Solved

Multi Domain Authentication in Citrix PS 4.5

Posted on 2007-11-30
14
2,853 Views
Last Modified: 2012-08-13
We have a Windows 2003 Domain "UK.COMPANY.COM" which has 4 x Citrix Presentation Server 4.5 servers (CITRIX1, CITRIX2, etc).  Users access Citrix via WebInterface which is on all 4 servers and uses a round-robin DNS entry "citrix.uk.company.com".  These publish a whole load of applications to around 200 users and everything works fine.

The company has two other domains as well: IRELAND.COMPANY.COM and MIDDLEEAST.COMPANY.COM.  These have a full trust relationship with the UK.COMPANY.COM domain.

Users in Ireland and the Middle East need to access some of the Citrix applications.  

In Web Interface, I have added the two other domains into the authentication bit so they can select the correct domain from the drop down list rather than having to type it in each time.  I have also added "IRELAND/Domain Users" and "MIDDLEEAST/Domain Users" into the "Remote Desktop Users" group on each Citrix Server.  Various applications have had some of the IRELAND and MIDDLEEAST Domain Users group added to the allowed users.

If Fred in Ireland logs onto Citrix WebInterface (via the internal WAN) as IRELAND/Fred then he can get into Web Interface OK and can see the applications which he is allowed to use.  If he clicks onto one of them, then it goes through the logging in bit, and up pops a Windows CTRL+ALT+DEL Logon screen.  Fred has to change the Logon Domain from "UK" to "IRELAND" and then re-enter his username and password.  The application will then open and he can use it fine.

Obviously the second logon box is getting to be a bit of a pain and at first I couldn't see why it was happening.  When I examined the Windows Security event log, I can see it failing to authenticate the user "UK/Fred".  It appears that even though Fred has logged into Web Interface using a IRELAND domain account, when he clicks on an application, it tries to authenticate using the username "Fred" but against the "UK" domain instead of the "IRELAND" domain.  As far as I can see, there is no attempt to authenticate against the "IRELAND" domain at all - apart from the initial Web Interface login.

Can anyone point me to any more settings I need to change?

Many thanks.
Question by:aleprevost
14 Comments
 

Author Comment

by:aleprevost
ID: 20394597
Points increased to 500.  I need to get this sorted!

Thanks.  Andrew.
0
 
LVL 1

Expert Comment

by:liqiud
ID: 20798241
I'm having the same problem.  I have two domains that I support, and it doesn't matter which domain the user is coming in from, they always get a login prompt.  Does no one know why that is?
0
 

Expert Comment

by:dan92
ID: 20879267
Hi there. I'm having the same problem in my environment but with accounts from both the local and trusted domains. However I have just put a newly built citrix server into the farm using a different build yet this server is NOT exhibiting the problem. The difference between the two servers is as follows:-

1. Working server has hotfix ps450win2k3r01 installed, broken one does not.
2.Working server is not Natted (therefore does not have the altaddr switch) Broken server is natted.
3.When saving an ica file from a published app on the working server it has the CGPAddress=*:2598 switch in the file whereas broken server does not.
4.Broken server is configured with relaxed security mode, Working server = Full Security
5.Broken server has non-administrators only launch published apps ticked, working one does not.

I haven't had the chance to apply each of the changes above yet but will let you know the outcome as soon as I do. I suspect it's number 1!
0
 
LVL 1

Expert Comment

by:liqiud
ID: 20879323
I'll try adding that hotfix to my broken servers tomorrow night when I apply the MS patches anyway.  That sounds like it's probably the culprit.
0
 

Expert Comment

by:dan92
ID: 20879471
Cool I will probably be updating mine tomorrow afternoon. I don't want to do it yet as I'm using the server for load testing tomorrow so don't want to screw that up!
0
 

Author Comment

by:aleprevost
ID: 20880234
We still have this problem as well.  Will also try the hotfix and see if it makes any difference.
0
 
LVL 1

Expert Comment

by:liqiud
ID: 20949352
the hotfix did not fix my issue.  I have a 3rd party coming in to look at this problem, and I'll let everyone know if we get it fixed.
0
 

Expert Comment

by:dan92
ID: 20950588
Hi there, I applied the hotfix on my other server and that didn't work for me either. Then I noticed that on the working server, under Terminal Services Configuration (ICA), the "Always prompt for password" box was checked. I unchecked this and it then worked!

Hope this sorts yours out
0
 
LVL 1

Expert Comment

by:liqiud
ID: 20950637
i don't have that box checked...guess we'll see what the help says.  I'm curious if the question asker is still having the problem.
0
 

Author Comment

by:aleprevost
ID: 20951283
I haven't been able to check it yet as the offices where the Citrix Servers are have been busy working on other projects and haven't wanted any changes made to the servers yet.  Hopefully I can get a chance to stick it on in the next week or so...
0
 
LVL 1

Expert Comment

by:juleswale
ID: 22719985
Has anyone got a resolution to this issue?

0
 

Expert Comment

by:ehesik
ID: 23014661
Does anyone have a solution for this? I am experiencing a related multi-domain authentication issue when running apps off my Citrix portal.
0
 
LVL 1

Accepted Solution

by:
gltusc earned 500 total points
ID: 24712182
My organization has a single forest with multiple domains all trusting each other and we were having the same issue for a while. I ran into the following site and one of the solutions they posted fixed my issue. Here's what worked for us plus the link...

http://forums.citrix.com/thread.jspa?threadID=53393&tstart=0

Solution:
The problem you are having is down to two sets of authentication. You have desktop pass-through and the ICA pass-through authentication. The combination of both gives you the single sign-on. This single sign-on will only work if you installed the Full Win32 ICA client.

In your case the desktop pass-through is working, as the web interface is using your currently logged on credentials to authenticate against the web server, but upon launching an application you are getting the extra prompt for the "ICA pass-through authentication".

FIX:
Ensure you install the Full ICA Client that comes from the CD and select the Enable pass-through checkbox. Upon finishing it will ask you to reboot the machine.

The file that grabs the credentials is called "ssonsvr.exe" and runs as a process under the system's context.

To finish off the configuration you have to edit the Appsrv.ini file in c:\program files\citrix\ica client and add the following entries to the WFClient section.

SSOnUserSetting=On
EnableSSOnThruICAFile=On

Note that if the ICA client was installed properly you will already have "SSOnUserSetting=On" enabled.

Once this is done you might have to make the same modifications to the appsrv.ini file in your profile if you want to keep some settings in it, or alternatively delete the ICAClient folder under "%system drive%:\Documents and Settings\%username%\Application Data". The next time you connect it will be re-created for you.

The above fix is for ica clients up to version 7. Your other option is to use ica version 8 which tends to fix this problem.

-eleon-
0
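An added check for the Appsrv.ini edit described in the accepted answer (example code, not from the thread or from Citrix): it reports which of the two [WFClient] entries are missing or not set to On, and rewrites the file text so both are On, adding the section if the file lacks it. The file locations are the ones the answer names and are assumed, not verified here.

```python
# Added example, not from the thread: check and repair the two [WFClient]
# entries named in the accepted answer, idempotently and case-insensitively.
REQUIRED = {"SSOnUserSetting": "On", "EnableSSOnThruICAFile": "On"}
CANON = {k.lower(): k for k in REQUIRED}  # lower-case key -> canonical spelling


def _wfclient_entries(lines):
    """Yield (line index, key, value) for each key=value line inside [WFClient]."""
    in_section = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s[1:-1].strip().lower() == "wfclient"
        elif in_section and "=" in s and not s.startswith((";", "#")):
            key, _, value = s.partition("=")
            yield i, key.strip(), value.strip()


def missing_sso_entries(ini_text):
    """Required keys that are absent from [WFClient] or not set to On, sorted."""
    found = {k.lower(): v.lower() for _, k, v in _wfclient_entries(ini_text.splitlines())}
    return sorted(k for k, v in REQUIRED.items() if found.get(k.lower()) != v.lower())


def enable_sso_entries(ini_text):
    """Return ini_text with both entries forced to On; [WFClient] is added if absent."""
    lines = ini_text.splitlines()
    done, last = set(), None
    for i, key, _ in _wfclient_entries(lines):
        last = i  # last line that belongs to the section
        if key.lower() in CANON:
            key = CANON[key.lower()]
            lines[i] = f"{key}={REQUIRED[key]}"  # rewrites Off (or anything else) to On
            done.add(key)
    if last is None:  # section is empty or missing entirely
        headers = [i for i, l in enumerate(lines) if l.strip().lower() == "[wfclient]"]
        if not headers:
            lines.append("[WFClient]")
            headers = [len(lines) - 1]
        last = headers[0]
    lines[last + 1:last + 1] = [f"{k}={v}" for k, v in REQUIRED.items() if k not in done]
    return "\n".join(lines) + "\n"
```

Run both functions over the machine copy in the ICA Client folder and over the per-user copy under Application Data\ICAClient, since the answer notes the profile copy can override the machine one.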
