Deploying a Pre-Configured Citrix Client using Active Directory


This article will show you how to create a pre-configured Citrix Client and leverage Active Directory to deploy the client as well as overcome some of the idiosyncrasies found in the Citrix Client packager.

This article will show you how to create a pre-configured Citrix Client and leverage Active Directory to deploy the client. You may ask, “Why would I want to use Active Directory to deploy the client. Doesn’t Citrix offer the Auto Client Update?” The answer is yes, Citrix does provide an auto client update feature, but there are limitations such as:

If a workstation already has a Citrix client that was installed from an .msi package, then you cannot use the Auto Client Update feature.

From page 90 of the Citrix client Administrator’s Guide:
“Important You cannot automatically update previous versions of the client installed with Windows Installer (.msi) packages. You must redeploy a client installer package when a new version of the client is released.”

Also, refer to Citrix Article CTX108584.

The Auto Client Update feature also adds steps to the logon process since it has to check to see if the workstation has an up-to-date client. This can cause longer login times and user frustration. In fact, I recommend you turn off the Auto Client Update feature via a Citrix policy:

Getting Started

Tools Needed:

  • Citrix Presentation Server Client Packager
  • ORCA to modify the MSI file (today’s trivia, ORCA stands for One Really Cool Application)
  • Citrix Transform File to enable Single Sign On in the MSI file (optional)

The first thing you will need to do is get the Citrix Presentation Server Client Packager. You can download the latest Citrix Client Packager at The Citrix Client Packager contains the Citrix Program Neighborhood client, the Citrix Web client, and the Citrix Program Neighborhood Agent client.

Quote from Citrix:

You can customize the client packager to deploy and maintain any number and combination of clients network-wide. Based on Windows Installer technology (msi), the client packager lets you install, uninstall, modify, and repair clients as well as perform controlled client upgrades. An easy-to-use wizard guides you through the configuration step by step.

Create an Admin Install of the Citrix Client Packager

This is the part where you pre-configure the client(s).

Run msiexec /a Ica32Pkg.msi to create an administrative install of the package.
Note: this doesn’t actually install the client; it just creates the customized client installation files.

Select the “Uncompressed” option if you want to make modifications to the files (such as branding the client).

For this exercise, I have chosen not to install the full Program Neighborhood Client.

Important: If you elect to use the Local Name and Password, you will need to modify the MSI file using a transform (MST) file in order for this to work. More on this later.

In this example, I removed all the dialog boxes. It is not necessary to show any dialogs since we are going to push this client via Active Directory.

Making Post Setup Modifications

There are a couple of common post setup modifications that need to be made for the options I chose in this exercise. The first modification involves a bug in the client packager. If you specify not to install the Program Neighborhood client (as I chose not to in this exercise), it will still be installed to the workstation anyway as “Install on Demand” (see Citrix Article CTX105642).

So, to get around this, you will need to modify the MSI file by following these steps:

  • Launch ORCA.
  • Open the admin install MSI file (Ica32Pkg.msi) created earlier.
  • Select the Condition table.
  • Change the condition to “Not Installed” for the Program Neighborhood client.

There is another “feature” in the client packager that puts an icon for Program Neighborhood on the workstation desktop even if you chose not to install Program Neighborhood (see Citrix Article CTX108212)

So, once again, it’s ORCA to the rescue:

  • Launch ORCA.
  • Open the admin install MSI file (Ica32Pkg.msi) created earlier.
  • Select the Shortcut table.
  • Right click the row with “DesktopFolder…” in the Directory column and select Drop Row.

Enable Single Sign On for Active Directory Deployment

There is yet another “feature” in the client that disables single sign on in the client when deploying via Active Directory (see Citrix article CTX103439). As the article states, you will need to apply a transform (MST) in order for Single Sign On to work.

  • Download slfregfix.mst from
  • Launch ORCA
  • Open the Ica32Pkg.msi file created above.
  • Select Transform -> Apply Transform…
  • Browse to slfregfix.mst.
  • Click on File -> Save Transformed As… and save the package as a different name (such as mod_Ica32Pkg.msi).

Deploy the Package with Active Directory

Finally, after all the blood sweat and tears to create the admin install client package, you can deploy the package with Active Directory. The question you must answer here is do you want to assign or publish this package? Also, if you assign the package, do you want to assign it to computer or user objects? In this exercise, I assigned the package to computer objects. (For more information about assigning and publishing packages via a GPO with Active Directory, check out Active Directory® for Microsoft® Windows® Server 2003 Technical Reference)

<disclaimer> I strongly suggest you toughly test this in a separate test environment if you have one. If you do not have a separate test environment, at least create a test OU in your Active Directory to try this out.</disclaimer>

  • Open up Active Directory Users and Computers.
  • Right click on the OU you want to use to host the GPO to deploy the package and select Properties
  • Select the Group Policy tab.
  • Click edit to edit an existing Group Policy or New to create a new Group Policy. (Again, I suggest creating a new GPO for testing purposes).
  • Browse to Computer Configuration -> Software Settings -> Software installation.
  • Right click Software installation and select New -> Package.
  • Browse to the package created above.
  • Select Assigned on the Deploy Software Dialog.

Now, any computer object you move into this OU will automatically have the pre-configured Citrix ICA client installed upon logon (I suggest you only try moving a few computer objects into the OU for testing purposes). 

Be careful about placement of the Citrix client install files and network bandwidth. You may want to have different GPO’s specifying different install points based on location. Here’s what Microsoft has to say:

From Active Directory® for Microsoft® Windows® Server 2003 Technical Reference:

One of the most difficult aspects of managing software distribution using group policies is network utilization management. If you assign a large multi-megabyte application to a large group of users and all of those users install the application at the same time, the installation might take hours because of the significant increase in the volume of network traffic. There are a number of options for managing the network bandwidth. One option is to assign applications to computers and ask users to reboot the computers at the end of the day. You can also force a reboot of the workstation by using the GPUpdate command. If you apply this command to only a few workstations at a time, the impact on the network can be minimized.

Another option is to assign applications to small groups of users at one time. In most cases, you might also want to avoid assigning applications that will be completely installed when the user logs on. If you advertise an application but allow the user to initiate the installation, you will be able to at least spread out the software installation over some time. Although none of these options is ideal, you can use them to at least manage the bandwidth to some extent. Another way to manage network utilization if you have multiple sites is to use the Distributed File System (DFS). With DFS, you can create a logical directory structure that is independent of where the files are actually stored on the network. For example, you might create a DFS root named \\server1\softinst and then create subdirectories for all applications underneath that share point. With DFS, you can locate the subdirectories on multiple servers and configure multiple physical links to the same logical directories. If you use Active Directory-integrated DFS, you can even configure automatic replication of the folder contents between copies of the same directory. DFS is a site-aware application, which means that if you have multiple sites, the client computers will always connect to a copy of a DFS folder in their own site rather than cross a wide area network (WAN) link to access the folder on another site.

It is difficult to predict exactly what the effect of a network installation will be. One of the advantages of using group policies to install software is that you can easily perform a test to see what the effect is likely to be. For example, you can configure a GPO that includes the software package but make sure that GPO is not linked to any OU. You can then create a temporary OU, add a few user or computer accounts to the OU, and link the GPO to the OU. This configuration can be used to test how long it takes to install the applications to a small group of users. You can also pilot the software distribution by linking the GPO to a production OU but using group filtering to limit which users or computers will apply the GPO.

Regardless of the efforts you take to minimize the effect on the network, deploying a large application to a large number of users will always have some impact on the network. Since this is this case, you will probably have to plan on completing the installation over several days.


This article showed you how to make a pre-configured admin install of the Citrix ICA Client and the idiosyncrasies involved to make certain functionalities work. Also, we used Active Directory and Group Policy Objects to deploy this customized package. Note: you can use any deployment method you like to deliver the final MSI (such as SMS), but if you do not have SMS (or another deployment device) available in your environment, this method works well.

69 thoughts on “Deploying a Pre-Configured Citrix Client using Active Directory

  1. Thought this was the answer to my prayers, but when I try to apply the transform via ORCA I get error messages and still prompted for a username and password. Any further ideas?

  2. It looks when you add slfregfix.mst it screws up the configuration you did with the admin install. All my screens came back. So I Ran the msiexec /s after the slfregfix.mst transform.

  3. Is there any way to specify the server information? I am trying to create a package that will allow my users to just click the icon and be taken directly to their application set.

  4. What you can do is put those settings in pn.src in the source files of your package (be sure to select the “Uncompressed” option mentioned in the article so you can access the file). pn.src should be located in “Program Files\Citrix\ICA Classic” within your package. Just populate pn.src with your settings.
    If you do not know what to put in pn.src, just configure Program Neighborhood the way you want and copy the contents of pn.ini (located at C:\Documents and Settings\username\Application Data\ICAClient). Now when your package gets installed, pn.src will become pn.ini on the client – making your client pre-configured.

  5. Last ditch effort to make this work. We have everything working except Single Signon. We have applied the slfregfix.mst, but it just doesn’t work. We have tried adding SSonUserSetting=On and UseLocalUserAndPassword=On We did not select the User Kerberos option. Is there anything else we can do?

  6. I got this working under v9.15. The differences I used were to apply the MST via the Package Deployment in group Policy rather than orca. (ie Modifications tab)

    i used orca to edit the other bits. I also dropped other references (ie start menu)to the PN Shortcuts besides the desktop.

  7. Unpacked original client to network share. Configured not to install PN agent, single sign on etc etc. Only used Orca to apply the slregfix.mst and saved package under different name in network share.
    Set up GPO to deploy, but keep getting errors 119 and 102 stating source cannot be found. The network share contains: Program files, ica32pkg.msi, slregfix.mst and the edited ica32pkg.msi file under a different name. What am i doing wrong here?

  8. Hi

    Thank you for a great article.

    We’re adding a third citrix server to our farm and now we’ve gotta figure out a way to make the clients understand that we ha a new server. First thought would be to modify pn.src and pn.ini in our installation share and then reinstall the .msi on all clients. But the new settings won’t apply and it’s because of the local pn.ini in C:\Documents & Settings\user\Application Data\icaclient\… and C:\Program Files\Citrix\ICA Client\…

    I could bypass this by making a logon script that’ll wipe the local files before the re-install, but is there another way?


  9. My first suggestion would be to use Web Interface.

    Short of that, I have written VBS login scripts in the past to manipulate APPSRV.INI. Send me an email and I will give you the script. You could modify it to suit your needs.

  10. After completing all the steps in the above link I am running into a problem with SSON still ( as others seemed to of at the bottom of the above link). Basically when the msi is installed by simply running it SSON works great, however when deploying via GP it’s not on by default, I can select it in the client properties however it still does not work when I do a App refresh and defaults back to “prompt user”.

    Is there something I am missing here or is this a problem with newer clients?? Anyone have a workaround that could help??


  11. I forgot to mention I have tried that as well with no luck. I get the same problme as stated above.. I’m beating my head against the wall with this.. I was scheduled to deploy this 6 hours ago and still no luck..

  12. well my solution was to go to V9.15 client and apply the transform via group policy and it started working.. It’s an issue related to V9.2

  13. I can not get any of this procedure to work for either 9.150 or 9.230.

    If I apply the transform to the modifed msi file, it removes the silent piece and the pass-through authentication still is not an option.

  14. I’m having the same trouble on some Windows XP workstations. Very inconsistent. I ran procmon and found this difference: The workstation on which the Pass-through WORKED contained the following entries. The one that failed had the same entries in procmon up to the entry just before this point and then went in a different direction:

    5685 11:50:28.4602860 AM pnagent.exe 2472 RegOpenKey HKLM\SOFTWARE\Citrix\ICA Client\PASS THROUGH NAME NOT FOUND Desired Access: Read
    5692 11:50:28.4625486 AM pnagent.exe 2472 RegOpenKey HKLM\SOFTWARE\Citrix\ICA Client SUCCESS Desired Access: Read
    5694 11:50:28.4626488 AM pnagent.exe 2472 RegQueryValue HKLM\SOFTWARE\Citrix\ICA Client\DOMAIN NAME NOT FOUND Length: 144
    5695 11:50:28.4626678 AM pnagent.exe 2472 RegCloseKey HKLM\SOFTWARE\Citrix\ICA Client SUCCESS

  15. This is us, newbis. Your Documentation shows how to customize the MIS package. Now,ow do I convert this into one single file again, like the original.

  16. I am testing upgrading a manually installed Citrix 8.0 client to the Citrix 10.0 client by assigning the Citrix 10.0 client package to a computer via Group Policy. It appears to install okay and the user can logon to Citrix but when the user tries to launch an application they get a message saying “Windows cannot open this file: File: .ica” and you get the option to make the association via the web or manually. Making the association manually works fine.

    Any ideas?

    I have tried creating a custom install package but this also produces the same results.


  17. More info to add:

    Looks like the problem is associated with upgrading from a manual 8.0 install. I removed 8.0 manually and then the assigning of 10.0 via Group Policy worked okay.

    Does anyone know if it’s possible to upgrade from a manual install using Group Policy? Upgrading manually works fine.


  18. Even more info:

    If you logon as a local administrator and open a Citrix app then you do not get the file association error and the problem is then resolved for the other non-admin users.

    So how do I get my Citrix client update via group policy working seamlessly?


  19. Hi – I tried changing pn.src file with my custom settings (farm name, etc.) but when I deploy the package, it just copies down a generic PN.INI to my profile. Am I supposed to do some sort of repacking once I update the SRC file?

  20. I am just installing the web client. I create the custom .msi and it runs great except at the end, the user is prompted if they want to reboot. I would rather not prompt this and when the user reboots next, the program will be available. Is this possible?

  21. Does any one know how to configure the pn or pn agent client authentication window so that the ‘save password’ check box does not appear.
    Doesn’t appear to be an option in the package creation and guess it won’t be a serverside setting? Our organisation insists on a monthly password change which create loads of calls for us cos the users so often choose to save password. If the option is removed we could save 100 calls a month. Any suggestions?

  22. Hello Jason, I’ve looking for an good posibility to change an existing appsrv.ini with new settings and I don’t mind to displace the complet file. By this search I found this articel where you write that you have written an VBS script to do exactly this. Is ist possible that you send me this scrpit? My e-mail adress is [email protected]

    Many thanks and regards


  23. When I try to apply the transform to the v10 client package using ORCA, I get an error saying it cant apply the transform. Does the transform file from Citrix work with the v10 client?

  24. I am getting the same issue with the v10 client. I can’t apply the transform. Same error as mentioned above.

  25. I saw that you were installing the web client only. Did you use the following process…

    Admin install of downloaded ica32pkg.msi
    Choose to make “Program Neighborhood & PN Agent” Unavailable (Red X)
    proceed w/defaults
    Creates msi package to deploy
    I’m deploying via AD, so I used Jason’s article & created transform w/Orca
    (On condition table entered “Not Installed” for PN & PN Agent)
    …. Or is there a better way?
    Also, I saw on the Citrix Web Site that you could download what seemed to be a Web only install, but it seemed identical to the full – ica32web.msi. I did download it & try to create the admin install, but it would not create a single msi file & did not seem any different than the full. I was hoping it would just contain the Web ICA32 Client w/out any references to PN stuff. Which download did you use?

  26. On the contrary, i have this GPO working fine, the transform is no longer needed to enable sson. Under the properties table, addin the condition ENABLE_SSON and set it to Yes and it should work fine.

  27. Create a script file (i.e ctxassoc.cmd) with the following line inserted:

    assoc .ica=Citrix.ICAClient.2.5

    In the same group policy that you use for deploying the citrix client, set the shutdown script (Windows Settings–>Script–>Shutdown) to point to this script file. This recreate the ica association after the client has been updated.



  28. Did not need to transform. I used this to deploy Web & PNA. Only problem is that client has to reboot after install is completed in order for passthrough to work properly. Once rebooted, all is well. Any ideas on how to easily force a reboot after installation is complete?

  29. If i push out v10 via group policy, it doesn’t appear to remove the old version as i can still see it in registry. Is there a way to upgrade to version 10 and remove any old Citrix clients? Can I do this all within the msi or do i need to run a script to remove the old client prior to installing the new one, potentially leaving a machine without a Citrix client at all?

  30. Hey.. heres a little guide I found..

    To disable password saving:
    1. Create an installation set for the ICA Client for Windows 95/98/NT. Proceed through Step 6.
    2. Set all options desired using Program Neighborhood’s options and settings dialog boxes.
    3. Configure the desired application sets.
    4. After saving the client machine’s INI files with .SRC extensions on the correct installation diskette, use a text editor to load one of the following files from the final installation diskette:
    Appsrv.src. Load and modify this file if you want to prohibit password saving for all
    application sets. See Step 5.
    Pn.src. Load and modify this file if you want to prohibit individual application sets from
    saving password information. Skip to Step 6.
    5. Locate the section named [WFClient] in Appsrv.src. Add the following text to the list of parameters and values in [WFClient]:
    If the parameter already exists, set its value to On. Save the file and exit the text editor.
    Adding this parameter and setting it equal to On prevents users from saving passwords in the client disk cache for all application sets. Any existing cached passwords are deleted.
    Password saving modification is complete.
    6. For those who want to modify individual application sets, locate in Pn.src the section name that corresponds to the application set on which you want to disable password saving; for example,
    Add the following text to the list of parameters in the section:
    If the parameter already exists, set its value to On.
    7. Add the parameter and value to each application set section as desired. Save the file and exit the text editor.
    Adding this parameter and setting it equal to On prevents users from saving passwords in the client disk cache for the specified application set(s). Any existing cached passwords are deleted.

  31. Hi, David.

    I had the exact same problem as you, file association error, but with the web client. 8.x client being upgraded to 10.x. The problem is that by default the PN agent and regular PN binaries are installed when installing 8.x, even if only selecting the web client – due to a bug in the MSI. See the 7.0 client readme, quoted below:

    9. If you have both the ICA Win32 Program Neighborhood Agent and the
    ICA Win32 Program Neighborhood Client on the same client device,
    and if you uninstall the ICA Win32 Program Neighborhood Agent, file
    type association for .ica-type files is lost. As a result, the ICA
    Client is unable to connect to MetaFrame servers.

    When installing 10.x, it uninstalls the “hidden” PN Agent and PN binaries, which kills the file association.

    Furthermore, in the MSI for the 10.x install, the RemoveExistingProducts step in the InstallExecuteSequence table is AFTER the RegisterExtensionInfo step. So, it uninstalls the 8.x product (and kills the file association) AFTER it installs the 10.x file extension. Not so smart. I changed the RemoveExistingProducts step to earlier in the install process (sequence 1450), and it worked. You need ORCA to edit the MSI in this way.

    Hope this helps. The MSI architechture pages at helped me a TON.

  32. I am trying to deploy 10.150 for the first time via AD (2000). currently using 9.1 clients, some 10.0 and I can’t get the install process to happen. getting “the assignment of application Citrix Presentation server client from policy (OU) failed. the error was: the group policy framework should call the extension in the synchronous foreground policy refresh.

    new to deploying software via AD.. what does that mean?

  33. I need to be able to customize the appsrv.ini, appsrv.src, pn.ini and pn.srv files for a custom installation of the Program Neighborhood. Can you provide me with a script.

  34. You don’t actually have to reboot – all you have to do is log out and back in again. But if you want to reboot, not sure how to do it, but you should be able to edit the msi to force a reboot.

  35. A directory, as used in computing and telephony, refers to a repository or database of information which is heavily optimized for reading, under the assumption that data updates are very rare compared to data reads. Commonly, a directory supports search and browsing in addition to simple lookups.

  36. Heya – Just looking through some blogs, seems to be a fairly nice platform, certainly better than blogger but still playing with the idea of wordpress. Any major plus points you have found over WP at all?



Leave a Reply

Your email address will not be published. Required fields are marked *