Citrix: Mandatory Profiles and Microsoft Online Services Sign In client (User Certificates)

I’ve been working on a project where we’re building a XenApp/XenDesktop environment based on Windows 7/Windows 2008 R2 with RES Workspace Manager and Automation Manager. One of the design decisions was to use mandatory profiles, which worked pretty great until we had to test the Microsoft Online Services Sign In client. This client uses user certificates, which are stored in the user profile.. wait.. mandatory profiles, stored in the user profile.. That’s not the best combination, so I did a search on the (excellent!) RES Software knowledge base and found the following article:

Cause 1
Solution 1.1 – HOWTO: Preserve all Security and Certificates settings.

User Preferences can be used to preserve all Security and Certificates in user profiles. Create a new User Setting and add the following:
- Type: Folder tree – Folder: %USERPROFILE%\Application Data\Microsoft\SystemCertificates
- Type: Folder tree – Folder: %USERPROFILE%\Application Data\Microsoft\Protect
- Type: Folder tree – Folder: %USERPROFILE%\Application Data\Microsoft\Credentials
- Type: Registry tree – HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
Configure the appropriate Access Control and click OK to save this User Setting.
Please note that this example is based on Windows XP / Windows 2003. For Vista and Windows 2008, “Application Data” should be replaced with “AppData\Roaming”.
Review the whitepaper “Streamlining User Settings in a Windows Environment” for more information about User Preferences. This whitepaper can be found at: http://services.res.eu/Downloads/Stream.aspx?RequestGuid=813a5fb4-bc2e-44d9-b037-c5e39dc24129
Solution 1.2 – HOWTO: Preserve Java certificates with UserSettings
User Preferences can be used to preserve all Java Certificates that are used to sign Java applets. Create a new User Setting and add the following:
- Type: File – File: %LOCALAPPDATA%\Sun\Java\Deployment\security\trusted.certs
-or-
- Type: File – File: %LOCALAPPDATA%Low\Sun\Java\Deployment\security\trusted.certs
The file will be created in one of both locations. Please verify in which location the file is created and choose the appropriate location. Configure the appropriate Access Control and click OK to save this User Setting.

But this wouldn’t work, because the client checks the profile type and, when the profile state is mandatory, it won’t accept the user certificates. So we went digging around and found the following two scripts:

logon.vbs

logoff.vbs

The main goal of these scripts is to set the profile state of the currently logged-on profile to 256, which ‘spoofs’ the profile by letting Windows think it’s a roaming profile and therefore allows the certificates to be stored. Knowing this, it was easy to create tasks that set the profile state to 256 at logon and restore the original value of the mandatory profile state at logoff, which got the Microsoft Online Services Sign In client working.
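The same logon/logoff pattern as an added PowerShell example (this is not the post’s logon.vbs/logoff.vbs, which are not reproduced on the page). It assumes the profile state the post refers to is the State value under the ProfileList key for the user’s SID, which the post does not name; the backup value name StateBeforeSpoof is made up for the example.

```powershell
param(
    [ValidateSet('logon', 'logoff')] [string] $Phase,
    # SID of the user logging on. Defaults to the caller, so pass it explicitly
    # when the task runs under a service account instead of the user's session.
    [string] $UserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
)

# Assumption: the profile state lives here (the post only says "profile state").
$ProfileList  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$BackupValue  = 'StateBeforeSpoof'   # hypothetical value name that remembers the original State
$SpoofedState = 256                  # the value the post sets so the client accepts user certificates

function Get-ProfileKey {
    $key = Join-Path $ProfileList $UserSid
    if (-not (Test-Path $key)) { throw "No ProfileList entry for SID $UserSid" }
    return $key
}

function Set-SpoofedProfileState {
    # Logon task: remember the real State, then write 256. The key is under HKLM,
    # so this needs administrative rights (e.g. an elevated RES task).
    $key   = Get-ProfileKey
    $props = Get-ItemProperty -Path $key
    if ($null -ne $props.$BackupValue) {
        # A previous session ended without the logoff task (crash, reset). The existing
        # backup still holds the genuine mandatory state, so do not overwrite it with 256.
        Write-Verbose 'Backup value already present; keeping it'
    } else {
        New-ItemProperty -Path $key -Name $BackupValue -Value $props.State -PropertyType DWord | Out-Null
    }
    Set-ItemProperty -Path $key -Name State -Value $SpoofedState -Type DWord
}

function Restore-ProfileState {
    # Logoff task: put the original (mandatory) state back and remove the backup marker.
    $key   = Get-ProfileKey
    $props = Get-ItemProperty -Path $key
    if ($null -eq $props.$BackupValue) { return }   # nothing was spoofed, nothing to restore
    Set-ItemProperty -Path $key -Name State -Value ([int]$props.$BackupValue) -Type DWord
    Remove-ItemProperty -Path $key -Name $BackupValue
}

switch ($Phase) {
    'logon'  { Set-SpoofedProfileState }
    'logoff' { Restore-ProfileState }
}
```

A logoff task that never runs leaves the profile spoofed until the next logoff, which is why the logon side keeps an existing backup instead of overwriting it with 256.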

For this blogpost I have to thank my colleague Misja Geuskens and Duco Rob from SBCSolutions.


Kees Baggerman

Kees Baggerman is a Staff Solutions Architect for End User Computing at Nutanix. Kees has driven numerous Microsoft and Citrix, and RES infrastructures functional/technical designs, migrations, implementations engagements over the years.

One comment

  1. Kees, I just had a user certificate in the form ‘.pxf/.p12’ for which it was necessary to include appdata\roaming\microsoft\crypto\rsa\*.*; in Citrix User Profile Management I had to specify the file using *.*, because the RSA folder containing the file was not sufficient.

    By the way, ‘Credentials’ is a folder under appdata\roaming and not a registry tree.
