Wednesday, 3 February 2010

Pass-through Authentication woes

image Passthrough authentication is a great feature of the XenApp Agent and Web Interface – users don’t like having to type the same password three times when they log on and anything that makes it easier for them to use Citrix means they’re less likely to find ingenious ways of avoiding it and so is good for us admins.
I found though that users fall into two categories – those who think auto logging in is a mission critical feature that they need to work and those that absolutely insist on explicit credentials (probably because they use some nasty shared login to get into Windows.
Anyway, I’ve found that both on Presentation Server 4.0 and XenApp 6 beta there are several things that can doom passthrough to either not work at all, or look like its going to work and then display a second Windows Logon box when you actually launch an app.
These are some of the elephant traps that can scupper passthrough:
Client Problems
  1. Generally, on a client with malfunctioning passthrough look in Task Manager at the running processes. If SSONSVR.exe is not in the list there is a problem with that client and it might need a reinstall. Make sure you
  2. SSONSVR.exe can fail to start on computers using Intel Credentials Manager – see the fix here.
  3. There is an ADM installed on clients from v10 – it will be at:
    C:\Program files\Citrix\ICA client\Configuration\icaclient.adm
    You can import this ADM into Active Directory for the OU containing your client PCs and configure it to allow single sign on using these instructions from Citrix. This will mean less messing about with appserv.ini files.
  4. Some people report you can’t easily use passthrough from a published desktop if using the v11.0 client. Update to the latest client, v11.2 is now available.
  5. Especially if not using the above ADM, check your appserve.ini (in C:\Users\%username%\AppData\Roaming\ICAClient, or c:\documents and settings\%username%\application data\icaclient\, or c:\Program files\citrix\ica client\) for the following line. It needs to be present and on and needs a reboot to take effect.
    SSOnUserSetting=On
  6. Check the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PNAgent. It should have EnablePassThrough set on and a Server URL (which might well begin http://…) and so look something like this:
    image
  7. I saw a report on a forum post that a client installed pointed to a web interface server with passthrough disabled will never be able to use SSO (single sign on) unless the client is reinstalled, even if its been enabled on the server subsequently. You also need to reinstall if you chose not to use passthrough when you installed the client.
  8. v10.1 and v10.2 of the client might need modification or switches to be able to use SSO – see this for more details. I had success with a v10.2 client installed with the following switch (obviously put in the right path for your client):
    msiexec /i c:\ica32pkg.msi enable_sso=YES
  9. One problem we saw was that pass-through (without Kerberos) can fail if a client has logged on before the network was ready.  If you boot the PC, leave it on the CTRL-ALT-DEL screen for about 60 seconds, and then log in, it might work.  If this is the case, configure the group policy setting to wait for the network before logon (confirmed on Windows 7).
Server Problems
  1. Obviously your Web Interface server should be configured to allow Passthrough under Authentication Methods. Use Kerberos only, especially if you are not using HTTPS. You could try specifying the domains allowed explicitly, that can have an effect.
  2. Check in Terminal Services (or RDS…) Configuration and the properties of the ICA protocol. Make sure “Always prompt for password” is not checked.
  3. Some people have reported on XenApp 5 that they need to install the XAE500W2K8042 hotfix if they are not using Kerberos. I say they should be using Kerberos!
  4. On a Windows Server 2008 (or R2) server you have to make a group policy change here (I’ve not found the ADM was needed):
    Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\
    Double click “Allow Delegating Default Credentials”. Set it to Enabled and click Show. Add in a list of all your Web Interface servers. On the server do a “gpupdate /force” and reboot.
Resources:

1 comments:

Unknown said...

I've had same issues - made a case in Citrix, got a new pn.exe which works now.. before that I was trying everything I could possible think to make it work with no luck..

Post a Comment