When rolling out Citrix Virtual Apps and Desktops 2507 LTSR VDAs on Dell thin clients for clinical users, we encountered an unexpected 5–6 second delay when entering credentials on the Microsoft login page. Although the policies appeared correctly set and browser redirection was disabled, the delay persisted.
We dug deeper into CDF traces, registry behavior, and how FIDO2 redirection is handled at the VDA level. What we uncovered may help if you’re troubleshooting similar authentication latency.
Initial Symptom and Environment
During the pilot and rollout for clinical users on Dell thin clients, we encountered a delay when entering credentials on the Microsoft login site. As soon as we experienced this issue, we disabled the browser redirection and WebAuthn redirection policy as follows:
- Browser content redirection: Prohibited
- Browser content redirection integrated Windows authentication support: Prohibited
The settings were forced on the Citrix VDA servers but did not yield any results on the Dell thin clients.
Troubleshooting and Log Analysis
Our next step was to start troubleshooting and collecting logs. During the troubleshooting process, we collected various traces such as .har files, Procmon logs, and Citrix CDF traces. All we could see from the .har files was a 5-6 second delay due to constant loopback communication for a few seconds on the Citrix VDA.
Reviewing Procmon logs was cumbersome and did not uncover much. Our last review was to check Citrix CDF traces, and something caught my eye; in the last column, we saw the following:
- DEVICES-FIDO2: C:\Program Files (x86)\Citrix\online plugin\ica client\wfica32.exe in session 1. Called WebAuthNGetPlatformCredentialListHook
- DEVICES-FIDO2: C:\Program Files (x86)\Citrix\online plugin\ica client\wfica32.exe in session 1. Native API for WebAuthNGetPlatformCredentialList returned 0x80090011, Unknown Error Translation
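The same triage can be scripted once a CDF trace has been exported to text. This is an added example, not part of the original write-up and not a Citrix tool: it pulls the DEVICES-FIDO2 rows out of an export and counts hook calls and failing HRESULTs per process. The row layout is an assumption, and the sample rows are constructed around the two messages quoted above; 0x80090011 is the Windows NTE_NOT_FOUND code.

```python
import ntpath
import re

# HRESULT names this example maps; any other code is reported as hex only.
KNOWN_HRESULTS = {0x80090011: "NTE_NOT_FOUND"}

EVENT_RE = re.compile(
    r"DEVICES-FIDO2:\s*(?P<image>.+?\.exe) in session (?P<session>\d+)\.\s*(?P<msg>.+)$")
HOOK_RE = re.compile(r"Called (?P<api>\w+)Hook\b")
RESULT_RE = re.compile(r"Native API for (?P<api>\w+) returned (?P<hr>0x[0-9A-Fa-f]{1,8})")

# Constructed sample rows: the leading columns are placeholders (assumed layout),
# and the rows are repeated to mimic the hook firing more than once.
ROWS = [
    r"1,<time>,DEVICES-FIDO2: C:\Program Files (x86)\Citrix\online plugin\ica client\wfica32.exe in session 1. Called WebAuthNGetPlatformCredentialListHook",
    r"2,<time>,DEVICES-FIDO2: C:\Program Files (x86)\Citrix\online plugin\ica client\wfica32.exe in session 1. Native API for WebAuthNGetPlatformCredentialList returned 0x80090011, Unknown Error Translation",
    r"3,<time>,SOME-OTHER-MODULE: unrelated constructed row",
]
SAMPLE = ROWS * 2

def parse_fido2_events(lines):
    """Return one dict per DEVICES-FIDO2 row; other rows are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line.rstrip())
        if not m:
            continue
        ev = {"process": ntpath.basename(m["image"]).lower(),
              "session": int(m["session"]), "kind": "other", "api": None, "hresult": None}
        result, hook = RESULT_RE.search(m["msg"]), HOOK_RE.search(m["msg"])
        if result:
            ev.update(kind="result", api=result["api"], hresult=int(result["hr"], 16))
        elif hook:
            ev.update(kind="hook_call", api=hook["api"])
        events.append(ev)
    return events

def summarize(events):
    """Count hook calls and failing HRESULTs per (process, API)."""
    summary = {}
    for ev in events:
        if ev["kind"] == "other":
            continue
        entry = summary.setdefault((ev["process"], ev["api"]), {"hook_calls": 0, "failures": {}})
        if ev["kind"] == "hook_call":
            entry["hook_calls"] += 1
        elif ev["hresult"] & 0x80000000:  # severity bit set = failure HRESULT
            label = f"0x{ev['hresult']:08X} ({KNOWN_HRESULTS.get(ev['hresult'], 'unmapped')})"
            entry["failures"][label] = entry["failures"].get(label, 0) + 1
    return summary
```

A process that shows hook calls after FIDO2 redirection has been prohibited by policy is the signal that the hook is still being loaded on that VDA.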
Policy Testing: Disabling FIDO2 Redirection
With this in the CDF trace, we decided to disable FIDO2 redirection for testing. The FIDO2 policies we disabled are:
- FIDO2 allowed processes: Disabled
- FIDO2 Redirection: Prohibited
We checked the Citrix VDA for policies, and they were listed and applied with proper settings within the HKLM\Software\Policies\Citrix registry key.
Registry Behavior and Resolution
The Citrix article "FIDO2 and WebAuthn authentication | Citrix Virtual Apps and Desktops™ 7 2507 LTSR" details the steps needed for configuring FIDO2 and WebAuthn redirection, and when we checked on the Citrix VDA itself, the following registry keys were already set by default.
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook
- Value name: FilePathName
- Value type: REG_SZ
- Value data: C:\Program Files\Citrix\HDX\bin\CtxWebAuthnHook.dll
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook
- Value name: Flag
- Value type: DWORD
- Value data: 00000002
The very next step was to delete the “Flag” value and test. As soon as we did that, the issue was gone, and there was no delay when typing into the Username field on the Microsoft login page.
Key Takeaways
During this troubleshooting exercise, we uncovered a few things that may have contributed to this issue. Even though the article above lists steps to configure FIDO2 and WebAuthn authentication by creating registry values and keys, these registry settings are applied during the installation of Citrix VDA 2507.
Disabling FIDO2 and WebAuthn within Citrix policies places these values in HKLM\Software\Policies\Citrix, but does not revert the “Flag” registry value to disabled, nor remove it, so the policy setting does not take effect.
This process has only been tested on Dell thin clients with Dell ThinOS 8.x, 9.x and 10.x versions, but the issue may be seen on other client endpoints, as the OEM Citrix Workspace clients may not have the FIDO2 redirection option available.
If you’re seeing similar behavior in your Citrix environment and are struggling to find the root of the problem, our team at Ferroque Systems is happy to help. We can help resolve the issue and restore your environment to a smooth user experience. To learn more, reach out to our team.
Zeljko Macanovic
Zeljko is Ferroque’s Chief Architect and a leading expert in Citrix technologies, boasting over three decades of experience with Citrix and Microsoft platforms. His contributions at Citrix include serving on the CCAT board and enhancing Citrix Consulting standards and methodologies.