Citrix Web Interface Authentication Issue

Hello All,

I have a XenApp 6 environment that I am trying to configure with pass-through authentication. Authentication is configured to be done at the web interface from internal requests directly (for now). I have enabled pass-through authentication in IIS 7.0 which the web interface also resides on. I have also configured the web interface itself to use pass-through authentication. I installed the online plug-in and also enabled the group policy template for the clients to use pass-through auth on the PDC. I gave it a couple of days to replicate among the forest.

I am trying to secure the connection with an SSL certificate that I have uploaded and enabled in IIS. I have also enabled the ADFS role on the same server as the web interface. I have chosen to use https with the XML service on port 8080 within the web interface.

The website starts with https://....

Trouble is when I preview the site in the web interface or from any client's web browser (even with the online plug-in installed) - I get the Citrix logon window - with pass-through authentication showing, but stating I didn't enter in the correct credentials - so I know the web site is working, but it does not allow me to log in. I am using the administrator credentials that have the Domain admin etc... group membership. In fact it's the account I created this whole environment with. After trying to enter in my credentials (which I don't think I should even have to.. considering that is what pass-through authentication should be doing) it brings me to a 401.1 authentication error and gives me reasons like I am not using the correct credentials, or I don't have permission to this website.

After making sure my account had full control over the website - I still get this error.

Also, I am guessing this is part of it too, but my online plug-in will not connect to the web site. It just shows "no connectivity". I have spent hours researching this, and still have not found the solution. I must be doing something wrong.

I hope I was clear enough in my description for someone to help me. I have this project coming due soon, and this is holding me up......

So, if anyone has any ideas, please share them with me :)

alexsupertramp Commented:
Sorry to be so long responding to this.

In my experience I have always set up the CSG and WI concurrently so I don't have experience running the WI as a standalone.

In my configurations IIS (SSL) is running on port 444 and CSG is on 443. I think that is a common scenario among other Citrix farms. Also, the XML port is on something other than 80 (sharing with IIS). I use 8081.

It sounds like your WI is not communicating with your Citrix farm, or the authentication is not set up correctly. Like it was requested earlier, have you verified that your farm XML port settings and your WI XML port settings match? Again, I think it's recommended that you use something other than port 80. And are you certain that your domain authentication settings are set up correctly on the WI? I don't use pass-through authentication and I have used IIS 7 sparsely, so I apologize in advance if any of this is irrelevant to your situation.
Check your XML port settings and make sure your WI is communicating with your farm through IIS.
Can you take a Application Pool?
Sorry. Screenshot of your Application Pool?
Check your "Secure Access" Settings in Web Interface and make sure that it says "Direct"
So you are not using Citrix Secure Gateway?  

collojhAuthor Commented:
@alexsupertramp - no. We have Access Gateway already configured for the previous environment. I intend on configuring the gateway for this new environment after I get secure internal connectivity working. Do I need to configure Secure Gateway for internal access?

@MigrationKing - I will be working on this project either later today or tomorrow and can gather that information for you.

Thanks goes to both of you for your responses. I will update you accordingly with any results, or lack thereof.

collojhAuthor Commented:
@migrationking - yes, the web interface is set to direct.
collojhAuthor Commented:
Okay - I installed the secure gateway on another server that is also hosting IIS with STA. Set up the mysta folder and configured the web interface to use gateway direct with the IP address of the STA server. Secure gateway diagnostics shows that it is configured correctly - unless I am missing something.

Yet, I am still unable to log into the site.

My XML ports I changed to 80 and SSL is configured to run on 444 (matches that of the gateway SSL setting).
Please see the attached image for my application pool.

Any ideas?

 Application pool screenshot
collojhAuthor Commented:
I just noticed that screen shot is not readable.. let me try that again.
collojhAuthor Commented:
Okay. I have installed CSG used port 444 for communication, STA (on two different servers) configured the XenApp servers to use port 8080, and also created a policy in the console to enable the XML service for the farm. I also configured XML port sharing in IIS7. Thank you for those suggestions.

Though I am still unable to authenticate. I get the same 401.1 error.

My event logs on the WI show ADFS error "ADFS cannot update the trust relationship.... http network error." Obviously ADFS is not configured correctly and I am having trouble finding straightforward documentation on how to configure it for this kind of environment.

I have a GoDaddy cert uploaded into IIS and also ADFS.

My web.config file apparently does not contain a valid FS URL. Even when I go to ADFS properties and look at the URLs they are and

When I type this in the browser, I get page cannot be displayed. So, I know that that is not a valid URL, even though that is a straightforward config (as far as I know). Does anyone have a link to an article that can lay out ADFS and trust relationships within a XenApp 6 farm using CAG/STA etc..?

I really appreciate all the responses thus far, and any other help you guys can give moving forward!

I feel as though I already made great progress from the small suggestions you had made :)

collojhAuthor Commented:
So, doing all of your suggestions alexsupertramp, and enabling delegation in Active Directory between the servers and then re-building my farm allowed for pass-through authentication to work as far as I can see. Now I am experiencing an internal error 500 when I preview the site.

One of the ISAPI filters in IIS is not loading therefore stopping the site from loading.

I created a new post about this.... maybe you can help with that?

Here is the link to that question - 

Either way BIG BIG Thanks for your help so far :)

I only have two days left before we need to start loading and testing apps :/

So, any information you have regarding ISAPI filters and this issue I am having, would be awesome.

Thanks again man!

Question has a verified solution.
