We had an issue come up with a group of Citrix Presentation Servers that were recently introduced as a pilot for one of our customers. All the Citrix servers are newly built using mostly application defaults. Our first application silo contained routine applications like Office, IE, and file share resources. Setup and testing went very smooth. However, the second silo we built published a core application that was launched using a batch file. Testing of the application by our network engineers and by the customer’s head of IT raised no concerns. Everything worked as expected. The application was published to a small set of regular users chosen as a pilot group and we were quickly alerted that none of the users could launch the application. Here is the error that was displayed: [more]

“The desktop you are trying to open is currently available only to administrators”

We were aware of some ongoing Terminal Server licensing issues that this customer was experiencing so we automatically assumed that was the problem. We scrambled to put another Windows 2003 server on the network to run TS licensing thinking it was only a matter of time before the other Citrix servers started having issues. By the end of the day, we had the new TS licensing server online and all the settings deployed via group policy to the problematic servers. A reboot of the servers would fix it…not so much. After the reboot, the issue persisted. Back to square one. After digging through all the settings a few times, I finally found the following setting:

On the surface this setting doesn’t look like it would cause any issues. After all, we were using a published application and it looks like this setting would only prevent users from opening a published desktop on the server. However, after doing some testing, we found that the ICA protocol doesn’t consider launching a batch file to be a published application. Only files with .exe extensions count. Our testing failed to uncover this issue because we had unintentionally done all of our testing with administrator accounts and all the applications published on the first silo were standard .exe apps. Unchecking this box fixed the problem.