Solved

WYSE ThinOS Device & Citrix XenApp 6.5 Not Authenticating

Posted on 2014-04-18
Last Modified: 2014-06-09
Site A:
WYSE Device boots, connects to FTP server for wnos.ini and presents ThinOS login screen. Login to domain is submitted and auto-connects to Citrix XenApp 6.5 published desktop/app successfully.

SITE B:
WYSE device boots, connects to FTP server for wnos.ini and immediately restarts (restart by network) and then boots back up to ThinOS login screen. Domain credentials are not accepted by Citrix message is returned.

Site A and B are connected by SonicWall site VPN tunnel with no firewall rules for lan-to-vpn zones. Also, all servers reside at site A. Lastly, both WYSE devices pull the same wnos.ini file.

;GENERAL
;**********************************************************************
TimeZone='GMT - 05:00' ManualOverride=yes TimeZoneName="Eastern Standard Time" DayLightName="Eastern Daylight Time"
signon=yes
privilege=HIGH
SysMode=VDI
;Desktop=wellmorewallpaper.BMP 
#TimeZone="GMT - 05:00" 
#ManualOverride=yes 
#TimeZoneName="(GMT-05:00) Eastern Time (US & Canada)"
#Daylight=yes 
#Start=030207 
#End=110108 
#TimeServer=nist1-ny.ustiming.org 
#timeformat="12-hour format" 
#dateformat="mm/dd/yyyy"
AutoSignoff=yes

;**********************************************************************
;NETWORK
;**********************************************************************
BootpDisable=yes
DisableDomain=yes
DomainList="cgcgw"
DomainName=cgcgw

;**********************************************************************
;ICA/CITRIX
;**********************************************************************
PnliteServer=192.168.1.26 AutoConnectList="Wellmore:wellmoredesktop" ReconnectAtLogon=2
autoload=1
;connect=ica
;IcaBrowsing=HTTP 
;description="Wellmore Desktop" 
;icon=default
;autoconnect=yes
;username=" " 
;password=" " 
;browserip=192.168.1.26
;application="Wellmore Desktop"
;autoconnect=1
;reconnect=0
;TcpTimeOut=200
;Sessionconfig=all unmapusb=no mapdisks=yes 
;IcaBrowsing=UDP
seamless=yes
ReconnectFromButton=2 Timeout=30 
;Desktop" Timeout="30"

Question by:Lee Seeman

Expert Comment

by:Dirk Kotte
possible the packets are too big for the tunnel?
 

Author Comment

by:Lee Seeman
I don't believe it is a packet size issue over the VPN tunnel;

Some more background:

Remote Site B only has the aforementioned issue when booting to the above noted wnos.ini file, which points to a new XenApp 6.5 farm. Local Site A is fine though.

However, the same WYSE device at Remote Site B when pointed at an older wnos.ini (below) file for a Citrix PS 4.5 farm, boots fine and auto-connects to Citrix PS 4.5 published desktop. Therefore, I don't think it's packet size...

connect=ica \
description="Citrix Array" \
icon=default \
username=" " \
password=" " \
domainname=cgcgw \
browserip=192.168.1.33 \
application="Wellpath Array Desktop" \
autoconnect=1 \
reconnect=0 \
TcpTimeOut=200

I did un-comment the 'TcpTimeout=200' statement in the new wnos.ini file to see if that has any impact...
 

Author Comment

by:Lee Seeman
Any help would be appreciated...
 

Author Comment

by:Lee Seeman
Anyone want to take a stab at this to help us narrow down the possibilities?

Expert Comment

by:Ayman Bakr
Are both site devices connected to the same WI/Storefront? Or each site has its own?
 

Author Comment

by:Lee Seeman
All sites connect to the same Citrix WI server. The only difference is, the FTP credentials used. Anonymous connects them to the default wnos.ini file and the login with username 'xenapp' connects them to the aforementioned wnos.ini customized for XenApp 6.5 WI.

Expert Comment

by:Ayman Bakr
I see that domainname is mentioned in the WNOS.ini file for the PS 4.5, but not mentioned in the WNOS.ini file pertaining to the XenApp 6.5.

Can you add the domainname parameter to your new .ini file?
 

Author Comment

by:Lee Seeman
Mutawadi, The DomainName value is set in both from what I can see:

CITRIX XENAPP 6.5 WNOS.INI  :
#
# This file provides an example of an environment where all users
# will log on following processing of this file.  Each user will
#
# The following directive allows the Winterm 1200LE to attempt to
# locate code files on the FTP server and to update the current 
# code on the device if the version on the server is different.
#
#autoload=1
#
# The following URL specifies a bitmap file which overlays the top
# left part of the sign-on dialog box.  It can be used to present a 
# company logo, special instructions for the day (of limited length)
# or any other desired customization. The WT1200LE will attempt to
# locate the file in the directory named bitmap, directly under the
# directory named wnos, which contains this file.
#
# formurl=blazer.bmp
# resolution=1024X768
#
# The following directive causes the WT1200LE to use a different
# FTP server. This overrides and replaces the fileserver in the
# local network setup and/or the one obtained from DHCP option 161.
# It will be used from the time this directive is processed until
# the value in the local user interface is manually edited, until a
# new value is obtained from a DHCP server on reboot, or until
# another fileserver directive is processed.  Until reset using one
# of the named methods, the new value will persist across reboots
# and power cycle events.  The argument may be either an IP address
# or a DNS name.
#
FileServer=192.168.1.31
#
# The following directive causes the WT1200LE to access a different
# path on the FTP server.  This overrides and replaces the path in
# the local network setup and/or the one obtained from DHCP option
# 162.  Its characteristics are the same as the fileserver 
# directive.  When this is actually used, the directory name wnos
# will be appended to the rootpath before use.  For instance,
# (assuming that the DHCP server does not supply values for options
# 161 and 162) immediately after the reboot following the processing
# of these two directives the WT1200LE will start an FTP session
# with fileserv.wyse.com and attempt to retrieve
# /blazer/wyse/wnos/wnos.ini
#
#RootPath=wyse
#
# The following directives specify the global connections that
# will be present on all user desktops or in all user Connect Lists
# following sign-on.
#
# The following directive will, when activated, establish a 
# connection to a specific ICA server.  Note that the directive is
# continued onto multiple lines.  Continuation is accomplished by 
# putting the following characters at the end of lines to be 
# continued:
#
# \<Enter>
#
# This only works if there is no space between the \ and the
# <Enter> character; the line will not be continued otherwise.  The
# function of each of the arguments is:
#
#     connect=ica      Specifies that this is a connect statement
#                      and that the type of connection is ICA, 
#                      (currently, ICA is the only supported
#                      connection type). This must be the first
#                      item specified on the line.
#     description="x"  Text to appear either under the icon on the
#                      WT1200LE desktop or in the Connect List.
#                      The text must be surrounded by double
#                      quotation marks if it contains spaces or
#                      punctuation.
#     icon=default     The bitmap to be used for the WT1200LE
#                      desktop display.  The argument is either
#                      default or a file name.  If a file name is
#                      specified, it must be located in the bitmap
#                      directory under the wnos directory on the
#                      FTP server.
#     host=IP          The IP address or DNS name of the ICA server
#                      to be contacted when this connection is
#                      established.
#     username=me      The username on the server that runs the
#                      published application.  The username
#                      determines the privileges and default
#                      directory used on the server.
#
# Since the following connection omits the password and domainname
# fields, the client will attempt to perform a login using no
# password and the default domain (whatever was last used on that
# system).  This will probably fail and present the user with
# a login dialog box.  This is more secure than putting passwords
# into a file on an FTP server, which can be downloaded by anyone.
#
# terminal will shutdown once users logoff ICA

CITRIX PS 4.5 FARM WNOS.INI :

;**********************************************************************************************************
;GENERAL
;**********************************************************************************************************
TimeZone='GMT - 05:00' ManualOverride=yes TimeZoneName="Eastern Standard Time" DayLightName="Eastern Daylight Time"
signon=yes
privilege=HIGH
SysMode=VDI
;Desktop=wellmorewallpaper.BMP 
#TimeZone="GMT - 05:00" 
#ManualOverride=yes 
#TimeZoneName="(GMT-05:00) Eastern Time (US & Canada)"
#Daylight=yes 
#Start=030207 
#End=110108 
#TimeServer=nist1-ny.ustiming.org 
#timeformat="12-hour format" 
#dateformat="mm/dd/yyyy"
AutoSignoff=yes

;*****************************************************************************************************
;NETWORK
;************************************************************************************************
BootpDisable=yes
DisableDomain=yes
DomainList="cgcgw"
DomainName=cgcgw

;**********************************************************************************************************
;ICA/CITRIX
;**********************************************************************************************************
PnliteServer=192.168.1.26 AutoConnectList="Wellmore:wellmoredesktop" ReconnectAtLogon=2
autoload=1
;connect=ica
;IcaBrowsing=HTTP 
;description="Wellmore Desktop" 
;icon=default
;autoconnect=yes
;username=" " 
;password=" " 
;browserip=192.168.1.26
;application="Wellmore Desktop"
;autoconnect=1
;reconnect=0
TcpTimeOut=200
;Sessionconfig=all unmapusb=no mapdisks=yes 
;IcaBrowsing=UDP
seamless=yes
ReconnectFromButton=2 Timeout=30 
;Desktop" Timeout="30"

;**********************************************************************************************************
;PRINTING
;**********************************************************************************************************
SessionConfig=ALL 
VUSB_PRINTER=Yes 
Printer=LPT1 Enabled=yes 
Name="Brother PCL5e Driver" 
PrinterID="Brother PCL5e Driver" 
Class=PCL5 
Enabled=yes 
EnabledLPD=no 

;*************************************
;RDP
;*************************************


CITRIX PS 4.5 WNOS.INI :
#
# This file provides an example of an environment where all users
# will log on following processing of this file.  Each user will
# have (potentially) a different desktop display of available
# connections.  Each user may have a different password for
# authentication.
#
# The user desktop displayed following sign-on will be a combination
# of connections specified here (global) and connection specified
# in their individual environment specifications.  Winterm 1200LE
# is capable of accepting up to 16 connection definitions, total.
# Those defined globally will be displayed first, followed by those
# specified for the individual. If the sum of the number of
# connections in the two files exceeds sixteen only the first
# sixteen will be processed.
#
# The following directive enables the use of the sign-on dialog box.
#
signon=0
privilege=HIGH
#
# The following directive allows the Winterm 1200LE to attempt to
# locate code files on the FTP server and to update the current 
# code on the device if the version on the server is different.
#
autoload=1
#
# The following URL specifies a bitmap file which overlays the top
# left part of the sign-on dialog box.  It can be used to present a 
# company logo, special instructions for the day (of limited length)
# or any other desired customization. The WT1200LE will attempt to
# locate the file in the directory named bitmap, directly under the
# directory named wnos, which contains this file.
#
# formurl=blazer.bmp
# resolution=1024X768
#
# The following directive causes the WT1200LE to use a different
# FTP server. This overrides and replaces the fileserver in the
# local network setup and/or the one obtained from DHCP option 161.
# It will be used from the time this directive is processed until
# the value in the local user interface is manually edited, until a
# new value is obtained from a DHCP server on reboot, or until
# another fileserver directive is processed.  Until reset using one
# of the named methods, the new value will persist across reboots
# and power cycle events.  The argument may be either an IP address
# or a DNS name.
#
#FileServer=192.168.1.31
#
# The following directive causes the WT1200LE to access a different
# path on the FTP server.  This overrides and replaces the path in
# the local network setup and/or the one obtained from DHCP option
# 162.  Its characteristics are the same as the fileserver 
# directive.  When this is actually used, the directory name wnos
# will be appended to the rootpath before use.  For instance,
# (assuming that the DHCP server does not supply values for options
# 161 and 162) immediately after the reboot following the processing
# of these two directives the WT1200LE will start an FTP session
# with fileserv.wyse.com and attempt to retrieve
# /blazer/wyse/wnos/wnos.ini
#
#RootPath=wyse
#
# The following directives specify the global connections that
# will be present on all user desktops or in all user Connect Lists
# following sign-on.
#
# The following directive will, when activated, establish a 
# connection to a specific ICA server.  Note that the directive is
# continued onto multiple lines.  Continuation is accomplished by 
# putting the following characters at the end of lines to be 
# continued:
#
# \<Enter>
#
# This only works if there is no space between the \ and the
# <Enter> character; the line will not be continued otherwise.  The
# function of each of the arguments is:
#
#     connect=ica      Specifies that this is a connect statement
#                      and that the type of connection is ICA, 
#                      (currently, ICA is the only supported
#                      connection type). This must be the first
#                      item specified on the line.
#     description="x"  Text to appear either under the icon on the
#                      WT1200LE desktop or in the Connect List.
#                      The text must be surrounded by double
#                      quotation marks if it contains spaces or
#                      punctuation.
#     icon=default     The bitmap to be used for the WT1200LE
#                      desktop display.  The argument is either
#                      default or a file name.  If a file name is
#                      specified, it must be located in the bitmap
#                      directory under the wnos directory on the
#                      FTP server.
#     host=IP          The IP address or DNS name of the ICA server
#                      to be contacted when this connection is
#                      established.
#     username=me      The username on the server that runs the
#                      published application.  The username
#                      determines the privileges and default
#                      directory used on the server.
#
# Since the following connection omits the password and domainname
# fields, the client will attempt to perform a login using no
# password and the default domain (whatever was last used on that
# system).  This will probably fail and present the user with
# a login dialog box.  This is more secure than putting passwords
# into a file on an FTP server, which can be downloaded by anyone.
#
# terminal will shutdown once users logoff ICA


SysMode=VDI

# Desktop=wellmorewallpaper.BMP \

TimeZone='GMT - 05:00' ManualOverride=yes TimeZoneName="Eastern Standard Time" DayLightName="Eastern Daylight Time"

#TimeZone="GMT - 05:00" \
#ManualOverride=yes \
#TimeZoneName="(GMT-05:00) Eastern Time (US & Canada)"
#Daylight=yes \
#Start=030207 \
#End=110108 \
#TimeServer=nist1-ny.ustiming.org \
#timeformat="12-hour format" \
#dateformat="mm/dd/yyyy"


connect=ica \
description="Citrix Array" \
icon=default \
username=" " \
password=" " \
domainname=cgcgw \
browserip=192.168.1.33 \
application="Wellpath Array Desktop" \
autoconnect=1 \
reconnect=0 \
TcpTimeOut=200

#Printer Settings
SessionConfig=ALL \
VUSB_PRINTER=Yes \
Printer=LPT1 Enabled=yes \
Name="Brother PCL5e Driver" \
PrinterID="Brother PCL5e Driver" \
Class=PCL5 \
Enabled=yes \
EnabledLPD=no 

#connect=rdp \
#description="All Applications" \
#icon=default \
#username=" " \
#password=" " \
#domainname=mfound1.local \
#host=192.168.11.243 \
#autoconnect=0 \
#reconnect=0
#TcpTimeOut=200

#connect=rdp \
#description="ABS/GAIN" \
#icon=default \
#username=" " \
#password=" " \
#domainname=mfound1.local \
#host=192.168.1.208 \
#autoconnect=0 \
#reconnect=0
#TcpTimeOut=200

Accepted Solution

by:
Ayman Bakr earned 500 total points
I see, but I realize that the position of the domainname in the new WNOS.ini file is different from that in the old. I wonder if this might be causing the issue.

Try placing the domainname parameter below the connect=ica just like in the old WNOS.ini file.

Author Comment

by:Lee Seeman
Gotcha; will give it a whirl....

Author Comment

by:Lee Seeman
After moving the domainname statement down under the connect=ica statement, it worked on one so far. We will test 2x more and update this accordingly.

Thank you Mutawadi

Author Closing Comment

by:Lee Seeman
Thank you very much for the fix!
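
The checks that came up in this thread (domainname inside the connect=ica statement, the backslash continuation rule and the password warning from the posted file's own comments) written as a small wnos.ini linter. This is an added example, not code from the thread or from Wyse; the rule names, the sample file and its addresses are constructed, and the domainname rule mirrors the accepted answer rather than documented ThinOS behaviour.

```python
import shlex

def logical_lines(text):
    """Yield (first_line_no, statement, broken_line_no) with '\\' continuations joined.
    Following the comments in the posted file, a line continues only when the
    backslash is its very last character."""
    buf, start, broken = [], None, None
    for no, line in enumerate(text.splitlines(), 1):
        if not buf and line.lstrip().startswith(("#", ";")):
            continue                          # comment outside a statement
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1])             # valid continuation
            continue
        if line.rstrip().endswith("\\"):      # blanks after '\': statement ends here
            broken, line = no, line.rstrip()[:-1]
        buf.append(line)
        if (stmt := " ".join(buf).strip()):
            yield start, stmt, broken
        buf, start, broken = [], None, None
    if (stmt := " ".join(buf).strip()):
        yield start, stmt, broken

def params(stmt):
    """Split 'key=value key="quoted value"' into a dict with lower-case keys."""
    try:
        tokens = shlex.split(stmt)
    except ValueError:                        # unbalanced quote: fall back
        tokens = stmt.split()
    pairs = (t.partition("=") for t in tokens)
    return {k.lower(): v for k, sep, v in pairs if sep}

def lint(text):
    """Return (line_no, rule) findings for every connect statement in the file."""
    findings = []
    for no, stmt, broken in logical_lines(text):
        if broken:
            findings.append((broken, "broken-continuation"))
        p = params(stmt)
        if "connect" not in p:
            continue
        if "domainname" not in p:             # the placement issue from the thread
            findings.append((no, "connect-without-domainname"))
        if p.get("password", "").strip():     # non-blank password on the file server
            findings.append((no, "password-in-file"))
    return findings

# Constructed sample, not a file from the thread.
SAMPLE = "\n".join([
    "; constructed sample",
    "DomainName=EXAMPLE",
    "connect=ica \\", 'description="Desktop A" \\', 'password=" " \\',
    "domainname=EXAMPLE \\", "browserip=192.0.2.10",
    "connect=ica \\", 'description="Desktop B" \\ ',   # blank after the backslash
    "domainname=EXAMPLE \\", "browserip=192.0.2.11",
    "connect=ica \\", 'password="Winter2014" \\', "browserip=192.0.2.12",
])

if __name__ == "__main__":
    for line_no, rule in lint(SAMPLE):
        print(f"line {line_no}: {rule}")
```

In the second connect block the blank after the backslash ends the statement early, so the domainname line that follows is no longer part of it and both findings are reported.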