If this is your first visit, take your time and look around. Here are some things you might be looking for:

• SasLibEx: a library that can simulate the Secure Attention Sequence (Ctrl-Alt-Del) but it can even unlock a workstation or session without entering or needing the user’s credentials (and many more things).
• Who locks my file?
• Patch 32 bit Windows to use the full 4 GB (and even more) memory
• Patch Terminal Server to allow more Concurrent Sessions: 2003, Windows XP X64, 2003 X64, 2008, Vista
• Some of my freeware tools such as LaunchRDP, RDP Password Encryption, Active Directory Excel Addin, RDP Clipboard Fix (well this list can go on and on, see also the Downloads section).

Do you like my work? Did my work help you?

• Leave a comment and tell me how it was usefull to you.
• If you want you can make a donation with the Paypal Donate Button in the right Sidebar.

Thank you!

I imported the NFuse.dtd from the Citrix Web Interface into Delphi with the XML Data Binding Wizard. The results in an NFuse Unit so I can easily create the XML data.

To create an authentication packet I use the following code:

procedure TForm1.NFuseTest;
var
  NFuse: IXMLNFuseProtocolType;
begin
  NFuse := NewNFuseProtocol;
  NFuse.Version := '4.6';

  with NFuse.RequestAppData do
  begin
    ServerType.Add('x');
    ServerType.Add('win32');
    ClientType.Add('ica30');
    ClientType.Add('content');

    with Credentials do
    begin
      Username := 'administrator';
      Password.Encoding := 'ctx1';
      Password.NodeValue := Ctx1Encode('password');
      Domain.Type_ := 'NT';
      Domain.NodeValue := 'CONTOSO';
    end;

    ClientName := GetComputerName;
    ClientAddress.NodeValue := '192.168.2.23';
  end;
end;

And this produces the following XML:

<NFuseProtocol version="4.6">
	<RequestAppData>
		<ServerType>x</ServerType>
		<ServerType>win32</ServerType>
		<ClientType>ica30</ClientType>
		<ClientType>content</ClientType>
		<Credentials>
			<UserName>administrator</UserName>
			<Password encoding="ctx1">NFHALEBBMHGCLEBBMDGGKMAJNOHLLKBP</Password>
			<Domain type="NT">CONTOSO</Domain>
		</Credentials>
		<ClientName>REMLAPTOP</ClientName>
		<ClientAddress>192.168.2.23</ClientAddress>
	</RequestAppData>
</NFuseProtocol>

There doesn’t seem to be any sdk that exposed the data we need so I am trying to reproduce what the Citrix online plugi-in does.

I used a HTTP monitoring tool to capture the traffic between the Online plug-in and the Web Interface. First the online plug-in will retrieve the config.xml from the server specified via the Change Server option:

The config.xml is a rather large xml file, the interesting part is the Request.Enumeration (I left out the other data):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE PNAgent_Configuration SYSTEM "PNAgent.dtd"[]>
<PNAgent_Configuration xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance">
    <Request>
        <Enumeration>
            <Location replaceServerLocation="true" modifiable="true" forcedefault="false" RedirectNow="false">http://2003xa/Citrix/PNAgent/enum.aspx</Location>
            <Smartcard_Location replaceServerLocation="true">https://2003xa/Citrix/PNAgent/smartcard_enum.aspx</Smartcard_Location>
            <Integrated_Location replaceServerLocation="true">http://2003xa/Citrix/PNAgent/integrated_enum.aspx</Integrated_Location>
            <Refresh>
                <OnApplicationStart modifiable="false" forcedefault="true">true</OnApplicationStart>
                <OnResourceRequest modifiable="false" forcedefault="true">false</OnResourceRequest>
                <Poll modifiable="false" forcedefault="true">
                    <Enabled>true</Enabled>
                    <Period>6</Period>
                </Poll>
            </Refresh>
        </Enumeration>
        <Resource>
            <Location replaceServerLocation="true" modifiable="true" forcedefault="false" RedirectNow="false">http://2003xa/Citrix/PNAgent/launch.aspx</Location>
            <Smartcard_Location replaceServerLocation="true">https://2003xa/Citrix/PNAgent/smartcard_launch.aspx</Smartcard_Location>
            <Integrated_Location replaceServerLocation="true">http://2003xa/Citrix/PNAgent/integrated_launch.aspx</Integrated_Location>
        </Resource>
        <Reconnect>
            <Location replaceServerLocation="true" modifiable="true" forcedefault="false" RedirectNow="false">http://2003xa/Citrix/PNAgent/reconnect.aspx</Location>
            <Smartcard_Location replaceServerLocation="true">https://2003xa/Citrix/PNAgent/smartcard_reconnect.aspx</Smartcard_Location>
            <Integrated_Location replaceServerLocation="true">http://2003xa/Citrix/PNAgent/integrated_reconnect.aspx</Integrated_Location>
        </Reconnect>
        <Change_Password>
            <Location replaceServerLocation="true" modifiable="true" forcedefault="false" RedirectNow="false">http://2003xa/Citrix/PNAgent/change_password.aspx</Location>
        </Change_Password>
        <MachineControl>
            <Location replaceServerLocation="true">http://2003xa/Citrix/PNAgent/desktopControl.aspx</Location>
            <Smartcard_Location replaceServerLocation="true">https://2003xa/Citrix/PNAgent/smartcard_desktopControl.aspx</Smartcard_Location>
            <Integrated_Location replaceServerLocation="true">http://2003xa/Citrix/PNAgent/integrated_desktopControl.aspx</Integrated_Location>
        </MachineControl>
    </Request>
</PNAgent_Configuration>

