the following message:

How do you want to open this?

Keep using this app

  • Internet Explorer
  • Citrix Metaframe Server FTA

the user can select “Always use this app”, but the popup will appear again for the next link he tries to open. maybe you are thinking, that removing the “Citrix Metaframe Server FTA” will fix the issue, because the system will have only one entry – but no. the message just changes and the user has to select Internet Explorer every time when he clicks on a link. now THAT is annoying.

But yes, you can remove the Citrix Metaframe Server FTA entry by deleting it in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
and
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RegisteredApplications

sometimes the VDA will register itself again and therefore you should remove it with a GPO – but like i said, this will not fix the main issue.

Now here is the geek stuff – the technical details (for the solution, just scroll down):

i opened a case with Citrix and tried a lot of things in my lab. i found out that this issue only happens with XenApp and not with Microsoft RemoteApps. a longer procmon session revealed that Microsoft launches rdpinit.exe, which seems to handle the issue correctly – but i didn't find out what exactly is missing for a XenApp user. the interesting thing about this problem is: if a user logs on to a machine once with RDP or a full desktop, it works afterwards with published apps too. in non-persistent environments (PVS, MCS), this only works until the XenApp server is rebooted.

Citrix contacted Microsoft about this issue and after some weeks they came back to me with these findings:

“RemoteApp and XenApp are sort of special case of logon as they don’t run thru a full desktop logon experience. The problem is, for XenApp the record for the user account is NOT created in the User table in the state repository machine database (%ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd).
When there is no user record available in the User table, looking up what associated apps are avail for the user in response of clicking a URL fails, which leads to the issue.”

they don't provide a fix for this problem yet and they told me that it's going to take some time to develop one. so i thought – let's have a look at this file and its contents – maybe i can somehow fix it manually, until Citrix comes up with a solution.

using a hex editor, i found out that this file is an sqlite database:

now, that is interesting (because we can edit it and i didn't expect Microsoft to use SQLite, because they have their own databases). i had a deeper look at it with SQLite Browser. to open the database, i had to use psexec -e -i -s (because only SYSTEM has read/write on this database).

and there we have indeed a User table (like Microsoft stated in their findings) and this table does not contain a lot of data (which is good for us).

there is just one entry for each user, where _Revision is set to 1 and the BLOB contains the SID in binary format. this is identical to the objectSid attribute that we can find in the ADUC attribute editor.


for a PoC i just added a user manually to this database using SQLite Browser and the SID from ADUC – and my tests after that with published apps were successful. no more annoying popup! i tested this manual workaround on a customer environment and it worked too. but i have hundreds of users there and of course i cannot add all of them manually to this database. let's script something to automate this!

The half-automated Workaround:

the best solution would obviously be a service that gets triggered when a user logs in and updates this database accordingly. but coding a windows service is not that easy and Citrix will come up with such a solution anyway.

my idea was therefore to automate this manual workaround for multiple users. because i use Citrix Provisioning in almost every environment, i want to pre-populate this database on my master target and then promote it for the users on multiple servers. there is only one downside: new users will still have the problem (unless you run the scripts again on the master target), but i'm doing this just to win some time until an official fix comes out.

i also wanted a solution which does not need any software installation and therefore used only powershell, sqlite3.exe and psexec64.exe (from sysinternals).

How to use:

  • download the zip with the scripts and place it in C:\Scripts (this is hardcoded, because psexec needs a static path).

  • you can check the current StateRepository database with 01_list_users_in_staterepository.bat

this is the database from a freshly installed XenApp server in my lab. you can look up the users by converting these SIDs from binary to string (i might supply a tool for that later) – but this is not really important or interesting.

  • open 02_create_import_file_with_users.ps1 in PowerShell ISE (right click, edit). IMPORTANT: edit the first line and supply the distinguishedName from the OU where you have your XenApp users.

you must edit the selected line to match your environment!

  • now click the green arrow. this will create a users_to_import.sql file

now you can open this file with any text editor and check if you exported the correct users (the common name is at the end of each line).

please verify this before proceeding. i could have made up a script that does it all in one step, but i wanted to check what i exported and you probably want to do so too.

  • the last step is to import these users into the StateRepository database with the 03_import_users_into_staterepository.bat script

if you see no error (exited with error code 0) – all the users were imported in the StateRepository database successfully. you can run 01_list_users_in_staterepository.bat again to verify, that the database contains more entries now.

and you can also verify if these are the SIDs from the sql file – but believe me, they are the same 🙂

if you see the error: Error: near line 1: UNIQUE constraint failed: User.UserSid – then one of the users was already in the database. i don't do a check for this, because the field is defined as UNIQUE and my script cannot add users twice anyway.
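The row format described above (a User row with _Revision = 1 and the SID as a binary BLOB), as an added Python example that is not part of the author's scripts: it converts SIDs between string and binary form and inserts them while skipping SIDs that are already present. The in-memory table is a constructed stand-in built only from the names mentioned in this post; the real StateRepository schema, the function names and the sample SIDs are assumptions.

```python
import sqlite3
import struct

def sid_to_bytes(sid: str) -> bytes:
    """String SID (S-1-5-...) -> binary form as stored in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision, count, 48-bit big-endian authority, 32-bit little-endian subs
    head = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def bytes_to_sid(blob: bytes) -> str:
    """Binary SID -> string form, to identify rows of the User table."""
    if len(blob) < 8 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{blob[1]}I", blob[8:])
    return "-".join(["S", str(blob[0]), str(authority), *map(str, subs)])

def make_demo_db() -> sqlite3.Connection:
    # Constructed stand-in: only the names User, _Revision and UserSid and
    # the UNIQUE constraint come from the post; the real schema may differ.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE User (_Revision INTEGER, UserSid BLOB UNIQUE)")
    return db

def import_sids(db: sqlite3.Connection, sids) -> int:
    """Insert SIDs with _Revision = 1; return how many rows were new."""
    q = "SELECT COUNT(*) FROM User"
    before = db.execute(q).fetchone()[0]
    with db:  # single transaction; OR IGNORE skips SIDs already present
        db.executemany(
            "INSERT OR IGNORE INTO User (_Revision, UserSid) VALUES (1, ?)",
            [(sid_to_bytes(s),) for s in sids])
    return db.execute(q).fetchone()[0] - before

def list_sids(db: sqlite3.Connection) -> list:
    rows = db.execute("SELECT UserSid FROM User ORDER BY rowid")
    return [bytes_to_sid(r[0]) for r in rows]

if __name__ == "__main__":
    db = make_demo_db()
    base = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
    print(import_sids(db, [base + "-1105", base + "-1106"]))
    print(import_sids(db, [base + "-1106", base + "-1107"]))
    print(list_sids(db))
```

Against the real database the connection would have to be opened as SYSTEM, as described above for SQLite Browser.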

now that's it. you can promote your master target to the users and they will not see this annoying popup anymore!

TL;DR and Scripts

Download the Scripts here (SHA1: 868D6B0B003015C2C8CCEA8F287231D0070A7274). you need to run the Scripts with administrator privileges.

Quick How To:

  1. Create a Maintenance Version from your Master Image (or do the steps on a persistent XenApp Server)
  2. Extract the files from Scripts.zip to C:\Scripts (do not change the Path, it's hardcoded)
  3. Adjust 02_create_import_file_with_users.ps1 in PowerShell ISE and run it to generate the .sql file
  4. Run 03_import_users_into_staterepository.bat and promote the Version to Test (or Production if you don't mind)
  5. Do not delete users_to_import.sql – i will provide a script to reverse these changes, which you can use when Citrix releases an official fix.

and again: this is not an official fix and not supported by anyone. it cannot really break something, but it also does not offer real error checking. it's a fast and half-automated workaround, until Citrix releases an official solution.

if my script helps and you'd like to offer me a beer in return – i do accept donations 🙂

PayPal: https://www.paypal.me/Kolbicz

Thank you!
