

Why are some of my new Xenapp 6 servers unable to use pass through authentication when other servers and clients can?

Posted on 2011-05-08
Medium Priority
Last Modified: 2012-06-21

I have a strange problem here and I’m not sure what steps to take next in my troubleshooting.

My pass through authentication isn't working on any new server that I build, but it is working for some Windows Server 2008R2 boxes that have already been built - it also does work for all Windows 7 machines including newly built Windows 7 images.

Newly imaged Windows 2008R2SP1 machines that I deploy fail to use pass through authentication, and won't even work if I set explicit authentication methods on the Citrix Web Server.

I rebuilt a server thinking that there was an issue with my image and the newly installed Windows 2008R2SP1 failed to use pass through authentication also.
Failed with explicit authentication also.

The error was 401 from IIS -
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

I know that the credentials were correct; I also confirmed that it wasn't a Kerberos account lock out issue as has happened in previous Citrix versions.

I have been unable to determine what the issue is, but I believe it to be an IIS issue.
I'm having a hard time finding the issue though as the web site is working for half my servers and all my clients.

When this error occurs, in the event logging on the IIS server the following is reported:
(This is the 2 failing servers attempting to load the PNagent site and being denied which is why you see 2 different IP addresses in the log.
I also noticed that no username or domain name has been passed, I’m not sure why not or if it is supposed to be passed - when a Windows 7 machine uses pass through authentication the domain and username are passed through and you can see it in the log.)

2011-05-09 05:29:08 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:11 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:19 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0


I've followed troubleshooting steps on the Citrix website and read over a lot of how-tos and troubleshooting different items in Xenapp 6 to no avail.
I've confirmed I have all the needed settings, and I have confirmed that the sson.exe service is running as expected on 'all' my servers.

I can't see a reason as to why my new Windows 2008R2SP1 servers are getting an access denied error....

I can attach more information if needed, please find site setup below.

Site info:
Xenapp 6 test environment consisting of the following machines:

Web Interface 5.4 running with IIS7.5 on 2008R2SP1
Xenapp 6 Server 1 2008R2SP1. (First Built Server)
Xenapp 6 Server 2 2008R2SP1. (Streaming Profiler Machine)
Xenapp 6 Server 3, 2008R2SP1. (Published Desktop Test Machine)
Xenapp 6 Server 4, 2008R2SP1. (Published Desktop Test Machine)
Hotfixes Applied: XA600W2K8R2X640001
All servers running as virtual machines on Xenserver 5.6 with FP1 using local storage.

Client OS:
Windows 7 Client 1 X64SP1, (Streaming Profiler Machine)
Windows 7 Client 2 X64SP1, Client Test Machine
Windows 7 Client 3, X64SP1, Client Test Machine
Windows 7 Client 4, X64SP1, Client Test Machine
Windows 7 machines are running the online and offline plugins - V12.1.0.30 (online), V6.0.2.9 (offline) as well as the streaming client.
Windows 7 clients are HP ProBook 5320m.

I've tried a number of different troubleshooting steps and believe I have narrowed it down to an underlying IIS 7.5 problem (However, I’m not 100 percent sure so I’m posting my query here).

Pass through authentication is working for all the Windows 7 machines I have but it is only working on the first two Xenapp 6 servers.

I can't see any major differences between my first two and last two Xenapp 6 servers.
1 of them was built from the same image that built the first server (using the method 2 of deployment stated in the Citrix edocs)

Question by:jaspar1
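
A triage sketch for the log pattern described in the question, added here as an example and not part of the original post or of any Citrix or Microsoft tooling. It reads IIS W3C lines using the `#Fields` directive and lists clients that only ever received an anonymous 401.2 on the PNAgent site; the client IPs (192.0.2.x) and `EXAMPLE\user1` are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: the question's 401.2 lines with placeholder client IPs,
# plus one client that goes on to authenticate (username logged, status 200).
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-05-09 05:29:08 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - 192.0.2.13 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:11 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - 192.0.2.14 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:19 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - 192.0.2.13 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:30:02 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - 192.0.2.21 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:30:02 POST /Citrix/PNAgent/integrated_enum.aspx - 80 EXAMPLE\user1 192.0.2.21 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 200 0 0 46
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def stalled_clients(text, uri_prefix="/Citrix/PNAgent/"):
    """Return {client_ip: count} for clients that only ever got anonymous 401.2.

    A single anonymous 401.2 is the normal first leg of integrated Windows
    authentication; the failure signature is that no authenticated request
    (cs-username populated) ever follows from the same client.
    """
    anon_401 = defaultdict(int)
    authenticated = set()
    for r in parse_w3c(text):
        if not r["cs-uri-stem"].startswith(uri_prefix):
            continue
        if r["cs-username"] != "-":
            authenticated.add(r["c-ip"])
        elif (r["sc-status"], r["sc-substatus"]) == ("401", "2"):
            anon_401[r["c-ip"]] += 1
    return {ip: n for ip, n in anon_401.items() if ip not in authenticated}

if __name__ == "__main__":
    for ip, n in sorted(stalled_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} anonymous 401.2 responses, no authenticated request")
```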

Expert Comment

by:Daniel Borger
ID: 35720035

Are they in the same OU? Do you have the ICAClient.adm in that OU and Pass-through enabled for version 10 and higher clients?

Author Comment

ID: 35742479

Sorry for the delay in reply.

Yes they are in the same OU, and yes I have enabled the group policy pass through settings needed with the ICAClient.adm attached.

Author Comment

ID: 35782641
I believe I may have actually solved my issue - I am doing some testing now to confirm - once confirmed I will post how I solved the issue in the event that someone else should fall prey to this rather annoying problem

Accepted Solution

jaspar1 earned 0 total points
ID: 35820710
Well that was a rather annoying problem.

It appears that if you have not disabled the first run wizard in IE 8 the pnagent/xenclient will actually prompt for credentials instead of using pass through - and even if you have configured it all correctly.

The reason my Windows 7 clients were unaffected was because the first run IE 8 wizard was already disabled in the image. (I.e. it didn't matter that they were in the same GPO the servers were still failing etc.)

The reason the first two 2008R2 servers of mine worked is due to the fact that I set them both up manually from the same base image, disabling things like IE first run settings and IE ESC and other tiddly bits.
I was creating a template for my deployment image & the other server I was setting up as a streaming profile creation machine.

After I successfully tested the server I was to use as a template, I imaged the new servers to find out later that sysprep had actually re-enabled some of the disabled items (IE first run being one of them).

After realising this I set up the GPO to disable the IE 8 first run and pass through all worked as intended from server and client as well as any new server or client machine imaged.

Author Closing Comment

ID: 35865682
Closing my own question
