Tuesday, January 27, 2009

Citrix 11 client and pass-through authentication

Another fun one for Citrix. The settings for the client application have moved around a few places. Basically, starting at version 10 they moved from the appserv.ini to the registry. The issue I found was with the new version 11 client. If you right-click the system tray icon and select Options, you should see a drop-down box for "prompt user" or "pass-through authentication". If you don't, reboot (the single sign-on piece needs a reboot after client install, but doesn't ask for it for some reason). If after a reboot you still don't see it, you need to get a new client install package (that's another blog for another time).

Now say you have it in the drop-down, but need to set it for your whole network. Well, the registry setting isn't easy to find. There are a number of registry settings that look like they should work, like:
[HKLM\Software\Citrix\PNAgent] "EnablePassThrough" set to 1.
While this setting does have some play (if it's set to 0 things definitely won't work), it's not the be-all and end-all of enabling pass-through.

This little sucker is the one that eluded me for some time:
[HKEY_CURRENT_USER\Software\Citrix\PNAgent] "Configuration Model 000"

The contents of that key are what is modified when you change the drop-down box from "prompt user" to "pass-through authentication". The contents are a hex bunch of crap as far as I can tell. I'll be testing if I can just drop this key on all my machines and voilà, or if I have to come up with 3-4 different ones based on different variables (maybe the type of machine matters? the user account? the full moon? I'm just not sure what makes up that key exactly yet).

Monday, January 19, 2009

Citrix SSL relay name could not be resolved (SSL error 40)

This was a particularly difficult one to resolve. Dealing with maintenance windows and lack of a testing environment makes things particularly stressful. In the end, pay close attention to what address the SSL certificate is issued to. In my case the common name was issued to an old URL that was no longer used in day-to-day work, but had a DNS entry published to point to the old IP address. The old IP address (also not used in day-to-day talks) was added as an additional IP to the working Secure Gateway. We wanted to add some redundancy to the setup by adding an additional SG. The problem was that when the new SG would check its certificate, it would resolve to the IP of the other SG and route traffic through it. The fix?
Adding a host entry to the local hosts file of the new SG to map the common name URL to the new SG IP address, effectively keeping the traffic on the new SG.
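The check behind that fix, as an added example that is not part of the original post: given the certificate's common name, work out which address the gateway itself would resolve it to (hosts file first, then DNS) and whether that address belongs to the local box. The host name, the addresses, the DNS table and the function names are all constructed placeholders.

```python
import ipaddress

# Constructed sample data: names and addresses are placeholders, not from the post.
CERT_CN = "gateway.example.com"               # common name on the SSL certificate
NEW_SG_IPS = {"192.0.2.20"}                   # addresses bound on the new Secure Gateway
DNS = {"gateway.example.com": "192.0.2.10"}   # published record: points at the other SG

HOSTS_BEFORE = "127.0.0.1  localhost\n"
HOSTS_AFTER = """\
127.0.0.1    localhost
# pin the certificate name to this gateway
192.0.2.20   Gateway.Example.com  gateway   # new SG
"""

def parse_hosts(text):
    """Map lowercased names to addresses; comments and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)  # assumed: first entry for a name wins
    return table

def check_gateway(cert_cn, local_ips, hosts_text, dns_lookup):
    """Report where the certificate name resolves from this box and whether it stays local."""
    name = cert_cn.rstrip(".").lower()
    hosts = parse_hosts(hosts_text)
    if name in hosts:                      # hosts entries are consulted before DNS
        addr, source = hosts[name], "hosts"
    else:
        addr, source = dns_lookup(name), "dns"
    return {"cn": name, "resolved": addr, "source": source,
            "stays_local": addr in local_ips}

if __name__ == "__main__":
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        print(label, check_gateway(CERT_CN, NEW_SG_IPS, hosts, DNS.get))
```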

Thursday, January 1, 2009

Citrix CCA 4.0 4.5 5.0??

The Citrix CCA for Presentation Server has gone through some changes. I think I'll be taking the 259 test in a week or 3. There's some confusion over what the current test covers and what test(s) are required for the CCA cert. Citrix has removed the requirement for the online eLearning session. So all you have to pass is the 259 test, and it covers 4.5 and 5. There is some talk that 5.0 on Windows 2003 is just 4.5 plus a patch. I'm not sure I agree with that, but can't offer any facts to back that up. Maybe one of you can comment.