“Citrix Receiver – Security Warning” explained and demystified

Written by Ingmar Verheij on June 26th, 2012. Posted in Citrix, Demystified

When you’ve worked with a Citrix XenApp or XenDesktop environment you must be familiar with the Security Warning dialog. It prevents a remote machine (your hosted application or desktop) from accessing resources on the client device, a security boundary you want to protect when connecting from unmanaged systems.

But on managed systems you want to prevent this message; you don’t want your users to be confronted with a message you tell them to accept (otherwise it won’t work and they’re to blame).

In this article I’ll explain why this message is displayed and how you can prevent it.

Resource types

A user can be confronted with a security warning dialog for different resources, depending on the client used:

Resource description Client version < 12.0 Client version > 12.0
Client drives X X
Microphone and webcams X X (only audio)
PDA devices X
USB and other devices X

 

Client versions

“Back in the old days”, or when you’re using Citrix Presentation Server 4.5 or older, a Citrix ICA Client is used with a version lower than 12.0. The security warning dialog can be configured with the webica.ini file in the user’s profile.

The Citrix Receiver (version 12.0 and up) ignores the webica.ini file and is solely configured via the registry. A new feature with the name ‘Client Selective Trust’ was introduced to allow a more fine-grained configuration that can be set via a group policy.

 

Before version 12.0

When you’re using a Citrix ICA client before version 12.0 the user will be asked what access level should be allowed. The users can choose between three access levels:

  • No Access
  • Read Access
  • Full Access

Depending on the version used, one of the following dialogs is displayed:

[Screenshots: Client File Security 10.x; Client File Security 11.x; ICA Client File Security]

Preventing the message

This message can be prevented by placing a webica.ini file in the %SystemRoot% (version 10.0 or lower) or the %AppData%\ICAClient directory (version 10.1 or higher).

The file has the following content

Where the number represents an access level

Access
-1 No security setting configured
403 No Access
403 Read Access
405 Full Access

AudioInput
803 No Access, never ask me again
804 Full Access, never ask me again
806 Never prompt current application
807 Never prompt any application
808

Version 12.0 and up (Citrix Receiver)

From Citrix Online Plugin 12.0 and up, including the current Citrix Receiver 3.x, users are presented with the following dialog:

[Screenshots: File Security - Citrix Online Plugin; Citrix Receiver - Security Warning]

The content of the message depends on the resource that is accessed from the remote server.

 

GUID

For each target environment that is accessed, a unique key is created in the registry with the name HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}. It seems that the {GUID} is generated at runtime and (therefore) cannot be predicted. You can find which GUID belongs to which connection by reading the value HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}\RegionName\@. This value contains the name of the environment.

If you connect via a Web Interface / CloudGateway this key contains the URL (like lab.pepperbyte.com). When you connect directly to a published application / server via an ICA file the content will be something like ica://172.31.50.132:1494.


Preventing the message

The message can be configured per resource type, where each resource type is a subkey of ICA Client\Client Selective Trust\{GUID}IcaAuthorizationDecision (no \ after the GUID!).

Resource type Subkey
Client drives FileSecurityPermission
Microphones and webcams MicrophoneAndWebcamSecurityPermission
PDA devices PdaSecurityPermission
USB and other devices ScannerAndDigitalCameraSecurityPermission

The access level can be set in the default (@) value where the number represents an access level

Value Description
0 No access
1 Read access
2 Full access
3 Prompt the user for access

The access level can be set per accessed environment (per GUID) or per region. By configuring the access level in the HKEY_LOCAL_MACHINE (HKLM) hive instead of the HKEY_CURRENT_USER (HKCU) hive, the setting is inherited by all users.
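An added example (not from the original article): this Python script reads a `reg export` dump of the Client Selective Trust key, resolves each {GUID} to its RegionName and lists the stored decision per resource type, so an administrator can spot environments that were granted full access without a prompt. The GUIDs and the export text are constructed; the key layout follows the article, and accepting both string and DWORD values is an assumption.

```python
import re

# Access levels as listed in the article's value table.
LEVELS = {"0": "No access", "1": "Read access", "2": "Full access", "3": "Prompt the user for access"}
ROOT = "Client Selective Trust\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
# Default (@) value; string and DWORD forms are both accepted (assumption).
DEFAULT_RE = re.compile(r'^@=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

# Constructed sample in `reg export` text form; GUIDs are made up, layout follows the article.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Citrix\ICA Client\Client Selective Trust\{11111111-1111-1111-1111-111111111111}\RegionName]
@="lab.pepperbyte.com"
[HKEY_CURRENT_USER\Software\Citrix\ICA Client\Client Selective Trust\{11111111-1111-1111-1111-111111111111}IcaAuthorizationDecision\FileSecurityPermission]
@="2"
[HKEY_CURRENT_USER\Software\Citrix\ICA Client\Client Selective Trust\{11111111-1111-1111-1111-111111111111}IcaAuthorizationDecision\MicrophoneAndWebcamSecurityPermission]
@="3"
[HKEY_CURRENT_USER\Software\Citrix\ICA Client\Client Selective Trust\{22222222-2222-2222-2222-222222222222}\RegionName]
@="ica://172.31.50.132:1494"
[HKEY_CURRENT_USER\Software\Citrix\ICA Client\Client Selective Trust\{22222222-2222-2222-2222-222222222222}IcaAuthorizationDecision\FileSecurityPermission]
@=dword:00000001
'''

def parse_defaults(text):
    """Map every exported key path to its default (@) value, as a string."""
    defaults, key = {}, None
    for line in map(str.strip, text.splitlines()):
        key_m, val_m = KEY_RE.match(line), DEFAULT_RE.match(line)
        if key_m:
            key = key_m.group(1)
        elif val_m and key:
            defaults[key] = val_m.group(1) if val_m.group(1) is not None else str(int(val_m.group(2), 16))
    return defaults

def audit(text):
    """Return (environment, resource subkey, access level) per stored decision."""
    names, decisions = {}, []
    for key, value in parse_defaults(text).items():
        tail = key.partition(ROOT)[2]
        region = re.fullmatch(r"(\{[^}]+\})\\RegionName", tail)
        decision = re.fullmatch(r"(\{[^}]+\})IcaAuthorizationDecision\\(\w+)", tail)
        if region:
            names[region.group(1)] = value
        elif decision:
            decisions.append((decision.group(1), decision.group(2), value))
    return [(names.get(g, g), res, LEVELS.get(v, "unknown: " + v)) for g, res, v in decisions]

def silent_full_access(text):
    return [(env, res) for env, res, level in audit(text) if level == "Full access"]
```

Real `reg export` files are UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text to `audit`.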

If you want to configure the access permission per region you need to change the value of IsIsmDeferalEnabled to true and set the access level per resource type.

The regions that can be configured in HKLM match the regions that can be found (and configured) in Internet Explorer.

Zone Subkey
Internet oidInternetRegion
Local Intranet oidIntranetRegion
Trusted sites oidTrustedSitesRegion
Restricted sites oidRestrictedSitesRegion

Keep in mind that if you configure the settings on an x64 operating system the keys are stored in HKLM\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust.

Ingmar Verheij

At the time Ingmar wrote this article he worked for PepperByte as a Senior Consultant (up to May 2014). His work consisted of designing, migrating and troubleshooting Microsoft and Citrix infrastructures. He was working with technologies like Microsoft RDS, user environment management and (performance) monitoring. Ingmar is User Group leader of the Dutch Citrix User Group (DuCUG). RES Software named Ingmar RES Software Valued Professional in 2014.


Comments (11)

  • 1 February 2013 at 11:29 |

    Cheers Ingmar, did anyone find/make an ADM template for this yet?

  • 1 February 2013 at 11:29 |

    This will do the trick, simply import an adm template and configure the IE site that the servers are in accordingly

    http://support.citrix.com/article/CTX133565.

    good job Citrix..

  • Darren
    28 March 2013 at 04:24 |

    Hi Ingmar, I discovered the adm templates provided in the Citrix article do not contain all the required registry settings for client access control to work.
    http://forums.citrix.com/thread.jspa?messageID=1725617&#1725617

  • 30 July 2013 at 11:36 |

    nice work! thanks for sharing this!

    • Ingmar Verheij
      31 July 2013 at 18:49 |

      You’re welcome!

  • Julia Nash
    26 September 2013 at 10:36 |

    Hi

    We are using Citrix ICA Client 11.0.0.5357 for our users to connect from remote locations.

    I need to remove the Client File Security popup from when they logon.

    How would I go about this? I have read your document but the instructions for the version we are using seem to require the addition of the webica.ini file on the local profile of a user to which we would have no access.

    Is there a setting we can apply which will stop the prompt from appearing for all users that connect? If so would this need to be applied to all servers that are in the farm that are used for remote access or just the main citrix xenapp server?

    I would be very grateful if anyone could point me in the right direction.

    Thanks

    Julia

    • Ingmar Verheij
      26 September 2013 at 15:31 |

      Hi Julia,

      The dialog you’re seeing is a security dialog which needs to be configured on a per-user basis.

      If you can’t control the content of the %AppData%\ICAClient\webica.ini file then the only way of preventing this dialog is to configure a Citrix policy that disables all client access (drives, printers and clipboard).

      Cheers,
      Ingmar

  • 11 December 2013 at 10:23 |

    Nice information and thanks for putting it together.

  • Vito
    10 October 2014 at 19:27 |

    Excellent article, very helpful. Is there a way to tell which region and keys control what client device resources? I have a number of users who receive the prompt when trying to access files on a USB drive, others receive the prompt when trying to utilize voice call features over MS Lync.

  • Michael Altman
    6 April 2015 at 04:20 |

    See post

  • Sean
    12 April 2016 at 01:13 |

    I was able to get everything working all through group policy by
    1) adding the storefront https:// url and the applink https:// url to the list of trusted sites
    2) delete the HKCU….\Client Selective Trust key and all the subkeys

    That worked great, and it was all through group policy registry preferences.
