Multi Domain Authentication in Citrix PS 4.5
Posted on 2007-11-30
We have a Windows 2003 Domain "UK.COMPANY.COM" which has 4 x Citrix Presentation Server 4.5 servers (CITRIX1, CITRIX2, etc). Users access Citrix via Web Interface which is on all 4 servers and uses a round-robin DNS entry "citrix.uk.company.com". These publish a whole load of applications to around 200 users and everything works fine.
The company has two other domains as well: IRELAND.COMPANY.COM and MIDDLEEAST.COMPANY.COM. These have a full trust relationship with the UK.COMPANY.COM domain.
Users in Ireland and the Middle East need to access some of the Citrix applications.
In Web Interface, I have added the two other domains into the authentication bit so they can select the correct domain from the drop-down list rather than having to type it in each time. I have also added "IRELAND/Domain Users" and "MIDDLEEAST/Domain Users" into the "Remote Desktop Users" group on each Citrix Server. Various applications have had some of the IRELAND and MIDDLEEAST Domain Users group added to the allowed users.
If Fred in Ireland logs onto Citrix Web Interface (via the internal WAN) as IRELAND/Fred then he can get into Web Interface OK and can see the applications which he is allowed to use. If he clicks onto one of them, then it goes through the logging in bit, and up pops a Windows CTRL+ALT+DEL Logon screen. Fred has to change the Logon Domain from "UK" to "IRELAND" and then re-enter his username and password. The application will then open and he can use it fine.
Obviously the second logon box is getting to be a bit of a pain and at first I couldn't see why it was happening. When I examined the Windows Security event log, I could see it failing to authenticate the user "UK/Fred". It appears that even though Fred has logged into Web Interface using an IRELAND domain account, when he clicks on an application, it tries to authenticate using the username "Fred" but against the "UK" domain instead of the "IRELAND" domain. As far as I can see, there is no attempt to authenticate against the "IRELAND" domain at all - apart from the initial Web Interface login.
Can anyone point me to any more settings I need to change?