From this xml data, the enum.aspx url is taken and another HTTP post is sent to that url which contains the following xml in my case:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd"><NFuseProtocol version="4.6">
	<RequestReconnectSessionData>
		<Credentials>
			<UserName>administrator</UserName>
			<Password encoding="ctx1">NFHALEBBMHGCLEBBMDGGKMAJNOHLLKBP</Password>
			<Domain type="NT">CONTOSO</Domain>
		</Credentials>
		<ClientName>REMLAPTOP</ClientName>
		<ClientName>REMLAPTOP</ClientName>
		<ServerType>win32</ServerType>
		<ClientType>ica30</ClientType>
		<SessionType>disconnected</SessionType>
		<SessionType>active</SessionType>
	</RequestReconnectSessionData>
</NFuseProtocol>

Notice that the password is encoded so if we want to replicate the HTTP post data we need to be able to encode (and perhaps decode) the password.

The decoding seems to be named Ctx1 but I couldn’t find any information on how it should be encoded so I had to find it out myself.

I wrote a tool that that can encode and decode the passwords and I suspect the password decoding is the same as used for storing passwords in ica files (I haven’t checked that yet…):

The tool can be downloaded below.

The setup would always fail however with the following error:

Obviously the installation doesn’t really fail because of too little memory and neither is the installation disc (an iso file) corrupt, it’s a bug.

Fortunately this particular bug was fixed in SP3 (build number 4.00.1381.32772). So make sure you integrate SP3 or higher in your install media and the it installs perfectly:

I didn’t want to revert to C# so I implemented shift left and shift right functions in PowerShell.

The code isn’t really pretty and could probably be improved (comments/improvements are welcome!) but here goes (please note that I implemented for bit shifting a byte):

# convert (possible negative) value to Hex Byte
function valToHexByte([Int16]$val)
{
	$s = "{0:x2}" -f $val
	$s = "0x" + $s.Substring($s.Length - 2, 2)
	return [byte]$s
}

# shift bits left

function shl([int16]$val, [byte]$index=1)
{
	$b = valToHexByte $val
	$ba1 = New-Object System.Collections.BitArray($b)
	$ba2 = New-Object System.Collections.BitArray(8)

	for ($i=0 ; $i+$index -lt 8 ; $i++)
	{
		$ba2.Set($i + $index, $ba1.Get($i))
	}

	for ($i=0 ; $i -lt $index ; $i++)
	{
		$ba2.Set($i, 0)
	}
	$result =  New-Object System.Byte[] (1)
	$ba2.CopyTo($result, 0)
	return $result
}

# shift bits rights
function shr([Int16]$val, [byte]$index=1)
{
	$b = valToHexByte $val
	$ba1 = New-Object System.Collections.BitArray($b)
	$ba2 = New-Object System.Collections.BitArray(8)
	for ($i=7-$index ; $i -gt -1 ; $i--)
	{
		$ba2.Set($i, $ba1.Get($i + $index))
	}
	for ($i=7 ; $i -gt 7 - $index ; $i--)
	{
		$ba2.Set($i, $ba2.Get(7))
	}
	$result =  New-Object System.Byte[] (1)
	$ba2.CopyTo($result, 0)
	return $result
}

I tried adding the site to the Trusted Sites List and adding the url to the Per Site Privacy list:

But this didn’t work, but I noticed that the site was “flickering” a lot so I suspected that HDX Flash Acceleration was the problem.

