Nicholas Dille on Terminal Services and related technologies
Do you host your Web Interface on one or more XenApp servers? Then I recommend you heed this article before changing your setup. You may well loose your XML service when migrating the Web Interface to another server. And loosing your XML service may result in an outage of your application delivery infrastructure!
Continue reading ‘Beware of Hosting Web Interface on XenApp Servers’
After having published the XmlServiceReader, I have described how to use this tool to customize health check in XenApp Health Monitoring and Recovery (HMR). In this article I will cover health checks that to not apply to a single server but assure the operation of the farm as a service independently of individual servers.
Continue reading ‘Leveraging the XMLServiceReader for Custom Health Checks’
I have recently worked on an implementation for a customer and was concerned with a large number of group memberships. Although the solution for authenticating against the operating system are well documented by Microsoft (here, here and here), the XML service does not allow requests larger than 4KB. So if users have a large number of group memberships, authentication via the XML service can fail due to this limitation. But here’s the solution.
Continue reading ‘XML Service Chokes on Request Larger Than 4KB’
After publishing the XmlServiceReader and writing about the shortcomings of the health check for the XML service provided by Citrix, I like to expand on the process of creating a custom health check using the XmlServiceReader.
Continue reading ‘Using the XmlServiceReader with Health Monitoring and Recovery (HMR)’
You may well ask why I created a tool to send arbitrary requests to the XML service and parse the reply in scripts – which is, by the way, called XmlServiceReader. First of all, I did not like the tool included with the Health Monitoring and Recovery of Presentation Server and XenApp – called RequestTicket.exe – due to its limitation to being executed on the same host as the XML service is located. Furthermore, this tools has a hard-coded request and does not allow customization of the request sent to the XML service.
Continue reading ‘What does XMLServiceTester.exe in HMR do?’
Since I have released the XmlServiceExplorer and XmlServiceDigger, I have received several requests for another tool allowing for custom health checks against the XML service, e.g. see this comment. The XmlServiceReader is a command line tool sending arbitrary requests to the XML service and printing the reply to the same window. This output can be checked in a script to determine whether the reply is valid and the service fully operational.
Continue reading ‘Health Checking the XML Service with Custom Requests’
After writing and publishing the XmlServiceExplorer, I was asked several times just how much information is disclosed by the XML service. There were also comments (to one of my articles and in Brian’s forums) about a possible security breach caused by offering the access lists of all published applications which I described in a tutorial to the XmlServiceExplorer. Although it is possible to suppress the access lists being disclosed by the XML service, the switch is not documented. Continue reading ‘Reading Farm Information from the XML Service’
In an earlier article about the XmlServiceExplorer, I explained how to obtain the access list of all published applications in a farm from the XML service.
As this information is offered without authentication, it can be considered a security issue. The XML service should rather offer the resulting list of published applications based on the access lists instead of the access list themselves.
Fortunately, this behaviour of the XML service can be suppressed by changing a registry key on the Presentation Server / XenApp server:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\XML Service]
“ExposeAccessLists”=dword:00000000
Using the same settings as in the example of my earlier article, the XML service only returns an empty tag called Details.
This configuration option should also be able to settle the discussion in the security forum of Brian’s site.
Please note that this switch is not documented (as far as I know). Be sure to have tested this before deployment in a production environment.
In the last part of this tutorial about the XmlServiceExplorer, I introduced requesting useful information from the farm as well as resolving addresses.
Now, I’d like to demonstrate how chatty the XML service is when it comes to applications and their configuration. Some pieces of information are required for Web Interface to operate while others can be regarded as compromising. Continue reading ‘Debugging Using XmlServiceExplorer – Part 3′
In the first part of my tutorial about the XmlServiceExplorer, I have explained how session management is performed by the Web Interface and how the same behaviour can be reproduced by the XmlServiceExplorer. I recommend you also read the initial article: Talking to the XML Service. Continue reading ‘Debugging Using XmlServiceExplorer – Part 2′
