Hide XenApp Full Desktop/XenDesktop icons from WI 5.4 Services site

While working on a new XenApp 6.5 implementation, we decided to deploy “XenApp Full Desktops” (AKA Poor Man’s VDI)¬†with published apps, and XenDesktops all talking to a single XenApp Service Site (AKA PNAgent) -> behind multiple Services Site load balanced by the NetScaler that is ūüôā

When you use single XenApp Services site to manage both XenApp and XenDesktop environments, or you‚Äôre providing published desktop and applications from your XenApp farm and XenDesktops,¬†you’ve¬†probably noticed that your users will get the Full Desktop icon and/or XenDesktop in their start menu.

Picture below shows me connected to a XA 6.5 Full Desktop running Citrix Receiver 3.4 Enterprise (I know 30MBs per user session).  The issue here is why should I see the XenApp Desktop icon when I am already connected to it?



  • Windows 2008 R2
  • Citrix XenApp 6.5¬†Hotfix Rollup Pack 2 / XenDesktop 5.6 <- (I know, not XD 7 yet)
  • PVS 6.1.16
  • StoreFront 2.0 / Web Interface 5.4


Follow the instructions on CTX123969  which shows how to hide Published Applications, however keep in mind the goal here is not to hide published apps, but rather hide desktops from both XenApp and XenDesktop.

Replace the code with the following:

java.util.ArrayList filtered = new java.util.ArrayList();

 for (int i=0; i<resources.length; i++) {
 if (!(resources[i] instanceof com.citrix.wing.webpn.DesktopInfo)) {
resources = (ResourceInfo[]) filtered.toArray( new ResourceInfo[0] );

Disable StoreFront 1.2 Desktop auto launch feature

In the good old days of traditional Web Interface, everything you did in the GUI was reflected back in the WebInterface.conf file usually located under C:\inetpub\wwwroot\Citrix\NameOfYourSite\conf\.  After a while, there was no reason to open the GUI and making modifications to your WI became a very speedy process.  Specially when you had several WI sites.

A lot has changed with StoreFront, however you can still control many aspects of the interface by editing files inside the web installation directory since the GUI is now missing.

What I am really wondering now, is how this will play a role with the Citrix NetScaler Web Interface feature, where it allows you to import the 5.4 WebInterface.conf file directly into the NetScaler and run WI on it. ¬†Time will tell I guess…

With StoreFront, when both desktops and applications are available from a site, Receiver for Web displays separate desktop and application views by default. Users see the desktop view first when they log on to the site. Regardless of whether applications are also available from a site, if only a single desktop is available for a user, Receiver for Web attempts to automatically start that desktop when the user logs on.

To change these default settings, edit the site configuration file.
  1. On the StoreFront server, use a text editor to open the web.config file for the Receiver for Web site, which is typically located in the C:\inetpub\wwwroot\Citrix\storenameWeb\ directory, where storename is the name specified for the store when it was created.
  2. Locate the following element in the file.
    <uiViews showDesktopsView="true" showAppsView="true" defaultView="desktops" />
  3. Change the value of the showDesktopsView and showAppsView attributes to false to prevent desktops and applications, respectively, being displayed to users, even if they are available from the site. When both the desktop and application views are enabled, set the value of the defaultView attribute to apps to display the application view first when users log on to the site.
  4. Locate the following element in the file.
    <userInterface ... autoLaunchDesktop="true">
  5. Change the value of the autoLaunchDesktop attribute to false to prevent Receiver for Web from automatically starting and accessing a desktop when a user logs on to the site and only a single desktop is available for that user.

For additional customizations of StoreFront configuration file, see this Citrix article

Speeding up the new StoreFront 1.2 (CloudGateway Express)

StoreFront 1.2 was just released on 07.31.12. ¬†After reading it’s benefits, I figure I set it up for a POC and see how it behaves with a new XenApp 6.5¬†environment. ¬†You can read on the benefits¬†here. ¬†The one thing I noticed, it is extra slow.

The first change comes from the Citrix Forums which dictates to disable NetBIOS over TCP/IP. To disable NetBIOS over TCP/IP, open the Advanced Properties dialog for TCP/IP on each network interface as shown in the screenshot.


Apparently, the need for NetBIOS communication is a prime contributor to the slow enumeration events. Once I made this change the enumerations were lightning fast, but the initial logon page was still slow to load.

In the old days, the sloooow logon page loading was caused by the .NET Framework not  staying resident in memory; however, with Web Interface 5.4 and IIS 7, the Idle Time Out value on the Web Interface App Pool is set correctly to 0 by default, which keeps the .NET Framework loaded. So I went looking for another solution.

