Citrix XenApp 4.0 -> 6.5 issue (Delay in Starting Published Application .Net or Java App)

Symptoms

Published applications with .Net or Java components take longer time to start, when installed on servers without Internet access. This issue affects all users accessing these published applications.

Cause

When a user accesses a published XenApp application with a .NET or Java component, there is a long delay before the application appears. Once the application appears, the application behaves as expected.

In other cases, the application starts normally, but when accessing a different module of the application, this access might take more time to process, or fail.

This behavior occurs when:

  • the application contains a signed .NET or Java component, and:
  • the server where the application is published does not have Internet access

This is because the .NET framework or Java runtime environment attempts to check whether the signing certificate has been revoked. This check requires Internet access.

In case of .NET components, there is a timeout of 15 seconds for each check. Depending on the features that are installed, this can increase up to one minute of startup time for the application.

Resolution

To avoid this behavior, you can configure Microsoft Windows not to perform certification revocation checking.

Note: Before making this change, it is recommended to consult your security specialist. Note the following:

  • the change will have an impact on other applications
  • some other procedure will be needed to deal with revoked certificates that have been used to sign these applications

To configure Microsoft Windows to avoid this behavior, you can apply a user-based Group Policy Object (GPO). For illustration, the setting appears in the Internet Properties dialog.

Internet Properties

  • Open User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page.
    The Internet Options dialog opens.
  • Disable the following option: 
    Check for publisher’s certificate revocation

Group Policy

Setting the following options through GPO policy and applying these settings to all users accessing these published applications ensures that these changes are updated in the next registry modifications in their session:

Check for publisher´s certificate revocation: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

  • Default setting: 0x00023c00 (166432)
  • After manually setting disabled: 0x23e00 (146944)
  • After applying the GP preference settings: 0x002c9 (713)

To make these changes through GPO, complete the following alternative methods:

  • In Windows 2008:
    To get to this policy, open User Configuration\Preferences\Control Panel Settings\Internet Explorer, in this location add policies for all the appropriate versions of Internet Explorer.
  • In Windows 2003:
    To get to this policy, open User Configuration\Internet Explorer Maintenance\Connection Settings. In this location modify the options as required.

Leave a Reply

Your email address will not be published. Required fields are marked *

Turn on pictures to see the captcha *