Beware of Hosting Web Interface on XenApp Servers

Do you host your Web Interface on one or more XenApp servers? Then I recommend you heed this article before changing your setup. You may well loose your XML service when migrating the Web Interface to another server. And loosing your XML service may result in an outage of your application delivery infrastructure! When XenApp is installed on a server running the Internet Information Services (IIS), the installer offers to activate port sharing between the XML service and IIS. What this actually means is that the XML service is not setup as a system service but as a DLL inside IIS.

How the XML service works

The XML service consist of several DLLs responsible for the individual services. The following table describes the files involved with the XML service.

File Description
ctxxmlss.txt Encoding information
ctxsta.dll Secure Ticket Authority (STA) Incorporated in the XML service since Presentation Server 4.0
ctxsta.config Configuration data for the STA (ctxsta.dll)
WPnBr.dll Connector for Web Interface (My tools XmlServiceExplorer, XmlServiceDigger and XmlServiceReader are based on information offered through this DLL.)
ctxconfproxy.dll Unknown

If a system service is used for the XML service, these files are used from their original location (%ProgramFiles%\Citrix\system32). But this is not the case when it is provided by a DLL inside IIS, because the files are copied to a separate directory (%SystemDrive%\Inetpub\Scripts).

Why Using IIS is Dangerous

Don’t get me wrong - using IIS is not dangerous in general. But rather having the XML service inside IIS is. There are two major pitfalls:

Fortunately, there is an easy way out of the second problem. Citrix offers a tool to change the port of the XML service called ctxxmlss.exe. This tool ships with all versions of XenApp and is located in %ProgramFiles%\Citrix\system32. Citrix also provides an article describing this tool but misses to state explicitly that the following command also creates the system service on port 81 - in addition to changing the port of an existing XML service:

ctxxmlss.exe /r81

This command makes you independent of IIS with regard to the XML service.

Why XenDesktop is affected as well

The issue also occurs on the Desktop Delivery Controller (DDC) of XenDesktop because of the automated installer. It does a wonderful job by taking care of all the gory details of setting up the DDC, e.g. terminal services are installed automatically. But it also installs the XML service with IIS port sharing enabled.

Unfortunately, this causes the same issue described above - and is resolved by the same command line executed on the DDC.


Explaining and Changing the Citrix XML Service Port (

How to Configure the XML Service to Share with IIS (

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.