Advertisement
- Home
- Software
- System Utilities
- Remote Access
- Citrix
- Citrix PNA Pass Through Authentication Configuration - Help Needed.
Advertisement
- 1. BLipman 130,105
- 2. croberds 112,950
- 3. CarlWebster 36,810
- 4. tsmvp 24,872
- 5. oBdA 21,730
- 6. ScooterA... 17,175
- 6. mpfister 17,175
- 8. mgcIT 13,035
- 9. GregMoseley 9,518
- 10. nprignano 8,229
- 11. dpetr000 7,675
- 12. dphantom 7,560
- 13. chrisnew... 6,870
- 14. ET0000 6,400
- 15. JaredJ1 5,900
- 1. mgcIT 572,257
- 2. BLipman 345,957
- 3. chrisnew... 172,458
- 4. ITDharam 130,426
- 5. ET0000 115,897
- 6. CarlWebster 113,103
- 7. croberds 112,950
- 8. oBdA 95,983
- 9. gsgi 75,983
- 10. thegordo 73,434
- 11. ScooterA... 57,511
- 12. mpfister 56,074
- 13. tsmvp 55,597
- 14. AdamBNYC 53,999
- 15. nprignano 50,729
| 02.14.2008 at 06:36AM PST, ID: 23162996 |
|
[x]
Attachment Details
|
||
|
[x]
The Solution Rating System
|
||
|
With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.
Your Input Matters If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support. Thank you! |
||
Citrix PNA Pass Through Authentication Configuration - Help Needed.
Tags:
citrix, access suite 4.5, 4.5, New Clean install of 4.5
I have a brand new Citrix 4.5 farm, all server 2003r2. Install is going well, I can publish apps and am working on the new user environment build.
I am publishing a citrix desktop through the web interface for my users. This desktop is delivered by 4 'Tier 1' Presentation servers. I then have a number of application silos in 'Tier 2' for accounts and SAP applications.
I have installed the latest version of the citrix client on the Tier 1 servers with the intention of using the Program Neighborhood agent to populate the tier 1 start menus with the users available apps from the 'tier 2' boxes.
During the install of the client on the tier1 servers I ticked the Allow pass through authentication bit (i did not install program neighborhood - just the agent).
However when my users are presented with the Tier1 desktops, the PNA dialog pops up asking for their user name, password and domian. If they type these in and hit enter, their apps are displayed in their start menu.
So question is - what have I missed? I want users to be able to only have to login once (in the web interface), run a desktop and then have the tier 2 apps on their start menu.
How do I do it? What settings have I missed?
Start your free trial to view this solution
I am publishing a citrix desktop through the web interface for my users. This desktop is delivered by 4 'Tier 1' Presentation servers. I then have a number of application silos in 'Tier 2' for accounts and SAP applications.
I have installed the latest version of the citrix client on the Tier 1 servers with the intention of using the Program Neighborhood agent to populate the tier 1 start menus with the users available apps from the 'tier 2' boxes.
During the install of the client on the tier1 servers I ticked the Allow pass through authentication bit (i did not install program neighborhood - just the agent).
However when my users are presented with the Tier1 desktops, the PNA dialog pops up asking for their user name, password and domian. If they type these in and hit enter, their apps are displayed in their start menu.
So question is - what have I missed? I want users to be able to only have to login once (in the web interface), run a desktop and then have the tier 2 apps on their start menu.
How do I do it? What settings have I missed?
Question Stats
Zone:
Software
Question Asked By:
MartinPluss
Solution Provided By:
croberds
Participating Experts:
2
Solution Grade:
A
Views:
208
Translate:
Loading Advertisement...
Loading Advertisement...
