Error 1046: This Version of Citrix Receiver does not support the selected encryption

When starting a ICA session with RES VDX enabled you may receive the error message:

Error: This Version of Citrix Receiver does not support the selected encryption, when starting RES VDX session

After some searching I ended up at the RES support site which tells you:

Q203290 Error: This Version of Citrix Receiver does not support the selected encryption, when starting RES VDX session

When starting a Citrix XenApp session with RES VDX enabled the following error might occur:
“This Version of Citrix Receiver does not support the selected encryption. [Error 1046] The Virtual Driver is not loaded”.
The second logon attempt runs without any problems. This issue only occurs when using the Citrix Receiver. When using earlier ICA client versions , this error will not occur.

Cause 1 – RES VDX tries to initialize the ICA virtual channel when the Citrix Receiver is not ready yet. 95% probability.
In Citrix Receiver 3.0 and higher, Citrix implemented a timeout in their software. Due to this timeout an error is generated by the Citrix Receiver when RES VDX tries to open the ICA virtual channel. At the seccond logon attempt the timeout is expired and the logon process continues without any problems.
Solution 1.1 – Solved in a FixPack based on RES VDX SR2

To request the fixpack please consult RES Support


SOLVED: Citrix Receiver Error 61 on OS X

In my test environment I have installed all Citrix components (required) to access applications from remote locations.


  • Citrix Access Gateway (VPX) Express
  • Self-Signed certificate. (Generated by CAG)
  • Citrix Webinterface (configured Services Site)
  • XenApp 6

This setup works for the following device OS’es:

  • Windows 7
  • IOS 5
  • Android 2.2
Only when trying to connect an OS X machine to the published application (via Citrix Receiver 11.4.3 It did not work.

After importing the self-signed certificate (crt/cer) to the keystore (login or system) I try to setup up a connection to the published application.  After some time the connection failed with I receive the following error:

Citrix ICA SSL Error 61: You have not chosen to trust FQDN, the issuer of the server’s security certificate.
Error number183

After trying some stuff, like importing it in different formats I eventually found the solution while doing the following steps:
  1. Export your self-signed certificate to a convenient location.
  2. Open Terminal and enter :
  3. Enter:
    Sudo su
  4. Enter your admin user password
  5. Enter:
    mkdir /var/CTXScert
  6. And:
    mkdir /var/CTXScert/cacerts
  7. Now copy your certificate to the just created folder, cp <your location> /var/CTXScert/cacerts/
  8. quit Terminal.
Instantly after connecting again I was presented the Published application, the error had disappeared.

Citrix accuses VMWare of lying. (updated)

What an interesting start of the week, today Citrix’s desktop CTO Harry Labana wrote a blog post accusing VMware of lying while refering to a Gartner Report about the TCO of SBC comparing to (un)managed desktops. In this article about VMware’s View, the company refers tho the report and insinuates that VMWare View incorporates SBC technology (which it doesn’t).

As you might know, one of the big differences between VMware’s and Citrix’s desktop virtualization solutions is that  Citrix XenDesktop incorporates VDI/Desktop virtualization capabilities but also includes XenApp which delivers shared Terminal Server-based desktops and applications. While VMware View only incorporates  VDI/desktop virtualization.

Therefore their press release is inaccurate and subject to rectification, in my opinion.

Stay tuned for more….

UPDATE: Brian Madden also picked up the story and has some background information, he also responds to the reaction from VMWare.

The recent joint announcement between Wyse and VMware, on February 9, featured a quote by Gartner looking at the TCO benefits associated with server-based computing (SBC). The Wyse portfolio of thin, zero and cloud PC client solutions supports both SBC and VDI. It is appropriate for Wyse to choose the feature this when talking about their products. VMware’s portion of the announcement featured customer momentum and results related to our portfolio of desktop and application virtualization technologies.

Who knows if it was on purpose or an oversight? They’ll claim it was a mistake. The conspiracy theorists will believe otherwise. If you asked me over a beer I’d tell you that I don’t believe they did it on purpose, but that it was not wise to respond with the statement they used. Instead they should have put a new quote with VDI-specific data in it and reissued the press release. Then they’d be done. But now we’re left with a release where TS is doing the heavy lifting to power the “success” of the TCO savings of VDI. And that’s exactly what I accused them of doing three years ago, which I wish was a thing of the past.

Also Harry Labana responded on his blog to VMWare’s reaction:

Fundamentally VMware is trying to defend an inaccurate press release. After a history of getting away with elastic facts, getting caught twice, the appropriate thing to do would be to retract the statement and claims of SBC having anything to do with VMware.

Citrix PVS command-line tools

After exploring and mastering a product through the GUI, It always tickles me to get to the CLI and get myself fimiliar with the true power and scripting possibilities of that product.  The standard tool for Citrix PVS is MCLI.exe and is installed by default when the console is installed. after installing the PVS Console you may have to run the setup of the SOAP Server Communication, use this command to set the values for the SOAP Server

MCLI Run SetupConnection -p name=value[ name2=value2]
Setup the SOAP server connection that will be used for the MCLI and PowerShell command line interfaces.

-p Parameters needed for this Run.

server Server used for the connection.

port Port used for the connection.

user User used for the connection.
Default=Current user

domain User domain used for the connection.
Default=Current user

password User password used for the connection.
Default=Current user

Add a device
MCLI Add Device -r deviceName=Device1 deviceMac=1a-2b-3c-4d-5e-6f description=”A description”

Remove a device:
MCLI Delete Device -p deviceName=Device1

To get a detailed overview of the capabilities of this interface I have attached the programmer’s guide, there is a Powershell guide available too.

