Solved

Citrix Web Interface Authentication Issue

Posted on 2011-09-25
Last Modified: 2012-06-22
Hello All,

I have a XenApp 6 environment that I am trying to configure with pass through authentication. Authentication is configured to be done at the web interface from internal requests directly (for now). I have enabled pass-through authentication in IIS 7.0 which the web interface also resides on. I have also configured the web interface itself to use pass-through authentication. I installed the on-line plug in and also enabled the group policy template for the clients to use pass-through auth on the PDC. I gave it a couple of days to replicate among the forest.

I am trying to secure the connection with an SSL certificate that I have uploaded and enabled in IIS. I have also enabled the ADFS role on the same server as the web interface. I have chosen to use https with the XML service on port 8080 within the web interface.

The website starts with https://....

Trouble is when I preview the site in the web interface or from any client's web browser (even with the on-line plug in installed) - I get the Citrix logon window - with pass through authentication showing, but stating I didn't enter in the correct credentials - so I know the web site is working, but it does not allow me to log in. I am using the administrator credentials that have the Domain admin etc... group membership. In fact it's the account I created this whole environment with. After trying to enter in my credentials (which I don't think I should even have to.. considering that is what pass-through authentication should be doing) it brings me to a 401.1 authentication error and gives me reasons like I am not using the correct credentials, or I don't have permission to this website.

After making sure my account had full control over the website - I still get this error.

Also, I am guessing this is part of it too, but my on-line plug in will not connect to the web-site. It just shows "no connectivity". I have spent hours researching this, and still have not found the solution. I must be doing something wrong.

I hope I was clear enough in my description for someone to help me. I have this project coming due soon, and this is holding me up......

So, if anyone has any ideas, please share them with me :)

Question by:collojh
12 Comments
 
LVL 1

Expert Comment

by:MigrationKing
ID: 36602539
Check your XML port settings and make sure your WI is communicating with your farm through IIS.
0
 
LVL 1

Expert Comment

by:MigrationKing
ID: 36602549
Can you take a Application Pool?
0
 
LVL 1

Expert Comment

by:MigrationKing
ID: 36602551
Sorry. Screenshot of your Application Pool?
0
 
LVL 1

Expert Comment

by:MigrationKing
ID: 36602558
Check your "Secure Access" Settings in Web Interface and make sure that it says "Direct"
0
 
LVL 4

Expert Comment

by:alexsupertramp
ID: 36643551
So you are not using Citrix Secure Gateway?  

0
 

Author Comment

by:collojh
ID: 36718636
@alexsupertramp - no. We have Access Gateway already configured for the previous environment. I intend on configuring the gateway for this new environment after I get secure internal connectivity working. Do I need to configure Secure Gateway for internal access?

@MigrationKing - I will be working on this project either later today or tomorrow and can gather that information for you.

Thanks goes to both of you for your responses. I will update you accordingly with any results, or lack thereof.

0

 

Author Comment

by:collojh
ID: 36718715
@migrationking - yes, the web interface is set to direct.
0
 

Author Comment

by:collojh
ID: 36818102
Okay - I installed the secure gateway on another server that is also hosting IIS with STA. Set up the mysta folder and configured the web interface to use gateway direct with the IP address of the STA server. Secure gateway diagnostics shows that it is configured correctly - unless I am missing something.

Yet, I am still unable to log into the site.

My XML ports I changed to 80 and SSL is configured to run on 444 (matches that of the gateway SSL setting).
Please see the attached image for my application pool.

Any ideas?


 Application pool screenshot
0
 

Author Comment

by:collojh
ID: 36818111
I just noticed that screen shot is not readable.. let me try that again.
0
 
LVL 4

Accepted Solution

by:
alexsupertramp earned 500 total points
ID: 36818523
Sorry to be so long responding to this.

In my experience I have always set up the CSG and WI concurrently so I don't have experience running the WI as a standalone.

In my configurations IIS (SSL) is running on port 444 and CSG is on 443.  I think that is a common scenario among other Citrix farms.  Also, the xml port is on something other than 80 (sharing with IIS).  I use 8081.

It sounds like your WI is not communicating with your Citrix farm, or the authentication is not set up correctly. Like it was requested earlier, have you verified that your farm xml port settings and your WI xml port settings match? Again, I think it's recommended that you use something other than port 80. And are you certain that your domain authentication settings are set up correctly on the WI? I don't use pass through authentication and I have used IIS 7 sparsely, so I apologize in advance if any of this is irrelevant to your situation.
0
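The port check suggested in the accepted answer (WI and farm XML ports must match, and the XML port should not be one used by IIS or CSG), as an added example that is not part of the thread or any poster's code. It assumes the `Farm<n>=host,...,XMLPort:<port>,...` line layout of a Web Interface site's WebInterface.conf; the sample line, host names and function names are constructed for illustration.

```python
import re

# Constructed sample of a farm line (assumed WebInterface.conf layout).
SAMPLE_CONF = """\
# constructed sample, not taken from the thread
Farm1=xa01.example.local,xa02.example.local,Name:Farm1,XMLPort:80,Transport:HTTP,SSLRelayPort:443
"""

def parse_farms(conf_text):
    """Return one dict per Farm<n>= line: id, XML broker hosts, Key:Value options."""
    farms = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*(Farm\d+)\s*=\s*(.+)$", line)
        if not m:
            continue  # comments and unrelated settings
        hosts, opts = [], {}
        for field in m.group(2).split(","):
            field = field.strip()
            if ":" in field:
                key, value = field.split(":", 1)
                opts[key.strip()] = value.strip()
            elif field:
                hosts.append(field)
        farms.append({"id": m.group(1), "hosts": hosts, "opts": opts})
    return farms

def check_xml_port(conf_text, farm_xml_port, web_ports=(80, 443, 444)):
    """Compare the WI XMLPort with the port the farm's XML service uses.

    farm_xml_port is supplied by the caller (read it from the farm side);
    web_ports are the IIS/CSG ports named in the answer above.
    """
    findings = []
    for farm in parse_farms(conf_text):
        raw = farm["opts"].get("XMLPort")
        if raw is None or not raw.isdigit():
            findings.append((farm["id"], "XMLPort missing or not numeric"))
            continue
        wi_port = int(raw)
        if wi_port != farm_xml_port:
            findings.append((farm["id"],
                f"WI XMLPort {wi_port} != farm XML service port {farm_xml_port}"))
        if wi_port in web_ports:
            findings.append((farm["id"],
                f"XMLPort {wi_port} is also an IIS/CSG port"))
    return findings

if __name__ == "__main__":
    for farm_id, problem in check_xml_port(SAMPLE_CONF, 8080):
        print(farm_id, "-", problem)
```
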
 

Author Comment

by:collojh
ID: 36895021
Okay. I have installed CSG, used port 444 for communication, STA (on two different servers), configured the XenApp servers to use port 8080, and also created a policy in the console to enable the XML service for the farm. I also configured XML port sharing in IIS7. Thank you for those suggestions.

Though I am still unable to authenticate. I get the same 401.1 error.

My event logs on the WI show ADFS error "ADFS cannot update the trust relationship.... http network error." Obviously ADFS is not configured correctly and I am having trouble finding straightforward documentation on how to configure it for this kind of environment.

I have a GoDaddy cert uploaded into IIS and also ADFS.

My web.config file apparently does not contain a valid FS URL. Even when I go to ADFS properties and look at the URLs they are https://servername.domain.com/fs and https://sername.domain.com/fs/adfs

When I type this in the browser, I get page cannot be displayed. So, I know that that is not a valid URL, even though that is a straightforward config (as far as I know). Does anyone have a link to an article that can lay out ADFS and trust relationships within a XenApp 6 farm using CAG/STA etc..?

I really appreciate all the responses thus far, and any other help you guys can give moving forward!

I feel as though I already made great progress from the small suggestions you had made :)

0
 

Author Closing Comment

by:collojh
ID: 36900040
So, doing all of your suggestions AlexsuperTramp, and enabling delegation in active directory between the servers and then re-building my farm allowed for pass-through authentication to work as far as I can see. Now I am experiencing an internal error 500 when I preview the site.

One of the ISAPI filters in IIS is not loading therefore stopping the site from loading.

I created a new post about this.... maybe you can help with that?

Here is the link to that question - http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Citrix/Q_27376223.html

Either way BIG BIG Thanks for your help so far :)

I only have two days left before we need to start loading and testing apps :/

So, any information you have regarding ISAPI filters and this issue I am having,  would be awesome.

Thanks again man!

collojh
0
