{"id":4264,"date":"2012-08-16T11:47:18","date_gmt":"2012-08-16T09:47:18","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=4264"},"modified":"2013-06-15T13:47:03","modified_gmt":"2013-06-15T11:47:03","slug":"the-citrix-xml-server-explained-and-demystified","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/the-citrix-xml-server-explained-and-demystified\/","title":{"rendered":"The Citrix XML server explained and demystified"},"content":{"rendered":"

\"\"The Citrix XML server is a component of Citrix XenApp and XenDesktop that\u2019s used to enumerates available resources  and provide secure tickets for users that  to use the  WebInterface or CloudGateway.<\/p>\n

 <\/p>\n

In this article I\u2019ll explain what the services the XML service provide, how it does it job and all you need to know about it.<\/p>\n

<\/p>\n

Introduction<\/font><\/h2>\n

The Citrix XML service is a Windows service <\/strong>that is part of the Citrix XenApp and XenDesktop product. It is used to provide XML <\/strong>data requests sent by Citrix components. It is introduced with MetaFrame 1.8 SP2, since MetaFrame XP is is a standard feature.  Up to XenApp 6.0<\/strong> each XenApp server could be a XML broker. Since XenApp 6.5<\/strong>, where the controller-worker architecture is introduced, only a server with the controller<\/strong> role can be a XML broker. A server with the controller role is responsible for farm management. <\/p>\n

The Citrix XML service is most commonly used to provide users access to their applications and desktops via a web portal<\/strong>, leveraging the services of WebInterface, CloudGateway (Storefront) or Access Gateway. It is also used when users connect via the TCP\/IP+HTTP<\/strong> protocol.<\/p>\n

It is recommended to have multiple servers with the Citrix XML server, as close as possible to the servers Zone Data Collectors <\/strong>(XenApp) and Desktop Delivery Controller <\/strong>(XenDesktop).<\/p>\n

 <\/p>\n

<\/font><\/p>\n

Windows Service<\/font><\/h2>\n

\"Citrix<\/a>The windows service is identified by the name CtxHttp<\/strong>,<\/em> which reveals it leverages this protocol<\/strong> for network transportation<\/strong>. Basically the Citrix XML service has a built-in (simplified) webserver to transfer <\/strong>XML documents. <\/p>\n

The service is launched with the predefined local Network Service<\/a><\/em> account<\/strong>, which allows it to communicate over the network.<\/p>\n

XML? XML stands for Extensible Markup Language, it is a markup language for documents containing structured information (wikipedia<\/a>).<\/p>\n

 <\/p>\n

Files<\/font><\/h2>\n

The Citrix XML service consists of a number of files to provide its services. The files are , by default, stored in %ProgramFiles%\\Citrix\\System32<\/em> on a 32-bit operating system and %ProgramFiles(x86)%\\Citrix\\System32<\/em> on a 64-bit operating system.<\/p>\n\n\n\n\n\n\n\n\n\n\n
File<\/strong><\/td>\nDescription<\/strong><\/td>\n<\/tr>\n
ctxadmin.dll<\/td>\nCitrix Web Program Neighborhood<\/td>\n<\/tr>\n
ctxconfproxy.dll<\/td>\nCitrix ConfProxy ISAPI (a Web Service Extension)<\/td>\n<\/tr>\n
ctxsta.config<\/td>\nConfiguration data for the Secure Ticket Authority (STA)<\/td>\n<\/tr>\n
ctxsta.dll<\/td>\nThe Secure Ticket Authority (STA)<\/td>\n<\/tr>\n
ctxxmlss.txt<\/td>\nEncoding information for the windows service (CodePage translation entries)<\/td>\n<\/tr>\n
ctxxmlss.exe<\/td>\nThe windows service (also used to configure and bind the Citrix XML service)<\/td>\n<\/tr>\n
WPnBr.dll<\/td>\nCitrix XML ISAPI (a Web Service Extension), a connector for Web Interface<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Communication<\/font><\/h2>\n