| Microsoft |
- Internet Protocols
- Applications
- Development
- OS
- Hardware
- Windows Security
| Apple |
- Operating Systems
- Hardware
- Programming
- Networking
- Software
| Internet |
- Search Engines
- File Sharing
- WebTrends / Stats
- Spy / Ad Blockers
- Web Browsers
- New Net Users
- Web Development
- Chat / IM
- Anti Spam
- Web Servers
- Anti-Virus
- Email Clients
| Gamers |
- Tips
- Online / MMORPG
- Puzzle
- Emulators
- Action / Adventure
- Role Playing
- Consoles
- Game Programming
- Strategy
- Sports
- Misc
- Computer Games
| Digital Living |
- Hardware
- New Net Users
- New Users
- Software
- Digital Music
- Gaming World
- Home Security
- Apple
- Networking Hardware
| Virus & Spyware |
- Vulnerabilities
- IDS
- Encryption
- Anti-Virus
- Operating Systems Security
- Software Firewalls
- WebApplications
- Cell Phones
- Operating Systems
- Internet
- Hardware Firewalls
| Hardware |
- Handhelds / PDAs
- Displays / Monitors
- Components
- Networking Hardware
- Peripherals
- Laptops/Notebooks
- Storage
- Servers
- Desktops
- New Users
- Misc
- Apple
| Software |
- System Utilities
- Industry Specific
- Network Management
- Photos / Graphics
- Page Layout
- VMWare
- Misc
- Web Development
- OS
- CYGWIN
- Voice Recognition
- Message Queue
- Quality Assurance
- Security
- Firewalls
- MultiMedia Applications
- Development
- Database
- Office / Productivity
- Business Management
- OS/2 Apps
- Server Software
- Internet / Email
| ITPro |
- OS
- Storage
- Encryption
- Operating Systems Security
- Apple Hardware
- Laptops & Notebooks
- Servers
- Networking Hardware
- Peripherals
- Devices
- Displays / Monitors
- WebTrends / Stats
- Search Engines
- Firewalls
- WebApplications
- IDS
- Vulnerabilities
- Email Clients
- File Sharing
- Spy / Ad Blockers
- Web Browsers
- Web Servers
- Networking
- Anti-Virus
- Chat / IM
- Anti Spam
| Developer |
- Web Servers
- Web Browsers
- Game Programming
- Dev Tools
- Industry Specific
- Office / Productivity
- Database
- CYGWIN
- Web Development
- Search Engines
- File Sharing
- WebTrends / Stats
- Programming
- Content Management
- Application Servers
- Protocols
| Storage |
- Removable Backup Media
- Storage Technology
- Servers
- Grid
- Remote Access
- Backup / Restore
- Misc
- Hard Drives
| OS |
- Miscellaneous
- Security
- Development
- Linux
- VMWare
- MainFrame OS
- Unix
- Apple
- OS / 2
- AS / 400
- BeOS
- Microsoft
- VMS / OpenVMS
| Database |
- Oracle
- Miscellaneous
- MySQL
- Software
- Sybase
- Contact Management
- PostgreSQL
- Data Manipulation
- Clarion
- InterSystems Cache
- Siebel
- MUMPS
- OLAP
- SQLBase
- SAS
- GIS & GPS
- 4GL
- Berkeley DB
- DB2
- Informix
- Interbase / Firebird
- FoxPro
- Reporting
- LDAP
- Filemaker Pro
- MS SQL Server
- dBase
- MS Access
| Security |
- Misc
- Web Browsers
- Software Firewalls
- Operating Systems Security
- File Sharing
- Spy / Ad Blockers
- Vulnerabilities
- WebApplications
- IDS
- Anti-Virus
- Encryption
- Anti Spam
- Email Clients
- VPN
- Chat / IM
| Programming |
- Editors IDEs
- Installation
- Handhelds / PDAs
- Multimedia Programming
- System / Kernel
- Algorithms
- Game
- Signal Processing
- Project Management
- Open Source
- Database
- Misc
- Languages
- Processor Platforms
- Theory
| Web Development |
- Scripting
- Blogs
- Web Servers
- Software
- Search Engines
- Web Graphics
- Images
- Internet Marketing
- Images and Photos
- Components
- Document Imaging
- Web Languages/Standards
- Illustration
- WebApplications
- Fonts
- WebTrends / Stats
- Authoring
- Digital Camera Software
- Miscellaneous
| Networking |
- Protocols
- Apple Networking
- Network Management
- Message Queue
- Application Servers
- Content Management
- File Servers
- Email Servers
- Misc
- Java Editors & IDEs
- Wireless
- Networking Hardware
- Backup / Restore
- System Utilities
- ISPs & Hosting
- Web Servers
- Storage Technology
- Removable Backup Media
- Servers
- Broadband
- Grid
- OS / 2
- Novell Netware
- Unix Networking
- Windows Networking
- Security
- Telecommunications
- Operating Systems
- Linux Networking
| Other |
- Community Advisor
- Lounge
- Community Support
- New Net Users
- Philosophy / Religion
- Math / Science
- Miscellaneous
- URLs
- Expert Lounge
- Politics
- Puzzles / Riddles
| Community Support |
- Suggestions
- New to EE
- New Topics
- Community Advisor
- CleanUp
- Announcements
- General
- Feedback
- Input
- EE Bugs
| 02.14.2008 at 07:49AM PST, ID: 20894271 |
If I am understanding correctly you are publishing a desktop and then publishing apps to populate the virtual desktop?
