Citrix Web Interface Authentication Issue

Posted on 2011-09-25
Last Modified: 2012-06-22
Hello All,

I have a XenApp 6 environment that I am trying to configure with pass-through authentication. Authentication is configured to be done at the web interface from internal requests directly (for now). I have enabled pass-through authentication in IIS 7.0, which the web interface also resides on. I have also configured the web interface itself to use pass-through authentication. I installed the on-line plug-in and also enabled the group policy template for the clients to use pass-through auth on the PDC. I gave it a couple of days to replicate among the forest.

I am trying to secure the connection with an SSL certificate that I have uploaded and enabled in IIS. I have also enabled the ADFS role on the same server as the web interface. I have chosen to use https with the XML service on port 8080 within the web interface.

The website starts with https://....

Trouble is, when I preview the site in the web interface or from any client's web browser (even with the on-line plug-in installed), I get the Citrix logon window with pass-through authentication showing, but stating I didn't enter the correct credentials. So I know the web site is working, but it does not allow me to log in. I am using the administrator credentials that have the Domain admin etc... group membership. In fact, it's the account I created this whole environment with. After trying to enter my credentials (which I don't think I should even have to, considering that is what pass-through authentication should be doing), it brings me to a 401.1 authentication error and gives me reasons like I am not using the correct credentials, or I don't have permission to this website.

After making sure my account had full control over the website - I still get this error.

Also, I am guessing this is part of it too, but my on-line plug-in will not connect to the web site. It just shows "no connectivity". I have spent hours researching this, and still have not found the solution. I must be doing something wrong.

I hope I was clear enough in my description for someone to help me. I have this project coming due soon, and this is holding me up......

So, if anyone has any ideas, please share them with me :)

Question by:collojh

Expert Comment

ID: 36602539
Check your XML port settings and make sure your WI is communicating with your farm through IIS.

Expert Comment

ID: 36602549
Can you take a Application Pool?

Expert Comment

ID: 36602551
Sorry. Screenshot of your Application Pool?

Expert Comment

ID: 36602558
Check your "Secure Access" Settings in Web Interface and make sure that it says "Direct"

Expert Comment

ID: 36643551
So you are not using Citrix Secure Gateway?  


Author Comment

ID: 36718636
@alexsupertramp - no. We have Access Gateway already configured for the previous environment. I intend on configuring the gateway for this new environment after I get secure internal connectivity working. Do I need to configure Secure Gateway for internal access?

@MigrationKing - I will be working on this project either later today or tomorrow and can gather that information for you.

Thanks goes to both of you for your responses. I will update you accordingly with any results, or lack thereof.


Author Comment

ID: 36718715
@migrationking - yes, the web interface is set to direct.

Author Comment

ID: 36818102
Okay - I installed the secure gateway on another server that is also hosting IIS with STA. Set up the mysta folder and configured the web interface to use gateway direct with the IP address of the STA server. Secure gateway diagnostics shows that it is configured correctly - unless I am missing something.

Yet, I am still unable to log into the site.

My XML ports I changed to 80 and SSL is configured to run on 444 (matches that of the gateway SSL setting).
Please see the attached image for my application pool.

Any ideas?

 Application pool screenshot

Author Comment

ID: 36818111
I just noticed that screen shot is not readable.. let me try that again.

Accepted Solution

alexsupertramp earned 500 total points
ID: 36818523
Sorry to be so long responding to this.

In my experience I have always set up the CSG and WI concurrently, so I don't have experience running the WI as a standalone.

In my configurations IIS (SSL) is running on port 444 and CSG is on 443. I think that is a common scenario among other Citrix farms. Also, the XML port is on something other than 80 (sharing with IIS). I use 8081.

It sounds like your WI is not communicating with your Citrix farm, or the authentication is not set up correctly. Like it was requested earlier, have you verified that your farm XML port settings and your WI XML port settings match? Again, I think it's recommended that you use something other than port 80. And are you certain that your domain authentication settings are set up correctly on the WI? I don't use pass-through authentication and I have used IIS 7 sparsely, so I apologize in advance if any of this is irrelevant to your situation.

Author Comment

ID: 36895021
Okay. I have installed CSG, used port 444 for communication, STA (on two different servers), configured the XenApp servers to use port 8080, and also created a policy in the console to enable the XML service for the farm. I also configured XML port sharing in IIS7. Thank you for those suggestions.

Though I am still unable to authenticate. I get the same 401.1 error.

My event logs on the WI show ADFS error " ADFS cannot update the trust relationship.... http network error." Obviously ADFS is not configured correctly and I am having trouble finding straightforward documentation on how to configure it for this kind of environment.

I have a GoDaddy cert uploaded into IIS and also ADFS.

My web.config file apparently does not contain a valid FS URL. Even when I go to ADFS properties and look at the URLs they are and

When I type this in the browser, I get page cannot be displayed. So, I know that that is not a valid URL, even though that is a straightforward config (as far as I know). Does anyone have a link to an article that can lay out ADFS and trust relationships within a XenApp 6 farm using CAG/STA etc..?

I really appreciate all the responses thus far, and any other help you guys can give moving forward!

I feel as though I already made great progress from the small suggestions you had made :)


Author Closing Comment

ID: 36900040
So, doing all of your suggestions, alexsupertramp, and enabling delegation in Active Directory between the servers and then re-building my farm allowed for pass-through authentication to work as far as I can see. Now I am experiencing an internal error 500 when I preview the site.

One of the ISAPI filters in IIS is not loading therefore stopping the site from loading.

I created a new post about this.... maybe you can help with that?

Here is the link to that question - 

Either way BIG BIG Thanks for your help so far :)

I only have two days left before we need to start loading and testing apps :/

So, any information you have regarding ISAPI filters and this issue I am having,  would be awesome.

Thanks again man!



Question has a verified solution.
