Why are some of my new Xenapp 6 servers unable to use pass through authentication when other servers and clients can?

Posted on 2011-05-08
Last Modified: 2012-06-21

I have a strange problem here and I’m not sure what steps to take next in my troubleshooting.

My pass through authentication isn't working on any new server that I build, but it is working for some Windows Server 2008R2 boxes that have already been built - it also does work for all Windows 7 machines including newly built Windows 7 images.

Newly imaged Windows 2008R2SP1 machines that I deploy fail to use pass through authentication, and won't even work if I set explicit authentication methods on the Citrix Web Server.

I rebuilt a server thinking that there was an issue with my image and the newly installed Windows 2008R2SP1 failed to use pass through authentication also.
Failed with explicit authentication also.

The error was 401 from IIS -
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

I know that the credentials were correct; I also confirmed that it wasn't a Kerberos account lock out issue as has happened in previous Citrix versions.

I have been unable to determine what the issue is, but I believe it to be an IIS issue.
I'm having a hard time finding the issue though, as the web site is working for half my servers and all my clients.

When this error occurs, in the event logging on the IIS server the following is reported:
(These are the 2 failing servers attempting to load the PNagent site and being denied, which is why you see 2 different IP addresses in the log.
I also noticed that no username or domain name has been passed; I’m not sure why not or if it is supposed to be passed - when a Windows 7 machine uses pass through authentication the domain and username are passed through and you can see it in the log.)

2011-05-09 05:29:08 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:11 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:19 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0


I've followed troubleshooting steps on the Citrix website and read over a lot of how-tos and troubleshooting guides for different items in Xenapp 6, to no avail.
I've confirmed I have all the needed settings, and I have confirmed that the sson.exe service is running as expected on 'all' my servers.

I can't see a reason as to why my new Windows 2008R2SP1 servers are getting an access denied error...

I can attach more information if needed, please find site setup below.

Site info:
Xenapp 6 test environment consisting of the following machines:

Web Interface 5.4 running with IIS7.5 on 2008R2SP1
Xenapp 6 Server 1 2008R2SP1. (First Built Server)
Xenapp 6 Server 2 2008R2SP1. (Streaming Profiler Machine)
Xenapp 6 Server 3, 2008R2SP1. (Published Desktop Test Machine)
Xenapp 6 Server 4, 2008R2SP1. (Published Desktop Test Machine)
Hotfixes Applied: XA600W2K8R2X640001
All servers running as virtual machines on Xenserver 5.6 with FP1 using local storage.

Client OS:
Windows 7 Client 1 X64SP1, (Streaming Profiler Machine)
Windows 7 Client 2 X64SP1, Client Test Machine
Windows 7 Client 3, X64SP1, Client Test Machine
Windows 7 Client 4, X64SP1, Client Test Machine
Windows 7 machines are running the online and offline plug-ins - V12.1.0.30 (online), V6.0.2.9 (offline) as well as the streaming client.
Windows 7 clients are HP ProBook 5320m.

I've tried a number of different troubleshooting steps and believe I have narrowed it down to an underlying IIS 7.5 problem (however, I’m not 100 percent sure, so I’m posting my query here).

Pass through authentication is working for all the Windows 7 machines I have but it is only working on the first two Xenapp 6 servers.

I can't see any major differences between my first two and last two Xenapp 6 servers.
1 of them was built from the same image that built the first server (using method 2 of deployment stated in the Citrix edocs).

Question by: jaspar1

    Expert Comment

    by:Daniel Borger

    Are they in the same OU? Do you have the ICAClient.adm in that OU and Pass-through enabled for version 10 and higher clients?

    Author Comment


    Sorry for the delay in reply.

    Yes they are in the same OU, and yes I have enabled the group policy pass through settings needed with the ICAClient.adm attached.

    Author Comment

    I believe I may have actually solved my issue - I am doing some testing now to confirm - once confirmed I will post how I solved the issue in the event that someone else should fall prey to this rather annoying problem.

    Accepted Solution

    Well that was a rather annoying problem.

    It appears that if you have not disabled the first run wizard in IE 8 the pnagent/xenclient will actually prompt for credentials instead of using pass through - and even if you have configured it all correctly.

    The reason my Windows 7 clients were unaffected was because the first run IE 8 wizard was already disabled in the image. (I.e. it didn't matter that they were in the same GPO, the servers were still failing etc.)

    The reason the first two 2008R2 servers of mine worked is due to the fact that I set them both up manually from the same base image, disabling things like IE first run settings and IE ESC and other tiddly bits.
    I was creating a template for my deployment image & the other server I was setting up as a streaming profile creation machine.

    After I successfully tested the server I was to use as a template, I imaged the new servers to find out later that sysprep had actually re-enabled some of the disabled items (IE first run being one of them).

    After realising this I set up the GPO to disable the IE 8 first run and pass through all worked as intended from server and client as well as any new server or client machine imaged.

    Author Closing Comment

    Closing my own question
