Something I found after installing Citrix Secure Gateway (CSG) 3.1 on a server running Web Interface (WI) 5.0.1. It removed permissions from the “%ProgramFiles%\Citrix\Web Interface\5.0.1\Clients” folder and instructed it to inherrit from its parent.
Therefore, only the Administrators local group had full control.
This was causing problems for client updates and downloads via the CSG server.
An error in the Application Event Log was…
Event Type: Error
Event Source: Citrix Web Interface
Event Category: None
Event ID: 0
Date: 19/12/2008
Time: 8:33:45 AM
User: N/A
Computer: NOT-TELLING-01
Description:
Site path: c:\inetpub\wwwroot\Citrix\XenApp.
Due to an error, the file watcher could not be created at the path C:\Program Files\Citrix\Web Interface\5.0.1\Clients. [Log ID: e22724f9]
This could be correlated to a Security Log event that was suggesting that the Network Service account could not traverse the filesystem.
So after comparing it to a standard Web Interface 5.0.1 deployment without CSG 3.1 installed, I found that this folder had been given explicit permissions for the local Administrators, Authenticated Users and NETWORK SERVICE security principles.
So I guess I just needed to add them back in with the appropriate access.
- Administrators – Full Control
- Authenticated Users – Read & Execute
- NETWORK SERVICE – Read & Execute
Here is the XCACLS.vbs script I ran…
cscript.exe “%SystemRoot%\xcacls.vbs” “%ProgramFiles%\Citrix\Web Interface\5.0.1\Clients” /P ADMINISTRATORS:F “NETWORK SERVICE”:X “Authenticated Users”:X
I’m still not 100% sure what caused this in the first place, and haven’t had a chance to prove it, but I’m dubious about the CSG 3.1 deployment, so just thought I’d post this article for anyone else that may run into the same problem.
FYI, I use the Network Service account as the CSG services account as per the following deployment script…
@Echo Off Echo Citrix XenApp Deployment Echo ------------------------ Echo. Echo Revision History: Echo. Echo v2.0 04/12/08 Jeremy@jhouseconsulting.com Echo Updated for Secure Gateway 3.1 Echo. Echo ....Installing Secure Gateway 3.1..... Echo. Echo. Set CSGVersion=3.1 Set WIVersion=5.0.1 Set loglocation=%systemDrive%\bldlogs if not exist %loglocation% md %loglocation% :: Installing CSG Set SetupProperties=/qb Set SetupProperties=%SetupProperties% CTX_INSTALL_TYPE=GATEWAY Set SetupProperties=%SetupProperties% CTX_SERVICE_ACCOUNT="Network Service" Set SetupProperties=%SetupProperties% /Lv* %loglocation%\CSG_GWY%CSGVersion%.log Set SetupProperties=%SetupProperties% REBOOT=ReallySuppress start "Installing" /wait msiexec /i "%~dp0%CSGVersion%\CSG_GWY.MSI" %SetupProperties% :: Fixing up Web Interface Client Deployment Issues... cscript.exe "%SystemRoot%\xcacls.vbs" "%ProgramFiles%\Citrix\Web Interface\%WIVersion%\Clients" /P ADMINISTRATORS:F "NETWORK SERVICE":X "Authenticated Users":X Exit /b 0
