This document attempts to explain and answer common questions and scenarios associated with Citrix Anonymous user accounts.
Overview
Below is an excerpt from MetaFrame 1.8, MetaFrame Tools, MetaFrame Books Online, Find Tab, Anonymous, Section called Anonymous Users.
During MetaFrame installation, Setup creates a special user group called Anonymous. By default, this Citrix-created Windows user group contains 15 user accounts with account user names in the format Anonx, where x is a number in the form 000, 001, ... up to 015. Anonymous users have guest permissions by default. If an application published on the MetaFrame server can be accessed by guest-level users, the application can be configured (using Published Application Manager) to allow access by anonymous users. When a user starts an anonymous application, the MetaFrame server does not require an explicit user name and password to log the user on to the server, but selects a user from a pool of anonymous users who are not currently logged on.
Anonymous user accounts are granted minimal ICA session permissions. Anonymous user ICA connection permissions include the following properties that differ from standard ICA session permissions for the default user:
• Ten minute idle (no user activity) time-out
Note: The Anonymous user idle time can be changed by modifying the idle time setting within the properties of the user account. Additional information on this topic can be found in the section below titled Creating Additional Anonymous User Accounts.
• Logged off on broken connection or time-out
• No password is required
• User cannot change password
Anonymous user accounts do not have a persistent identity; no user information is retained when an anonymous user session ends. Any desktop settings, user-specific files, or other resources created or configured by the ICA Client user are discarded at the end of the ICA session.
Note: Anonymous users are not supported on a MetaFrame server configured as a domain controller. Never assign an explicit user to the Anonymous group, and never assign the Anonymous group or an anonymous user to an explicit group. The 15 anonymous user accounts created during MetaFrame installation usually do not require any further maintenance, but their properties can be modified using User Manager for Domains or Computer Management. Disable, do not delete, anonymous users if they are not to be enabled. This allows the quick recovery of Anonymous accounts in the case of a change in policy.
Known Issues
CTX111419 – Hotfix Rollup Pack PSE400W2K3R03 - For Citrix Presentation Server 4.0, Citrix Access Essentials 1.0 and 1.5 for Windows Server 2003
1. Anonymous users cannot unlock password protected screen savers invoked by Windows Group Policy settings. This happens because passwords for anonymous users are generated randomly. This fix prevents screen savers from being invoked in anonymous sessions. [From PSE400W2K3R03][#140195]
2. Anonymous users cannot unlock workstations locked by (other) anonymous users. This happens because passwords for anonymous users are generated randomly. This fix prevents anonymous users from locking workstations. [From PSE400W2K3R03][#141787]
Creating Additional Anonymous User Accounts
When additional user licenses are installed, anonymous users are not automatically created. Adding anonymous users is simply a matter of creating new users and assigning them to the Anonymous group. For security reasons, do not add these user accounts to any other groups. The easiest way to create additional anonymous users is to copy an existing anonymous user account.
Creating Anonymous Users under Windows 2003 Server and MetaFrame XP
There are two workarounds:
• Create as many anonymous users as required manually. Add these accounts to Remote Desktop Users, Guest, and Anonymous. Remove them from the Users group. Leave the password blank. The name of the anonymous user is not important, but it must be in Anonxxx format. Restart the server. All new anonymous accounts are then available for use.
• Let the server create accounts on demand. When the 15th anonymous user (15 is the number of users MetaFrame creates when it is installed) logs on, a 16th account is created but cannot log on immediately. After restarting the server, the 16th account is available for use, but the same happens with the 17th user (the account is created but is only usable after the server is restarted).
Important: The enhanced security features, by design, in Windows 2003 cause this issue. All built-in anonymous user accounts are disabled by default. Windows 2003, by default, doesn’t allow the creation of an account with a blank password without a policy change.
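The first workaround above can be scripted instead of being done account by account in Computer Management. The following batch file is an added example and is not part of the Citrix article: it creates a run of Anonxxx accounts with blank passwords on a Windows Server 2003 member server and places them in the groups the article lists. It assumes the built-in local groups Anonymous, Guests (the group the article calls "Guest"), Remote Desktop Users and Users, and it assumes the blank-password policy change described above has already been made; if it has not, account creation fails and the script reports it rather than silently leaving a half-configured account.

```batch
@echo off
rem Added example, not from the Citrix article: scripts the manual
rem Windows 2003 / MetaFrame XP workaround for extra anonymous accounts.
rem Run from an administrative command prompt on the MetaFrame server.
rem Usage: addanon.cmd first last   e.g. addanon.cmd 15 19 creates Anon015..Anon019
setlocal enabledelayedexpansion

if "%~2"=="" (
    echo Usage: %~nx0 first last
    exit /b 1
)

for /l %%N in (%~1,1,%~2) do (
    rem zero-pad the number to three digits so the name keeps the Anonxxx pattern
    set "NUM=00%%N"
    set "NAME=Anon!NUM:~-3!"

    rem blank password, never expires, user cannot change it; on Windows 2003
    rem this fails until the minimum password length policy allows blank passwords
    net user "!NAME!" "" /add /expires:never /passwordchg:no /comment:"Citrix anonymous user" >nul
    if errorlevel 1 (
        echo !NAME!: account not created - check the minimum password length policy
    ) else (
        net localgroup Anonymous "!NAME!" /add >nul
        net localgroup Guests "!NAME!" /add >nul
        net localgroup "Remote Desktop Users" "!NAME!" /add >nul
        rem drop Users membership so the account keeps only guest-level rights
        net localgroup Users "!NAME!" /delete >nul
        echo !NAME!: created and placed in Anonymous, Guests and Remote Desktop Users
    )
)

echo Restart the server before the new accounts are used.
endlocal
```

Run it once per batch of accounts you need; the server must still be restarted afterwards, as the article states, before the new accounts are picked up by MetaFrame.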
With MetaFrame 1.8/XP for Windows 2000
Anonymous user accounts are automatically created when connections to anonymous published applications exceed the existing number of anonymous user accounts. The anonymous user account is not removed when the anonymous session ends. The number of simultaneous anonymous users is restricted to the number in the registry value MaxAnonymousUsers under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix, or to the default of 99. Increase this value if more simultaneous anonymous connections are required.
Example: If all 15 anonymous accounts are being used and a 16th user launches an anonymous session, another account is dynamically created. This behavior continues until the maximum number set in the registry key above is reached. If the maximum threshold is reached, the next attempt at an anonymous connection is prompted with the Windows NT logon screen asking for a valid user ID and password.
Note: The Anonymous user idle time can be changed by modifying the idle time setting within the properties of the user account. In addition, to ensure new automatically generated Anonymous accounts have the appropriate "idle time" setting, modify the registry value AnonymousUserIdleTime under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix. Otherwise, the newly generated accounts will be set for an idle time of 10 minutes.
With MetaFrame 1.8 for Terminal Server 4.0
1. Run User Manager for Domains: on the MetaFrame desktop, click Start, point to Programs, point to Administrative Tools, and click User Manager for Domains.
2. From the User menu, click Select Domain.
3. Enter the computer name of the MetaFrame server in Domain and click OK.
4. Select an existing anonymous user.
5. From the User menu, click Copy.
6. Enter a unique name in Username and click Add.
- Note: Though not a requirement, it is best to use names of the form Anonxxx, following the pattern of the existing anonymous users. You can use any name as long as the user is part of the Anonymous group.
7. Repeat to add multiple users.
8. When you are done adding anonymous users, click Close.
9. Exit User Manager for Domains.
Note: The new user accounts are not available until the MetaFrame server is rebooted.
To modify anonymous user settings, follow the steps below:
1. Run User Manager for Domains.
2. From the User menu, click Select Domain.
3. Type the computer name of the MetaFrame server in Domain and click OK.
4. Select the anonymous users.
5. From the User menu, click Properties.
6. Change the properties as desired.
7. Click OK in the User Properties dialog box.
8. Exit User Manager for Domains.
Anonymous User Accounts and their Password
This section describes a configurable registry setting, available once Service Pack 5C or later has been applied to WinFrame 1.8, or Service Pack 1 or later to MetaFrame 1.8 for Windows NT 4.0, Terminal Server Edition, that allows you to toggle the random generation of Anonymous user passwords. In WinFrame 1.7 and MetaFrame 1.0, this behavior is the default without having to add the registry key below.
Before WinFrame/MetaFrame 1.8, anonymous users had blank passwords. A user on a Win32 Client could log on to an anonymous published application and then type the following on his local machine to map a network share:
net use * \\server\share /user:anonxxx
This assumes the remote network share has a domain or locally created anonymous account with the same number and a blank password which also has sufficient permissions to the NTFS share.
This security loophole was closed in WinFrame 1.8 and MetaFrame 1.8 for Windows NT 4.0, Terminal Server Edition, with a random password being assigned to anonymous users each time they logged on. Unfortunately, some users were specifically utilizing the loophole and were familiar with that default behavior. With this registry change, anonymous passwords can be assigned by an administrator.
- Note: For WinFrame 1.8, Service Pack 5C or later must be applied; for MetaFrame 1.8 for Windows NT 4.0, Terminal Server Edition, Service Pack 1 or later must be applied:
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).
1. Run Regedt32.exe.
2. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. With the Winlogon key highlighted, select Edit from the menu.
4. Select Add Value.
5. Add the following value, if not already present:
Value: AnonPassword
Type: REG_SZ
String: password
Note: The String value is where you place the actual password that you want assigned to an anonymous user.
6. Reboot the MetaFrame Server.
7. From the Client, make a connection to an anonymous published desktop application.
8. Open a command prompt.
9. Type net use * \\fileserver\share /user:anonxxx, /user:%username%, or /user:domain\anonxxx
Note: If prompted for a password, the MetaFrame server was, most likely, not rebooted, the passwords do not match, or the anonymous accounts do not reside on the local fileserver or domain. This scenario can be simulated with local member MetaFrame Server and local fileserver NT/Windows 2000 accounts.
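The three registry values this article relies on (MaxAnonymousUsers and AnonymousUserIdleTime under the Citrix key in the earlier MetaFrame 1.8/XP section, and AnonPassword under Winlogon in this section) are easier to audit from a command prompt than in Regedt32. The batch file below is an added example and is not part of the Citrix article: with no arguments it reports the current state of all three values and spells out what the article says the defaults are when a value is absent, and with an argument it sets one of them. It assumes the reg.exe syntax that ships with Windows XP/2003 (the Resource Kit reg.exe on NT 4.0 and Windows 2000 uses a different syntax); AnonPassword is REG_SZ as the article states, while the REG_DWORD type for the two Citrix values is an assumption, since the article does not give their type.

```batch
@echo off
rem Added example, not from the Citrix article: shows or sets the registry
rem values that control MetaFrame anonymous accounts. Run as an administrator.
rem Usage: anonreg.cmd                 show current values
rem        anonreg.cmd setmax 150      set MaxAnonymousUsers
rem        anonreg.cmd setidle 30      set AnonymousUserIdleTime
rem        anonreg.cmd setpw secret    set AnonPassword (Winlogon)
rem Assumption: MaxAnonymousUsers and AnonymousUserIdleTime are REG_DWORD;
rem the article gives neither the type nor the units of the idle value.
setlocal
set "CITRIX=HKLM\SYSTEM\CurrentControlSet\Control\Citrix"
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

if /i "%~1"=="setmax" goto setmax
if /i "%~1"=="setidle" goto setidle
if /i "%~1"=="setpw" goto setpw
goto show

:setmax
reg add "%CITRIX%" /v MaxAnonymousUsers /t REG_DWORD /d %~2 /f >nul
goto show

:setidle
reg add "%CITRIX%" /v AnonymousUserIdleTime /t REG_DWORD /d %~2 /f >nul
goto show

:setpw
rem a fixed AnonPassword means every anonymous session can authenticate to
rem other hosts as Anonxxx, which is the pre-1.8 behaviour the article describes
reg add "%WINLOGON%" /v AnonPassword /t REG_SZ /d "%~2" /f >nul
goto show

:show
echo --- MetaFrame anonymous account settings (changes need a reboot) ---
reg query "%CITRIX%" /v MaxAnonymousUsers 2>nul || echo MaxAnonymousUsers not set: default of 99 applies
reg query "%CITRIX%" /v AnonymousUserIdleTime 2>nul || echo AnonymousUserIdleTime not set: new accounts get 10 minutes
reg query "%WINLOGON%" /v AnonPassword 2>nul && echo AnonPassword present: anonymous users share a fixed password || echo AnonPassword absent: passwords are generated randomly at logon
endlocal
```

The show mode is the useful part for a periodic check: an AnonPassword value that nobody remembers setting is exactly the condition the article describes as a loophole, and reg query makes that visible without opening a registry editor on a production server.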
How to Allow Anonymous Applications Requiring Database Access to Connect to a Database
Many database applications rely on their own authentication and can therefore be published anonymously. These "anonymous applications" utilize local server accounts and have no rights beyond the MetaFrame server.
To enable a trusted connection to the database server, an IPC$ connection can be established. If the application is published inside a .bat file, the IPC$ connection can be established before the application is launched. The account used can be a generic domain login ID or, if there is only one database server, a local account can be used.
Using a domain account: net use \\sqlserver\ipc$ /user:domain\username password
OR
Using a local account: net use \\sqlserver\ipc$ /user:username password
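A complete wrapper of the kind the paragraph above describes, as an added example that is not part of the Citrix article: it is the .bat file you would publish in place of the application itself. The server name \\sqlserver, the account DOMAIN\svc_dbapp and the path C:\App\dbapp.exe are placeholders. Beyond the single net use line shown above, it clears any connection left by an earlier session of the same anonymous account, refuses to start the application if the connection fails, and removes the connection when the application exits so that the credentials do not outlive the session.

```batch
@echo off
rem Added example, not from the Citrix article: published wrapper that sets up
rem the IPC$ connection to the database server before the application starts
rem and removes it afterwards. All names below are placeholders.
set "DBSERVER=\\sqlserver"
set "DBUSER=DOMAIN\svc_dbapp"
set "DBPASS=placeholder-password"
set "APP=C:\App\dbapp.exe"

rem an anonymous account is reused across sessions, so drop any stale connection
net use %DBSERVER%\ipc$ /delete >nul 2>&1

rem establish the trusted connection; stop here if it cannot be made
net use %DBSERVER%\ipc$ /user:%DBUSER% %DBPASS% >nul
if errorlevel 1 (
    echo Could not connect to %DBSERVER% as %DBUSER% - the database is not reachable
    exit /b 1
)

rem /wait keeps the wrapper alive until the application window closes
start "" /wait "%APP%"

rem remove the credentials from the session once the application has exited
net use %DBSERVER%\ipc$ /delete >nul
exit /b 0
```

Because the file carries the account password, it belongs in a directory that anonymous users can execute from but not read or modify, and the account itself should be one that has no rights anywhere except the database server.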