ClickOnce Prompt for Citrix Published App

Thanks to the state of the world currently, I’ve recently had to publish a lot more applications through Citrix for people that need access to on-prem applications, which gave me the following scenario.

I have an on-prem application that runs through Internet Explorer. More specifically, when a user navigates to the site, it triggers an application to run, which brings up the ClickOnce Security Prompt that we all know and love:

Security Warning

Normally, I would expect for Citrix to be able to properly bring this up, but it turns out that Citrix can’t do it without some jiggering. I had published Internet Explorer (C:\Program Files (x86)\Internet Explorer\iexplorer.exe) and added the option to open to the site (http://site/sitepage), but doing so did not bring up the prompt. Doing this on the same server in Desktop mode showed the prompt, so I knew it was a specific issue with the way Citrix publishes apps and allows those apps to interact with other executables.

After some Googling and ill-fated attempts to make registry modifications, NIcolas Couture on this thread gave me the answer I was looking for:
https://discussions.citrix.com/topic/289806-report-builderapplication-run-%E2%80%93-security-warning-before-starting/

Creating a batch file with the following content, and then publishing that batch file did the trick.

CD /D "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
START DFSVC.EXE
Start "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "http://myserver.com/webapp/"

For reference as to what I had previously tried that DID NOT work, here’s a list:

  • Setting the site into the Trusted Sites Zone and changing the following settings to “Enable.”
    • Launching applications and unsafe files
    • Launching programs and files in an IFRAME (I don’t know why I thought this would work. This was not in an IFRAME. We’ll call it desperation)
  • Going into the registry and setting the following keys to Enabled at HKLM\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel , in the order I tried them (again, out of desperation) [and here’s the link to the article that gave me this red herring to chase]
    • TrustedSites
    • Internet
    • LocalIntranet
    • MyComputer
    • UntrustedSites

So yeah, don’t do any of these things. Do the thing up top.

Happy hunting, and stay safe out there.