locked
Error "Security context not allowed" when starting App-V application as RemoteApp RRS feed

  • Question

  • I tried to publish App-V applications as RemoteApps on our Windows Server 2008 SP2 terminal servers.

    I followed the "Application Virtualization 4.5 for Terminal Services" whitepaper when creating the RemoteApps.
    When users try to start this RemoteApps from the RemoteDesktop Website starting the RemoteApps stops with an error
    "Application Virtualization Client could not be started. The security context is not allowed. Error code 4514197-0C601B33-000006D5."

    At same time the following error is logged on the terminal server:
    Source: Application Virtualization Client
    Event ID:   3164
    Description:
    {tid=804:usr=username} Error on determine authentification informations of the FEC connection. (Error code = 0C601B33-000006D5)

    I was unable to find any informations to this error code.
    Does anyone know something about the cause of this problem?

    Thanks,

    Peter


    Peter
    Thursday, October 29, 2009 4:54 PM

Answers

  • Hello,

    in meantime I was able to get a solution for the RemoteApps: enabling the RemoteApp option on the terminal server "Allow users to start both listed and unlisted programs on initial connection" the App-V RemoteApps now starting without any problem.

    Trying to publish the App-V applications as Citrix XenApp Published Applications still run into the 'security context' error.
    But I'm now shure that the problem is related to the implemented SSO on the terminal server farm using the CredSSP GPO settings:
    when starting the App-V application as Citrix Published Application from a client that is not affected from the CredSSP GPO (and therefore the user has to explicit logon to the terminalserver) App-V client starts the application without any error! So it seems that Citrix XenApp in the CredSSP scenario with Kerberos authentification has a problem to start the App-V client under the users security context?
    Peter
    • Proposed as answer by znack Wednesday, November 4, 2009 10:21 AM
    • Marked as answer by Aaron.ParkerModerator Saturday, November 17, 2012 2:06 PM
    Wednesday, November 4, 2009 10:15 AM

All replies

  • Hello,

    Can the application be started without RemoteApp / on a different client?
    Does it have any services within itself?
    Is the app-v client started?

    /Znack
    Thursday, October 29, 2009 7:05 PM
  • Hello Znack,

    yes, the application starts without any problem in a RemoteDesktop session on the same terminal servers.

    The application doesn't have services in itself.

    One thought I had was that the problem could be related to the implemented SSO (CredSSP GPO settings) from RemoteDesktop site to the terminal server farm:
    'security context' sounds for me something like Kerberos....
    Peter
    Sunday, November 1, 2009 7:29 PM
  • Hello,

    in meantime I was able to get a solution for the RemoteApps: enabling the RemoteApp option on the terminal server "Allow users to start both listed and unlisted programs on initial connection" the App-V RemoteApps now starting without any problem.

    Trying to publish the App-V applications as Citrix XenApp Published Applications still run into the 'security context' error.
    But I'm now shure that the problem is related to the implemented SSO on the terminal server farm using the CredSSP GPO settings:
    when starting the App-V application as Citrix Published Application from a client that is not affected from the CredSSP GPO (and therefore the user has to explicit logon to the terminalserver) App-V client starts the application without any error! So it seems that Citrix XenApp in the CredSSP scenario with Kerberos authentification has a problem to start the App-V client under the users security context?
    Peter
    • Proposed as answer by znack Wednesday, November 4, 2009 10:21 AM
    • Marked as answer by Aaron.ParkerModerator Saturday, November 17, 2012 2:06 PM
    Wednesday, November 4, 2009 10:15 AM
  • Hello,

    Is kerberos used through the entire environment?

    /Znack
    Wednesday, November 4, 2009 10:21 AM
  • Hello,

    yes Kerberos is used through the entire terminal server environment.

    Peter
    Thursday, November 5, 2009 8:38 AM