I imported the adm file for HDX (HdxFlash-Server.adm) into a GPO and added the site to the Per-URL-blacklist:

That fixed the problem!

I booted the VA using the Ubuntu Live CD and opened a Terminal. Then I used the cfdisk tool (sudo cfdisk /dev/sda) to view the partitions:

I assumed I needed sda2 so I mounted this partition:

# sudo su
# mkdir /mnt/va
# mount /dev/sda2 /mnt/va

However if we try to change the password we get an error:

Apparently the /dev directory is filled while booting to make sure that it’s filled only with available devices.

To be able the change the password I mounted the /dev directory from the Ubuntu Live CD and then it works nicely:

First of all there is no direct way to create new objects in Active Directory. You always need to bind to the Domain or an Organizational Unit and call the Create method.

Example:

# Bind to OU
$ou = [ADSI]"LDAP://OU=OU=Groups,DC=Contoso,DC=COM"

# Create the Group
$group = $ou.Children.Add("CN=TestGroup", "Group")
$group.CommitChanges()

However the group is not yet complete:

So we need to set the sAMAccountName property:

# Create the Group
# Bind to OU
$ou = [ADSI]"LDAP://OU=OU=Groups,DC=Contoso,DC=COM"

$group = $ou.Children.Add("CN=TestGroup", "Group")

# Set Account Name
$group.sAMAccountName = "TestGroup"

# Commit Changes
$group.CommitChanges()

however this will fail with the error message:

Exception calling "CommitChanges" with "0" argument(s): "A constraint violation occurred. (Exception from HRESULT: 0x8007202F)"

This happens because we first need to call CommitChanges() before setting additional properties:

# Bind to OU
$ou = [ADSI]"LDAP://OU=OU=Groups,DC=Contoso,DC=COM"

# Create the Group
$group = $ou.Children.Add("CN=TestGroup", "Group")

# Commit Changes
$group.CommitChanges()

# Set Account Name
$group.sAMAccountName = "TestGroup"

# Commit Changes
$group.CommitChanges()

Last step is to change the group type, which can be done using the groupType property:

# These constants come from Iads.h
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x2
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x4
$ADS_GROUP_TYPE_LOCAL_GROUP        = 0x4
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x8
$ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000

# Set GroupType
$group.groupType = $ADS_GROUP_TYPE_GLOBAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED

And all the pieces together:

# These constants come from Iads.h
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x2
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x4
$ADS_GROUP_TYPE_LOCAL_GROUP        = 0x4
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x8
$ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000

# Bind to OU
$ou = [ADSI]"LDAP://OU=Applications,OU=Groups,OU=GHZ,DC=ZORGMH,DC=LOCAL"

# Create the Group
$group = $ou.Children.Add("CN=TestGroup", "Group")

# Commit Changes
$group.CommitChanges()

# Important: first call CommitChanges() before setting other properties!
# Else you will get ERROR_DS_CONSTRAINT_VIOLATION (0x8007202F)

# Set Account Name
$group.sAMAccountName = "TestGroup"

# Set GroupType
$group.groupType = $ADS_GROUP_TYPE_GLOBAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED

# Commit Changes
$group.CommitChanges()

This happens because either the Current User or the All Users PowerShell profile is empty.

Solution is to either delete the file (by default it’s not present) or fill it with at least one line of code.

The path to the Current User profile is located in %UserProfile%\My Documents\WindowsPowerShell\profile.ps1.

The path to the All Users profile is located in %windir%\system32\WindowsPowerShell\v1.0\profile.ps1.

See also: Windows PowerShell Profiles

Users reported that logons failed after they had changed their password. After contacting the users we learned that this only happened with special characters in the password like ! and +.

To do the actual logon to Citrix Imprivata uses an executable which is actually an AutoIT script compiled to an executable.

After authentication the executable get’s the password from the Imprivata Appliance.

I decompiled the executable to source and read the line that passes the password to XenApp:

ControlSend("Citrix online plug-in", "", "[ID:1004]", $password)

I then checked the AutoIT documentation for the ControlSend function and learned there’s an extra parameter Flag with a default value of 0. This flags determines how keys are processed.

When Flag = 0 (default), special characters like + are used to indicate moving the cursor or indicate SHIFT. When Flag =1 the keys are send raw which is what we need for the passsword.

I changed the line to:

ControlSend("Citrix online plug-in", "", "[ID:1004]", $password, 1)

And now it works fine!