Friday 19 February 2010

Kerberos and pass-through authentication

This post could have been called “the curse of the second login box”.

I’ve just spent a frustrating few days trying different ways of installing a v11.2 Citrix client that would let pass-through authentication work for both the web interface and the agent. None of it appeared to make sense: some clients inexplicably worked, but most did not. I was sure the server was configured correctly (no errors in the event logs, and apps enumerated fine in the client), yet every application I launched produced one of these lovely Windows Server logon boxes. And on some installations it just worked.

I compared a working client and a broken one. The only difference was in C:\Program Files\Citrix\ICA Client\wfclient.ini: the broken clients had an extra line:

UseSSPIOnly=On

This line is the installed equivalent of the “Use Kerberos only” checkbox in the installer. Without it (even if your web interface server is configured to “Use Kerberos only”), pass-through authentication will fall back to NTLM if Kerberos fails. With this line, Kerberos authentication is forced, and if it fails you get your second Windows logon box. In other words, in my case Kerberos was failing.

After more research (http://support.citrix.com/article/CTX121918) the glaring omission was that I had not ticked the “Trust this computer for delegation” checkbox on the AD computer accounts of the web interface and Citrix servers. I had been wary of this step without even researching it, since enabling it pops up a warning every time that this is a “security-sensitive operation” and, alarmingly, “should not be done indiscriminately”.

So I’ve changed my standard 11.2 batch install to ENABLE_KERBEROS="No" and taken the UseSSPIOnly=On line out of the existing clients, and it’s all good. For now I would rather disable the Kerberos requirement than perform an indiscriminate action on my servers!
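The two things this post turned on were a single line in wfclient.ini and a delegation flag on two computer accounts, and both are easy to audit before anyone starts reinstalling clients. The script below is an added example, not code from the post or from Citrix: it reports whether a client's wfclient.ini forces Kerberos via UseSSPIOnly=On (and optionally removes that line, which is the fix applied above), and it reads the TrustedForDelegation attribute of the server computer accounts so you can see whether the delegation box was ever ticked. The ini path is the one from the post, the server names are placeholders, and the ActiveDirectory PowerShell module is assumed to be installed on the machine you run it from.

```powershell
# Added example (not from the original post): audit the two settings behind
# the "second logon box": UseSSPIOnly in wfclient.ini and the
# TrustedForDelegation flag on the Web Interface / Citrix computer accounts.
[CmdletBinding()]
param(
    # Path from the post; on 64-bit hosts the client may live under
    # "Program Files (x86)" instead (assumption, adjust as needed).
    [string]$IniPath = 'C:\Program Files\Citrix\ICA Client\wfclient.ini',
    # Placeholder server names, not taken from the post.
    [string[]]$Servers = @('WEBINTERFACE01', 'CITRIX01'),
    # Remove the UseSSPIOnly line instead of only reporting it.
    [switch]$Fix
)

# Find the UseSSPIOnly line, wherever it sits in the file, and say whether
# it forces Kerberos (On) or leaves the NTLM fallback available.
function Get-KerberosMode {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Found = $false; Forced = $false; Line = $null }
    }
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        if ($line -match '^\s*UseSSPIOnly\s*=\s*(?<val>\S+)') {
            return [pscustomobject]@{
                Path   = $Path
                Found  = $true
                Forced = ($Matches['val'] -ieq 'On')
                Line   = $line.Trim()
            }
        }
    }
    return [pscustomobject]@{ Path = $Path; Found = $false; Forced = $false; Line = $null }
}

# Drop the UseSSPIOnly line (the fix from the post), keeping a backup first.
function Remove-ForcedKerberos {
    param([string]$Path)
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $kept = Get-Content -LiteralPath $Path | Where-Object { $_ -notmatch '^\s*UseSSPIOnly\s*=' }
    Set-Content -LiteralPath $Path -Value $kept
}

# Read the delegation flag on each server's computer account. The checkbox
# "Trust this computer for delegation" maps to this attribute.
function Get-DelegationState {
    param([string[]]$Names)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($name in $Names) {
        $acct = Get-ADComputer -Identity $name -Properties TrustedForDelegation -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer             = $name
            Exists               = [bool]$acct
            TrustedForDelegation = $(if ($acct) { $acct.TrustedForDelegation } else { $null })
        }
    }
}

$mode = Get-KerberosMode -Path $IniPath
if ($mode.Found -and $mode.Forced) {
    Write-Host "Kerberos forced by '$($mode.Line)' in $IniPath; NTLM fallback is disabled."
    if ($Fix) {
        Remove-ForcedKerberos -Path $IniPath
        Write-Host "Removed the line (backup written to $IniPath.bak)."
    }
} elseif ($mode.Found) {
    Write-Host "UseSSPIOnly present as '$($mode.Line)'; NTLM fallback is allowed."
} else {
    Write-Host "No UseSSPIOnly line in $IniPath; NTLM fallback is allowed."
}

Get-DelegationState -Names $Servers | Format-Table -AutoSize
```

Run it without -Fix first to see which of the two settings actually explains a given client. The delegation part only reports: the checkbox the post describes turns on unconstrained Kerberos delegation for that computer account, which is why Active Directory warns about it, so whether to set it is a per-server decision rather than something a script should flip.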


2 comments:

Steve Ballantyne said...

Wow - thanks for posting this. I found this at the end of a "hair pulling session" which has lasted most of the day. Part of my problems with pass-through authentication were with bugs in the product. But even after applying the hotfix, it still wasn't working.

Somewhere in the process of trying to figure things out, I had enabled Kerberos authentication earlier in the day. This post got me back on track.

Thank you!!

Andre said...

Not useful for me. Turning off Kerberos is not an option :)
