Citrix Web Interface Authentication Issue

Posted on 2011-09-25
Last Modified: 2012-06-22
Hello All,

I have a XenApp 6 environment that I am trying to configure with pass-through authentication. Authentication is configured to be done at the web interface from internal requests directly (for now). I have enabled pass-through authentication in IIS 7.0, which the web interface also resides on. I have also configured the web interface itself to use pass-through authentication. I installed the on-line plug-in and also enabled the group policy template for the clients to use pass-through auth on the PDC. I gave it a couple of days to replicate among the forest.

I am trying to secure the connection with an SSL certificate that I have uploaded and enabled in IIS. I have also enabled the ADFS role on the same server as the web interface. I have chosen to use https with the XML service on port 8080 within the web interface.

The website starts with https://....

Trouble is, when I preview the site in the web interface or from any client's web browser (even with the on-line plug-in installed), I get the Citrix logon window, with pass-through authentication showing, but stating I didn't enter the correct credentials. So I know the web site is working, but it does not allow me to log in. I am using the administrator credentials that have the Domain Admin etc. group membership. In fact, it's the account I created this whole environment with. After I try to enter my credentials (which I don't think I should even have to, considering that is what pass-through authentication should be doing), it brings me to a 401.1 authentication error and gives me reasons like I am not using the correct credentials, or I don't have permission to this website.

After making sure my account had full control over the website - I still get this error.

Also, I am guessing this is part of it too, but my on-line plug-in will not connect to the web site. It just shows "no connectivity". I have spent hours researching this, and still have not found the solution. I must be doing something wrong.

I hope I was clear enough in my description for someone to help me. I have this project coming due soon, and this is holding me up......

So, if anyone has any ideas, please share them with me :)

Question by: collojh

Expert Comment

ID: 36602539
Check your XML port settings and make sure your WI is communicating with your farm through IIS.

Expert Comment

ID: 36602549
Can you take a Application Pool?

Expert Comment

ID: 36602551
Sorry. Screenshot of your Application Pool?


Expert Comment

ID: 36602558
Check your "Secure Access" Settings in Web Interface and make sure that it says "Direct"

Expert Comment

ID: 36643551
So you are not using Citrix Secure Gateway?  


Author Comment

ID: 36718636
@alexsupertramp - no. We have Access Gateway already configured for the previous environment. I intend on configuring the gateway for this new environment after I get secure internal connectivity working. Do I need to configure Secure Gateway for internal access?

@MigrationKing - I will be working on this project either later today or tomorrow and can gather that information for you.

Thanks goes to both of you for your responses. I will update you accordingly with any results, or lack thereof.


Author Comment

ID: 36718715
@migrationking - yes, the web interface is set to direct.

Author Comment

ID: 36818102
Okay - I installed the secure gateway on another server that is also hosting IIS with STA. I set up the mysta folder and configured the web interface to use gateway direct with the IP address of the STA server. Secure gateway diagnostics shows that it is configured correctly - unless I am missing something.

Yet, I am still unable to log into the site.

My XML ports I changed to 80 and SSL is configured to run on 444 (matches that of the gateway SSL setting).
Please see the attached image for my application pool.

Any ideas?

 Application pool screenshot

Author Comment

ID: 36818111
I just noticed that screen shot is not readable.. let me try that again.

Accepted Solution

alexsupertramp earned 500 total points
ID: 36818523
Sorry to be so long responding to this.

In my experience I have always set up the CSG and WI concurrently, so I don't have experience running the WI as a standalone.

In my configurations IIS (SSL) is running on port 444 and CSG is on 443.  I think that is a common scenario among other Citrix farms.  Also, the xml port is on something other than 80 (sharing with IIS).  I use 8081.

It sounds like your WI is not communicating with your Citrix farm, or the authentication is not set up correctly. Like it was requested earlier, have you verified that your farm XML port settings and your WI XML port settings match? Again, I think it's recommended that you use something other than port 80. And are you certain that your domain authentication settings are set up correctly on the WI? I don't use pass-through authentication and I have used IIS 7 sparsely, so I apologize in advance if any of this is irrelevant to your situation.
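
The port comparison this answer asks for, as an added example (not part of the original thread and not Citrix tooling). It parses constructed `Farm<n>` lines in the layout assumed for the Web Interface site's WebInterface.conf and compares each `XMLPort` with the farm's XML service port, which is passed in by hand; the function names and hostnames are hypothetical.

```powershell
# Requires PowerShell 3.0+. The sample lines are constructed; the Farm<n>
# "server,...,Key:Value" layout is an assumption about WebInterface.conf.
$SampleConf = @'
Farm1=xa01.example.local,xa02.example.local,Name:Prod,XMLPort:80,Transport:HTTP,SSLRelayPort:443
Farm2=xa03.example.local,Name:Test,XMLPort:8080,Transport:HTTP,SSLRelayPort:443
'@

function Get-WIFarm {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -notmatch '^\s*Farm(\d+)\s*=\s*(.+)$') { continue }
        $id = "Farm$($Matches[1])"
        $servers = @()
        $opts = @{}
        # Fields without "Key:" are server addresses; the rest are options.
        foreach ($field in ($Matches[2] -split ',')) {
            $field = $field.Trim()
            if ($field -match '^([A-Za-z]+):(.*)$') { $opts[$Matches[1]] = $Matches[2] }
            elseif ($field) { $servers += $field }
        }
        [pscustomobject]@{
            Farm      = $id
            Servers   = $servers -join ';'
            XMLPort   = [int]$opts['XMLPort']   # 0 when the option is missing
            Transport = $opts['Transport']
        }
    }
}

function Test-WIFarmPort {
    param([Parameter(ValueFromPipeline = $true)]$Farm, [int]$FarmXmlPort)
    process {
        $issues = @()
        if ($Farm.XMLPort -ne $FarmXmlPort) {
            $issues += "WI uses $($Farm.XMLPort), farm XML service uses $FarmXmlPort"
        }
        if ($Farm.XMLPort -eq 80) {
            $issues += 'port 80 is shared with IIS; the answer suggests another port'
        }
        $summary = if ($issues.Count -gt 0) { $issues -join ' | ' } else { 'none' }
        $Farm | Add-Member -NotePropertyName Issues -NotePropertyValue $summary -PassThru
    }
}

# 8080 is the XML service port named in the question; replace with the farm's value.
Get-WIFarm -Text $SampleConf | Test-WIFarmPort -FarmXmlPort 8080 | Format-List
```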

Author Comment

ID: 36895021
Okay. I have installed CSG, used port 444 for communication, installed STA (on two different servers), configured the XenApp servers to use port 8080, and also created a policy in the console to enable the XML service for the farm. I also configured XML port sharing in IIS7. Thank you for those suggestions.

Though I am still unable to authenticate. I get the same 401.1 error.

My event logs on the WI show ADFS error " ADFS cannot update the trust relationship.... http network error." Obviously ADFS is not configured correctly and I am having trouble finding straightforward documentation on how to configure it for this kind of environment.

I have a GoDaddy cert uploaded into IIS and also ADFS.

My web.config file apparently does not contain a valid FS URL. Even when I go to ADFS properties and look at the URLs they are and

When I type this in the browser, I get page cannot be displayed. So, I know that is not a valid URL, even though that is a straightforward config (as far as I know). Does anyone have a link to an article that can lay out ADFS and trust relationships within a XenApp 6 farm using CAG/STA etc.?

I really appreciate all the responses thus far, and any other help you guys can give moving forward!

I feel as though I already made great progress from the small suggestions you had made :)


Author Closing Comment

ID: 36900040
So, doing all of your suggestions AlexsuperTramp, and enabling delegation in Active Directory between the servers and then re-building my farm allowed for pass-through authentication to work as far as I can see. Now I am experiencing an internal error 500 when I preview the site.

One of the ISAPI filters in IIS is not loading therefore stopping the site from loading.

I created a new post about this.... maybe you can help with that?

Here is the link to that question - 

Either way BIG BIG Thanks for your help so far :)

I only have two days left before we need to start loading and testing apps :/

So, any information you have regarding ISAPI filters and this issue I am having would be awesome.

Thanks again man!

