CTX105290 - After Running Microsoft IIS LockDown on MetaFrame XP, Web Interface Logons Fail This document was published at: http://support.citrix.com/kb/entry.jspa?externalID=CTX105290 Document ID: CTX105290, Created on: Dec 6, 2004, Updated: Dec 16, 2004 Products: Citrix MetaFrame XP 1.0 for Microsoft Windows 2000 Symptoms After submitting credentials to the server running Web Interface, one of these errors may appear: ?ERROR: The Citrix MetaFrame servers cannot process your request at this time. The Citrix XML Service method is not supported. [405 Method not allowed.]? ?ERROR: The Citrix MetaFrame servers cannot process your request at this time. The Citrix MetaFrame servers sent HTTP headers indicating that an error occurred. [401 Access Denied.]? In either case, /Scripts/wpnbr.dll, is the URL from which an ICA client or a Web Interface server expects the data to be retrieved. If the XML data is being delivered by IIS, this is port sharing because both the Citrix XML Service and IIS are available on port 80. However, only IIS is running and the wpnbr.dll is made available by being placed in the Inetpub\Scripts directory. This folder is set up for executable content by default when IIS is installed. Items in this folder are executed on the Web server instead of simply being returned as static files to a Web browser. Allowing executables to run on the Web server carries a security risk. By default, IISLockDown lessens this risk by disabling the execute rights for the /Scripts folder. If this happens, the XML data can no longer be provided to clients or Web Interface because the code in wpnbr.dll will not be allowed to execute. Cause If MetaFrame XP was using IIS port sharing to deliver the XML Service, IIS LockDown may break the XML Service by disabling the /Scripts virtual directory. Resolution The following steps turn on the /Scripts folder again to allow IIS port sharing for the XML Service: 1. In Internet Services Manager, open the Default Web site. 2. Right-click the /Scripts virtual directory and view its Properties. 3. On the Virtual Directory tab, ensure that the Execute Permissions setting is Scripts and Executables. 4. From the Directory Security tab, under Anonymous access and authentication control, click Edit. 5. Ensure that Anonymous access is enabled and click OK.