Jump to content


Single Sign-On Service - PNAMAIN.exe - Impersonation - MDT

Started by Frank Spierings , 21 October 2009 - 02:41 PM
1 reply to this topic

Frank Spierings Members

Frank Spierings
  • 68 posts

Posted 21 October 2009 - 02:41 PM

We have a problem that seems to be the result of a combination of variables.

Please bare with me, even if you don't know the Workspace Extender... ;)

The real problem is RES PowerFuse Workspace Extender will not work when Citrix XenApp Hosted is installed with the Single Sign-On service. When we install Citrix XenApp Hosted without the Single Sign-On service it works correctly. Note that this is on a machine with an unattended installation of Vista, using MDT (Microsoft Deployment Toolkit).

When we manually install a Vista client the RES PowerFuse Workspace Extender works with, or without the Single Sign-On service. Note that this machine has the same policies and basic software layer as the previous mentioned machine. The only difference is its OS installation!

Inspecting the problem further, we can see something strange happening to PNAMAIN.EXE. This process runs as SYSTEM on the first machine. On the manually installed machine it impersonates the current user. PNAMAIN.EXE spawns from SSONSRV.EXE which runs under the SYSTEM account.

When killing SSONSRV.EXE and PNAMAIN.EXE on the first machine, then restarting PNAMAIN.EXE (so it keeps running under the current user credentials!), the Workspace Extender works correctly.

My (first) conclusion therefore is:
- For Workspace Extender to work, it must run under the same credentials as PNAMAIN.EXE

I probably need answers to the following questions to be able to resolve this issue:
- Why does PNAMAIN.EXE impersonate the user on the manually installed machine and why does it keep running under SYSTEM on th DMT installed machine?
- Is there a way to log the behaviour of SSONSRV.EXE?
- Is there a difference in permissions (for the SYSTEM account) on the stock vs a MDT installed machine?

A pointer in the right direction would be very helpful and much appreciated.

Frank Spierings Members

Frank Spierings
  • 68 posts

Posted 05 November 2009 - 08:16 AM

A solution to this problem is using the newer version of Citrix Online Plugin:

The impersonation works in this version even when used from a MDT deployed Vista.