Citrix XenApp 5 Explicit authentication requires secondary login

We are trying to set up a farm in a load balanced environment.  I have/had everything working up until today: when we entered a DNS record for the farm, it started asking for more credentials and I can't figure out why.

We have 3 servers running XenApp5.  1 is a Windows 2003 SP2 (running XenApp 5 for 2k3) and the other 2 are running Windows 2008 Server (not 64 bit).  As I said, everything was working; then we added a DNS entry and things started breaking.  We have the farm set up with 1 web interface server CS1 and the 3 servers attached to this farm CS1, CS2 & CS3.

We go to rrscitrix and enter our usernames & passwords and the list of apps displays in the WI.  Then we click on an app and it launches, then it asks us to log in again with domain credentials.  Once you do this, every other app opens without prompting you again.  But this shouldn't be happening to begin with.

Here is a copy of one of the ICA files that I saved:

[Encoding]
InputEncoding=UTF8

[WFClient]
CPMAllowed=On
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
VSLAllowed=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Excel=

[Excel]
Address=65.114.90.138:1494
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
ClearPassword=FD3AD9D114E62E
ClientAudio=On
DesiredColor=8
DesiredHRES=1024
DesiredVRES=768
DoNotUseDefaultCSL=On
Domain=\08F98C78A7AA4FD3
FontSmoothingType=0
InitialProgram=#Excel
LPWD=16
LaunchReference=AGnNcp1q7AqdjH9teJsbqSsOTLvcELWTkNEE7P5mAzc=
Launcher=WI
LocHttpBrowserAddress=!
LogonTicket=FD3AD9D114E62E08F98C78A7AA4FD3
LogonTicketType=CTXS1
LongCommandLine=
NRWD=203
ProxyTimeout=30000
ProxyType=Auto
SFRAllowed=Off
SSLEnable=Off
SessionsharingKey=-B+qcXzfJ+GcfOOe1cOSKUC
StartIFDCD=1303850106970
StartSCD=1303850106970
TRWD=0
TWIMode=On
Title=Excel
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

and our ALTADDR is set up like this:
CS1:
Local Address         Alternate Address
--------------------  --------------------
Default               65.114.90.138
10.0.0.24             65.114.90.138
rrs-cs1               65.114.90.138
rrscitrix             65.114.90.138

CS2:
Local Address         Alternate Address
--------------------  --------------------
Default               65.114.90.138
rrs-cs1               65.114.90.138
rrs-cs2               65.114.90.138
rrscitrix             65.114.90.138

CS3: (Windows 2003 server, if that matters)
Local Address         Alternate Address
--------------------  --------------------
Default               65.114.90.138
rrscitrix             65.114.90.138

Also, currently the only server that is NOW handing out connections is CS1, whereas we used to be able to connect to CS1 & CS3; I don't recall ever seeing a connection made to CS2.

Any help would be greatly appreciated as this is extremely important.

What happens is
roadnrailAsked:
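The ICA file pasted above is what the client actually acts on, so it is worth being able to audit one mechanically. The following is an added example (Python, not code from the thread or from Citrix) that parses the INI-style ICA format and reports the transport and logon settings a defender checks first: whether the session is TLS-wrapped (SSLEnable), whether the client dials a public address directly, and whether ClearPassword/Domain carry a real password or, as in this file, the two halves of a one-time Web Interface logon ticket (ClearPassword + Domain equals LogonTicket). The sample input is the question's own file trimmed to the relevant sections; the finding texts and the DEFAULT_ICA_PORT fallback are this example's assumptions.

```python
"""Audit a Web Interface-generated ICA launch file (added example, not Citrix code)."""
import configparser
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the question's ICA file, trimmed to the sections used here.
SAMPLE_ICA = r"""[Encoding]
InputEncoding=UTF8

[WFClient]
RemoveICAFile=yes
Version=2

[ApplicationServers]
Excel=

[Excel]
Address=65.114.90.138:1494
AutologonAllowed=ON
CGPAddress=*:2598
ClearPassword=FD3AD9D114E62E
Domain=\08F98C78A7AA4FD3
InitialProgram=#Excel
LogonTicket=FD3AD9D114E62E08F98C78A7AA4FD3
LogonTicketType=CTXS1
SSLEnable=Off
Title=Excel
"""

DEFAULT_ICA_PORT = 1494  # assumption: ICA default when Address carries no port


def load_ica(text: str) -> configparser.ConfigParser:
    """ICA files are INI-style; keep key case (Address, SSLEnable...) and no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_address(value: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); bare host gets the default ICA port."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_ICA_PORT
    return host, int(port)


def is_public(host: str) -> bool:
    """True only for a globally routable IP literal; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def classify_logon(sec) -> str:
    """'ticket' when ClearPassword+Domain reassemble the one-time LogonTicket,
    'embedded-password' when ClearPassword is a real credential, else 'prompt'."""
    clear = sec.get("ClearPassword", "")
    domain = sec.get("Domain", "").lstrip("\\")
    ticket = sec.get("LogonTicket", "")
    if ticket and clear + domain == ticket:
        return "ticket"
    if clear:
        return "embedded-password"
    return "prompt"


def audit_ica(text: str) -> Dict[str, Dict[str, object]]:
    """One report entry per published application in [ApplicationServers]."""
    cp = load_ica(text)
    client = cp["WFClient"] if cp.has_section("WFClient") else {}
    removes_file = client.get("RemoveICAFile", "").lower() == "yes"
    report: Dict[str, Dict[str, object]] = {}
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            continue
        sec = cp[app]
        host, port = split_address(sec.get("Address", ""))
        ssl_on = sec.get("SSLEnable", "Off").lower() == "on"
        public = is_public(host)
        logon = classify_logon(sec)
        findings: List[str] = []
        if not ssl_on:
            findings.append(f"SSLEnable=Off: ICA session to {host}:{port} is not TLS-wrapped")
        if public and not ssl_on:
            findings.append(f"client connects straight to public address {host}:{port}; no gateway in the path")
        if logon == "embedded-password":
            findings.append("credentials embedded in the ICA file (ClearPassword without a logon ticket)")
        if logon == "ticket" and not removes_file:
            findings.append("one-time logon ticket kept on disk (RemoveICAFile is not 'yes')")
        report[app] = {"host": host, "port": port, "public_host": public,
                       "ssl": ssl_on, "logon": logon, "findings": findings}
    return report


if __name__ == "__main__":
    for name, entry in audit_ica(SAMPLE_ICA).items():
        print(name, entry["logon"], entry["host"], entry["port"])
        for f in entry["findings"]:
            print("  -", f)
```

Run against the file from the question, the audit classifies the logon as a one-time ticket rather than an embedded password, and flags that the client is told to dial the public address on 1494 with SSLEnable=Off. A ticketed launch that still prompts for domain credentials means the ticket was not redeemed by whichever server the client ended up on, which is the kind of thing this report makes visible before touching the farm.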
Carl WebsterCommented:
I would not recommend the use of Altaddr at all.  It is insecure and does not scale well at all.  I would use CSG.  It is free, easy to set up and requires just an SSL cert (which you can get very cheap).

http://dabcc.com/Webster/CSG

The XenApp servers will load balance themselves if they have common applications installed.  If you have Word installed on all 3, they will load balance between all 3 with no effort required on your part.  If you install Excel on just 1 server, then there is no load balancing of Excel.
0
 
Carl WebsterCommented:
AltAddr requires a unique public IP for every server.
0
 
roadnrailAuthor Commented:
ok, I was just trying to get the servers to start responding to requests.  I'll get rid of it, do you think this may be the issue though?

Every time we are prompted for the 2nd login, I try to connect as administrator so I can see what server I'm connecting to and it is always CS1.

Also, do I HAVE to have an ALTADDR tag in server 2 & 3 for XA5 to be load balanced?  If so, I have plenty of outside addresses and can assign them.  But when I didn't have the ALTADDR tag in either 2 or 3, everything was working fine...but that was before the DNS entry as well.  Thanks for the help Carl; I appreciate your fast response.
0
 
roadnrailAuthor Commented:
I just deleted the ALTADDR tag on CS2, but Default cannot be deleted:

C:\Users\administrator>altaddr /delete Default
Unable to delete alternate address.  The entry was not found.

Did I do the command incorrectly?

I performed this for both server 2 & 3, and to ensure that each server has a unique altaddr Default entry, I set up default to be the inside address for each of the servers.  I'll test this out now and let you know what's happening.
0
 
Carl WebsterCommented:
If you type just altaddr, what is the result?
0
 
roadnrailAuthor Commented:
Here are the results of ALTADDR from CS2 & CS3 after changing it this morning:

CS2:
Alternate TCP addresses for localhost
Local Address         Alternate Address
--------------------  --------------------
Default               10.0.0.25

CS3:
Alternate TCP addresses for localhost
Local Address         Alternate Address
--------------------  --------------------
Default               10.0.0.30

We only have 3 servers.  I have been here for 6 years and we have only been using 1 up until now (Not saying this was the best thing to do, by any means).

Where do I get CSG from?  Is it free with the purchase of Citrix?  Do I install it on the main server or on a secondary server that has nothing to do with Citrix?

I'll start taking a look at the first question now.
0
 
Carl WebsterCommented:
CSG is available in the install media or as a download from mycitrix.com under XenApp.  For some reason I can't get mycitrix.com to load so I can't get you the link.

http://support.citrix.com/proddocs/topic/xenapp5fp-w2k3/ps-commands-altaddr.html

altaddr /delete /v is all you need.

/delete Deletes the default alternate address on the specified server
0
 
roadnrailAuthor Commented:
I started following your directions and requested the cert from godaddy.  I'm just waiting for it to be generated now before I can move forward; according to your information.

Do I have to wait for the cert before I can move forward with the installation of CSG or is the cert something I can add later on after CSG is installed?
0
 
Carl WebsterCommented:
Gotta wait on the cert.  When I have done it, the wait was always less than 10 minutes.
0
 
roadnrailAuthor Commented:
It would have helped if I had read the email I got from godaddy.  Didn't realize I had to authorize the request before it was generated; which added to my time.

I'm going through your link now and will test out everything before I move forward with the CSG install.
0
 
Carl WebsterCommented:
My articles are extremely detailed.  If you follow ALL the instructions and do what I say to do then you should not have any issues.
0
 
roadnrailAuthor Commented:
Do you have anything that shows IIS7 on Windows 2008?  I'm trying to follow your steps for testing, but it currently isn't working on IIS7.  I have the server cert installed, but 443 isn't turned on at the site/server level.  Working through that issue now so I can test the https://rrscitrix.roadandrail.com:444 thing you recommend.
0
 
Carl WebsterCommented:
Sorry, I do not.  I ran into some serious bugs with XenApp 5 on Server 2008 running everything on one server.  With my contacts at Citrix, I was able to reach product level top level people for the various items (CSG, WI, License Server, etc).  They all said the same thing - we don't test in that configuration.  I have just not had the time to do this for server 2008.
0
 
roadnrailAuthor Commented:
That's ok.  I found it under "Edit Bindings" when I right clicked on the Default Web Site in IIS7.

What is the reason to
"Open your Internet browser and go to https://FullyQualifiedDomainName:444.  For me, I went to https://citrix.websterslab.com:444 (Figure 10-81).  Note the SSL Padlock icon." as found on page 6 of your document?  Reason I ask is because you say to go to a secure site (https) but feed it a port of 444; which I haven't heard of.

I have tested just plain https://rrscitrix.roadandrail.com and the apps work from outside without issues; as you have indicated that they should.
0
 
Carl WebsterCommented:
CSG MUST ABSOLUTELY MUST use port 443 so IIS MUST use another port, 444 in my article.  To make sure IIS works with the new SSL cert you have to specify the SSL port #.
0
 
roadnrailAuthor Commented:
ok, got that.  For some reason I thought that going through the config of CSG, you could share the SSL port like you can port 80; sorry for missing that step.

Inside works fine, with the new 444 port; but outside doesn't.  Do I need to open this port up in my firewall or leave it closed since CSG is going to be using 443 and that is the main one we care about?
0
 
Carl WebsterCommented:
You only need 443 opened.  You can close 1494 and/or 2598 also.  CSG sends to IIS/Web Interface which then handles talking to your STA/XML servers (should be your zone data collectors).
0
 
roadnrailAuthor Commented:
Ok, so when you say "Enter citrixone" when setting up the STA; I would enter rrs-cs1 since this is the only WI server we have setup, correct?

Also, would it hurt anything for me to setup WI on all 3 of the machines?
0
 
Carl WebsterCommented:
NO!  GO to one of your XenApp servers and run qfarm from a command prompt.  The server that has a D to the far right is the server you should use.
0
 
roadnrailAuthor Commented:
Here is the output:

Server               Transport Network Address
-------------------- --------- --------------------
RRS-CS1*             TCP/IP    10.0.0.24 D
RRS-CS1*             TCP/IP    10.0.0.28 D
RRS-CS2              TCP/IP    10.0.0.25
RRS-CS2              TCP/IP    10.0.0.29
RRS-CS3              TCP/IP    10.0.0.30 D

Why (if you can shed a little light on it) does CS2 NOT have a D beside it, but the others do?  Reason I ask is because it seems as though CS1 & CS3 are the ones issuing connections, but CS2 is not.

Also, I'm running into an issue starting the CSG Service where it reports "Unable to create the scoreboard. Service cannot start."

I have it installed on a W2k8 server, but can move it over to a W2k3 server if I need to.  I would have to revoke the SSL certificate though.  Do you have any ideas on this error?
0
 
Carl WebsterCommented:
CS1 and CS2 are dual-homed?  Yuck.  Do you have two Zones?  There can only be one "D" per Zone.  That is a hard and fast rule.

Scorecard error: http://support.citrix.com/article/CTX109600

0
 
roadnrailAuthor Commented:
I added the Network Service to the folder and set their level of permissions to modify.  I was then able to start the service.
0
 
Carl WebsterCommented:
0
 
roadnrailAuthor Commented:
No, I don't have 2 zones.  it is the way that the original server was setup, so I just copied it.  I can easily remove the extra IP; I just figured that it would be good for redundancy sake.

Not sure why there is a D on BOTH IP Addresses for CS1, but I only have 1 zone; Oh well, I guess I have 2.  Default and 10.0.0.0, but only wanted 1.  Can I just delete the 10.0.0.0 and leave the default?
0
 
Carl WebsterCommented:
Remove the 2nd IPs.

On CS1 and CS2:

net stop imaservice /y
dsmaint recreatelhc
net start "Citrix SMA Service"
net start imaservice

On CS1, run dscheck /clean

Move the servers in the 10.0.0.0 zone to the Default Zone first and then delete the 10.0.0.0 Zone.

Once all the servers are in the Default zone, set one of the servers (the one that will be used least) as Most Preferred, another as Preferred and the last as Default Preference.

Now run qfarm and tell me what the results are.
0
 
roadnrailAuthor Commented:
Ok, I have removed CS3 from 10.0.0.0 zone, and am rebooting it now.  

I have selected CS2 as "Most Preferred Server" so it is like CS1 & CS3.  Should I put all 3 as just "preferred" or mark 1 as "Most" and put the others as just "Preferred"?  Does this matter?  I don't want to pound only 1 box since I have 3 of them.
0
 
Carl WebsterCommented:
Only one server can be the data collector.  It is not a shared role.  One and only one.

Make one Most Preferred, one Preferred and one Default.  Unless you have hundreds of users and hundreds of applications, being a Zone Data Collector will not put that much more strain on a server.
0
 
roadnrailAuthor Commented:
Ok, I'll do that then.

Here is the qfarm info now:
C:\Users\administrator.ROADANDRAIL>qfarm
Server               Transport Network Address
------------------ --------- --------------------
RRS-CS1*             TCP/IP    10.0.0.24
RRS-CS2              TCP/IP    10.0.0.25 D
RRS-CS3              TCP/IP    10.0.0.30

I'll setup CS1 as Most, CS2 as Preferred and CS3 as Default.

Right now, when I connect to the WI, I am logged in as 2 different users and both are accessing the SAME (CS3) server.  Another user connected and was logged into the same server, CS3.  I just made the changes to the preference of the servers in the zone and am in the process of rebooting them now.

Do you think that everyone connected to CS3 because all of them were set as preferred or is there something I may be missing now?
0
 
Carl WebsterCommented:
run qfarm /load and send the results
0
 
roadnrailAuthor Commented:
QFarm load on CS1:
C:\Users\administrator.ROADANDRAIL>qfarm /load
Server Name           Server Load
--------------------  ------------
RRS-CS1               100
RRS-CS3               0

QFarm load on CS2 (Just because it wasn't in the list above)
C:\Users\administrator.ROADANDRAIL>qfarm /load
Failed to connect to the local IMA server.
0
 
roadnrailAuthor Commented:
I rebooted all 3 servers after I made a change to the zone preference and the IMA service didn't start on CS2.  I started it and here is the qfarm /load results now:

C:\Users\administrator.ROADANDRAIL>qfarm /load
Server Name           Server Load
--------------------  ------------
RRS-CS1               100
RRS-CS2               20000
RRS-CS3               0
0
 
Carl WebsterCommented:
A load of 20000 indicates a license error.
0
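Two of Carl's rules above are easy to check mechanically: one "D" (data collector) per zone in qfarm output, and a qfarm /load value of 20000 meaning a license error rather than real load. The following is an added example (Python, not code from the thread or from Citrix) that parses both outputs and reports those conditions plus multi-homed IMA bindings. The sample outputs are copied from the thread's own pastes; the thresholds are assumptions stated inline: FULL_LOAD = 10000 from the usual load-evaluator range, and LICENSE_ERROR_LOAD = 20000 from Carl's comment.

```python
"""Parse qfarm and qfarm /load output and flag the conditions discussed in the thread
(added example, not Citrix code)."""
import re
from typing import Dict, List

# Constructed samples copied from the thread: before and after the zone clean-up.
QFARM_SAMPLE = """\
Server               Transport Network Address
-------------------- --------- --------------------
RRS-CS1*             TCP/IP    10.0.0.24 D
RRS-CS1*             TCP/IP    10.0.0.28 D
RRS-CS2              TCP/IP    10.0.0.25
RRS-CS2              TCP/IP    10.0.0.29
RRS-CS3              TCP/IP    10.0.0.30 D
"""
QFARM_FIXED_SAMPLE = """\
Server               Transport Network Address
------------------ --------- --------------------
RRS-CS1*             TCP/IP    10.0.0.24
RRS-CS2              TCP/IP    10.0.0.25 D
RRS-CS3              TCP/IP    10.0.0.30
"""
QFARM_LOAD_SAMPLE = """\
Server Name           Server Load
--------------------  ------------
RRS-CS1               100
RRS-CS2               20000
RRS-CS3               0
"""
QFARM_LOAD_OK_SAMPLE = """\
Server Name           Server Load
--------------------  ------------
RRS-CS1               100
RRS-CS2               100
RRS-CS3               100
"""

FULL_LOAD = 10000          # assumption: load evaluators report 0..10000, 10000 = full
LICENSE_ERROR_LOAD = 20000  # per Carl's comment in the thread

# "NAME[*]  TRANSPORT  A.B.C.D [D]"; '*' marks the local server, trailing D the data collector.
QFARM_ROW = re.compile(r"^([A-Za-z0-9_-]+)(\*?)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*(D)?$")
LOAD_ROW = re.compile(r"^([A-Za-z0-9_-]+)\s+(\d+)$")


def parse_qfarm(text: str) -> List[Dict[str, object]]:
    """One row per server/address binding; header and dash lines never match."""
    rows = []
    for line in text.splitlines():
        m = QFARM_ROW.match(line.strip())
        if m:
            name, star, transport, addr, flag = m.groups()
            rows.append({"server": name, "local": star == "*", "transport": transport,
                         "address": addr, "collector": flag == "D"})
    return rows


def data_collectors(rows: List[Dict[str, object]]) -> List[str]:
    """Distinct servers carrying the D flag, in output order."""
    seen: List[str] = []
    for r in rows:
        if r["collector"] and r["server"] not in seen:
            seen.append(str(r["server"]))
    return seen


def multihomed(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Servers that register more than one address with IMA."""
    addrs: Dict[str, List[str]] = {}
    for r in rows:
        addrs.setdefault(str(r["server"]), []).append(str(r["address"]))
    return {s: a for s, a in addrs.items() if len(a) > 1}


def check_farm(text: str) -> List[str]:
    rows = parse_qfarm(text)
    findings: List[str] = []
    dcs = data_collectors(rows)
    if len(dcs) > 1:
        findings.append(f"{len(dcs)} data collectors visible ({', '.join(dcs)}): "
                        "one D per zone, so the farm has more than one zone")
    elif not dcs:
        findings.append("no data collector (D) visible in qfarm output")
    for server, addrs in multihomed(rows).items():
        findings.append(f"{server} registers {len(addrs)} addresses ({', '.join(addrs)}): multi-homed IMA binding")
    return findings


def parse_qfarm_load(text: str) -> Dict[str, int]:
    loads: Dict[str, int] = {}
    for line in text.splitlines():
        m = LOAD_ROW.match(line.strip())
        if m:
            loads[m.group(1)] = int(m.group(2))
    return loads


def classify_load(load: int) -> str:
    if load == LICENSE_ERROR_LOAD:
        return "license-error"
    if load == FULL_LOAD:
        return "full"
    if 0 <= load < FULL_LOAD:
        return "ok"
    return "abnormal"


def check_load(text: str) -> List[str]:
    """Findings for every server whose reported load is not a real load value."""
    return [f"{server}: load {load} -> {classify_load(load)}"
            for server, load in parse_qfarm_load(text).items()
            if classify_load(load) not in ("ok", "full")]


if __name__ == "__main__":
    for f in check_farm(QFARM_SAMPLE) + check_load(QFARM_LOAD_SAMPLE):
        print("-", f)
```

On the first qfarm paste this reports two data collectors (hence two zones) and both CS1 and CS2 as multi-homed; on the paste taken after the clean-up it reports nothing. On the qfarm /load paste it singles out RRS-CS2 with the 20000 license-error value, and on the final all-100 paste it is silent, which matches how the thread actually played out.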
 
roadnrailAuthor Commented:
But licensing is installed on CS1; not CS2.
0
 
Carl WebsterCommented:
LICENSE error not license server error.

Is CS2 set to use CS1 for the license server?  Is CS2 set for the right product edition (Platinum, Enterprise, Advanced)?
0
 
roadnrailAuthor Commented:
Sorry, been looking at different stuff for a little too long I guess.

Yes, the product edition is set properly; Enterprise (all 3 set this way).  I do have a "KMS" error when I log into the machine, since we don't have a KMS server and I guess the key I used was KMS as opposed to MAK.  Could this be something that would cause it?  I'll check the licensing server that it is using and post later.  I have a dr appointment to head to.
0
 
Carl WebsterCommented:
KMS _may_ be part of the issue but probably not.  Change the key to MAK and activate the server and see what happens.
0
 
roadnrailAuthor Commented:
After looking at the servers, NEITHER CS1 nor 2 were activating because of KMS license key.  

Changed to MAK and tried looking into the citrix licensing, but the helpdesk tech didn't get a chance.  

I just ran qfarm /load and here are the results:
C:\Users\administrator.ROADANDRAIL>qfarm /load
Server Name           Server Load
--------------------  ------------
RRS-CS1               100
RRS-CS2               100
RRS-CS3               100

Looks like that was one (or the) issue with the licensing issue.

I'll try the servers now and see what's going on, but the helpdesk tech tried using the server last night and she reported that the first attempt to access an app returned "Failed to connect to Citrix Server" but then she tried to access the same app and had no issues with it.

Another user (using an old link) connected to http:// as opposed to httpS:// and returned "You are not part of the Remote Desktop User group.  You need to be part of this group to access this application."  Then he clicked on the "Desktop" tab and launched remote desktop without issues.

Is this an issue with the server or user?  What are your thoughts on this one?
0
 
Carl WebsterCommented:
Unless the issues repeat I wouldn't worry about them.  Some people do a redirect from http to https.  I don't know html and have never gotten mine to work.  I just tell the people to use https.
0
 
roadnrailAuthor Commented:
Thanks for all the help.  I'm going to close this question and award the points to you.  If something occurred and it is not resolved, I'll ask another question.  

Thanks for all the help once again, I greatly appreciate your assistance.
0