So then the PNA runs again on the citrix desktop? If this is the way you want it it should work if you allow pass through authentication for the tier 2 apps I would think.
So then the PNA runs again on the citrix desktop? If this is the way you want it it should work if you allow pass through authentication for the tier 2 apps I would think.
| 02.14.2008 at 07:57AM PST, ID: 20894365 |
Hi, Thanks for your reply,
Yes I am publishing a citrix desktop via the web interface, and then I want PNA on that citrix desktop to allow pass through authentication for the logged in user so their apps are displayed in the start menu of the citrix desktop.
So PNA is running once (on the Tier 1 citrix desktops) as the user initialtes the citrix desktop using the webclient and the web based application list (on which there is one icon for citrix desktop).
So the question is how do I set PNA on the citrix desktop to pass through authenticate?
Yes I am publishing a citrix desktop via the web interface, and then I want PNA on that citrix desktop to allow pass through authentication for the logged in user so their apps are displayed in the start menu of the citrix desktop.
So PNA is running once (on the Tier 1 citrix desktops) as the user initialtes the citrix desktop using the webclient and the web based application list (on which there is one icon for citrix desktop).
So the question is how do I set PNA on the citrix desktop to pass through authenticate?
| 02.14.2008 at 08:22AM PST, ID: 20894639 |
Check that the tier 2 server(s) properties on the XML Service the "Trust requests sent to the XML service" must be checked. Obviously this should be done inside a firewall or CAG. I have never tried it this way but it should work.
Here is a good link to check if your PNA is set up with the pass through correctly. http://www.msterminalservices.org/ar
Here is a good link to check if your PNA is set up with the pass through correctly. http://www.msterminalservices.org/ar
| 02.14.2008 at 08:37AM PST, ID: 20894799 |
I am curious as to if you are going to publish the desktop, why not just install the applications on the first servers desktop? Is it because only certain users get certain app depending on their credentials? Just wondering as that is a unique setup. Just seems like you could be creating more headaches when troubleshooting later on when an app doesn't work. And if they just need apps why not publish them via the WI based on their credentials? A thin client situation where you want to give them the desktop maybe? Just wondering.
| 02.14.2008 at 08:46AM PST, ID: 20894891 |
Segregating server roles simplifies management for us.
This way we have a standard build for all Tier1 servers (which also have basic apps like Office and Adobe reader installed on them), and I can role out a new Tier 1 server (in case of a fault or due to increased load or whatever) in no time at all.
Then by having tier 2 servers running the more complicated apps (to install and often the more performance hungry), delivered seamlessly to the tier 1 desktops means that if a tier 2 app hangs or soaks up processor time for a user, it's only affecting the very small number of users on that tier 2 box rather than the 30-60 users on the tier 1 server.
Users can run the tier 2 located apps individually from the web interface, but I want to give them a more standardized desktop like their computer at home to make it easier for training purposes, and so why i need shortcuts on the start menu and hence why i want the PNA to authenticate in a pass through manner...
The clients are a range of thin client machines (ce and xpe) and XP boxes - across 30 sites.
This way we have a standard build for all Tier1 servers (which also have basic apps like Office and Adobe reader installed on them), and I can role out a new Tier 1 server (in case of a fault or due to increased load or whatever) in no time at all.
Then by having tier 2 servers running the more complicated apps (to install and often the more performance hungry), delivered seamlessly to the tier 1 desktops means that if a tier 2 app hangs or soaks up processor time for a user, it's only affecting the very small number of users on that tier 2 box rather than the 30-60 users on the tier 1 server.
Users can run the tier 2 located apps individually from the web interface, but I want to give them a more standardized desktop like their computer at home to make it easier for training purposes, and so why i need shortcuts on the start menu and hence why i want the PNA to authenticate in a pass through manner...
The clients are a range of thin client machines (ce and xpe) and XP boxes - across 30 sites.
| 02.14.2008 at 08:52AM PST, ID: 20894952 |
Makes me feel fortunate to only have 8 sites (plus many remote users from home or on the road).
Let me know on the pass through if it worked correctly. You have piqued my interest I may test this on my test server if I have time later.
Let me know on the pass through if it worked correctly. You have piqued my interest I may test this on my test server if I have time later.
| 02.14.2008 at 08:54AM PST, ID: 20894967 |
Thanks croberds, I'll keep on thrashing away at this till I get something to work ;-)
| 02.14.2008 at 09:17AM PST, ID: 20895153 |
I am wondering if the pass through looks at the credentials but doesn't know to go to the TS user profile?
