jaspar1

asked on

Why are some of my new XenApp 6 servers unable to use pass-through authentication when other servers and clients can?

Hello,

I have a strange problem here and I’m not sure what steps to take next in my troubleshooting.

My pass-through authentication isn't working on any new server that I build, but it is working for some Windows Server 2008R2 boxes that have already been built. It also works for all Windows 7 machines, including newly built Windows 7 images.

Newly imaged Windows 2008R2SP1 machines that I deploy fail to use pass-through authentication, and won't even work if I set explicit authentication methods on the Citrix Web Server.

I rebuilt a server thinking that there was an issue with my image, and the newly installed Windows 2008R2SP1 also failed to use pass-through authentication.
It failed with explicit authentication also.

The error was 401 from IIS -
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

I know that the credentials were correct; I also confirmed that it wasn't a Kerberos account lockout issue as has happened in previous Citrix versions.

I have been unable to determine what the issue is, but I believe it to be an IIS issue.
I'm having a hard time finding the issue, though, as the web site is working for half my servers and all my clients.

When this error occurs, the following is reported in the event logging on the IIS server:
(These are the 2 failing servers attempting to load the PNAgent site and being denied, which is why you see 2 different IP addresses in the log.
I also noticed that no username or domain name has been passed. I’m not sure why not, or whether it is supposed to be passed. When a Windows 7 machine uses pass-through authentication, the domain and username are passed through and you can see them in the log.)

2011-05-09 05:29:08 10.1.1.130 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - 10.1.1.146 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:11 10.1.1.130 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - 10.1.1.146 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0
2011-05-09 05:29:19 10.1.1.130 POST /Citrix/PNAgent/integrated_enum.aspx - 80 - 10.1.1.126 C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE 401 2 5 0

I've followed troubleshooting steps on the Citrix website and read over a lot of how-tos and troubleshooting guides for different items in XenApp 6, to no avail.
I've confirmed I have all the needed settings, and I have confirmed that the sson.exe service is running as expected on 'all' my servers.

I can't see a reason why my new Windows 2008R2SP1 servers are getting an access denied error.

I can attach more information if needed; please find the site setup below.

Site info:
XenApp 6 test environment consisting of the following machines:

Web Interface 5.4 running with IIS 7.5 on 2008R2SP1
XenApp 6 Server 1, 2008R2SP1 (First Built Server)
XenApp 6 Server 2, 2008R2SP1 (Streaming Profiler Machine)
XenApp 6 Server 3, 2008R2SP1 (Published Desktop Test Machine)
XenApp 6 Server 4, 2008R2SP1 (Published Desktop Test Machine)
Hotfixes Applied: XA600W2K8R2X640001
All servers are running as virtual machines on XenServer 5.6 with FP1 using local storage.

Client OS:
Windows 7 Client 1 X64SP1, (Streaming Profiler Machine)
Windows 7 Client 2 X64SP1, Client Test Machine
Windows 7 Client 3, X64SP1, Client Test Machine
Windows 7 Client 4, X64SP1, Client Test Machine
Windows 7 machines are running the online and offline plug-ins, V12.1.0.30 (online) and V6.0.2.9 (offline), as well as the streaming client.
Windows 7 clients are HP ProBook 5320m.

I've tried a number of different troubleshooting steps and believe I have narrowed it down to an underlying IIS 7.5 problem (however, I’m not 100 percent sure, so I’m posting my query here).

Pass-through authentication is working for all the Windows 7 machines I have, but it is only working on the first two XenApp 6 servers.

I can't see any major differences between my first two and last two XenApp 6 servers.
1 of them was built from the same image that built the first server (using method 2 of deployment stated in the Citrix eDocs).
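
An added example, not part of the original post or any reply: a short parser that groups log lines like the ones quoted above by client IP and reports whether each client ever sent a user name. A `cs-username` of `-` is an unauthenticated request, and 401.2 is the IIS "logon failed due to server configuration" sub-status, which is also what the first anonymous request of an Integrated Windows Authentication handshake logs. The field order is assumed to be the IIS 7.5 default (the post omits the `#Fields` header), and the `10.1.1.50` lines and `EXAMPLE\testuser` account are constructed for contrast.

```python
from collections import defaultdict

# Default IIS 7.5 W3C field order; an assumption, the post omits the #Fields header.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

UA = r"C:\Program+Files+(x86)\Citrix\ICA+Client\PNAMAIN.EXE"
URI = "/Citrix/PNAgent/integrated_enum.aspx"
USER = r"EXAMPLE\testuser"  # constructed account name
# The first three entries are the lines from the post. The two 10.1.1.50 entries
# are constructed to show a client that does answer the challenge.
SAMPLE_LOG = "\n".join([
    f"2011-05-09 05:29:08 10.1.1.130 POST {URI} - 80 - 10.1.1.146 {UA} 401 2 5 0",
    f"2011-05-09 05:29:11 10.1.1.130 POST {URI} - 80 - 10.1.1.146 {UA} 401 2 5 0",
    f"2011-05-09 05:29:19 10.1.1.130 POST {URI} - 80 - 10.1.1.126 {UA} 401 2 5 0",
    f"2011-05-09 05:30:02 10.1.1.130 POST {URI} - 80 - 10.1.1.50 {UA} 401 2 5 0",
    f"2011-05-09 05:30:02 10.1.1.130 POST {URI} - 80 {USER} 10.1.1.50 {UA} 200 0 0 15",
])

def parse(log_text):
    """Yield one dict per well-formed log line, skipping # directives."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and not line.startswith("#"):
            yield dict(zip(FIELDS, parts))

def classify_clients(log_text):
    """Map each client IP to what its requests show about authentication."""
    users, codes = defaultdict(set), defaultdict(set)
    for rec in parse(log_text):
        ip = rec["c-ip"]
        codes[ip].add(rec["sc-status"] + "." + rec["sc-substatus"])
        if rec["cs-username"] != "-":
            users[ip].add(rec["cs-username"])
    report = {}
    for ip in codes:
        if users[ip]:
            report[ip] = "authenticated: " + ", ".join(sorted(users[ip]))
        elif codes[ip] == {"401.2"}:
            # Only anonymous requests were logged: the client never sent
            # credentials after the server's challenge.
            report[ip] = "anonymous only (401.2)"
        else:
            report[ip] = "no user name logged; statuses " + ", ".join(sorted(codes[ip]))
    return report

if __name__ == "__main__":
    for ip, verdict in classify_clients(SAMPLE_LOG).items():
        print(ip, "->", verdict)
```

Run against a full log, this separates clients that stop at the anonymous 401.2 from those that go on to authenticate, which narrows the comparison to client-side differences between the two groups.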

Daniel Borger

http://support.citrix.com/article/CTX368624
http://support.citrix.com/article/CTX076838

Are they in the same OU? Do you have the ICAClient.adm in that OU and Pass-through enabled for version 10 and higher clients?
jaspar1

ASKER

Hello,

Sorry for the delay in reply.

Yes, they are in the same OU, and yes, I have enabled the group policy pass-through settings needed with the ICAClient.adm attached.
jaspar1

ASKER

I believe I may have actually solved my issue. I am doing some testing now to confirm; once confirmed, I will post how I solved the issue in the event that someone else should fall prey to this rather annoying problem.
ASKER CERTIFIED SOLUTION
jaspar1

This solution is only available to members.
jaspar1

ASKER

Closing my own question