How to Resolve Application Errors Caused by Insufficient Rights
Citrix states in their article CTX255624 - How to Resolve Application Errors Caused by Insufficient Rights

This document was published at: http://support.citrix.com/kb/entry.jspa?externalID=CTX255624

Document ID: CTX255624, Created on: May 31, 2000, Updated: Jun 25, 2003

Products: Citrix MetaFrame 1.8 for Microsoft NT 4.0 Server Terminal Server Edition, Citrix WinFrame 1.8

Regular User or Anonymous accounts may fail to run an application within a Citrix ICA session. For anonymous published applications that are failing, typically a User account also fails. Making the User class part of the local and/or Domain Administrators group usually grants the User account sufficient rights to successfully execute the application. This often means that there is a file rights issue on the server(s) in question.

Please follow the steps below to resolve these types of issues:

1. Verify what happens with the particular User account at the server console. If the error appears at the console level, the problem is most likely with the application itself. Ensure the error can be corrected on the console before continuing.

2. Add the User to the local and/or Domain Administrator group. Retest the account at the console. If the application executes, move to Step 3. If the application still fails to execute, it is more likely an application configuration problem.

3. Log on to the server as an administrator. If the Citrix server giving the error is a domain controller, only a Domain account can log on (there are no local accounts). If the Citrix server giving the error is a standalone server, log on to the server as a local administrator. If the Citrix server giving the error is a member server in a domain, select the local server name in the drop down box for the server at the Logon prompt.

4. Enable auditing in User Manager for Domains. From the Policies Menu choose Audit. Typically it is enough to select File and Object Access for failure.

5. Audit the directory of your choice; %systemroot%\system32 is a good start and is most commonly the problem. Begin by right clicking the directory, selecting Properties, Security, Auditing. Add the name of the user to be audited. Check both the Replace Auditing on Subdirectories and Replace Auditing on Existing Files boxes. Also, check off all failures to be audited. Press OK.

6. If you receive an error message that the Pagefile.sys cannot be audited, press OK.

7. You may receive one of the following error messages when setting up auditing on the directory of choice: "The current Audit Policy doesn't have auditing turned on. Ask an Administrator to use User Manager to turn on auditing." If this error is displayed, ensure that auditing is enabled for the local SAM database via the domain SAM in User Manager for Domains.

8. Connect to the server desktop as an administrator, open the Event Viewer, and select the Security Log.

9. With a second session to the server desktop, make a "duplicate" copy of a custom ICA connection if needed. Connect with the name of the user you are auditing.

10. When the user has a desktop, delete any entries in the Security Log.

11. Execute the application and acknowledge any error messages.

12. Recheck the Security Log for any new entries. Choose View and then Refresh if needed.

13. Double-click each logged entry (there only should be a few). Note the file path and subsequent dll and exe files. Check the permissions on each file. Locate the file to which the user does not have access and is causing the failure. Adding the domain users group with Read permissions usually resolves the issue.

NOTE: These steps may need to be repeated for different applications or subsequent errors within the same application.
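When the Security Log holds more entries than can comfortably be opened one at a time in steps 12 and 13, the same review can be scripted against a text copy of the log. The Python sketch below is an added example, not part of the Citrix article: it groups the failure audits for the audited user by file, in order of first denial, and flags dll and exe files. The comma-delimited column layout, the account names and the file names are all constructed assumptions.

```python
import csv
import ntpath

# Constructed sample: comma-delimited Security Log rows with the columns
# type, user, object name, accesses. Layout and values are assumptions.
SAMPLE_LOG = r"""Failure Audit,CORP\jdoe,C:\WINNT\system32\appcore.dll,ReadData
Success Audit,CORP\jdoe,C:\WINNT\system32\kernel32.dll,ReadData
Failure Audit,CORP\other,C:\WINNT\system32\config\app.dat,ReadData
Failure Audit,corp\JDoe,c:\winnt\SYSTEM32\appcore.dll,Execute
Failure Audit,CORP\jdoe,C:\WINNT\system32\app.ini,WriteData
"""

def denied_files(text, user):
    """Group the failure audits for `user` by file, in order of first denial."""
    found = {}
    for row in csv.reader(text.splitlines()):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        kind, who, path, access = (field.strip() for field in row)
        if kind != "Failure Audit" or who.lower() != user.lower():
            continue  # failures only; account names compare case-insensitively
        entry = found.setdefault(path.lower(), {  # NT paths are case-insensitive
            "path": path, "count": 0, "accesses": set(),
            "module": ntpath.splitext(path)[1].lower() in (".dll", ".exe")})
        entry["count"] += 1
        entry["accesses"].add(access)
    return list(found.values())

def report(text, user):
    """One line per denied file: hit count, dll/exe flag, path, accesses."""
    lines = []
    for e in denied_files(text, user):
        tag = "dll/exe" if e["module"] else "other"
        lines.append(f'{e["count"]}x {tag:7} {e["path"]} {sorted(e["accesses"])}')
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, r"CORP\jdoe")))
```

The accesses column shows which permission was refused on each file, which is what to compare against the file's permissions in step 13.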