Normally the pass through is looking at the local client, could it somehow be looking at the citrix server's client rather than the TS profile? And even if it is in the right place perhaps the first logon pulls the info from the client and it reads the local PC login instead of the original TS desktop login.
Normally the pass through is looking at the local client, could it somehow be looking at the citrix server's client rather than the TS profile? And even if it is in the right place perhaps the first logon pulls the info from the client and it reads the local PC login instead of the original TS desktop login.
| 02.14.2008 at 07:59PM PST, ID: 20899282 |
It has been a long time since I have set up the PN Agent for someone. I think you need to set Pass Through in the Config of your PNAgent Site. Find the Authentication Methods part, make sure you check pass through and go into the properties to configure the allowed domains. I always prepopulate the list and even set restrictions if you only need to allow the one domain.
| 02.15.2008 at 12:25AM PST, ID: 20900113 |
Hi,
Yes I have done that (right clicked pnaconfig.xml in AMC and ticked the pass-through authentication box). It doesn't solve the issue, and interestingly, when I pop back later to this dialog box it is unticked leaving just the prompt user option.
If I tick the pass-through check box again and close the dialog and then immediately reopen it - even if I reopen it a handful of minutes later its still ticked, but leave it for more than 10-20mins and it resets to the apparent default of prompt user.
Is there a group of settings somewhere that can superceed the AMC? I have a CAG sat on the network but haven't configured it yet...
Let me know if you can think of anything...
Yes I have done that (right clicked pnaconfig.xml in AMC and ticked the pass-through authentication box). It doesn't solve the issue, and interestingly, when I pop back later to this dialog box it is unticked leaving just the prompt user option.
If I tick the pass-through check box again and close the dialog and then immediately reopen it - even if I reopen it a handful of minutes later its still ticked, but leave it for more than 10-20mins and it resets to the apparent default of prompt user.
Is there a group of settings somewhere that can superceed the AMC? I have a CAG sat on the network but haven't configured it yet...
Let me know if you can think of anything...
| 02.15.2008 at 07:53AM PST, ID: 20902832 |
Ah, now we are getting somewhere. Are there any errors in event viewer on either server? Could be a trust or DNS issue between the servers?
I would assume there are no group policies on the servers, is there any that effects all TS users before they logon to a terminal server that already exist?
I found a couple of CTX articles also-they are both kind of basic and seemed written for 3.0 but you can double check and make sure you haven't missed anything: http://support.citrix.com/article/CT
I haven't had time to do a lot but I made a new PNagent site and set up pass through and I am having the same issue. It remembers my name and domain each time but I have to put in the password. I have to finish a few things and I will tinker some more.
I would assume there are no group policies on the servers, is there any that effects all TS users before they logon to a terminal server that already exist?
I found a couple of CTX articles also-they are both kind of basic and seemed written for 3.0 but you can double check and make sure you haven't missed anything: http://support.citrix.com/article/CT
I haven't had time to do a lot but I made a new PNagent site and set up pass through and I am having the same issue. It remembers my name and domain each time but I have to put in the password. I have to finish a few things and I will tinker some more.
| 02.15.2008 at 07:57AM PST, ID: 20902874 |
Well, one thing you need to think back to is the initial installation of Presentation Server...there was a passthrough option there and, if you dis-allowed it, you may have a problem. That is odd that the checkbox is getting de-selected but I do think we are on the right track.
Here are some troubleshooting docs:
http://support.citrix.com/article/CT
http://support.citrix.com/article/CT
Let me think about this some more...
Here are some troubleshooting docs:
http://support.citrix.com/article/CT
http://support.citrix.com/article/CT
Let me think about this some more...
| 02.15.2008 at 08:16AM PST, ID: 20903088 |
I am sure I have selected the pass-through option at the client installation point, and have installed the client on a new clean presentation server build with that option enabled just to be sure.
I have tried the icaclient.adm setting as the docs suggest and this did not help (created a new group policy object and applied it to an ou with both the user I was testing and the presentation server in it).
Can you remind me how I get the advanced connection dialog up? I can get the ICA-tcp properties in TS configuration, but it doesn't look the same...
Thanks for your help on this so far guys, I was running out of brick wall to bounce by bonce on :)
I have tried the icaclient.adm setting as the docs suggest and this did not help (created a new group policy object and applied it to an ou with both the user I was testing and the presentation server in it).
Can you remind me how I get the advanced connection dialog up? I can get the ICA-tcp properties in TS configuration, but it doesn't look the same...