I found the answer at Alexander Ervik Johnsen’s website. (Later I discovered it is also a Citrix KB article.) I made the following changes on both the Microsoft.NET\Framework and Microsoft.NET\Framework64 directories:

  1. Check in IIS for the ASP.net version that is in use with the Web Interface application pool, which should be version 2.0.50727
  2. Edit the ASPNET.CONFIG file(C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.config)
  3. Add the following GeneratePublisherEvidence line to the runtime section of the ASPNET.CONFIG file as shown
    <generatePublisherEvidence enabled=‚ÄĚfalse‚ÄĚ/>
  4. Run IISRESET for force a reread of the ASPNET.CONFIG file

Once I made those changes to the ASPNET.CONFIG file, my Web Interface login page loaded in about 3 seconds. I was quite surprised at the difference only those two changes made to the response time of the Web Interface servers.

After making the changes above the darn thing is actually ready for a POC.


Limit users to XD/XA resources in Web Interface 5.4

Let’s take a look at how we can limit access to multiple Farms via Citrix Web Interface 5.4

In the example below… I will be configuring a Web Interface Services Site (PNAgent) in preparation to allow mobile users access to XenApp/XenDesktop via mobile devices such as the iPad, iPhone and Android (yuck). For details on how to configure a Service Site go to the following link.

As you probably know, there are several ways of limiting access via the NetScaler AGEE, however the new CAG Standard edition (5.0.x) has a limitation when utilizing basic logon points.


  • Create your AD groups such as CitrixXenAppUsers and CitrixXenDeskUsers
  • Create a new Web Interface Service Site (PNAgent) such as PrivateCloudPNA
  • Configure your new site with access to your Farms, in this case XenApp6.5 and a XenDesktop 5.6
  • Configure your site to utilize your CAG, with Gateway access
  • Configure your Access Gateway basic logon point to forward to your new site “PrivateCloudPNA
  • Ensure you can launch published Apps and Desktops
  • Edit your WI site by opening the WebInterface.conf file located under C:\inetpub\wwwroot\Citrix\NameOfYourSite\conf\
  • Search for Farm1Groups and remove the “#”
  • Set Farm1Groups=nameofyourdomain\CitrixXenAppUsers
  • Since we have a XenDesktop farm in this example, we also need to set access to it by entering¬†Farm2Groups=nameofyourdomain\CitrixXenDeskUsers
Now lets get fancy… go to the Citrix Mobile Receiver URL Generator and create a link that you can email the mobile users. ¬†This will automatically configure the Citrix Receiver (after installing it of course) to your newly created site.

Web Interface 5.4 and XenApp 6.5 pass-through authentication

There is stuff about this all over the web.  After collecting a lot of data from various sources I figure I put it all together in a simple to follow set of instructions.


You configure pass-through authentication in Web Interface, but while it works through the login page, you find that you are promoted to enter credentials via the XenApp 6.5 server’s Windows 2008 R2 login screen when launching a published application.

I was able to test this with all Citrix Receivers (3.0, 3.1, 3.2)

  • Lets start with the WI settings and make sure you set you have one of your Authentication Methods to Pass-Through. ¬†In my case, I also selected Explicit to allow users to authenticate as another account if needed.

  • Next simply install the Citrix Receiver 3.x and reboot
  • Once the system is back up, make sure the Citrix SSO service is running.

The hard part is done, unless your AD person is named Omar.

Now lets get that Citrix Client ADM imported so we can create a GPO to allow this.  In the example below I did this based on a computer policy.

  • From a computer that is installed with the Receiver client, open the Group Policy Object Editor. Click on¬†Start¬†>¬†Run¬†and enter¬†gpedit.msc.
  • In the Group Policy Object Editor, right-click¬†Administrative Templates.
  • Click¬†Add/Remove Templates.
  • Browse to the C:\Program Files\Citrix\ICA Client\Configuration folder and add the icaclient.adm file.

  • Expand¬†Computer Configuration¬†>¬†Administrative Templates¬†>¬†Citrix¬†Components¬†>¬†Presentation Server Client¬†>¬†User Authentication.
  • On the right pane, select¬†Local User name and password.
  • Right-click and¬†enable¬†the policy for pass-through authentication. This policy is applied to all users logging on to this workstation.
  • To apply GPO settings on a per-user basis, configure the settings under User Configuration. Expand¬†User Configuration¬†>¬†Administrative Templates¬†>¬†Citrix Components.

  • Run¬†GPupdate¬†on the workstation to apply the policy immediately. ¬†Since this is a Comp policy you may have to reboot.
  • Log off and log on again.
  • Check the Task Manager on the workstation to verify that the ssonsvr.exe process is running.