Virtual Apps : Published Application GUI Is Not Visible On the Client Side Even Though the Application is Launched on the VDA



Article ID: CTX269653


Description

On 2012 R2 servers, when a published application is launched, the application instance shows up in the VDA's Task Manager, but the application UI is not seen on the client side. The issue was not seen on 2016 servers.


All 2012 R2 VDAs were manually created, so the issue is not related to a specific image.

Using Process Explorer, it was identified that the Citrix hooks were not loading.

Comparing working Procmon traces from a 2016 VDA with non-working Procmon traces from a 2012 R2 VDA, we found that the non-working traces contained many ACCESS DENIED results on SystemCertificates for userinit.exe and for Citrix binaries such as cmstart.exe and wfshell.exe, which are crucial for app launch. We did not see this behaviour in the working Procmon trace.
 


On further Procmon analysis, it was found that the AuthenticodeEnabled policy was set to 1 (Enabled) on the non-working VDA but was disabled on the working VDA.
 

Non-Working Procmon

 

2:19:29.7291260 PM      winlogon.exe     588       RegQueryValue            HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled  SUCCESS           Type: REG_DWORD, Length: 4, Data: 1          

 

Working Procmon

 

3:04:53.0353112 PM      wfshell.exe        4504     RegQueryValue            HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled  SUCCESS           Type: REG_DWORD, Length: 4, Data: 0          


This Authenticode policy corresponds to the GPO setting "System settings: Use certificate rules on Windows executables for Software Restriction Policies".
 

With this GPO enabled, every executable has to be trusted before it executes. A search of Salesforce and online sources found similar issues with this policy enabled, where certificates failed the CRL check, which happens over OCSP, causing issues with app launch.

The issue is not seen in RDP as it is a Microsoft product, and the related executables may be using a set of certificates that could be part of the machine certificates. However, ICA needs a different set of certificates, for which it is required to contact the OCSP (Online Certificate Status Protocol) server.
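The working versus non-working trace comparison described above can be scripted against Procmon CSV exports. This is an added example, not part of the original article or any Citrix tooling; it assumes Procmon's default CSV columns, and the sample rows and the SystemCertificates key path are constructed.

```python
import csv
import io
import re
from collections import Counter

POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled"
# Assumed example key under SystemCertificates; the article does not list exact paths.
CERT_KEY = r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT"
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'

def row(*fields):
    """Build one CSV line in Procmon's quoted export style."""
    return ",".join(f'"{f}"' for f in fields) + "\n"

# Constructed sample traces (illustrative rows, not captured data).
NON_WORKING = HEADER + "".join([
    row("2:19:29.72 PM", "winlogon.exe", 588, "RegQueryValue", POLICY, "SUCCESS", "Type: REG_DWORD, Length: 4, Data: 1"),
    row("2:19:30.01 PM", "userinit.exe", 2100, "RegOpenKey", CERT_KEY, "ACCESS DENIED", "Desired Access: Read"),
    row("2:19:30.40 PM", "cmstart.exe", 2316, "RegOpenKey", CERT_KEY, "ACCESS DENIED", "Desired Access: Read"),
    row("2:19:30.90 PM", "wfshell.exe", 2480, "RegOpenKey", CERT_KEY, "ACCESS DENIED", "Desired Access: Read"),
    row("2:19:31.10 PM", "wfshell.exe", 2480, "RegOpenKey", CERT_KEY, "ACCESS DENIED", "Desired Access: Read"),
])
WORKING = HEADER + "".join([
    row("3:04:53.03 PM", "wfshell.exe", 4504, "RegQueryValue", POLICY, "SUCCESS", "Type: REG_DWORD, Length: 4, Data: 0"),
    row("3:04:53.20 PM", "wfshell.exe", 4504, "RegOpenKey", CERT_KEY, "SUCCESS", "Desired Access: Read"),
])

def analyze(trace_csv):
    """Return the last AuthenticodeEnabled value read and per-process certificate-store denials."""
    policy, denied = None, Counter()
    for r in csv.DictReader(io.StringIO(trace_csv)):
        path = r["Path"].lower()
        if path == POLICY.lower() and r["Operation"] == "RegQueryValue" and r["Result"] == "SUCCESS":
            m = re.search(r"Data:\s*(\d+)", r["Detail"])
            if m:
                policy = int(m.group(1))
        elif "\\systemcertificates" in path and r["Result"] == "ACCESS DENIED":
            denied[r["Process Name"]] += 1
    return {"authenticode_enabled": policy, "cert_access_denied": dict(denied)}

def compare(working_csv, failing_csv):
    """Summarise what differs between a working and a non-working VDA trace."""
    good, bad = analyze(working_csv), analyze(failing_csv)
    return {
        "policy_working": good["authenticode_enabled"],
        "policy_failing": bad["authenticode_enabled"],
        "denied_only_on_failing": sorted(set(bad["cert_access_denied"]) - set(good["cert_access_denied"])),
    }

if __name__ == "__main__":
    print(compare(WORKING, NON_WORKING))
```

For a real export, read the file with `encoding="utf-8-sig"` so that a leading byte-order mark, if present, does not corrupt the first column name.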


Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

Disable the GPO under Computer Settings: Use certificate rules on Windows executables for Software Restriction 

Other Recommendations

As documented in the Microsoft article below, if you enable certificate rules, software restriction policies check a certificate revocation list (CRL) to verify that the software's certificate and signature are valid. This checking process may negatively affect performance when signed programs start. To disable this feature, you can edit the software restriction policies in the appropriate GPO. In the Trusted Publishers Properties dialog box, clear the Publisher and Timestamp check boxes.
 

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies
 

1.    If internet access is enabled on the VDAs and the issue still occurs, you can edit the software restriction policies in the appropriate GPO. In the Trusted Publishers Properties dialog box, clear the Publisher and Timestamp check boxes.



OR

2.    Try following the steps below on the VDA.

 
 

Problem Cause

Citrix executables were not trusted by the OS when "System settings: Use certificate rules on Windows executables for Software Restriction" was enabled. Hence, the Citrix modules were not loaded, resulting in the application UI not being visible.

Additional Information

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies

https://support.citrix.com/article/CTX134804