Citrix: Mandatory Profiles and Microsoft Online Services Sign In client (User Certificates)


I’ve been working on a project where we’re building a XenApp/XenDesktop environment based on Windows 7/Windows 2008R2 with RES Workspace Manager and Automation Manager. One of the design decisions was to use mandatory profiles, which worked pretty great until we had to test the Microsoft Online Services Sign In client. This uses User Certificates, which are stored in the user profile... wait... Mandatory profiles, stored in the user profile... That’s not the best combination, so I did a search on the (excellent!) RES Software knowledge base and found the following article:

Cause 1
Solution 1.1 HOWTO: Preserve all Security and Certificates settings.
User Preferences can be used to preserve all Security and Certificates in user profiles.
Create a new User Setting and add the following:
- Type: Folder tree
- Folder: %USERPROFILE%\Application Data\Microsoft\SystemCertificates
- Type: Folder tree
- Folder: %USERPROFILE%\Application Data\Microsoft\Protect
- Type: Folder tree
- Folder: %USERPROFILE%\Application Data\Microsoft\Credentials
- Type: Registry tree
- HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
Configure the appropriate Access Control and click OK to save this User Setting.
Please note that this example is based on Windows XP/ Windows 2003. For Vista and Windows 2008 “Application Data” should be replaced with “AppData\Roaming”.
Review Whitepaper: “Streamlining User Settings in a Windows Environment” for more information about User Preferences. This Whitepaper can be found at: http://services.res.eu/Downloads/Stream.aspx?RequestGuid=813a5fb4-bc2e-44d9-b037-c5e39dc24129
Solution 1.2 – HOWTO: Preserve Java certificates with UserSettings
User Preferences can be used to preserve all Java Certificates that are used to sign Java applets:
Create a new User Setting and add the following:
- Type: File
- File: %LOCALAPPDATA%\Sun\Java\Deployment\security\trusted.certs
-or-
- Type: File
- File: %LOCALAPPDATA%Low\Sun\Java\Deployment\security\trusted.certs
The file will be created on one of both locations. Please verify on which location the file will be created and choose the appropriate location.
Configure the appropriate Access Control and click OK to save this User Setting.

But this wouldn’t work because the client would check the profile type, and when the profile state was mandatory it wouldn’t accept the user certificates, so we just went digging around and found the following two scripts:

logon.vbs

logoff.vbs

The main goal of these scripts is to set the profile state of the currently logged-on profile to 256, which ‘spoofs’ the profile, letting Windows think it’s a roaming profile so that the certificates can be stored. Knowing this, it was easy to create tasks that set the profile state to 256 at logon and back to the original value of the mandatory profile state at logoff, which got the Microsoft Online Services Sign In client to work.
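
The logon/logoff toggle described above, as an added PowerShell example; it is not the original logon.vbs or logoff.vbs. It assumes the profile state is the State value under the user's SID in the ProfileList registry key, and the SavedState value name and the -Mode/-Sid parameters are hypothetical names chosen for this example.

```powershell
# Added example, not the original logon.vbs/logoff.vbs.
# Assumptions: the profile state is the DWORD "State" under the user's SID in
# the ProfileList key below; "SavedState" is a hypothetical value name used
# only by this script. Run from an elevated task, passing the user's SID.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Logon', 'Logoff')][string]$Mode,
    [Parameter(Mandatory = $true)][string]$Sid
)

# Accept only account SIDs so no other registry key can be addressed.
if ($Sid -notmatch '^S-1-5-21(-\d+){4}$') { throw "Unexpected SID format: $Sid" }

$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
if (-not (Test-Path -LiteralPath $key)) { throw "No ProfileList entry for $Sid" }

$props = Get-ItemProperty -LiteralPath $key
$spoofed = 256   # value the post sets at logon

function Set-Dword([string]$Name, [int]$Value) {
    # New-ItemProperty -Force overwrites an existing value and keeps it a DWORD.
    New-ItemProperty -LiteralPath $key -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

switch ($Mode) {
    'Logon' {
        if ([int]$props.State -ne $spoofed) {
            # Record the mandatory-profile state first, so logoff restores
            # exactly what Windows wrote instead of a hard-coded number.
            Set-Dword 'SavedState' ([int]$props.State)
            Set-Dword 'State' $spoofed
        }
    }
    'Logoff' {
        if ($null -eq $props.SavedState) {
            Write-Warning "No saved state for $Sid; State left at $($props.State)"
        } else {
            Set-Dword 'State' ([int]$props.SavedState)
            Remove-ItemProperty -LiteralPath $key -Name 'SavedState'
        }
    }
}
```

Because the key is under HKEY_LOCAL_MACHINE, the task has to run with administrative rights rather than as the user, which is why the SID is passed in instead of being read from the current identity.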

For this blogpost I have to thank my colleague Misja Geuskens and Duco Rob from SBCSolutions.