[download id=”3″]
[download id=”4″]

Visio Stencils for Citrix Products

When I was drawing an architectual document in visio, I needed some stencils after a quick search on google I found some and bundled them for my convinience hopefully you like them as well.  [download id=”2″]

Flexible Active/Idle Session Timeout

Yesterday I was asked to implement a time-out on active citrix sessions. The purpose for the script was to limit the maximum active session time for the user. The HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\ICA-TCP\MaxActiveSession registry key was not flexible enough and I couldn’t find a ready made solution. I decided to develop my own script based on information in the XenApp Management SDK and on CDN. After some time of scripting I found the following script working and flexible enough to meet the demands of the customer. Basically you schedule the command with the following parameter “cscript <filename.wsf> min <time-out in minutes>”

XX minutes before the session if logged off the user is send an message, the XX minutes is defined by the WarnThreshold value in the script. the Message can be customized by editing the strMsg + strTitle value.

The script can be easily adjusted to be used for a flexible Idle Time-out . the only property that has to be adjusted is Session.LogonTime into Session.LastInputTime

All warnings are logged to a logfile which you can set in the script. Make sure the account used for running the script is a XenApp Administrator.

Off course the usage of the script is based on own risk.

Download file here: [download id=”1″]



  • Changed calculation logic
  • Changed MessageType to SystemModal + Warning


  • Initial Release

Mcafee ePo considerations using Citrix Provisioning Services

In a hunt for complete best practices guide I found the following considerations:

ePo Agent recommendations:

Delete the Agent GUID for McAfee EPO agent; otherwise all machines deployed came up in EPO server as the same computer. So, if you are going to use the Provisioning Services image in Shared Image mode, Citrix recommends stopping the McAfee framework service and deleting the following registry key, just before your create your Provisioning Services image.
  • Stop the McAfee Framework service (but leave on Automatic start up) and delete the AgentGUID registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\
Additional registry keys may need to be cleared or deleted before rolling out an image in Standard Image mode. To run McAfee 8.5i and EPO on a vDisk in Standard Image mode, the values for the following registry keys must be deleted before imaging the Master Target Device (this could also be done after building the image by putting the image back into Private Image Mode):
  • Associates\ePolicy Orchestrator\Agent\AgentGUID
  • Associates\ePolicy Orchestrator\Agent\MACADDRESS
  • (if using Host Intrusion)
Make sure there is not a policy applied to this PC on EPO that restarts the framework service after X seconds…. (Otherwise this key might be recreated before you start the Provisioning Services image creation process).
The problem here is that each time a PC restarts in Shared Image Mode, a different GUID is recreated. It might be necessary to set EPO to delete stale entries from its Asset database. The results might also not provide a true reflection in reports of a particular PCs infection history, as it will have a new record in the EPO database each time a reboot occurs. This is preferable over having lots of PCs with only one of them having updated antivirus at a time.
Virusscanning recommendations:
  • Scan local drives only. DO NOT scan network drives.
  • Only scan “Incoming” files (ie. write events).
  • Exclude the pagefile(s) from being scanned.
  • The “%ProgramFiles%\Citrix” folder contains many configuration and log files that are always changing, especially the Local Host Cache (imalhc.mdb) and Resource Manager Local Database (RMLocalDatabase.mdb). You could exclude the whole folder. More specifically, the main ones are:
  • “%ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB”
  • “%ProgramFiles%\Citrix\Citrix Resource Manager\SummaryFiles”
  • “%ProgramFiles%\Citrix\Independent Management Architecture”
  • “%ProgramFiles%\Citrix\logs”
  • Exclude the Print Spooler (%SystemRoot%\System32\spool\PRINTERS) folder. Note that in our deployments we typically place these folders on the non-System Drive.
  • We would recommend excluding as much of the user’s profile (%UserProfile%) as possible. In fact, the only folder that is of major concern is the Temporary Internet Cache (”%UserProfile%\Local Settings\Temporary Internet Files”).
  • If you do not exclude the Profiles, then exclude the user‘s Presentation Server Client bitmap cache (”%UserProfile%\Application Data\ICAClient\Cache” or “%AppData%\ICAClient\Cache”) used for ICA pass-through connections by the locally installed PNClassic and PNAgent.
  • Exclude .dat and .tmp files.
  • Disable the heuristics mode of scanning, this setting can be very intensive on the system
  • Exclude smss.exe, winlogon.exe, userinit.exe, csrss.exe and wfshell.exe
  • Exclude the Softgrid folders (especially the cache)
Provisioning Services recommendations:

Limit antivirus definition updates to the Target Device. Create a plan to upgrade the vDisk periodically using manual, automatic or automated techniques such as Automatic vDisk updates or by using something like WorkFlow Studio.
  • Avoid scanning your disk write cache location if that write cache is hosted on the Provisioning Services server. In limited testing it has been observed that most scanners cannot detect a virus within this location because of their inherit design and the methods used to determine a virus.
  • Do not scan your Targets I/O stream in real-time. This can cause excessive retries when the Target expects it’s I/O and that process is delayed by real-time scanning, there is good potential for a second and maybe more requests for the same packet fragment.
  • Avoid scanning the BNDevice.exe process on the Target. There are a few drivers that should be excluded from scanning, as well, in the <systemroot>\windows\system32\drivers directory you can exclude BNNS.sys, BNNF.sys, BNPort.sys, and bnistack.sys


General server recommendations

  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder: %windir%\SoftwareDistribution\Datastore
  • Turn off scanning of the log files that are located in the following folder:
  • “%windir%\SoftwareDistribution\Datastore\Logs” Specifically, exclude the following files: