Problem Definition
Smart card logons through Web Interface 4.0 Web sites are successful if the site is configured to use a Presentation Server 4.0 farm. If a MetaFrame XP Service Pack 3 Feature Release 3 or Service Pack 4 Feature Release 3 farm is used, the logon attempt fails with the following error message in the Web Interface Message Center:
"An error has occurred when trying to enumerate your applications."
The error message appears after the end user enters their PIN when prompted. The issue began as soon as the customer enabled Smart Card Access in Web Interface.
Environment
Web Interface 4.0 / Windows 2003 Service Pack 1
MetaFrame XP Service Pack 4 / Windows 2003 Service Pack 1
Citrix Presentation Server 4.0 / Windows 2000 Service Pack 4
Client workstation: Windows XP Service Pack 2
Cryptographic Service Provider: Schlumberger
Smart Card Reader hardware: SCM Microsystems SCR3310 USB
Troubleshooting Methodology
Whenever a smart card logon issue is brought before Citrix Technical Support, the functionality of the smart card features in Windows should always be tested first as a sanity check. In this case, the user was able to log on to the console of the MetaFrame XP server using a smart card.
Given that the user has more than one farm, we also tested the existing Web Interface server by configuring it to use the other farm. In this case, the other farm in question was comprised of Citrix Presentation Server 4.0 servers. Smart card logons in Web Interface were successful when Web Interface was configured to use the Citrix Presentation Server 4.0 farm.
The user volunteered that the environment is comprised of several hundred groups in the Active Directory domain, and a given user account can be a member of as many as 60 domain groups. Once this fact was revealed, the source of the problem became much more evident. The MaxRequestSize property of the MetaFrame XP XML Service was not configured in the registry, and thus the XML Service was operating with the default value of 4096 bytes. The MaxRequestSize parameter is documented in CTX943036 - Error: Citrix XML request too large, more than 4096 bytes.
Resolution
The user was instructed to reconfigure the XML Service MaxRequestSize parameter in the registry. We suggested basing the new value on the number of groups multiplied by the size of the longest group entry name, added to a minimum amount for overhead. Keeping in mind that the group names are comprised of Unicode characters that use two bytes for every letter, we tested the following:
2000 + (158 bytes per group * 1000 groups) = 160,000 bytes
More Information
The user expressed concern with configuring MaxRequestSize with the value 160000 because every XML Service request will be of this size in a MetaFrame XP server.
We explained to the user that the code governing the XML MaxRequestSize does not have an upper bound defined. Further, we have not found an indication that performance will suffer when using Web Interface even when using values as large as 256,000 bytes. This is because servers are now typically provisioned with half a gigabyte to one full gigabyte of RAM, given the continuing long-term fall in the price of RAM.
Increasing the max request size means that extra memory will be allocated to the XML Service for each new request. (Memory has to be allocated before the request is handled.) Supposing an example where MaxRequestSize=256000 and 200 users are logging on at the very same second, the XML Service configuration is going to require 50 megabytes of RAM for the XML Service for that moment in time. By current terms, 50 megabytes of RAM would not tax a typical MetaFrame XP server.
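The sizing rule from the Resolution section and the memory estimate above can be checked against real group names before the registry value is changed. The following is an added example, not Citrix code: it assumes the request size is roughly the fixed overhead plus the UTF-16 length of each group name, as the article's estimate does, and the group names and function names are constructed for illustration.

```python
# Added example: models the article's sizing estimate, not the XML Service itself.
# Assumption: request size ~= fixed overhead + UTF-16 bytes of every group name.

OVERHEAD_BYTES = 2000        # the article's "minimum amount for overhead"
DEFAULT_MAX_REQUEST = 4096   # XML Service default when MaxRequestSize is unset


def utf16_bytes(name: str) -> int:
    """Bytes for one name as UTF-16: two per BMP character, four outside it."""
    return len(name.encode("utf-16-le"))


def estimated_request_size(groups, overhead=OVERHEAD_BYTES) -> int:
    """Estimated request size for one user's group memberships."""
    return overhead + sum(utf16_bytes(g) for g in groups)


def recommended_max_request_size(all_groups, group_ceiling,
                                 overhead=OVERHEAD_BYTES) -> int:
    """Worst case: group_ceiling memberships, each as long as the longest name."""
    longest = max(utf16_bytes(g) for g in all_groups)
    return overhead + longest * group_ceiling


def peak_allocation_bytes(max_request_size, concurrent_logons) -> int:
    """Memory reserved if every logon arrives in the same second."""
    return max_request_size * concurrent_logons


# Constructed sample data: one user with 60 memberships, longest name 79 chars.
LONGEST = "G" * 79
USER_GROUPS = [LONGEST] + [f"DOMAIN\\Dept-{i:02d}-Users" for i in range(59)]

if __name__ == "__main__":
    need = estimated_request_size(USER_GROUPS)
    fits = need <= DEFAULT_MAX_REQUEST
    limit = recommended_max_request_size(USER_GROUPS, group_ceiling=1000)
    peak = peak_allocation_bytes(256000, 200)
    print(f"user needs ~{need} bytes; fits default {DEFAULT_MAX_REQUEST}: {fits}")
    print(f"recommended MaxRequestSize: {limit}")
    print(f"peak at 200 logons with 256000: {peak / 2**20:.1f} MiB")
```

With this sample data, a 60-group user already exceeds the 4096-byte default, and the worst-case calculation reproduces the article's 160,000-byte figure.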