Aetsprov-event-0-and-PKCS#11-library-aetpkss1dll



Microsoft has wonderful products, but half the world is still using Citrix Presentation Servers for their terminal servers. The latest version is no longer called Presentation Server but is now called XenApp. On Windows 2008 R2 with SP1 and all the preferred XenApp updates installed, I ran into some nasty and persistent problems lately, which seem hard to solve.
The problems were mainly the slow loading of https sites and related problems with applications that are using other SSL, SHA 256 and CryptoAPI encryption technologies, in combination with the use of redirected smartcards, USB devices and other high-end card technologies. In this article I will describe the problem and the solution, so the rest of the world can benefit from my experience until the vendor has provided me with a decent solution.

Several of my co-workers looked at it, until I was assigned this issue. After a little testing and debugging, I was able to pinpoint it to event 0 from the source aetsprov, which appeared in the event log on opening https sites, among other applications, but more about that later in this article. The event stated:

[Screenshot: aetsprov event 0 - PKCS #11 library - aetpkss1.dll - www.oostdam.info]

The description for Event ID 0 from source aetsprov cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event:  Failed to load the PKCS #11 library (aetpkss1.dll) (module = C:\Program Files (x86)\Internet Explorer\iexplore.exe)


So... Google is my best friend, and I found out that this aetpkss1.dll is created for several software solutions from the company A.E.T. Europe, which provides flexible identity solutions in various products. Just google for their SafeSign 1.2 white paper in PDF format, and find all the details. They explained the structure very clearly in it. Now these products have been on the market for a while and the PKCS #15 library is the default for use with separate Middleware USB sticks. The #11 library is the standard token library in the world. Still strange... because the #11 library is a rather common technology, quite the same as the CryptoAPI, so... let's further debug this issue. The base of my debugging starts at the slow loading of https sites, in combination with the event 0 error.

It seems that every https site starts with trying to load the custom aetpkss1.dll. My theory is that by installing one of their applications on a W2K8-R2-SP1 TS server, Internet Explorer is by default looking for the #11 token encryption, even if it is not present on a https site, and finally it fails the lookup with these events. On screen it looks like a DNS time-out, but actually it is a time-out looking for the #11 CryptoAPI interface/token on a website, or the discovery of the related library on an attached USB stick. E.g.: the aetpkss1.dll is suddenly the new default dll for (SSL) sites! The problem does not exist on other platforms, therefore it can be related to W2K8(R2)-SP1. Let me explain. Among other cumulative things, the enhanced security (for IE) has been increased with SP1 and is by default "On" now. Just as an example. I cannot debug all dll's, but Firefox browsers don't seem to have this issue. It might even be a combination of this increased security and the redirection of attached (USB) drives. I experienced the same issue on a server that did not have XenApp installed, so I strongly doubt a XenApp relation.


Well... I finally solved my problem by streaming the application towards the server combined with the latest Firefox browser, as the customer only used it for a particular website, and that's an easy workaround. Installation on a local or laptop device is also possible, depending on the number of users you are dealing with.


Another related issue that I've seen, with rather the same event, has the same source and event ID 0, but ends with the text: Failed to load the PKCS #11 library (aetpkss1.dll) (module = C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE). Hey?? That's nice! There also appeared to be some strange issues with Outlook's autodiscovery settings from time to time, especially on loading additional accounts (see other articles on this site), strange automatic creation of personal Outlook profile names and corruption of only the Outlook profile within the Citrix profile manager (v5.6). I have to do some further testing on that and I will keep you updated on this issue, in this article, in about a month. The Office 2010 suite changed a lot in the background for autodiscovery and connected/delegated mailboxes and I have not found the time yet to investigate that thoroughly.

Other, mostly older legacy applications, which directly interact with the CryptoAPI, seem to experience issues with this dll as well, and do not always log this event, I noticed. They seem to be messing up the (de-)coding strings after touching this dll, but as I do not have access to the source code, I'm not able to test that enough. If you experience troubles with one of these applications, I can only advise at this moment to phase them out as fast as you can, and always use the latest available version of the software that your vendor supplies and supports.



In this case, I contacted the vendor, but until now they haven't provided me with a solution. I guess that's "work-in-progress", as most of their applications are a few years old and W2K8-R2-SP1 is quite new. Whenever I hear from them, I will publish the answer/solution to this problem in this article, the day after I receive it from them.

Besides this explanation, this is also a good event to implement into your monitoring solution. It always appears more than 4 times, at the exact same second, as you can see in the picture. Once it has failed to load, the events will not return until a new IE or Outlook session is opened. As you are probably managing larger enterprises, like I do, implementing this event can help you at an earlier stage to detect and prevent further problems with all your secure sites and applications.
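
One way to watch for this burst on a single server, as an added example that is not part of the original article. It assumes the events are written to the Application log; the 24-hour window is an illustrative value, and the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 2008 R2.

```powershell
# Added example, not from the original article. Assumptions: the events are
# written to the Application log; the 24-hour look-back is an illustrative value.
$since     = (Get-Date).AddHours(-24)
$threshold = 4   # the article reports more than 4 events in the same second

$filter = @{ LogName = 'Application'; ProviderName = 'aetsprov'; Id = 0; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # The event description cannot be found on affected servers, so read the
    # raw insertion strings instead of relying on the rendered message.
    $text = ($e.Properties | ForEach-Object { $_.Value }) -join ' '
    if ($text -notmatch 'Failed to load the PKCS #11 library') { continue }

    # Extract the process that tried to load the DLL (iexplore.exe, OUTLOOK.EXE, ...).
    $module = if ($text -match '\(module = (.+)\)\s*$') { $Matches[1] } else { 'unknown' }

    New-Object PSObject -Property @{
        Second = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Module = $module
    }
}

# A burst is the same process logging the failure more than $threshold times
# within one second; each burst corresponds to one new IE or Outlook session.
$rows | Group-Object Second, Module |
    Where-Object { $_.Count -gt $threshold } |
    Sort-Object Name |
    Select-Object Count, Name
```

Each output row is one affected session start, so the row count per day gives a rough measure of how many users hit the delay.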

Please mail me at [e-mail address hidden by the site's spambot protection] (leaving the capital XX's out) if you have already found any other solutions or a workaround for this issue, or if you are able to provide me with some additional knowledge.
I will add it to this article after reviewing and testing. Thanks for your interest in this article.



-----------------------------------------------------------------------------------------------------

Ben Oostdam has been working with Windows systems since 1993. He has worked for several companies as a system administrator, and is currently a Senior Support Engineer for Qurius Customer Care in the Netherlands, specialized in System Center Suite Solutions.
