Pass through authentication not working with WI 5.0 and XenApp web client

Started by Hoan Vu, 08 February 2009 - 12:53 AM
5 replies to this topic

Hoan Vu

Posted 08 February 2009 - 12:53 AM

Simple setup. External users come through a Windows ISA 2006 server. They provide domain credentials and then ISA sends the request to the Web Interface 5.0 server (dedicated). Credentials are passed through to Web Interface just fine and users are presented with their applications (here comes the same old issue). When they launch their applications, yep, they are prompted for their credentials again. All external users use the XenApp Web Client 11.0. Remember, these are users at remote (home) locations using their own computers (not company-issued devices). I get the same issue if I run "behind" ISA, that is, if I connect using a corporate workstation, browse to the WI site and provide credentials (still using the XenApp web client). The credentials pass through to the applications just fine, but once I launch them I have to provide credentials again. Any hope for a resolution?



KEN ZYGMUNT

Posted 08 February 2009 - 11:02 PM

Geoffrey

What are your DMZ settings on the Web Interface? I'm guessing that there's one entry, "Default - Gateway Direct", and the gateway server is your ISA Server?

For internal "corporate" desktops, you need to add an entry above this, "x.x.x.x - Direct", where x.x.x.x is your internal network range, e.g. 172.20.0.0.

If the above scenario is correct, what appears to be happening is that when you click on an icon, this tells the local ICA client to make a connection to the ISA server, but because this is a separate program, the ISA server is asking for domain authentication again.

Ken Z



Hoan Vu

Posted 12 February 2009 - 01:54 PM

Thanks Ken. I got the first issue working (sort of) by turning off "pass-through" and turning on "explicit". For now that allows users to log into the Web Interface page, get their list of published applications, then launch each application and have it actually launch without a second login prompt. So, this is good so far.

My next issue is this. We have to present two different sites through Web Interface: one to which we apply SafeWord for Citrix and one that does not require two-factor authentication. I have that working fine.

Now for the real challenge. We are required to "force" administrators to use tokens (the SafeWord site) while letting general users in without those tokens. To do this I have to be able to deny access to the "unsecured" (non-SafeWord) site for administrators. The problem I have is that Web Interface (i.e., IIS) uses anonymous access to get to the sites. This means that a "lazy" admin can still get to, and log into, the unsecured site. I'd like to use ISA to manage this access. The problem is that once I have users log in to an ISA page (forms-based authentication) I can't get those credentials to then pass all the way down to the published applications. This means that everyone has to log in twice (once at ISA, then once when they launch their published applications). This will never pass management approval. When we used Citrix Access Gateway Advanced with Web Interface, I could use access policies to keep admins out of the "unsecured" logon point. With Web Interface only, I can't seem to get that to work.

Kind of long story but that's where I'm stuck. Any ideas?



KEN ZYGMUNT

Posted 13 February 2009 - 08:47 AM

Geoffrey

This is a tricky one. Doing this on the Citrix Access Gateway Standard with Web Interface would be easy, as you performed the authentication on the CAG before passing the credentials through. Why did you stop using the CAG?

Ken Z

Edited by: Ken Zygmunt on 13-Feb-2009 08:49



Hoan Vu

Posted 14 February 2009 - 05:36 AM

Ken,

Complex question. We stopped using the CAGs because of the cost of licensing (concurrent) and the fact that we no longer need to use tokens for some users. We want to pass traffic directly from the "outside" world, through ISA and into our internal network (not our DMZs). I think I've got everything working, though, using some policy. However, now I'm stuck trying to launch the published applications. They launch fine internally, but externally I get the error "Cannot connect to the Citrix server. There is no Citrix server configured on (or routed to) the specified address." Seems like one thing after another. Don't want to hold you up on my problem. But, if you have any ideas, here's the setup again. External user --> public IP --> ISA listens then passes traffic to WI server --> user tries to launch published app and gets error. Presentation servers are in the same zone as the WI server.



Hoan Vu

Posted 20 February 2009 - 05:10 PM

Turns out the issue was the translation of addressing to the source client. That is, everything worked internally since the client and servers were on the same network. When the client was "external" we had to either use "alternate" addresses for each Metaframe Presentation server (which we didn't want to do) or to deploy the Citrix Secure Gateway to consolidate that traffic. Once we got the CSG installed, everything worked fine.
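The two mechanisms this thread turns on are Ken's ordered access-route table (an internal "Direct" entry must sit above "Default - Gateway Direct") and the final post's address-translation problem (the ICA file hands an external client an internal server address it cannot route to, unless the server has an alternate address or a Secure Gateway fronts the traffic). The model below is an added illustration written for this page; it is not Citrix code and not something posted in the thread. It assumes Ken's example internal range 172.20.0.0/16, a constructed server with internal address 172.20.1.10 and alternate address 203.0.113.10, a constructed external client at 198.51.100.20, an assumed gateway name csg.example.com, and the conventional ports 1494 (ICA) and 443 (gateway). Real Web Interface ICA files carry more fields than the host and port modelled here; the point is which host the client ends up opening.

```python
"""Model of Web Interface access-route selection and ICA address translation.

Illustrative model only (not Citrix code): an ordered route table where the
first matching client network wins, plus the host:port the generated ICA
file would point the client at. Reachability is modelled as "an address
inside the internal range is reachable only from the internal range".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Internal range from Ken's example; assumed for this model.
INTERNAL_NET = ipaddress.ip_network("172.20.0.0/16")

# Error text quoted in the thread's fourth post.
CANNOT_CONNECT = ("Cannot connect to the Citrix server. There is no Citrix "
                  "server configured on (or routed to) the specified address.")


@dataclass
class ServerConfig:
    name: str
    internal_address: str
    alternate_address: Optional[str] = None  # public (NAT) address, if one is configured per server


@dataclass
class WebInterfaceConfig:
    # Ordered access routes: (client network in CIDR, route). First match wins.
    # Routes modelled: "direct", "alternate", "gateway_direct".
    routes: List[Tuple[str, str]]
    gateway_fqdn: Optional[str] = None  # Secure Gateway name used by gateway_direct


def select_route(cfg: WebInterfaceConfig, client_ip: str) -> str:
    """Walk the route table top to bottom and return the first matching route."""
    ip = ipaddress.ip_address(client_ip)
    for cidr, route in cfg.routes:
        if ip in ipaddress.ip_network(cidr):
            return route
    raise ValueError("no access route matched; the table needs a catch-all Default entry")


def ica_target(cfg: WebInterfaceConfig, server: ServerConfig, client_ip: str) -> Tuple[str, int]:
    """Host and port the ICA client will open, as written into the ICA file."""
    route = select_route(cfg, client_ip)
    if route == "direct":
        return server.internal_address, 1494
    if route == "alternate":
        if not server.alternate_address:
            raise ValueError(f"{server.name} has no alternate address configured")
        return server.alternate_address, 1494
    if route == "gateway_direct":
        if not cfg.gateway_fqdn:
            raise ValueError("gateway_direct route selected but no gateway configured")
        return cfg.gateway_fqdn, 443
    raise ValueError(f"unknown route {route!r}")


def launch(cfg: WebInterfaceConfig, server: ServerConfig, client_ip: str) -> Tuple[str, str]:
    """Simulate a launch: ("connect", host:port) or ("error", message)."""
    host, port = ica_target(cfg, server, client_ip)
    client_internal = ipaddress.ip_address(client_ip) in INTERNAL_NET
    try:
        target_internal = ipaddress.ip_address(host) in INTERNAL_NET
    except ValueError:
        target_internal = False  # a hostname (the gateway) is assumed publicly resolvable
    if target_internal and not client_internal:
        return "error", CANNOT_CONNECT
    return "connect", f"{host}:{port}"


# Constructed sample data for the scenarios in the thread.
SERVER = ServerConfig("PS01", "172.20.1.10", "203.0.113.10")

# 1. What the thread hit: every client, inside or outside, handed the internal address.
DIRECT_ONLY = WebInterfaceConfig(routes=[("0.0.0.0/0", "direct")])
# 2. Alternate addresses on each server (the option the poster did not want).
ALTERNATE = WebInterfaceConfig(routes=[(str(INTERNAL_NET), "direct"), ("0.0.0.0/0", "alternate")])
# 3. Secure Gateway fronting external traffic, with Ken's internal Direct entry above Default.
GATEWAY = WebInterfaceConfig(routes=[(str(INTERNAL_NET), "direct"), ("0.0.0.0/0", "gateway_direct")],
                             gateway_fqdn="csg.example.com")
# 4. Ken's warning: the same entries in the wrong order.
GATEWAY_MISORDERED = WebInterfaceConfig(routes=[("0.0.0.0/0", "gateway_direct"), (str(INTERNAL_NET), "direct")],
                                        gateway_fqdn="csg.example.com")

if __name__ == "__main__":
    for label, cfg in [("direct only", DIRECT_ONLY), ("alternate", ALTERNATE),
                       ("gateway", GATEWAY), ("gateway misordered", GATEWAY_MISORDERED)]:
        for client in ("172.20.5.7", "198.51.100.20"):
            print(f"{label:18} client {client:14} -> {launch(cfg, SERVER, client)}")
```

Running the script shows the three outcomes from the thread side by side: the direct-only table fails for the external client with the quoted error, the alternate and gateway tables succeed for both clients, and the misordered gateway table sends the internal client through the gateway as well, which is the extra authentication prompt Ken described.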