aleprevost

Multi Domain Authentication in Citrix PS 4.5

We have a Windows 2003 Domain "UK.COMPANY.COM" which has 4 x Citrix Presentation Server 4.5 servers (CITRIX1, CITRIX2, etc).  Users access Citrix via WebInterface which is on all 4 servers and uses a round-robin DNS entry "citrix.uk.company.com".  These publish a whole load of applications to around 200 users and everything works fine.

The company has two other domains as well: IRELAND.COMPANY.COM and MIDDLEEAST.COMPANY.COM.  These have a full trust relationship with the UK.COMPANY.COM domain.

Users in Ireland and the Middle East need to access some of the Citrix applications.  

In Web Interface, I have added the two other domains into the authentication bit so they can select the correct domain from the drop down list rather than having to type it in each time.  I have also added "IRELAND/Domain Users" and "MIDDLEEAST/Domain Users" into the "Remote Desktop Users" group on each Citrix Server.  Various applications have had some of the IRELAND and MIDDLEEAST Domain Users group added to the allowed users.

If Fred in Ireland logs onto Citrix WebInterface (via the internal WAN) as IRELAND/Fred then he can get into Web Interface OK and can see the applications which he is allowed to use.  If he clicks onto one of them, then it goes through the logging in bit, and up pops a Windows CTRL+ALT+DEL Logon screen.  Fred has to change the Logon Domain from "UK" to "IRELAND" and then re-enter his username and password.  The application will then open and he can use it fine.

Obviously the second logon box is getting to be a bit of a pain and at first I couldn't see why it was happening.  When I examined the Windows Security event log, I can see it failing to authenticate the user "UK/Fred".  It appears that even though Fred has logged into Web Interface using an IRELAND domain account, when he clicks on an application, it tries to authenticate using the username "Fred" but against the "UK" domain instead of the "IRELAND" domain.  As far as I can see, there is no attempt to authenticate against the "IRELAND" domain at all - apart from the initial Web Interface login.

Can anyone point me to any more settings I need to change?

Many thanks.
aleprevost

ASKER

Points increased to 500.  I need to get this sorted!

Thanks.  Andrew.
I'm having the same problem.  I have two domains that I support, and it doesn't matter which domain the user is coming in from, they always get a login prompt.  Does no one know why that is?
Hi there. I'm having the same problem in my environment but with accounts from both the local and trusted domains. However, I have just put a newly built Citrix server into the farm using a different build, yet this server is NOT exhibiting the problem. The differences between the two servers are as follows:

1. Working server has hotfix ps450win2k3r01 installed, broken one does not.
2. Working server is not NATted (therefore does not have the altaddr switch). Broken server is NATted.
3. When saving an ICA file from a published app on the working server, it has the CGPAddress=*:2598 switch in the file, whereas the broken server does not.
4. Broken server is configured with relaxed security mode. Working server = Full Security.
5. Broken server has "non-administrators only launch published apps" ticked, working one does not.

I haven't had the chance to apply each of the changes above yet but will let you know the outcome as soon as I do. I suspect it's number 1!
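Difference 3 in the list above can be checked systematically by diffing the ICA files saved from each server. This is an added example, not code from the thread or from Citrix: the two sample files, the published-application name `Notepad` and the `ClearPassword` values are constructed, and credential-bearing keys are redacted so the result can be shared safely.

```python
import configparser

# Keys whose values can carry credentials or logon tickets; never echo them.
SENSITIVE = {"password", "clearpassword", "logonticket"}

def parse_ica(text):
    """Parse INI-style ICA text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # ICA keys are mixed case; do not lower-case them
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def diff_ica(working, broken):
    """Return sorted (section, key, working_value, broken_value) differences."""
    a, b = parse_ica(working), parse_ica(broken)
    out = []
    for sec in sorted(set(a) | set(b)):
        ka, kb = a.get(sec, {}), b.get(sec, {})
        for key in sorted(set(ka) | set(kb)):
            va, vb = ka.get(key), kb.get(key)  # None means "key absent"
            if va != vb:
                if key.lower() in SENSITIVE:
                    va, vb = (v if v is None else "<redacted>" for v in (va, vb))
                out.append((sec, key, va, vb))
    return out

# Constructed samples: ICA files saved from a working and a broken server.
WORKING = """[ApplicationServers]
Notepad=

[Notepad]
Address=CITRIX1
CGPAddress=*:2598
InitialProgram=#Notepad
ClearPassword=AAAA1111
"""

BROKEN = """[ApplicationServers]
Notepad=

[Notepad]
Address=CITRIX2
InitialProgram=#Notepad
ClearPassword=BBBB2222
"""

if __name__ == "__main__":
    for sec, key, w, b in diff_ica(WORKING, BROKEN):
        print(f"[{sec}] {key}: working={w!r} broken={b!r}")
```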
I'll try adding that hotfix to my broken servers tomorrow night when I apply the MS patches anyway.  That sounds like it's probably the culprit.
Cool, I will probably be updating mine tomorrow afternoon. I don't want to do it yet as I'm using the server for load testing tomorrow so don't want to screw that up!
We still have this problem as well.  Will also try the hotfix and see if it makes any difference.
The hotfix did not fix my issue.  I have a 3rd party coming in to look at this problem, and I'll let everyone know if we get it fixed.
Hi there, I applied the hotfix on my other server that didn't work for me either. Then I noticed that on the working server under Terminal Services Configuration ICA the "Always prompt for password" box was checked. I unchecked this and it then worked!

Hope this sorts yours out
I don't have that box checked...guess we'll see what the help says.  I'm curious if the question asker is still having the problem.
I haven't been able to check it yet as the offices where the Citrix Servers are have been busy working on other projects and haven't wanted any changes made to the servers yet.  Hopefully I can get a chance to stick it on the next week or so......
Has anyone got a resolution to this issue?

Does anyone have a solution for this? I am experiencing a related multi-domain authentication issue to running apps off my Citrix portal.
ASKER CERTIFIED SOLUTION
gltusc
This solution is only available to members.