Skip to main content

Delay Starting Published Application in #Citrix #XenApp

Symptoms

Applications with .Net or Java components take long time to start.

Cause

When the user accesses the published XenApp application with .NET or Java component, first time user logon to the published application takes long time to appear after first click over the application. The application appears after a time out that varies and after appearing, the applications behave as expected.

In other cases, the application is started correctly but during scenarios such as execution or accessing different module of the application, this access might take more time to process or fail in some cases.

This behavior occurs when the servers where the applications are published do not have Internet access and these applications have some.NET or Java component certificate that must be verified. If the server does not have Internet access, then the .NET framework or Java component cannot access the crl.microsoft.com website to verify that the digital signatures that are used to sign the binaries for managed applications are valid. Each certificate check has a 15 second timeout in the .NET runtime implementation. Depending on what features are installed, this can add up to a minute of startup time for the application.

Resolution

To avoid this behavior and resolve the application delay, you must change several options in the Internet properties Advanced tab on the servers, applying a GPO or manually through registry modifications

Internet Properties

Open User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page.

The options that must be set to disable value are:

  • Check for publisher’s certificate revocation
  • Check for server certificate revocation*

GPO Policy

Setting the following options through GPO policy and applying to all the users ensures that these changes are updated in the next registry modifications in the servers:

  • For Check for publisher´s certificate revocation:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  • Default setting: 0x00023c00 (166432)
  • After manually setting disabled: 0x23e00 (146944)
  • After applying the GP preference settings: 0x002c9 (713)
  • For Check for server certificate revocation*:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  • Certificate Revocation Dword Key == 0

Once this is done, the application does not attempt to verify the certificate and the time out is not reproduced.

This document applies to:

Leave a Reply

Your email address will not be published. Required fields are marked *

Turn on pictures to see the captcha *