Citrix and Internet Explorer 11 Enterprise Mode Part 3

Brian Murphy
Technology Infrastructure Architect, with an unusually unique combination of skills honed over more than 20 years.
Several part series to implement Internet Explorer 11 Enterprise Mode
PART 1 | PART 2 | PART 3

Part 1 covered XML design. The XML design is critical to the implementation and to adding or removing sites from the sites.xml file. The XML file, like DNS, is read “right to left.” As of this writing, the options are: IE 11 Default, IE 8 Emulation Mode, IE 10 Document Mode, IE 9 Document Mode, IE 8 Document Mode, and IE 7 Document Mode.

Part 2 covered XML structure, right-to-left file parsing and document mode. XML, like DNS, is parsed right to left, and from greatest to least potential impact, although a single error at any level can result in an outage. Document mode provides a way to adjust for other document types using the same XML file.

ADDITIONAL CONCERNS
Moving from IE 8 with Compatibility View to IE 11 Enterprise Mode with Compatibility View disabled can surface issues that are unrelated to the IE 11 upgrade itself but are attributed to it by default, when the real cause is a GPO setting or some other factor. This section provides examples of such scenarios.

LOCAL INTRANET ZONE USER AUTHENTICATION
By default, IE 11 without custom configuration through Group Policy has the following setting for the Local Intranet Zone. It is one of several settings that result in project defects, and knowing about it now avoids a future headache. This setting effectively "disables" integrated logon for every internal website addressed by a full FQDN. Sites addressed without an FQDN (Intranet short names) would still work, but none of your sites with a full DNS name such as site1.vcissgroup.com would log on automatically.
[Image P3IMAGE1.png: default Local Intranet Zone setting]
Unfortunately, this causes authentication errors for sites that use Integrated Logon with Active Directory. It requires a modification to the group policy object (GPO) as follows:

[Image P3IMAGE2.png: modified Local Intranet Zone setting]
This setting enables integrated logon for anything listed in the Intranet Zone, whether it is the short name, http://vcissgroup, or the FQDN, http://site1.vcissgroup.com.

This assumes Active Directory domain-joined workstations. Websites that require "Integrated logon" use Active Directory credentials: the current logon with the current password. Other types of websites require a separate login ID and password and are therefore not affected by this modification to group policy.

COMPATIBILITY VIEW VERSUS ENTERPRISE MODE
Compatibility View and Enterprise Mode cause many issues when both are in effect, because one or the other must take precedence. In other words, they must not be used together. Enterprise Mode requires “Compatibility View” to be disabled.

The quickest way to disable Compatibility View is a custom filter in Group Policy under Computer Configuration, All Settings.

  1. Start – Run – MMC.exe > Add or Remove Snap-ins
     [Image IMAGE3.png]
  2. Group Policy Object Editor > Highlight > Click ADD (or Double Click)
     [Image IMAGE4.png]
  3. Local Computer > FINISH
     [Image IMAGE5.png]
  4. Verify > Group Policy Object Editor > Local Computer Policy > OK
     [Image IMAGE6.png]
  5. Click OK
     [Image IMAGE7.png]
  6. Verify in the top-left that you are at Local Computer Policy\Computer Configuration\Administrative Templates\All Settings
     [Image image7-b.png: All Settings under Computer Configuration]
     [Image IMAGE8.png]
FILTER SETTINGS
To expedite this process create a custom "Filter" and search for anything with "compatibility".

Right Click > Filter

[Image IMAGE9.png]
This is not an optional step. The strategic direction for future versions of IE is to adjust compatibility dynamically. Those who have to manage thousands of websites in Group Policy will appreciate the non-optional aspect of this change.

Turn off Compatibility View = Enabled
Turn off Compatibility View button = Enabled
[Image IMAGE10.png]
[Image IMAGE11.png]
Explanation:
Disabling Compatibility View requires enabling these two Group Policy settings. Once they are enabled, Compatibility View can no longer be applied automatically to the Intranet zone, by users adding sites, or by administrators adding sites.

ENTERPRISE MODE – DO AND DON’T
Historically, Windows XP supported IE 6, 7 and 8. Vista only supported 9 and 10. Windows 7 and Server 2008 shipped with IE 8. Hence, by the time IE 11 was released, most code had been written for the middle version.

It is important to understand the logic of IE 8 Emulation Mode versus running IE 8 and using Compatibility View to fix something written for IE 7. IE 8 Emulation Mode adjusts for sites coded for IE 8 and IE 7. It does this without Compatibility View; the emulation is native to Enterprise Mode.

It is important to understand that this version of the XML and its syntax is specific to the Windows 7 operating system and IE 11 running in Enterprise Mode. Windows 8.1 and 10 require a different syntax. This series applies to 2008 R2 / 2012 / 2012 R2 mixed-mode or native-mode domains running Windows 7 client operating systems.

LIST OF DO's
  1. IE 11 Enterprise mode is enabled using a dedicated Group Policy Object 
  2. The Group Policy should be different for each instance where a different website is hosting an XML file
  3. Create IE 11 Enterprise mode group policy objects (GPO) for Workstation and Citrix servers.  
    • Workstation operating system is assumed to be Windows 7 
    • Server operating system is assumed to be Microsoft server 2008, 2008R2, 2012, 2012 R2
  4. IE 11 Enterprise mode should emulate IE 11 by default and add exclusions as needed (See PART 1)
  5. IE 11 Enterprise mode XML files are hosted on separate, dedicated web servers using HTTP
  6. Due to the critical nature of the file, multiple web servers and load balancing technology are recommended
  7. XML file and web server must be accessible by all Workstations by HTTP on TCP port 80
  8. XML file and web server must be accessible by all Citrix Servers by HTTP on TCP port 80
  9. Use IE 11 Enterprise mode by default
  10. IE 11 Compatibility View mode is disabled 
LIST OF DON’Ts
  1. Do not use the Compatibility Mode View list or carry these forward from previous Group Policy settings
  2. Do not add sites to Compatibility Mode View in GPO in parallel with IE 8 Emulation mode
  3. Do not add sites to Compatibility Mode View in GPO before attempting IE 8 Emulation mode
  4. Not applicable to Windows 8.1 or higher 
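The following Python check is an added example, not code from the original article: it validates a constructed version 1 Enterprise Mode site list of the kind this series describes and applies DON'T #2 above by flagging any domain under IE 8 Emulation (the <emie> section) that also appears on a Compatibility View list carried forward from an old GPO. The domain names, the sample list and the Compatibility View entries are constructed; the <rules>/<emie>/<docMode> layout follows the documented version 1 schema, and requiring an explicit exclude attribute is this check's own rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a version 1 Enterprise Mode site list, the Windows 7 / IE 11
# schema this series targets. The domain names are made up.
SITE_LIST_XML = """<rules version="3">
  <emie>
    <domain exclude="false">site1.vcissgroup.com</domain>
    <domain exclude="false">app.vcissgroup.com
      <path exclude="true">/modern</path>
    </domain>
  </emie>
  <docMode>
    <domain docMode="8">legacy.vcissgroup.com</domain>
    <domain docMode="12">bad.vcissgroup.com</domain>
  </docMode>
</rules>"""
# Constructed sample of a Compatibility View site list carried forward from an old GPO.
COMPAT_VIEW_LIST = ["app.vcissgroup.com", "old.vcissgroup.com"]
# Document modes the series lists (IE 7 to IE 10) plus the IE 11 default.
VALID_DOC_MODES = {"7", "8", "9", "10", "11"}


def validate_site_list(xml_text, compat_view_list=()):
    """Return a list of findings; an empty list means the site list passed every check."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "rules" or not root.get("version", "").isdigit():
        findings.append('root must be <rules version="N"> with an integer version')
    compat = {c.strip().lower() for c in compat_view_list}
    seen = set()
    for section in ("emie", "docMode"):  # emie = IE 8 Emulation, docMode = document modes
        for d in root.findall(f"{section}/domain"):
            name = (d.text or "").strip().lower()  # text before any nested <path> element
            if not name:
                findings.append(f"{section}: empty <domain> element")
                continue
            if name in seen:
                findings.append(f"{section}: duplicate entry {name}")
            seen.add(name)
            if section == "emie" and d.get("exclude") not in ("true", "false"):
                findings.append(f'emie: {name} needs exclude="true" or exclude="false"')
            if section == "docMode" and d.get("docMode") not in VALID_DOC_MODES:
                findings.append(f"docMode: {name} has unsupported docMode={d.get('docMode')}")
            # DON'T #2 above: a site under IE 8 Emulation must not also sit on the
            # Compatibility View list, or the two mechanisms fight over precedence.
            if section == "emie" and name in compat:
                findings.append(f"emie: {name} is also on the Compatibility View GPO list")
    return findings
```

Run it against the real sites.xml fetched from the dedicated web server and an export of the legacy Compatibility View policy list before linking the new IE 11 GPO.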
GLOBAL REQUIREMENTS
  1. Dedicated Server assigned per line-of-business (LOB)
  2. Uses IIS 7.5 or higher
  3. Does not require new Application Pool, just a virtual directory with correct permissions
  4. To use port 80, which is already open, a virtual directory is created under the Default Web Site
  5. The XML file share must be accessible by all users using IE 11 per line-of-business (LOB). Best practice is to use IIS and the HTTP protocol.
  6. Required when enabling Enterprise Mode globally and using a centralized file for managing exclusions
DEDICATED OU ACTIVE DIRECTORY
The aforementioned ADMX files must be copied to the “Central Repository” used to manage each prospective line of business.
  1. None of the IE 8, 9 or 10 settings under the IE sections of linked group policy objects (GPO) are applicable, and they cause major problems.
  2. A new Group Policy Object that pertains only to IE 11 is required in AD, and the corresponding ADMX files must be referenced
    • One for workstation operating system - Windows 7 or lower
    • One policy for server operating system - Windows 2008 or higher  (IE 11 is installed)
  3. This GPO is then linked to the new IE 11 organizational unit (OU)
  4. At implementation, no Compatibility View settings should link to the new organizational unit (OU) for IE 11
  5. Placement of the IE 11 organizational unit (OU) is key
    • Legacy browser Compatibility View settings must not apply
    • Sites listed in Trusted, Intranet, and Internet still apply
NOTE
This applies to version 1 of IE 11 Enterprise Mode using Windows 7 and Internet Explorer 11.

SUMMARY
This three-part series provides introductory information for implementing Internet Explorer 11 Enterprise Mode. Done correctly, IE 11 Enterprise Mode eliminates the need for Compatibility View and uses IE 11 emulation and document modes for internal or external websites that require legacy modes to work.