[THIN] FW: Issue With W2K SP3 Citrix/Terminal Servers and MS04-011(835732)

  • From: Henry Sieff <hsieff@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 27 Apr 2004 09:33:54 -0500

Thought I'd pass this on.

> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Manskopf, Michael
> Sent: Friday, April 23, 2004 5:45 PM
> To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Issue With W2K SP3 Citrix/Terminal Servers and MS04-011(835732)
> 
> 
> We patched half of our W2K SP3 Terminal Servers last night with MS04-011,
> MS04-012, and MS04-014. This morning all of the users logging into the
> patched servers were not able to access their roaming profile and created
> local profiles on the Terminal Servers instead.
> 
> Here's what we've determined so far.
> 
> We have users (clients) in a Windows 2000 SP3 forest connecting through
> Citrix on Windows 2000 SP3 Terminal Servers, which are located in another
> Windows 2000/2003 forest.
> All of the users that are connecting through Citrix/Terminal servers that
> have been patched with 835732 are unable to load their roaming profiles, so
> local profiles are created instead on each Citrix/Terminal server.
> 
> The error in the Application Log is as follows:
> 
> Event Type:     Information
> Event Source:   Userenv
> Event Category: None
> Event ID:       1000
> Date:           23/04/2004
> Time:           12:36:41 PM
> User:           NT AUTHORITY\SYSTEM
> Computer:       %servername%
> Description: The logged on user's forest is different from the machine's
> forest. Cross Forest Group Policy processing is disabled and loopback
> processing has been enforced in this forest for this user account.
> 
> 
> This appears to be a "Cross-Forest" issue that should only affect Windows
> 2000 SP4 and Windows 2003, but is affecting our Windows 2000 SP3
> Citrix/Terminal Servers. The SP4 issue is mentioned in this KB article:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823862
> 
> What appears to be happening is that an SP4 Cross-Forest security "feature"
> is activating the Group Policy setting for "Allow Cross-Forest User Policy
> and Roaming User Profiles" policy under
> \Computer Configuration\Administrative Templates\System\Group Policy.
> We tried to enable the policy to see if that would fix it, but it only made
> things worse and affected the previously unaffected users as well. We think
> that since our Citrix/Terminal Servers are Windows 2000 SP3, they seem to
> "see" the SP4 policy, but don't understand it. There must be some updated
> component in the 835732 patch that is allowing SP3 machines to "see" the
> SP4 policy.
> 
> As soon as we uninstalled the 835732 patch from one of these
> Citrix/Terminal servers, users were able to access their roaming profiles
> normally again.
> We're going to keep experimenting with this on one of our test servers.
> Will keep you updated. If anyone else has any info, please let me know.
> 
> 
> Michael Manskopf
> IT - Technology and Infrastructure Group
> CANACCORD CAPITAL CORP.
> #2200 - 609 Granville Street,
> Vancouver, B.C.
> V7Y 1H2
> TEL: (604) 643-7605
> CEL: (604) 841-1534
> EMAIL: <mailto:Michael_Manskopf@xxxxxxxxxxxxx>
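An added example, not part of the original post: a small Python parser for Application-log text in the layout quoted above, counting Userenv event 1000 cross-forest notices per server so patched and unpatched Terminal Servers can be compared. The sample records and server names are constructed; mail quote markers and wrapped Description lines are handled.

```python
import re
from collections import Counter

FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|"
                   r"Time|User|Computer|Description):\s*(.*)$")
CROSS_FOREST = "user's forest is different from the machine's forest"

def parse_events(text):
    """Yield one dict per blank-line-separated event record."""
    text = re.sub(r"(?m)^(?:>[ \t]?)+", "", text)  # drop mail quote markers
    for block in re.split(r"\n\s*\n", text.strip()):
        event, last = {}, None
        for line in map(str.strip, block.splitlines()):
            m = FIELD.match(line)
            if m:
                last = m.group(1)
                event[last] = m.group(2)
            elif last:  # wrapped continuation of the previous field
                event[last] += " " + line
        if event:
            yield event

def affected_servers(text):
    """Count Userenv event 1000 cross-forest notices per computer."""
    return dict(Counter(
        ev.get("Computer", "unknown") for ev in parse_events(text)
        if ev.get("Event Source") == "Userenv" and ev.get("Event ID") == "1000"
        and CROSS_FOREST in ev.get("Description", "").lower()))

# Constructed sample (trimmed fields, made-up server names), not real logs.
SAMPLE = """\
Event Source:   Userenv
Event ID:       1000
Computer:       TS-PATCHED-01
Description: The logged on user's forest is different from
the machine's forest. Cross Forest Group Policy processing is disabled.

> Event Source:   Userenv
> Event ID:       1000
> Computer:       TS-PATCHED-01
> Description: The logged on user's forest is different from the machine's forest.

Event Source:   Userenv
Event ID:       1000
Computer:       TS-UNPATCHED-02
Description: Constructed unrelated Userenv message.
"""

print(affected_servers(SAMPLE))
```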