Introduction
This article summarizes the file, registry, and IIS metabase permissions required for normal operation of Web Interface 2.x for Windows.
NTFS File Permissions
The following changes are made by the Web Interface installer during installation, where WebDir is the document root of your Web server and ProgramFiles is the location of the Web Interface program files. Note that the CTX_WEB_ADMIN account is created during Web Interface installation only on Windows 2000 servers; Windows 2003 servers use the built-in “Network Service” account instead of CTX_WEB_ADMIN.
WebDir\Citrix\MetaFrameXP\NFuseIcons
This is the folder used to store application icon image files. The web server receives the icon data from the MetaFrame XML service, writes GIF images to disk, and then serves the images over HTTP to the user. If Web Interface is configured for explicit authentication only, the IWAM_MachineName account is responsible for writing the files to disk and the IUSR_MachineName account reads the files during delivery. If Web Interface is configured for Desktop Credentials Pass-Through or Smart Card authentication, IIS impersonates the user account for both reading and writing the icons.
Authenticated Users: Full Control
SYSTEM: Full Control
Guest: No access
WebDir\Citrix\MetaFrameXP\WIAdmin
This folder contains scripts that allow you to configure Web Interface using a Web-based graphical tool. Only Web server administrators should be permitted to access these pages. The WIAdmin folder corresponds to a COM+ application that, on Windows 2000 servers, runs as CTX_WEB_ADMIN and on Windows 2003 servers runs as Network Service.
Administrators: Full Control
WebDir\Citrix\PNAgentAdmin
This folder contains scripts that allow you to configure Program Neighborhood Agent using a Web-based graphical tool. Only Web server administrators should be permitted to access these pages. The PNAgentAdmin folder corresponds to a COM+ application that, on Windows 2000 servers, runs as CTX_WEB_ADMIN and on Windows 2003 servers runs as Network Service.
Administrators: Full Control
WebDir\Citrix\PNAgent
This folder contains scripts and XML configuration files used by Program Neighborhood Agent clients. Because the XML configuration files can be edited using the PNAgentAdmin tool, Administrators and the CTX_WEB_ADMIN account need at least Modify permission on this folder.
Administrators: Full Control
CTX_WEB_ADMIN: Modify
Everyone: Read
ProgramFiles\Citrix\NFuse\conf
This folder contains NFuse.conf, the primary configuration file for Web Interface. Because the NFuse.conf file can be edited using the WIAdmin tool, Administrators and the CTX_WEB_ADMIN account need at least Modify permission on this folder.
Administrators: Full Control
CTX_WEB_ADMIN: Modify
Everyone: Read
The Web Interface installer does not change the NTFS permissions on the following folders, but keep the following points in mind:
WebDir\Citrix\MetaFrameXP\site
This is the folder where the Web Interface user scripts are physically stored. The minimum required NTFS permissions for the site folder differ according to the type of authentication chosen for Web Interface.
When using explicit authentication, the IUSR_MachineName account, or whatever account is used to deliver anonymous Web pages, needs Read permission.
When using Desktop Credential Pass-through or Smart Card authentication, all domain users need Read permission.
Under no circumstances is write access required for any user regardless of authentication method.
WebDir\Citrix\ICAWEB
This folder contains ICA Client binaries, including the Java Client packages. If authentication is required for this directory, users may have difficulty installing or upgrading their clients or may not be able to use the Java Client. Recommended minimum permissions for this folder and all subfolders are:
Everyone: Read
%SystemRoot%\system32\msjava.dll
The Microsoft Java Virtual Machine is required by Web Interface to execute its server-side logic.
The SYSTEM account needs read/execute permission.
The local IWAM_MachineName account needs read/execute permission.
The CTX_WEB_ADMIN account needs read/execute permission for WIAdmin and PNAgentAdmin.
ProgramFiles\Citrix\NFuse
This folder contains Java archives and property files required by Web Interface. The SYSTEM account needs read access.
If you are using explicit authentication, the local IWAM_MachineName account needs read access.
If you are using Desktop Credential Pass-through or Smart Card authentication, all end user accounts need read access.
The CTX_WEB_ADMIN account needs read access for WIAdmin and PNAgentAdmin.
IIS Metabase Permissions
The Web Interface installer makes modifications to the IIS metabase that create virtual directories, mark some directories as ASP applications, and facilitate the various forms of authentication. The following list summarizes the changes for each virtual directory:
/Citrix/MetaFrameXP/site
This folder should never be accessed directly through HTTP.
IIS permissions deny Read, Write and Directory browsing.
IIS execute permissions: None.
/Citrix/MetaFrameXP/default
This is a virtual directory whose physical path is /Citrix/MetaFrameXP/site. It is accessed by users during explicit or anonymous authentication.
Only Anonymous access is allowed with Read permission (but enabling Integrated Windows authentication fixes a problem where logon fails after using WIAdmin in the same browser window).
Marked as an ASP application. IIS execute permissions: Scripts only; Application protection: Medium (pooled).
/Citrix/MetaFrameXP/certificate
This is a virtual directory whose physical path is /Citrix/MetaFrameXP/site. It is accessed by users during Smart Card authentication.
Only Integrated Windows authentication is allowed with Read permission.
Marked as an ASP application. Execute permissions: Scripts only; Application protection: Medium (pooled).
Under Secure communications, require secure channel (SSL), require client certificates, and enable client certificate mapping.
/Citrix/MetaFrameXP/integrated
This is a virtual directory whose physical path is /Citrix/MetaFrameXP/site. It is accessed by users during Desktop Credential Pass-Through authentication.
Only Integrated Windows authentication is allowed with Read permission.
Marked as an ASP application. Execute permissions: Scripts only; Application protection: Medium (pooled).
Under Secure communications, SSL is not required and client certificates are ignored.
/Citrix/MetaFrameXP/WIAdmin
Marked as an ASP application. Execute permissions: Scripts only; Application protection: High (isolated).
Corresponds to a COM+ application that runs as CTX_WEB_ADMIN.
Administrators group and CTX_WEB_ADMIN account must have NTFS Modify permissions on the %ProgramFiles%\Citrix\NFuse\conf directory.
If the password for CTX_WEB_ADMIN is changed, the WIAdmin site fails until its corresponding COM+ application is reconfigured with the new password.
/Citrix/MetaFrameXP/PNAgentAdmin
Marked as an ASP application. Execute permissions: Scripts only; Application protection: High (isolated).
Corresponds to a COM+ application that runs as CTX_WEB_ADMIN.
Administrators group and CTX_WEB_ADMIN account must have NTFS Modify permissions on the wwwroot/Citrix/PNAgent directory.
If the password for CTX_WEB_ADMIN is changed, the PNAgentAdmin site fails until its corresponding COM+ application is reconfigured with the new password.
/Citrix/PNAgent/smartcard_enum.asp and smartcard_launch.asp
Only Integrated Windows authentication is allowed with Read permission.
Under Secure communications, require secure channel (SSL), require client certificates, and enable client certificate mapping.
/Citrix/PNAgent/template.ica and guest_template.ica
IIS file permissions deny Read access.
The Web Interface installer does not change the IIS metabase permissions on the following folder, but keep the following points in mind:
/Citrix/ICAWEB
Client binaries in this folder may be requested by a user’s Java Virtual Machine, which may not have access to any authentication cookies. Therefore, enable Anonymous authentication for this directory and all subdirectories.
Set the IIS execute permissions for this folder to Scripts Only or None to prevent ICA Client binaries from being executed by the Web server when they should simply be delivered to the user. When set to allow Scripts and executables, users receive a CGI time-out error when they attempt to download an ICA Client.
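As an added example that is not part of the original article, the following PowerShell reads the metabase settings listed above for each virtual directory through the IIS ADSI provider (IIS 5/6) and reports where the server differs from the documented values. The site number (1, the Default Web Site) and the metabase property names used are assumptions noted in the comments.

```powershell
# Added example, not from the Citrix article: compare the metabase settings of the virtual
# directories listed above with the values the article gives, using the IIS ADSI provider
# (IIS 5/6). Assumptions: site number 1 (the Default Web Site), and that the nodes carry the
# standard IIsWebVirtualDir/IIsWebFile properties named below. AppIsolated 2 = Medium
# (pooled), 1 = High (isolated); Integrated Windows authentication is AuthNTLM.
$siteRoot = 'IIS://localhost/W3SVC/1/Root'

# Expected per-node values taken from the article.
$expected = @{
  'Citrix/MetaFrameXP/site'         = @{ AccessRead=$false; AccessWrite=$false; EnableDirBrowsing=$false
                                         AccessScript=$false; AccessExecute=$false }
  'Citrix/MetaFrameXP/default'      = @{ AccessRead=$true; AccessScript=$true; AccessExecute=$false
                                         AuthAnonymous=$true; AppIsolated=2 }
  'Citrix/MetaFrameXP/certificate'  = @{ AccessRead=$true; AccessScript=$true; AccessExecute=$false
                                         AuthAnonymous=$false; AuthNTLM=$true; AppIsolated=2
                                         AccessSSL=$true; AccessSSLRequireCert=$true; AccessSSLMapCert=$true }
  'Citrix/MetaFrameXP/integrated'   = @{ AccessRead=$true; AccessScript=$true; AccessExecute=$false
                                         AuthAnonymous=$false; AuthNTLM=$true; AccessSSL=$false; AppIsolated=2 }
  'Citrix/MetaFrameXP/WIAdmin'      = @{ AccessScript=$true; AccessExecute=$false; AppIsolated=1 }
  'Citrix/MetaFrameXP/PNAgentAdmin' = @{ AccessScript=$true; AccessExecute=$false; AppIsolated=1 }
  'Citrix/PNAgent/template.ica'     = @{ AccessRead=$false }
  'Citrix/ICAWEB'                   = @{ AuthAnonymous=$true; AccessExecute=$false }
}

# Reads each expected property from one metabase node and emits one result object per property.
function Test-MetabaseNode {
  param([string]$RelPath, [hashtable]$Want)
  $node = [ADSI]"$siteRoot/$RelPath"
  foreach ($prop in $Want.Keys) {
    try   { $have = $node.psbase.InvokeGet($prop) }   # throws if the node or property is absent
    catch { $have = '<unreadable>' }
    $state = if ($have -eq $Want[$prop]) { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{ Node = $RelPath; Property = $prop; Want = $Want[$prop]; Have = $have; State = $state }
  }
}

$results = foreach ($rel in $expected.Keys | Sort-Object) { Test-MetabaseNode -RelPath $rel -Want $expected[$rel] }
$results | Format-Table -AutoSize
"$(@($results | Where-Object State -ne 'OK').Count) setting(s) differ from the documented configuration."
```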
Registry Permissions
Web Interface relies on classes that are written in Java and registered on the Web server. IIS must be able to find the registered classes and host them using the Microsoft Java Virtual Machine.
The SYSTEM, IWAM, and CTX_WEB_ADMIN accounts need read permission on all keys matching HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.citrix.nfuse.*.
The SYSTEM, IWAM, and CTX_WEB_ADMIN accounts need read permission on the following key to determine the Java class path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM.
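The following PowerShell, an added example that is not part of the original article, checks the folders from the NTFS File Permissions section and the Java VM registry key from this section against the accounts and rights the article names, and lists any principal holding Write access on the site folder. WebDir (C:\Inetpub\wwwroot) and the local naming of the IUSR_, IWAM_ and CTX_WEB_ADMIN accounts are assumptions.

```powershell
# Added example, not from the Citrix article: audit the NTFS and registry ACLs named in the
# NTFS File Permissions and Registry Permissions sections with Get-Acl. WebDir and the
# account names below are assumptions (IUSR_/IWAM_ are suffixed with the local machine name,
# CTX_WEB_ADMIN is a local account); adjust them to the server being audited. Run elevated.
$WebDir  = 'C:\Inetpub\wwwroot'
$Machine = $env:COMPUTERNAME

# (Path, Identity, Right) triples the article requires. FileSystemRights and RegistryRights are
# flag enums, so an ACE granting FullControl also satisfies a Read or Modify requirement.
$required = @(
  @{ Path = "$WebDir\Citrix\MetaFrameXP\NFuseIcons"; Id = 'NT AUTHORITY\Authenticated Users'; Right = 'FullControl' }
  @{ Path = "$WebDir\Citrix\MetaFrameXP\WIAdmin";    Id = 'BUILTIN\Administrators';            Right = 'FullControl' }
  @{ Path = "$WebDir\Citrix\PNAgent";                Id = "$Machine\CTX_WEB_ADMIN";            Right = 'Modify' }
  @{ Path = "$WebDir\Citrix\PNAgent";                Id = 'Everyone';                          Right = 'Read' }
  @{ Path = "$env:ProgramFiles\Citrix\NFuse\conf";   Id = "$Machine\CTX_WEB_ADMIN";            Right = 'Modify' }
  @{ Path = "$WebDir\Citrix\MetaFrameXP\site";       Id = "$Machine\IUSR_$Machine";            Right = 'Read' }
  @{ Path = "$WebDir\Citrix\ICAWEB";                 Id = 'Everyone';                          Right = 'Read' }
  @{ Path = "$env:SystemRoot\system32\msjava.dll";   Id = "$Machine\IWAM_$Machine";            Right = 'ReadAndExecute' }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Java VM';      Id = "$Machine\IWAM_$Machine";            Right = 'ReadKey' }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Java VM';      Id = 'NT AUTHORITY\SYSTEM';               Right = 'ReadKey' }
)

# Returns $true when some Allow ACE for $Id on $Path contains every bit of $Right.
function Test-RequiredAce {
  param([string]$Path, [string]$Id, [string]$Right)
  foreach ($ace in (Get-Acl -Path $Path).Access) {
    if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Id) { continue }
    # File ACEs expose FileSystemRights; registry ACEs expose RegistryRights.
    $have = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
    $want = [Enum]::Parse($have.GetType(), $Right)
    if (($have -band $want) -eq $want) { return $true }
  }
  return $false
}

foreach ($req in $required) {
  $state = if (-not (Test-Path $req.Path)) { 'NO PATH' } elseif (Test-RequiredAce @req) { 'OK' } else { 'MISSING' }
  "{0,-8} {1,-36} {2,-15} {3}" -f $state, $req.Id, $req.Right, $req.Path
}

# The article states no account needs Write access to the site folder: list any ACE that grants it.
$site = "$WebDir\Citrix\MetaFrameXP\site"
if (Test-Path $site) {
  (Get-Acl $site).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) } |
    ForEach-Object { "WRITE    $($_.IdentityReference.Value) can write to $site (review)" }
}
```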