[THIN] KB: CTX105290 - After Running Microsoft IIS LockDown on MetaFrame XP, Web Interface Logons Fail

  • From: "Jim Kenzig kenzig.com" <jkenzig@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 16 Dec 2004 19:27:19 -0800 (PST)

CTX105290 - After Running Microsoft IIS LockDown on MetaFrame XP, Web Interface 
Logons Fail 

This document was published at: 
http://support.citrix.com/kb/entry.jspa?externalID=CTX105290 


Document ID: CTX105290, Created on: Dec 6, 2004, Updated: Dec 16, 2004 
Products: Citrix MetaFrame XP 1.0 for Microsoft Windows 2000 
 
Symptoms

After submitting credentials to the server running Web Interface, one of these 
errors may appear:

"ERROR: The Citrix MetaFrame servers cannot process your request at this time. 
The Citrix XML Service method is not supported. [405 Method not allowed.]"

"ERROR: The Citrix MetaFrame servers cannot process your request at this time. 
The Citrix MetaFrame servers sent HTTP headers indicating that an error 
occurred. [401 Access Denied.]"

In either case, /Scripts/wpnbr.dll is the URL from which an ICA client or a 
Web Interface server expects the data to be retrieved.

When the XML data is delivered by IIS, the configuration is called port 
sharing because both the Citrix XML Service and IIS are available on port 80. 
However, only IIS is running; wpnbr.dll is made available by being placed in 
the Inetpub\Scripts directory. This folder is set up for executable content by 
default when IIS is installed. Items in this folder are executed on the Web 
server instead of simply being returned as static files to a Web browser. 

Allowing executables to run on the Web server carries a security risk. By 
default, IISLockDown lessens this risk by disabling the execute rights for the 
/Scripts folder. If this happens, the XML data can no longer be provided to 
clients or Web Interface because the code in wpnbr.dll will not be allowed to 
execute.

Cause

If MetaFrame XP was using IIS port sharing to deliver the XML Service, IIS 
LockDown may break the XML Service by disabling the /Scripts virtual directory. 

Resolution

The following steps turn on the /Scripts folder again to allow IIS port sharing 
for the XML Service:

1. In Internet Services Manager, open the Default Web site. 

2. Right-click the /Scripts virtual directory and view its Properties. 

3. On the Virtual Directory tab, ensure that the Execute Permissions setting is 
Scripts and Executables. 

4. From the Directory Security tab, under Anonymous access and authentication 
control, click Edit.

5. Ensure that Anonymous access is enabled and click OK.
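
The same two settings can be checked from a command prompt. The script below is an added example, not part of the Citrix article: it reads the /Scripts virtual directory through the IIS ADSI provider and then lists the files in that folder, since every one of them becomes executable by anonymous callers once the steps above are applied. It assumes the Default Web site is site 1 in the metabase and that it is run with cscript.exe by a local administrator.

```vbscript
' Added example: audit /Scripts against the settings in the Resolution steps.
' Assumption: the Default Web site is metabase site 1 (W3SVC/1).
Option Explicit

Const VDIR_PATH = "IIS://localhost/W3SVC/1/Root/Scripts"

Dim vdir, fso, file, problems
problems = 0

On Error Resume Next
Set vdir = GetObject(VDIR_PATH)
If Err.Number <> 0 Then
    WScript.Echo "FAIL: cannot open " & VDIR_PATH & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 2
End If
On Error GoTo 0

' "Scripts and Executables" in the UI corresponds to both flags being set.
If vdir.AccessScript And vdir.AccessExecute Then
    WScript.Echo "OK:     Execute Permissions = Scripts and Executables"
Else
    WScript.Echo "FAIL:   Execute Permissions too low (AccessScript=" & _
        vdir.AccessScript & ", AccessExecute=" & vdir.AccessExecute & ")"
    problems = problems + 1
End If

If vdir.AuthAnonymous Then
    WScript.Echo "OK:     Anonymous access enabled"
Else
    WScript.Echo "FAIL:   Anonymous access disabled"
    problems = problems + 1
End If

' List the folder contents so anything besides wpnbr.dll gets a second look.
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists(vdir.Path) Then
    For Each file In fso.GetFolder(vdir.Path).Files
        If LCase(file.Name) = "wpnbr.dll" Then
            WScript.Echo "OK:     " & file.Name & " present"
        Else
            WScript.Echo "REVIEW: " & file.Name & " is also executable from the Web"
        End If
    Next
Else
    WScript.Echo "FAIL:   folder not found: " & vdir.Path
    problems = problems + 1
End If

WScript.Quit problems
```

The exit code is the number of failed checks, so the script can be rerun after IIS LockDown or other hardening passes to confirm the XML Service path is still intact.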

