Citrix Web Interface Authentication Issue

Posted on 2011-09-25
Medium Priority
Last Modified: 2012-06-22
Hello All,

I have a XenApp 6 environment that I am trying to configure with pass-through authentication. Authentication is configured to be done at the web interface from internal requests directly (for now). I have enabled pass-through authentication in IIS 7.0, which the web interface also resides on. I have also configured the web interface itself to use pass-through authentication. I installed the on-line plug-in and also enabled the group policy template for the clients to use pass-through auth on the PDC. I gave it a couple of days to replicate among the forest.

I am trying to secure the connection with an SSL certificate that I have uploaded and enabled in IIS. I have also enabled the ADFS role on the same server as the web interface. I have chosen to use https with the XML service on port 8080 within the web interface.

The website starts with https://....

Trouble is when I preview the site in the web interface or from any client's web browser (even with the on-line plug-in installed) - I get the Citrix logon window - with pass-through authentication showing, but stating I didn't enter in the correct credentials - so I know the web site is working, but it does not allow me to log in. I am using the administrator credentials that have the Domain admin etc... group membership. In fact it's the account I created this whole environment with. After trying to enter in my credentials (which I don't think I should even have to.. considering that is what pass-through authentication should be doing) it brings me to a 401.1 authentication error and gives me reasons like I am not using the correct credentials, or I don't have permission to this website.

After making sure my account had full control over the website - I still get this error.

Also, I am guessing this is part of it too, but my on-line plug-in will not connect to the web-site. It just shows "no connectivity". I have spent hours researching this, and still have not found the solution. I must be doing something wrong.

I hope I was clear enough in my description for someone to help me. I have this project coming due soon, and this is holding me up......

So, if anyone has any ideas, please share them with me :)

Question by: collojh
Expert Comment

ID: 36602539
Check your XML port settings and make sure your WI is communicating with your farm through IIS.

Expert Comment

ID: 36602549
Can you take a Application Pool?

Expert Comment

ID: 36602551
Sorry. Screenshot of your Application Pool?
Expert Comment

ID: 36602558
Check your "Secure Access" Settings in Web Interface and make sure that it says "Direct"

Expert Comment

ID: 36643551
So you are not using Citrix Secure Gateway?  


Author Comment

ID: 36718636
@alexsupertramp - no. We have Access Gateway already configured for the previous environment. I intend on configuring the gateway for this new environment after I get secure internal connectivity working. Do I need to configure Secure Gateway for internal access?

@MigrationKing - I will be working on this project either later today or tomorrow and can gather that information for you.

Thanks goes to both of you for your responses. I will update you accordingly with any results, or lack thereof.


Author Comment

ID: 36718715
@migrationking - yes, the web interface is set to direct.

Author Comment

ID: 36818102
Okay - I installed the secure gateway on another server that is also hosting IIS with STA. Set up the mysta folder and configured the web interface to use gateway direct with the IP address of the STA server. Secure gateway diagnostics shows that it is configured correctly - unless I am missing something.

Yet, I am still unable to log into the site.

My XML ports I changed to 80 and SSL is configured to run on 444 (matches that of the gateway SSL setting).
Please see the attached image for my application pool.

Any ideas?

 Application pool screenshot

Author Comment

ID: 36818111
I just noticed that screen shot is not readable.. let me try that again.

Accepted Solution

alexsupertramp earned 1500 total points
ID: 36818523
Sorry to be so long responding to this.

In my experience I have always set up the CSG and WI concurrently so I don't have experience running the WI as a standalone.

In my configurations IIS (SSL) is running on port 444 and CSG is on 443. I think that is a common scenario among other Citrix farms. Also, the XML port is on something other than 80 (sharing with IIS). I use 8081.

It sounds like your WI is not communicating with your Citrix farm, or the authentication is not set up correctly. Like it was requested earlier, have you verified that your farm XML port settings and your WI XML port settings match? Again, I think it's recommended that you use something other than port 80. And are you certain that your domain authentication settings are set up correctly on the WI? I don't use pass-through authentication and I have used IIS 7 sparsely, so I apologize in advance if any of this is irrelevant to your situation.
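
The port-matching check suggested in the answer above, as an added Python example that is not part of the original thread: it parses a `Farm<n>` line in the style of Web Interface's `WebInterface.conf` and compares its `XMLPort` with the port each XenApp server is set to, and also flags listeners on the WI/CSG host that claim the same port. The host names, port values and sample line are constructed, and the line layout and the default of 80 are assumptions.

```python
import re

# Constructed sample in the style of a WebInterface.conf Farm<n> line
# (assumed layout: server addresses first, then Key:Value options).
SAMPLE_CONF = "Farm1=xa01.example.local,xa02.example.local,Name:Farm1,XMLPort:80,Transport:HTTP\n"
# Constructed sample: XML service port actually set on each XenApp server.
SERVER_XML_PORTS = {"xa01.example.local": 8080, "xa02.example.local": 8080}
# Constructed sample: listeners on the WI/CSG host, as in the answer above.
LISTENERS = {"IIS SSL": 444, "CSG": 443}


def parse_farms(conf_text):
    """Return one dict per Farm<n> line: name, servers, XML port."""
    farms = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*(Farm\d+)\s*=\s*(.+)$", line)
        if not m:
            continue
        servers, opts = [], {}
        for field in (f.strip() for f in m.group(2).split(",")):
            key, sep, value = field.partition(":")
            if sep:
                opts[key] = value
            elif field:
                servers.append(field)
        farms.append({"farm": m.group(1), "servers": servers,
                      "xml_port": int(opts.get("XMLPort", 80))})  # 80: assumed default
    return farms


def check(conf_text, server_ports, listeners):
    """Flag listener collisions and WI/farm XML port mismatches."""
    findings, seen = [], {}
    for name, port in listeners.items():
        if port in seen:
            findings.append(f"{name} and {seen[port]} both bind port {port}")
        seen[port] = name
    for farm in parse_farms(conf_text):
        if farm["xml_port"] == 80:
            findings.append(f"{farm['farm']}: XML port is 80, the IIS default")
        for server in farm["servers"]:
            actual = server_ports.get(server)
            if actual != farm["xml_port"]:
                findings.append(f"{farm['farm']}: WI uses XML port {farm['xml_port']}, "
                                f"{server} uses {actual}")
    return findings


if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONF, SERVER_XML_PORTS, LISTENERS)))
```
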

Author Comment

ID: 36895021
Okay. I have installed CSG, used port 444 for communication, STA (on two different servers), configured the XenApp servers to use port 8080, and also created a policy in the console to enable the XML service for the farm. I also configured XML port sharing in IIS7. Thank you for those suggestions.

Though I am still unable to authenticate. I get the same 401.1 error.

My event logs on the WI show ADFS error " ADFS cannot update the trust relationship.... http network error." Obviously ADFS is not configured correctly and I am having trouble finding straightforward documentation on how to configure it for this kind of environment.

I have a godaddy cert uploaded into IIS and also ADFS.

My web.config file apparently does not contain a valid FS URL. Even when I go to ADFS properties and look at the URLs they are https://servername.domain.com/fs and https://sername.domain.com/fs/adfs

When I type this in the browser, I get page cannot be displayed. So, I know that that is not a valid URL, even though that is a straightforward config (as far as I know). Does anyone have a link to an article that can lay out ADFS and trust relationships within a XenApp 6 farm using CAG/STA etc..?

I really appreciate all the responses thus far, and any other help you guys can give moving forward!

I feel as though I already made great progress from the small suggestions you had made :)


Author Closing Comment

ID: 36900040
So, doing all of your suggestions AlexsuperTramp, and enabling delegation in Active Directory between the servers and then re-building my farm allowed for pass-through authentication to work as far as I can see. Now I am experiencing an internal error 500 when I preview the site.

One of the ISAPI filters in IIS is not loading therefore stopping the site from loading.

I created a new post about this.... maybe you can help with that?

Here is the link to that question - http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Citrix/Q_27376223.html 

Either way BIG BIG Thanks for your help so far :)

I only have two days left before we need to start loading and testing apps :/

So, any information you have regarding ISAPI filters and this issue I am having would be awesome.

Thanks again man!


Question has a verified solution.