By default the Citrix XML service listens on TCP port: 80. Although this is the default port, Citrix recommends using port 8080. <\/strong><\/p>\n

 <\/p>\n

IIS integration<\/font><\/h5>\n

If Microsoft Internet Information Services (IIS) is installed the Citrix XML Service is integrated <\/strong>by default. Otherwise the Citrix XML service defaults to standalone <\/strong>mode. If during the installation the an IIS server (or the IIS server role) is detected, the <\/strong>files specified<\/strong> above folder are copied from %ProgramFiles(x86)%\\Citrix\\system32\\<\/em> to %SystemRoot%\\inetpub\\scripts<\/em>. Letting the Citrix XML server integrate with IIS effectively (sharing ports) disables<\/strong> the use of the Windows Service and creates a Web Service <\/strong>in IIS. <\/p>\n

You can test the IIS integration by opening the the following url in your browser https:\/\/hostname\/Scripts\/ctxsta.dll<\/em><\/a>. If the integration is configured correctly you should get the following response:<\/p>\n

HTTP Error 405.0 \u2013 method not supported\r\nThe page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.\r\n \r\nModule IsapiModule\r\nNotification ExecuteRequestHandler\r\nHandler ISAPI-dll\r\nError Code 0\u00d700000000<\/pre>\n
<\/font><\/h5>\n
<\/font><\/p>\n
<\/font><\/p>\n
<\/font><\/font><\/p>\n
<\/font><\/p>\n
\"\"It is not <\/strong>recommend to integrate the Citrix XML Server in IIS and use the share port 80 with IIS (Configuring the Citrix XML Service Port and Trust – Citrix eDocs<\/a> – Beware of Hosting Web Interface on XenApp Servers – Nicholas Dille<\/a>)<\/p>\n
 <\/p>\n
Changing the Citrix XML Service port number<\/font><\/h5>\n
If a different process requires the same ports you will receive the message \u201cCitrix XML port selected is in use by another application or service\u201d. If necessary you can change the port of the Citrix XML server. The Citrix XML Service and Microsoft IIS can share a port (default = 80), you should only specify a different port if you don\u2019t want to share ports.<\/em><\/p>\n
\"netstat<\/a>To find out what other process is using the same port you can run the following command: netstat \u2013ano \u2013p tcp <\/font>(or netstat \u2013ban \u2013tcp<\/font> if you have Windows 7 \/ 2008) and locate the process ID (PID) that listens on the same port.<\/font><\/p>\n
In XenApp 6.0 or later changing the XML port can be done with a server policy: XML Service\\XML service port<\/em>. However, this can only be done if you selected a custom <\/strong>port during installation instead of Share with IIS<\/strong>.<\/p>\n
\"Citrix<\/a>\"Citrix<\/a><\/p>\n
The port number can also be changed with the ctxxmlss<\/em><\/a> command-line utility.  This can be done by unloading the Citrix XML Service with \/u<\/strong>, changing the port with \/r<port number><\/strong> and restarting the XML service.<\/p>\n
ctxxmlss \/u\r\nctxxmlss \/r8080<\/pre>\n
An alternative method is by changing the port in the registry <\/strong>(and restart the Citrix XML service after changing).<\/p>\n
\"HKLM\\SYSTEM\\CurrentControlSet\\Services\\CtxHttp\"<\/a>Key: HKLM\\SYSTEM\\CurrentControlSet\\Services\\CtxHttp\r\nValue: TcpPort\r\nType: DWORD (32-bit)<\/pre>\n
The value is listed in hex, you need to change the view to decimal.<\/p>\n
 <\/p>\n
Citrix XML Service Trust<\/font><\/h2>\n
The security level of the Citrix XML service can be lowered by allowing the Citrix XML Service to trust all requests<\/strong>. The trust setting is only for Smooth Roaming <\/strong>when users authenticate using pass-through or smart-card authentication with WebInterface or online plug-in.<\/p>\n
