Citrix GoToMeeting Installation Fails with Application Manager URM Elevation

Version 1

    Verified Product Versions

    Application Control 8.5


    After Web Download and Installation, upon connecting to the meeting the following error is displayed:-


    Failed to start application


    "c:\program files(x86)\citrix\gotomeeting\1060\g2minstaller.exe"

    -noop: Method "CreateProcessWithTokenW" returned Win32 error [1314].

    A required privilege is not held by the client. You may refer to the installer log file for more details.


    The Citrix GoToMeeting installer requires that the installation is run with a user with an invoked full-administrator access token.  Under normal circumstances this is done via the UAC (User Access Control) prompt.
    It is important to understand that when an administrator logs on their access token is split into two tokens: a full administrator access token and a standard user access token.  The standard user access token is used to start the desktop shell then all applications inherit the access control data until an administrative task is run and then the administrator token is invoked.
    This means that even an 'administrator' account would require a level of impersonation to invoke using the full-administrative access token.  There are 4 levels of impersonation:- SecurityAnonymous, SecurityIdentification, SecurityImpersonation, and SecurityDelegation.  On NT6 the SE_IMPERSONATE_PRIVILEGE is required to be enabled in order to impersonate the context of an "administrator" at any level above 'SecurityIdentification'.
    In this instance the 'SecurityImpersonation' level is required to elevate a user to the required level for GTM to be executed.  In Windows XP the impersonation can be done without any additional privileges.

    Add 'Citrix Online' to the 'Trusted Vendor' list.  The only caveat found is that the recording function does not work using this method. 

    To completely enable full-usage of the GoToMeeting software:-

    • Elevate the 'Web Installation' and/or individual GTM components using 'Builtin Elevate'. 
    • Additionally create another URM Policy enabling the 'SeImpersonatePrivilege'.
    • In the required 'User Rights' group add 'G2MInstaller.exe' to the 'Applications' tab and apply the new URM Policy.