Citrix - Login Script Not Running via Program Neighborhood Agent... Works great when logging in via Citrix Web Interface


--= Environment =--
- One server, MPS 4.0 on W2k3
- Connecting via web interface (separate WI server) or PNa (pna site local on server/joined to same domain as clients)
- Clients Deployed: PNa 9.150, Web 9.150, Java client (mac)

--= Situation =--

Clients connect to Citrix using various clients.  User login scripts are via AD user profile (not GPO).  Login script runs fine when clients log in to their local PCs, or when they connect to Citrix via the web interface (local client or java).  However, when the clients connect via the Program Neighborhood Agent, no login script runs.  This is true for ALL users connecting via PNA.  We are using pass-through authentication.

Users can navigate to the NETLOGON share and launch the script manually and the network drives appear.  However it will never launch automatically.

I have tried with various batch files to test (using PAUSE command to see if I get the DOS command window) but we use ScriptLogic in production.  ScriptLogic is configured to create a trace file/log, so I am able to obtain this file once I launch the script manually.

The trace file tells me that my "User's Privilege (domain) = Guest". The same user logging in using the web interface generates the trace file automatically when the script runs (as it should), and the same line reads "User's Privilege (domain) = User".  Obviously the issue has something to do with PNa/pass-through because that is the only difference I can see between WI/PNa.

I spoke with ScriptLogic and they said this was the reason why the script was not running.  But admittedly since I can't get even a batch file to run it is not their product causing the issue.

So my question is this - Why would my login script not run for a user via PNa, but run fine via the web interface? Do these two methods have different security implications that would cause me to be seen as a domain guest upon login to Citrix?
NYtechGuy Author Commented:

Resolved on my own, please close question and refund points.


Recreated a website in IIS, using default settings except for allowing scripts to run (which was allowed on other site).  I then created a new PNa site using the new IIS site.  The PNA site has the same settings, uses pass through, etc.

Now when I connect my domain script runs fine.

The issue must have been something to do with IIS passing the correct credentials through.

Have you tried logging on via RDP?  Do the login scripts run?

If you turn pass-through authentication on via Web Interface do the login scripts run?

Honestly I see no reason why program neighborhood agent would cause this?  
NYtechGuy Author Commented:


If I connect to the server using
(1) RDP
(2) Web Interface Login w/local or java client
(3) Full Citrix ICA client
the script runs and the ScriptLogic trace file reports me as "user".

If I launch an app using the PNagent the script does not run, and the trace file sees me as a "guest".

I see no reason either, but surmise the issue must be something around pass-through authentication because that is the only difference I can think of between a web interface login and a PNa connection.

Thanks - Justin
We use pass-through here, and it works fine.  In the Management Console, can you check up on the apps to make sure that you've unchecked the "Allow Anonymous Connections" box?  
NYtechGuy Author Commented:


Confirmed, the "allow anonymous.." box is unchecked for all apps.  

The users are actually logging in as themselves, not as anon, because they are allowed to run Outlook as themselves.

NYtechGuy Author Commented:

dmc -

Regarding your earlier question:  "If you turn pass-through authentication on via Web Interface do the login scripts run?"

- Unfortunately this is not an option as the server is not part of the domain, which I believe is a requirement for pass-through auth.

NYtechGuy Author Commented:

Update on testing:

1. If I set the Program Neighborhood Agent website (which lives on the MPS server itself) to "Prompt" for credentials (instead of using pass-through) the user must manually enter their password into the PNa, but when they connect to Citrix, the domain login script DOES successfully run.

2. Even if a domain admin connects using PNa with pass-through the login script does NOT run at all.

Any ideas?


