jnordeng
Troubleshooting Authentication Issues with StoreFront 3.15

Rewriting post to make this more concise. Any assistance is appreciated.

Configuration: NetScaler MPX 9700s pointing to StoreFront 3.15 VMs (Windows 2012), pointing to XenApp 6.5.

Issue: Authentication failure when trying to log in through both NetScaler and StoreFront. Narrowed down via troubleshooting; it seems StoreFront is not passing traffic to the domain for authentication.

What is logged in the Event Logs on the StoreFront server:
  • Security Log:
      • Event ID 4625: Unknown user name or bad password.
  • Citrix Delivery Services Log:
      • An authentication attempt was made for user: testuser that resulted in: Failed (Windows Error Code: 1326). Password expiry information was requested but none was returned.
  • StoreFront splash error when accessing the URL: "Incorrect Username or Password"

DebugView log:
  • An authentication attempt was made for user: testuser resulting in: Failed (Windows Error: 1326)
  • Citrix.DeliveryServices.Explicit Warning: 0 :
      Expiry information was requested, but none was returned
  • Citrix.DeliveryServices.Localisation Verbose: 0 :
      ResXNamespacedResourceManager found value 'Incorrect user name or password' for key 'ExplicitCore:Failed'

Verified:
  • I can telnet to the domain controllers / Active Directory from StoreFront over port 389 successfully.
  • Loopback is set to OnUsingHttp in StoreFront.
  • None of these attempts are logged on the domain controller itself.


Any additional thoughts on how to troubleshoot this?

Thanks in advance.
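The script below is an added diagnostic, not part of the original post or of any Citrix tooling. It is meant to be run on the StoreFront server and separates the two explanations that fit the symptoms above: "the box never reaches a DC for the user's logon domain" versus "a DC was reached and rejected the credential". It does that by asking Windows which DC it would use for the user's domain, probing the logon ports (telnet to 389 only proves LDAP), validating the test credential against that domain directly without StoreFront in the path, and decoding the Status/SubStatus fields of the local 4625 events, which say whether a DC was consulted at all. The domain names (DOMAINB / domainb.example), the DC name pattern and the account testuser are placeholders to replace with your own.

```powershell
# Added diagnostic for the StoreFront 3.15 authentication failure described above.
# Not from the original thread. Run in an elevated PowerShell on the StoreFront server.
# Placeholders (assumed, replace with your values): the logon domain is Domain B with
# DNS name 'domainb.example' and NetBIOS name 'DOMAINB'; the test account is 'testuser'.
$UserDomainDns = 'domainb.example'
$UserDomainNb  = 'DOMAINB'
$User          = 'testuser'

# 1. Which DC does this server locate for the user's domain, and is the trust visible?
#    If DC location fails, the logon never leaves this box, which matches "nothing on the DC".
$dsgetdc = nltest /dsgetdc:$UserDomainDns 2>&1
$dsgetdc
nltest /domain_trusts

$dcMatch = $dsgetdc | Select-String '^\s*DC: \\\\(\S+)'
if (-not $dcMatch) {
    Write-Warning "No DC located for $UserDomainDns; fix DNS/trust before anything else."
} else {
    $dcName = $dcMatch.Matches[0].Groups[1].Value

    # 2. Raw TCP reachability to that DC on the ports a Windows logon actually uses.
    #    Kerberos (88), LDAP (389), SMB (445) and RPC endpoint mapper (135); an
    #    application-aware firewall can pass 389 and still block the rest.
    foreach ($port in 88, 389, 445, 135) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($dcName, $port)
            "{0}:{1} open" -f $dcName, $port
        } catch {
            "{0}:{1} BLOCKED ({2})" -f $dcName, $port, $_.Exception.InnerException.Message
        } finally {
            $client.Close()
        }
    }
}

# 3. Validate the credential against Domain B directly, with StoreFront out of the path.
#    If this fails from the same server, the problem is the server or network path to
#    Domain B, not the StoreFront configuration. A successful bind here is logged on
#    the DC, so it also tells you which DC to look at.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$cred = Get-Credential -UserName "$UserDomainNb\$User" -Message 'Password for the test account'
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $UserDomainDns)
$ok   = $ctx.ValidateCredentials($User, $cred.GetNetworkCredential().Password)
"Direct validation against $UserDomainDns for $User : $ok"

# 4. Decode the local 4625 events. Property positions follow the 4625 template:
#    5 TargetUserName, 6 TargetDomainName, 7 Status, 9 SubStatus, 10 LogonType,
#    11 LogonProcessName, 12 AuthenticationPackageName.
#    Status 0xC000006D + SubStatus 0xC000006A = bad password (a DC answered).
#    SubStatus 0xC0000064 = user name does not exist (a DC answered).
#    Status 0xC000005E = no logon servers available (request never reached a DC).
#    Status 0xC0000199 / 0xC000018B = trust or domain relationship problem.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Target    = "$($p[6].Value)\$($p[5].Value)"
            Status    = '0x{0:X8}' -f [int64]$p[7].Value
            SubStatus = '0x{0:X8}' -f [int64]$p[9].Value
            LogonType = $p[10].Value
            LogonProc = $p[11].Value
            AuthPkg   = $p[12].Value
        }
    } | Format-Table -AutoSize
```

Windows Server 2012 ships PowerShell 3.0, which is why the script uses New-Object and TcpClient rather than Test-NetConnection. Read step 4 first: a 4625 whose Status is 0xC000005E or a trust error, with no matching event on any Domain B DC, points at DC location or the network path; a SubStatus of 0xC000006A means a DC did answer and the credential itself was rejected.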
Sam Jacobs
Very strange ... the StoreFront server is a member of the domain, right?
Is Windows Firewall on? If so, see if it helps if you turn it off.
Was any special hardening done to the server?
jnordeng (asker)
Yes, the StoreFront server is part of Domain A. Users log in via Domain B, where their users are nested in AD groups of Domain C. The thing is, we have another set of NetScalers and StoreFront servers with the same architecture and domain trusts, and that one works. However, they are in different subnets.

Windows Firewall is off. No real special hardening: disabled UAC and Windows Updates; other than that, followed the standard setup docs. TLS settings match, etc.

I find it interesting that I can't find these login attempts on the domain controller, and I have verified they aren't reaching it, or I would have been locked out multiple times already. So I'm trying to understand the mechanism, or whether there is anything special in the AD auth call, so I can verify that's working as expected, since I can telnet to them successfully.
I doubt the subnets would make a difference as long as the trusts are set up the same.
The fact that you're not seeing the login attempts on the DC seems to signify either a routing or firewall issues (despite the fact that you can TELNET to it).
Can you see the authentication attempt in the firewall logs?
I'm working with the network guy next week, as I don't have visibility into the firewall logs. But I wanted to see if I could get something concrete before I have his time, to ensure it gets resolved.
I've found out the hard way that some firewalls are application-aware, and won't allow traffic through unless the application has been defined to it.
True, thanks though. Didn't know if anyone had any other tricks to identify the path it's taking. Trying to do a wire capture on the StoreFront box for more info, so hopefully I can find something.

Also, still learning the Netscaler/Storefront in how they work, so appreciate you taking the time.
While I can't help much with your firewall, please let me know if you have any NetScaler/StoreFront questions.
You might find this Citrix KB article helpful in understanding the NetScaler => StoreFront => application communication data flow:
 https://support.citrix.com/article/CTX227054
Thanks for talking this through with me. While setting up my XenApp 7.15 environment, I uncovered what I missed in the config. Under Authentication Methods, the working cluster had password validation set to Delivery Controllers; my non-working ones had Active Directory.
Something I overlooked, I guess, in these StoreFront servers pointing to XenApp 6.5, as we must have changed this when getting the working cluster to work.

I can now authenticate after setting the non-working ones to Delivery Controllers.

Now onto the other one that isn't working - always something ;)  One step closer today though :)