Summary
This article outlines workarounds and resolutions to specific Citrix pass-through authentication issues (Single Sign-On) with ICA Win32 clients.
For Web Interface configuration, see:
CTX076838 – Troubleshooting the Desktop Credential Pass-Through Feature
General Troubleshooting
1. The "Prompt for Password" option is enabled in the ica-tcp properties of the Connection tool; it should be disabled. If it is checked and grayed out on Windows 2003, run gpedit.msc and check the following policy under Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Encryption and Security: "Always prompt client for password upon connection". In addition, ensure the "inherit client config" box is checked. If the "inherit client config" box is not checked, the user is effectively logging on to the server with blank credentials.
2. The "Use default NT Authentication" option is enabled in ica-tcp properties of the Connection tool.
3. Make an RDP and/or ICA desktop connection, with the Logon Information configured in the connection settings, to a previously isolated Terminal Server and/or to every Terminal Server in the domain. Non-Citrix servers running Terminal Services in Remote Administration mode can also be tested this way.
4. Investigate, within the Winlogon registry key, the values of GinaDLL and CTXGinaDll for any third-party GINA "chaining" issues. The section titled "Windows Registry GINA Chain Reference" in CTX103185 – GINA Chaining with the MetaFrame Password Manager Agent and TechNet 305971 can be used as references.
5. Look for 1722 and NetLogon errors with Event Viewer. There may be DNS issues with the Terminal Server talking to a Domain Controller. 280766 – getUserNameEx
6. Does logging into the server console make a difference?
7. How to enable user environment debug logging in retail builds of Windows – 221833
8. Are User Principal Names (UPNs) being used?
9. CTX104733 – The DefaultDomainName Registry Key Remains Blank or Contains an Incorrect Domain Name
10. Is Kerberos being used? CTX105384 – Kerberos and the Citrix Client
11. CTX107466 – LogonServer Environment Variable Contains \\* Instead of the Logon Server Name
12. CTX109216 – Hotfix MPSE300R04W2K029 – For Metaframe Presentation Server 3.0 for Windows 2000 Server – Servers configured for an initial logon message using the domain policies "Interactive logon: Message text for users attempting to log on" and "Interactive logon: Message title for users attempting to log on" do not allow connections using Kerberos pass-through authentication.
[From MPSE300R04W2K029][#131589]
Specific Issues
• Pass-through authentication fails on clean/fresh installs on MetaFrame XP SP2/FR2. Apply XE102w024 or its equivalent.
• CTX104379 – Single Sign-on fails after installing PNAgent 8
• CTX105006 – Single Sign-On fails after upgrading to Program Neighborhood Agent 8.0
• CTX103490 – Async Connections prompt to authenticate to the MSGina and Novell Gina
• CTX632027 – Custom ICA connections and ICA files in pass-through mode prompt for credentials
• CTX101783 – Single Sign On requires MPnotify.exe on the embedded client workstation
• CTX111880 – Case Study: SsonSvr.exe Fails to Start on Windows XP Workstations When Connecting Through RDP
• CTX114276 – The Presentation Server Client 10.100 Installation Does Not Prompt for a Restart if Secure Sign-on is Enabled
• CTX113004 – How to Configure Single Sign-on for Web Interface Using Version 10.x of the Presentation Server Client
• CTX118628 – Citrix Single Sign-On (SSONSVR.exe) Fails to Start on Computers using Intel Credentials Manager
• CTX118644 – Case Study – Single Sign-on Not Working,
• CTX118757 – Single Sign On not Working when Presentation Server 4.5 is Installed Using Microsoft SCCM Deployment System
• Ensure the issue is not client version specific. Attempt to upgrade/downgrade the client.
• The Program Neighborhood Agent passes incorrect credentials if the Novell client is installed on the client device and pass-through authentication is being used.
Because of the incorrect credentials, users cannot obtain a list of applications from the Citrix NFuse Classic server. If a client device uses Novell Directory Services (NDS) and pass-through authentication, the Program Neighborhood Agent sends NDS credentials to the Citrix server. If NDS is not configured on the Citrix server, the authentication fails. A new logon method, NT_SSON, has been added to the Config.xml file and the Program Neighborhood Agent to use in determining the type of credentials to send. If NT_SSON is defined, the server and Program Neighborhood Agent can use Windows NT credentials for authentication. If the Novell client is installed on the client device and you want to use Windows NT credentials with pass-through authentication, you must change the value of the XML tag <LogonMethod> in the Config.xml file to NT_SSON. The Config.xml file is in the Inetpub\wwwroot\Citrix\PNAgent directory. The default logon method is SSON.
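The <LogonMethod> change above can be scripted rather than edited by hand, which avoids a typo in a tag that decides which credentials leave the workstation. The following Python script is an added example and is not Citrix's code: the layout of the sample Config.xml around <LogonMethod> is a constructed stand-in (only the tag name and the SSON/NT_SSON values come from the article), the element is located by tag name anywhere in the tree so the real nesting does not matter, and the file path in the usage section is assumed from the directory the article names.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a PNAgent Config.xml. The real file's structure
# around <LogonMethod> is assumed; only the tag name and the two values the
# article mentions (SSON, NT_SSON) are taken from the page.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<PNAgent_Configuration>
  <Logon>
    <LogonMethod>SSON</LogonMethod>
  </Logon>
</PNAgent_Configuration>
"""

# The two logon methods the article names; anything else is refused so a
# mistyped value cannot silently disable pass-through authentication.
KNOWN_METHODS = {"SSON", "NT_SSON"}


def _local_name(tag):
    """Strip an XML namespace prefix ('{uri}LogonMethod' -> 'LogonMethod')."""
    return tag.rsplit("}", 1)[-1]


def _logon_method_elements(root):
    """Yield every <LogonMethod> element regardless of nesting or namespace."""
    for elem in root.iter():
        if _local_name(elem.tag) == "LogonMethod":
            yield elem


def get_logon_method(xml_text):
    """Return the current <LogonMethod> value, or None if the tag is absent."""
    root = ET.fromstring(xml_text)
    for elem in _logon_method_elements(root):
        return (elem.text or "").strip()
    return None


def set_logon_method(xml_text, method="NT_SSON"):
    """Return a copy of the document with <LogonMethod> set to `method`.

    Raises ValueError if the method is not one the article documents or if
    the document has no <LogonMethod> element to change.
    """
    if method not in KNOWN_METHODS:
        raise ValueError("unknown logon method %r (expected one of %s)"
                         % (method, sorted(KNOWN_METHODS)))
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in _logon_method_elements(root):
        elem.text = method
        changed += 1
    if changed == 0:
        raise ValueError("no <LogonMethod> element found in Config.xml")
    # ET.tostring drops the XML declaration, so put it back explicitly.
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def update_config_file(path, method="NT_SSON"):
    """Rewrite the Config.xml at `path` in place; returns the old method."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    old = get_logon_method(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_logon_method(original, method))
    return old


if __name__ == "__main__":
    # Dry run on the constructed sample; the real path below is assumed from
    # the directory the article names and is a placeholder for your server.
    print("current:", get_logon_method(SAMPLE_CONFIG_XML))
    print(set_logon_method(SAMPLE_CONFIG_XML))
    # update_config_file(r"C:\Inetpub\wwwroot\Citrix\PNAgent\Config.xml")
```

Back up Config.xml before running update_config_file against the real file; the function overwrites it in place and returns the previous value so the change can be reversed.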
• Pass-through authentication of Windows domain credentials does not work from a Windows NT/2000/XP workstation/server when the Novell Client is installed.
The Citrix ICA Win32 Client Version 1050 or later fails to pass the user's Windows domain credentials when SSONCredentialType=NT is set under the [wfclient] section of the Appsrv.ini file.
To reproduce the issue:
1. Log on to a Windows NT/2000/XP workstation/server or Citrix server with the Novell NetWare Client Version 4.83 or later installed and the Citrix ICA Win32 Client Version 1050 or later installed.
2. Configure the Citrix ICA Win32 Client to use Single Sign-On. If it is not already set, you need to log off and back on again.
3. Publish an application to Windows users (Windows NT or Active Directory).
4. Create a connection to the published application either through an application set or a custom ICA connection.
5. Connect to the published application.
6. A custom connection displays the Windows NT GINA. An application set connection displays the Program Neighborhood Windows logon box.
Workaround
Move the SSONCredentialType=NT setting from the [wfclient] section of the Appsrv.ini file to the [ApplicationServers] section. Below is an example of where to place the setting:
[WFClient]
Version=2
[Smartcard]
[ApplicationServers]
Test=
[Test]
TransportDriver=TCP/IP
SSONCredentialType=NT
• Pass-through authentication of Windows credentials does not work from a Windows NT/2000/XP workstation/server that belongs to a Workgroup that has the Novell Client installed.
Pass-through authentication of Windows credentials does not work from a Windows NT/2000/XP workstation/server that is part of a Workgroup; by design, the Workgroup name is passed in place of a domain name.
Starting with Version 6.31.1051 of the Win32 Client, you can modify the registry on the machine where the Win32 Client is installed so that the pass-through authentication credentials carry the name of the domain from which the application is published instead of the workgroup name. The registry value you add is used as the domain name during pass-through authentication.
WARNING! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
1. Open the Registry Editor and navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client
2. From the Edit menu, choose Add Value and enter the following information:
Value Name: Domain
Data Type: REG_SZ
3. Click OK
4. In the String text box, enter the server’s domain name. If you want to set up authentication only for local users of the Citrix server and not for domain users, enter the server’s name.
After you modify the registry, you can use Windows credentials with pass-through authentication on workstations that belong to a Workgroup and have the Novell Client installed.
• Pass-through authentication does not support Win9x desktop logon credentials when the password differs from the domain logon.
Windows 9x/ME has two types of logons: authentication against a domain controller, or a local Windows desktop logon. When logging on to a Windows 9x/ME workstation by first authenticating against a domain controller and then entering a Windows desktop password, the Citrix Single Sign-On functionality picks up the Windows desktop password and attempts to pass it to the Citrix server when logging on to an ICA session. Most likely, the domain password and the Windows desktop password are different. If the two passwords are the same, Single Sign-On works as expected. This scenario is, for the most part, identical to a stand-alone NT/Windows 2000 Professional workstation: the local user name and password must be identical to the domain user name and password for Single Sign-On to work. Windows NT/Windows 2000 Professional workstations that are part of the Citrix server domain already ensure that the user name and password match those of the Citrix server.
• Pass-through authentication may fail with the Pass-Through Client when access to Cmd.exe is restricted on Windows 2000 Server or later.
When logging on to a Windows-based system, Winlogon.exe launches Pnsson.dll, which is implemented as a network provider. This module launches the Ssonsvr.exe process in one of three ways. In this case, when a user logs on to the Windows 2000-based server with MetaFrame installed and runs the Pass-Through Client, Pnsson.dll launches Ssonsvr.exe by creating the following command-line string:
CMD /C START…SSONSVR.EXE
The string is then passed back to Winlogon.exe and executed as a logon script.
This is by design. Disabling access to Cmd.exe prevents the Ssonsvr.exe process from launching, and that process is required for the client to obtain the user's credentials. Users in this scenario require at least Read and Execute permissions on Cmd.exe.
• Pass-through authentication does not work when using any version of the Win32 Clients embedded in an HTML file.
When creating an HTML file using either the Published Application Manager in MetaFrame 1.8 or Citrix Management Console in MetaFrame XP to embed an ICA connection, users cannot pass their local credentials from Single Sign-On to the session inside the Web browser.
This is by design. Before launching a connection from the .ica file, Wfica32.exe checks two conditions: whether Wfcrun32.exe is present in the ICA Client directory, and whether Wfica32.exe itself is being called from a Web browser. If it is being called from a Web browser, Wfica32.exe launches the connection directly. If it is not, Wfcrun32.exe is launched and is passed the parameters to establish the session. To use Single Sign-On, Wfcrun32.exe must be the executable that launches the connection.
Other methods of using a Web browser and Single Sign-On are available by using NFuse 1.7 or later and the desktop credential pass-through feature.
To reproduce the issue:
1. Using Published Application Manager or Citrix Management Console, create an HTML file and choose the embedded method.
2. Add the settings to the .ICA file to enable Single Sign-On from an .ICA file. See “How to Enable Pass-Through Authentication Within an ICA File” below.
3. Launch the HTML page either locally or from a Web server. The Winlogon dialog box appears.
4. Launch just the .ICA file; the credentials are automatically passed through.
How to Enable Pass-Through Authentication within an ICA File
If you are using Presentation Server Client version 10.x or later, do not perform the following procedure. See CTX113004 – How to Configure Single Sign-on for Web Interface Using Version 10.x of the Presentation Server Client.
Note: The following assumes that user-specific profiles are being used on the client workstations running Windows 9x/ME/2000/XP operating systems:
1. In the Appsrv.ini file of the user’s profile, add the following lines at the bottom of the [wfclient] section:
SSOnUserSetting=On
EnableSSOnThruICAFile=On
2. In the .ica file you want to use, add the following line in the [Application] section (this is the section where all the settings like resolution or encryption are stored):
UseLocalUserAndPassword=On
Note: This change has to be made individually to the Appsrv.ini file for each user. Users must have the full Program Neighborhood Client installed and have Use Local Username and Password selected for logon in the ICA Settings menu.
Example:
[ApplicationServers]
notepad1=
UseLocalUserAndPassword=On (incorrect location)
[notepad1]
Address=notepad1
InitialProgram=#notepad1
ClientAudio=On
AudioBandwidthLimit=2
Compress=On
TWIMode=On
DesiredHRES=640
DesiredVRES=480
DesiredColor=2
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
UseLocalUserAndPassword=On (correct location)
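The [ApplicationServers] workaround for SSONCredentialType earlier on this page and the UseLocalUserAndPassword placement shown in this example follow the same rule: the setting must sit in the connection's own section (the one named by an entry under [ApplicationServers]), not in [WFClient] or in [ApplicationServers] itself. The following Python checker is an added example and is not Citrix's code. It parses an Appsrv.ini or .ica file, reports each setting that is misplaced or missing, checks that [WFClient] carries the two SSOn settings the procedure above requires, and can move a misplaced key into every per-connection section. The two sample files are constructed for this example and deliberately contain the misplacements the page describes.

```python
# Constructed sample Appsrv.ini: SSONCredentialType is in the wrong section,
# exactly the mistake described in the "does not work ... when the Novell
# Client is installed" issue above.
SAMPLE_APPSRV_INI = """[WFClient]
Version=2
SSOnUserSetting=On
EnableSSOnThruICAFile=On
SSONCredentialType=NT

[Smartcard]

[ApplicationServers]
Test=

[Test]
TransportDriver=TCP/IP
"""

# Constructed sample .ica file mirroring the notepad1 example on the page,
# with UseLocalUserAndPassword in the "incorrect location".
SAMPLE_ICA_FILE = """[ApplicationServers]
notepad1=
UseLocalUserAndPassword=On

[notepad1]
Address=notepad1
InitialProgram=#notepad1
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} in file order.
    Section and key names keep their original case; lookups below are
    case-insensitive because the page writes both [WFClient] and [wfclient]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def render(sections):
    """Serialise the parsed structure back to INI text."""
    out = []
    for name, kv in sections.items():
        out.append("[%s]" % name)
        out.extend("%s=%s" % (k, v) for k, v in kv.items())
        out.append("")
    return "\n".join(out)


def find_section(sections, name):
    return next((s for s in sections if s.lower() == name.lower()), None)


def get_value(section_dict, key):
    return next((v for k, v in section_dict.items() if k.lower() == key.lower()), None)


def connection_names(sections):
    """Entries under [ApplicationServers] that have a section of their own.
    A stray setting placed there (no matching section) is not a connection."""
    aps = find_section(sections, "ApplicationServers")
    if aps is None:
        return []
    return [n for n in sections[aps] if find_section(sections, n) is not None]


def check_placement(sections, key, wrong_sections):
    """Findings for a setting that must be in every per-connection section
    and in none of `wrong_sections`."""
    findings = []
    for wrong in wrong_sections:
        sec = find_section(sections, wrong)
        if sec is not None and get_value(sections[sec], key) is not None:
            findings.append("%s is in [%s]; it belongs in the connection's own section" % (key, sec))
    for conn in connection_names(sections):
        if get_value(sections[conn], key) is None:
            findings.append("%s missing from connection section [%s]" % (key, conn))
    return findings


def check_appsrv_ini(text):
    """Appsrv.ini: [WFClient] needs the two SSOn switches; SSONCredentialType
    belongs in the per-connection section, not [WFClient]."""
    s = parse_ini(text)
    wf = find_section(s, "WFClient")
    wf_dict = s[wf] if wf is not None else {}
    findings = ["%s=On missing from [WFClient]" % req
                for req in ("SSOnUserSetting", "EnableSSOnThruICAFile")
                if (get_value(wf_dict, req) or "").lower() != "on"]
    return findings + check_placement(s, "SSONCredentialType", ["WFClient"])


def check_ica_file(text):
    """.ica file: UseLocalUserAndPassword belongs in the connection section."""
    return check_placement(parse_ini(text), "UseLocalUserAndPassword", ["ApplicationServers"])


def relocate(text, key, wrong_sections):
    """Move `key` out of the wrong sections into each connection section
    that lacks it; returns the rewritten INI text."""
    s, value = parse_ini(text), None
    for wrong in wrong_sections:
        sec = find_section(s, wrong)
        if sec is not None:
            for k in list(s[sec]):
                if k.lower() == key.lower():
                    value = s[sec].pop(k)
    if value is not None:
        for conn in connection_names(s):
            if get_value(s[conn], key) is None:
                s[conn][key] = value
    return render(s)


if __name__ == "__main__":
    for label, text, checker in (("Appsrv.ini", SAMPLE_APPSRV_INI, check_appsrv_ini),
                                 (".ica file", SAMPLE_ICA_FILE, check_ica_file)):
        print(label + ":", checker(text) or ["OK"])
    print(relocate(SAMPLE_ICA_FILE, "UseLocalUserAndPassword", ["ApplicationServers"]))
```

Run the checker against a user's Appsrv.ini before touching the registry or reinstalling the client: a setting that is present but in the wrong section produces exactly the credential prompt described on this page, and the checker distinguishes that case from the setting being absent altogether.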
This document applies to:
- MetaFrame Presentation Server 3.0 for Microsoft Windows 2000
- MetaFrame Presentation Server 3.0 for Microsoft Windows 2003
- MetaFrame XP 1.0 for Microsoft Windows 2000
- MetaFrame XP 1.0 for Microsoft Windows 2003
- Presentation Server 4.0 for Microsoft Windows 2000
- Presentation Server 4.0 for Microsoft Windows 2003
- Presentation Server 4.5 for Windows Server 2003
- Web Interface 2.0
- Web Interface for MetaFrame Presentation Server 3.0
- Web Interface for Presentation Server 4.0
- XenApp 5.0 for Windows Server 2003 x86
- XenApp Plug-in for Windows (32/64 Bit)
Source: Troubleshooting Citrix Pass-through Authentication (Single Sign-On)