Thanks for your help on this so far guys, I was running out of brick wall to bounce by bonce on :)
| 02.15.2008 at 08:59AM PST, ID: 20903586 |
I believe there is a server setting when you install Presentation Server itself...althought, now that I think about it, this may be the Client installation when it loads on the server during the install. Anyway, the Advanced Config stuff is now all in the TSConfig like you are seeing. The option to "always prompt for password" is on the Logon Settings tab. Let me know if you get anywhere with this...I am sure there is more to try.
| 02.15.2008 at 09:19AM PST, ID: 20903789 |
OK, I did a small test, I used PN and it allowed pass through after logging into the first server from WI, so I know the server allows pass through authentication. It would appear to me now that it has to be a setting on the web interface in the Citrix Access Mgmt console or the pna website itself.
| 02.15.2008 at 10:39AM PST, ID: 20904582 |
Martin,
On the web interface from the Access Management Console when I open up my PNagent website it then shows a config.xml. When I highlight that I can then make changes. Like you, if I try and make it go to a passthrough it accepts it but then it goes back to the way it was.
However, I found a workaround. If you tell it to prompt, but then tick the box below that allows the user to save the password, then the first time they logon they have to put everything in and then check the save password box at the bottom of the logon screen. If you then logout and log back in, it automatically logs the user into PNA, and the icons populate the desktop and programs folder.
Let me know if it works for you.
On the web interface from the Access Management Console when I open up my PNagent website it then shows a config.xml. When I highlight that I can then make changes. Like you, if I try and make it go to a passthrough it accepts it but then it goes back to the way it was.
However, I found a workaround. If you tell it to prompt, but then tick the box below that allows the user to save the password, then the first time they logon they have to put everything in and then check the save password box at the bottom of the logon screen. If you then logout and log back in, it automatically logs the user into PNA, and the icons populate the desktop and programs folder.
Let me know if it works for you.
| 02.19.2008 at 02:55AM PST, ID: 20927147 |
Right, well I have tried as you suggested. Right clicking on config.xml at the moment shows just prompt(default) checked. When I click on properties and click password settings 'Allow user to save password' is checked.
Boringly however there is no change at the PNA end. I have attached the login screen to check against the one you are seeing, as mine doesn't have a checkbox to explicitly allow the password to be saved - does yours?
So I'm thinking that maybe no settings are being passed to the PNA from the config file. I have triple checked DNS resolution and there are no red flags in the event viewer.
To fault find further I have changed the settings in the properties of config.xml for start menu shortcuts, see attached, and these settings are not presenting at the client either. All applications just appear in the root of programs on the start menu.
If feels like the PNA agent isn't receiving settings from the config.xml file at all.... very strange. Any ideas how I can prove the agent is taking its settings from the config.xml file thats presented on the web interface?
Boringly however there is no change at the PNA end. I have attached the login screen to check against the one you are seeing, as mine doesn't have a checkbox to explicitly allow the password to be saved - does yours?
So I'm thinking that maybe no settings are being passed to the PNA from the config file. I have triple checked DNS resolution and there are no red flags in the event viewer.
To fault find further I have changed the settings in the properties of config.xml for start menu shortcuts, see attached, and these settings are not presenting at the client either. All applications just appear in the root of programs on the start menu.
If feels like the PNA agent isn't receiving settings from the config.xml file at all.... very strange. Any ideas how I can prove the agent is taking its settings from the config.xml file thats presented on the web interface?
| 02.19.2008 at 07:09AM PST, ID: 20928983 |
My PNA has a checkbox to save the password.
I am slammed this morning but will look at this and send you my screenshots this afternoon.
I am slammed this morning but will look at this and send you my screenshots this afternoon.
Accepted Solution
| 02.19.2008 at 08:42AM PST, ID: 20930007 |
Whoppee! It works!
croberds info that he had a password check box on his PNA login screen was the big indicator that the client was not talking to the PNAgent configuration service on my Presentation Server.
I deleted the PNAgent site and created a new one, then pointed the agent at it and 'bobs your uncle' everything just worked. To be clear, pass through authentication now happens and although I have the option of using the remember password check box I haven't had to use it yet.
Thank you all for your help with this ;-)
croberds info that he had a password check box on his PNA login screen was the big indicator that the client was not talking to the PNAgent configuration service on my Presentation Server.
I deleted the PNAgent site and created a new one, then pointed the agent at it and 'bobs your uncle' everything just worked. To be clear, pass through authentication now happens and although I have the option of using the remember password check box I haven't had to use it yet.
Thank you all for your help with this ;-)
20080236-EE-VQP-29 / EE_QW_2_20070628
