Connecting to the Citrix Web Interface from a server that has Application Manager installed causes an error on the web page.
You may also see the following event generated in the Event Viewer or AppSense Management Console:
"AppSense Application Manager denied execution of 'c:\windows\microsoft.net\framework\v2.0.50727\temporary asp.net files\citrix_xenapp\c64e146c\65593d0a\assembly\dl3\715c8be2\cf3fc0a4_c25ecd01\accesstokens.dll' on 'servername'".
The account that is denied is "IIS APPPOOL\CitrixWebInterface5.4.0AppPool"
The cause is that, when the Web Interface is accessed, the Citrix app pool is denied access to the .NET components created by the Web Interface installer.
During the installation of the Web Interface site, the trusted owner is configured as the Web Interface's IIS Pool account.
This leads to Application Manager denying access due to an unknown Trusted Owner.
The issue can be resolved by performing the following Application Manager configuration change.
1) Open your Application Manager configuration.
2) Add a new User condition.
3) Use the "IIS APPPOOL\CitrixWebInterface5.4.0AppPool" as the user account.
4) Change the user account restriction policy to "Unrestricted".
5) Save and deploy the new configuration.
This can be further locked down to restrict the App Pool account so that it can only access/execute files from the location it needs in order to carry out its duty. For example, "c:\windows\microsoft.net\framework\v2.0.50727\temporary asp.net files\citrix_xenapp\". The actual folder path(s) can be found during the auditing phase of implementing Application Manager or from Citrix documentation.
Note: The account "IIS APPPOOL\CitrixWebInterface5.4.0AppPool" may vary depending on the version of the Citrix Web Interface that you are running.
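To confirm the Trusted Owner cause described above, and to collect the folder paths for the locked-down rule, the following PowerShell script lists the NTFS owner of each compiled assembly under the Web Interface folder. It is an added example, not AppSense or Citrix code; the `$TrustedOwners` list is an assumed sample and the function name `Get-OwnerReport` is hypothetical. It needs PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: audit NTFS owners of the assemblies the app pool compiles.
# Folder taken from the denied-execution event on this page; adjust per site.
$Root = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\citrix_xenapp'

# Assumption: sample Trusted Owners list. Replace it with the list from
# your own Application Manager configuration.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Get-OwnerReport {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $Trusted
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Folder not found: $Path"
    }
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object {
            # Owner is the NTFS owner that a trusted ownership check evaluates.
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            [pscustomobject]@{
                Owner   = $owner
                Trusted = ($Trusted -contains $owner)   # case-insensitive match
                Folder  = $_.DirectoryName
                File    = $_.Name
            }
        }
}

$report = @(Get-OwnerReport -Path $Root -Trusted $TrustedOwners)

# Summary: how many executables each owner holds, and whether it is trusted.
$report | Group-Object Owner, Trusted |
    Select-Object Count, Name | Format-Table -AutoSize

# Folders holding files with a non-trusted owner: candidates for the
# path-restricted rule for the app pool account.
$report | Where-Object { -not $_.Trusted } |
    Select-Object -ExpandProperty Folder -Unique
```

Files reported with the owner "IIS APPPOOL\CitrixWebInterface5.4.0AppPool" (or the equivalent account for your Web Interface version) match the denial in the event above.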