To avoid security risks, only enable<\/strong> the Citrix XML service to trust requests it receives when you\u2019re confident<\/strong> that only trusted<\/strong> services communicate with the Citrix XML Service. This can be achieved by using firewalls or using IPSec. By default the trust is disabled<\/strong>.<\/p>\n
In XenApp 5.0and Presentation Server 4.x enabling the XML trust can be done via the Citrix Access Management Console (AMC) in the the server settings<\/strong>: XML Service<\/em><\/p>\n
\"Server<\/a><\/p>\n
In XenApp 6.0 or later enabling the XML trust can be done with a server policy: XML Service\\Trust XML requests<\/em>. <\/p>\n
\"Citrix<\/a>\"Citrix<\/a><\/p>\n
 <\/p>\n
Services provided <\/font><\/h2>\n
When a user <\/strong>starts his browser <\/strong>and connects to the URL of the web portal (WebInterface or Citrix Access Gateway), authenticates and launches an application (or desktop) a number of transactions <\/strong>take place between the WI\/CAG and the XML Service. <\/p>\n
In a basic environment where the users connects to a published resource via a Citrix Access Gateway, the following transactions takes places.<\/p>\n
\"Example<\/a><\/p>\n
    \n
  1. The provides his credentials<\/strong> to the webserver (WI or CAG) <\/li>\n
  2. The webserver reads the credentials and authenticates<\/strong> the user (based on the settings of the web site) <\/li>\n
  3. The webserver sends the credentials to one (or more) Citrix XML servers <\/strong>for each farm <\/strong>to validate the credentials (RequestValidateCredentials<\/font>) and to get a list of available resources (RequestAppData<\/font>) <\/li>\n
  4. The Secure Ticket Authorithy (STA), part of the Citrix XML server, returns a secure ticket <\/strong><\/li>\n
  5. The XML broker, part of the Citrix XML server, queries <\/strong>the IMA service (XenApp) or Desktop Delivery Controller (XenDesktop) for resources available <\/strong>for the user <\/li>\n
  6. The XML service returns <\/strong>an XML file <\/strong>containing the secure ticket (ResponseValidateCredentials<\/font>) and available resources (ResponseAppData<\/font>) <\/li>\n
  7. The web server generates <\/strong>a web page containing all the resources the user can access (or the shortcuts are placed on the desktop \/ start menu by the PN agent) <\/li>\n
  8. The user clicks on a resource <\/li>\n
  9. The webserver requests <\/strong>the XML server (from the farm \/ site where the resource belongs to) for the system <\/strong>to connect to (RequestAddress<\/font>) <\/li>\n
  10. The STA server queries <\/strong>the IMA service (XenApp) or Desktop Delivery Controller (XenDesktop) for the system that can provide <\/strong>the resource <\/li>\n
  11. The STA returns the system that can provide the resource to the CAG (ResponseAddress<\/font>) <\/li>\n
  12. The webserver sends a default.ica<\/em> file<\/strong> containing information<\/strong> about the resource, STA server (as configured in the secure access settings in the WebInterface) secure ticket and connection properties (more information about the ICA file can be found here<\/a>). <\/li>\n
  13. The Citrix client (for instance the Receiver) makes a connection<\/strong> to the CAG<\/strong> <\/li>\n
  14. The CAG requests<\/strong> the STA server (stored in the ICA file) if the secure ticket is valid <\/strong>and to which system to connect <\/li>\n
  15. The STA server validates<\/strong> the secure ticket (from memory<\/strong>) <\/li>\n
  16. The CAG server accepts<\/strong> the connection and the connection<\/strong> is started. <\/li>\n<\/ol>\n
    Nicholas Dille wrote an excellent article called \u2018<\/em>Talking to the XML Service<\/em><\/a>\u2019. If you want to dive deeper in the messages being sent by the Citrix XML Service, you should read it.<\/em><\/p>\n
     <\/p>\n
    So, basically the XML service has two functions:<\/p>\n