  • 0

Director 7.7 Windows Authentication not working with NS LB


Matt Sliva

Question

Anyone else having a problem getting the new pass-through Windows Authentication working with Citrix Director 7.7 and a NetScaler load balancer? I can open the Director page on the DDC itself and have it work, but not the NetScaler load-balanced URL I have set up. No errors display, just the normal-looking sign-in page asking for user, password, and domain.

 

Matt


24 answers to this question


  • 1

I couldn't get this working in a standalone configuration (no NLB, and from an XA session) trying to use smartcards. No matter what I did, I kept getting an IIS app crash. This worked:

- Disable all authentications but Windows.

- In Director web.config\system.web/authentication:

        - change mode from Forms to Windows. Apply and save.

Now it works, finally. It prompts for credentials. I am allowed to select CAC/PIN, then choose login when the page renders.

  • Like 1
  • 0

Anyone else having a problem getting the new pass-through Windows Authentication working with Citrix Director 7.7 and a NetScaler load balancer? I can open the Director page on the DDC itself and have it work, but not the NetScaler load-balanced URL I have set up. No errors display, just the normal-looking sign-in page asking for user, password, and domain.

 

Matt

I had the same issue: it would prompt me for a username and password before getting to the Director logon page, and then I would have to type the login again in Director.

  • 0

So after playing around with Director 7.7 for another day, I'm finding out the Integrated Windows Authentication only works locally from where I have Director installed. I have two DDCs, both with Director installed. I cannot get Integrated Windows Authentication to work from one DDC to another or from a XenApp server to either DDC. If I open up an Internet Explorer session locally, I can hit either 'localhost' or the server hostname and have my credentials passed through. At this point I don't think it's a NetScaler issue, but probably something IIS related instead.

  • 0

I have a similar issue. I have only one Director 7.7 server configured for now, no load balancing. When connecting locally on the Director server, Windows Authentication works. When connecting remotely, it doesn't work (there is no option to choose the authentication method).

 

Note that Director is not installed on the DDC in my case, but I configured delegation according to the documentation.

  • Like 1
  • 0

So after playing around with Director 7.7 for another day, I'm finding out the Integrated Windows Authentication only works locally from where I have Director installed. I have two DDCs, both with Director installed. I cannot get Integrated Windows Authentication to work from one DDC to another or from a XenApp server to either DDC. If I open up an Internet Explorer session locally, I can hit either 'localhost' or the server hostname and have my credentials passed through. At this point I don't think it's a NetScaler issue, but probably something IIS related instead.

 

Did you set up delegated authority for the AD account of the servers hosting Director? Set the option 'Trust this computer for delegation to any service (Kerberos only)' on the Delegation tab of the AD computer object.

  • 0

Did you set up delegated authority for the AD account of the servers hosting Director? Set the option 'Trust this computer for delegation to any service (Kerberos only)' on the Delegation tab of the AD computer object.

 

Yes.

 

Any remote connection to the Director site, through the NS or direct, does not work. The trusty old-fashioned forms based authentication pops up like nothing special is configured. Out of curiosity, is it working for you?

  • 0

Thanks Christoph, that was it, of course ...

 

setspn -S "http/server_URL" domain\server (single server)

 

If Director is load balanced, I guess you have to configure the Director AppPool to use a specific account and set the SPN on that account instead of on the Director server:

 

setspn -S "http/loadbalancer_URL" domain\user

 

I will test the load balanced configuration today and will update this post.

  • 0

Here is the working configuration for me, in a load balanced environment. :)

 

1) Create an AD account that will be used as the ApplicationPoolIdentity.

2) Trust the user account for delegation to any service (Kerberos only). (Trusting the Director servers for delegation is not necessary in this case.)

3) Create the SPN:

setspn -S http/loadbalanced_URL domain\user

4) In IIS Manager, on the Director site, disable Anonymous Authentication and enable Windows Authentication (this step is described in the Citrix doc).

5) In IIS Manager, on the Application Pools (Director), specify the user we created in step 1 as the ApplicationPoolIdentity.

6) In IIS Manager, select Default Web Site and open the Configuration Editor.

Navigate to the following section: system.webServer/security/authentication/windowsAuthentication

Set useAppPoolCredentials = True and useKernelMode = False

 

Hope this helps!

  • Like 2
  • 0

Here is the working configuration for me, in a load balanced environment. :)

 

1) Create an AD account that will be used as the ApplicationPoolIdentity.

2) Trust the user account for delegation to any service (Kerberos only). (Trusting the Director servers for delegation is not necessary in this case.)

3) Create the SPN:

setspn -S http/loadbalanced_URL domain\user

4) In IIS Manager, on the Director site, disable Anonymous Authentication and enable Windows Authentication (this step is described in the Citrix doc).

5) In IIS Manager, on the Application Pools (Director), specify the user we created in step 1 as the ApplicationPoolIdentity.

6) In IIS Manager, select Default Web Site and open the Configuration Editor.

Navigate to the following section: system.webServer/security/authentication/windowsAuthentication

Set useAppPoolCredentials = True and useKernelMode = False

 

Hope this helps!

 

Wow! Thanks Bertil. This looks promising but ultimately didn't work for me.

 

For example, is http/loadbalanced_URL something like http/director.company.com?

 

 

Edit: I spoke too soon. I let it sit for a while and walked away. It now works. This site helped to provide me more information as Kerberos authentication with IIS is a bit foreign to me.

  • 0

 

If Director is load balanced, I guess you have to configure the Director AppPool to use a specific account and set the SPN on that account instead of on the Director server.

 

It should be possible to "cheat" and add the http/ SPN to the computer objects of both IIS servers, but the recommended way is a service account for the app pool, just as you implemented.

  • 0

I hate to bring up an old topic, but I'm having trouble getting SSO working with load balancing and I'm wondering if it's due to our setup. We have Director installed on our StoreFront servers, so we use director.domain.com/Director as our load-balanced URL. I've tried setting both that and just director.domain.com as the SPN, but neither is working.

 

When I hit the URL it doesn't login and instead displays an "Authentication Required" login window in Chrome that will not accept my username and password no matter how I enter it.

 

I followed Bertil's instructions above, with the only deviation being that I did not set useAppPoolCredentials at the Default Web Site level due to our StoreFront being there, and instead did it on the Director sub-site. Could that be causing the issue?

  • 0

Just a heads up: if after following these steps you are still having issues, you might try uninstalling and reinstalling Director. I just spent some time with support working on SSO not working in my environment with Director. I originally started with Director 7.6 and upgraded to 7.9; somewhere in there a problem occurred, and the easiest fix was to uninstall and reinstall Director. After you reinstall, make sure your AppPool is still set up correctly.

  • 0

Hi all,

I want to configure the same, but I have problems. I have two Windows Server 2012 R2 servers with only Director installed on them. I have a NetScaler where load balancing is configured for Director, and also an HTTP redirect as a responder.

My URL is https://director.test.loc

The servers are director1.test.loc and director2.test.loc

 

1. The AD account is created (CTXAppPool)

2. The delegation is created

 

3. The SPN is set

setspn -S http/director.test.loc test.loc\CTXAppPool

 

Or which user must I configure?

Or must I set the SPN like https/director.test.loc?

 

4. Authentication is set

5. Application Pools is set

6. useAppPoolCredentials is set

 

On the Director server it works only when I enter the hostname, like https://director.test.loc/director

 

Through the NetScaler it does not work either.

 

Please help.

Thanks

  • 0

Here is the working configuration for me, in a load balanced environment. :)

 

1) Create an AD account that will be used as the ApplicationPoolIdentity.

2) Trust the user account for delegation to any service (Kerberos only). (Trusting the Director servers for delegation is not necessary in this case.)

3) Create the SPN:

setspn -S http/loadbalanced_URL domain\user

4) In IIS Manager, on the Director site, disable Anonymous Authentication and enable Windows Authentication (this step is described in the Citrix doc).

5) In IIS Manager, on the Application Pools (Director), specify the user we created in step 1 as the ApplicationPoolIdentity.

6) In IIS Manager, select Default Web Site and open the Configuration Editor.

Navigate to the following section: system.webServer/security/authentication/windowsAuthentication

Set useAppPoolCredentials = True and useKernelMode = False

 

Hope this helps!

 

Hi,

 

Bertil's instructions work as expected. SSO to Director is possible from a domain-joined client using an LB (NetScaler in my case) in front. Though I have two minor adjustments to make:

  • It's enough to configure useAppPoolCredentials and useKernelMode on the Director application node in IIS; you don't need to configure it on the Default Web Site itself, with all the possible implications for other applications.
  • You must use a different FQDN (which you register as the SPN) than the one you use for StoreFront. Otherwise registering the SPN to the domain user will break StoreFront SSO.

Regards

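The six steps from Bertil's post, with the refinement from the reply above (scope the windowsAuthentication settings to the Director application, and use an FQDN that is not StoreFront's), as one PowerShell script. This is an added example, not code from the thread or from Citrix; the service account name CTXAppPool, the domain EXAMPLE, the FQDN director.example.com, the IIS application path 'Default Web Site/Director' and the app pool name 'Director' are assumptions, and it expects the ActiveDirectory (RSAT) and WebAdministration modules on the Director server.

```powershell
#Requires -RunAsAdministrator
# Added example: automates steps 1-6 of the thread. All names below are assumed.
Import-Module ActiveDirectory
Import-Module WebAdministration

$svc     = 'CTXAppPool'               # assumed service account (app pool identity)
$domain  = 'EXAMPLE'                  # assumed NetBIOS domain name
$lbFqdn  = 'director.example.com'     # assumed LB FQDN; must differ from the StoreFront FQDN
$spn     = "http/$lbFqdn"
$app     = 'Default Web Site/Director'   # assumed IIS application hosting Director
$pool    = 'Director'                    # assumed Director app pool name
$apphost = 'MACHINE/WEBROOT/APPHOST'     # write into applicationHost.config <location> tags
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$anon    = 'system.webServer/security/authentication/anonymousAuthentication'
$cred    = Get-Credential -UserName "$domain\$svc" -Message 'Service account password'

# Step 1: service account that will run the Director app pool
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svc'")) {
    New-ADUser -Name $svc -SamAccountName $svc -AccountPassword $cred.Password `
        -Enabled $true -KerberosEncryptionType AES128, AES256
}

# Step 3: register the SPN, refusing to create a duplicate. A duplicate SPN breaks
# Kerberos ticket issuance; the browser then falls back to NTLM, which cannot delegate.
$owner = Get-ADObject -Filter "servicePrincipalName -eq '$spn'"
if ($owner -and $owner.Name -ne $svc) {
    throw "SPN $spn is already registered on $($owner.DistinguishedName)"
}
Set-ADUser -Identity $svc -ServicePrincipalNames @{Add = $spn}

# Step 2: 'delegation to any service (Kerberos only)' as the thread uses it, i.e.
# unconstrained delegation. Constrained delegation to the DDC services is tighter.
Set-ADAccountControl -Identity $svc -TrustedForDelegation $true

# Step 4: Windows auth on, anonymous off, scoped to the Director application
Set-WebConfigurationProperty -PSPath $apphost -Location $app -Filter $anon    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $app -Filter $winAuth -Name enabled -Value $true

# Step 5: app pool identity = the service account (identityType 3 = SpecificUser)
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    userName = "$domain\$svc"; password = $cred.GetNetworkCredential().Password; identityType = 3 }

# Step 6: tickets for the SPN are encrypted to the service account's key, so IIS must
# decrypt them with the app pool credentials rather than the machine account. Scoped to
# the Director application, as the later reply recommends, not the whole Default Web Site.
Set-WebConfigurationProperty -PSPath $apphost -Location $app -Filter $winAuth -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $app -Filter $winAuth -Name useKernelMode -Value $false

setspn -L "$domain\$svc"   # verify: exactly one http/ SPN, and only for the LB name
```

Run it on each Director server behind the load balancer; the AD steps are idempotent, so the second run only reapplies the IIS settings.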
  • 0

For me, it's working well with Internet Explorer 11. But with Chrome or Edge it doesn't work. I get no login prompt for credentials, and on the form-fill website I can only enter my credentials. There is no drop-down menu to switch between integrated auth and custom credentials.

 

Are there any additional configuration steps required for Chrome and Edge?

 

I deleted all cached items, but it doesn't work.

  • Like 1
  • 0

Hello,

 

I would like to configure single sign-on, but I'm not that familiar with authentication and I have a question.

In my case:

- 2 NetScalers which load balance StoreFront access and Director

- the Director role is installed on the 2 StoreFront servers

- XDCs, StoreFront servers, ... are configured in Domain A, and the users for which we would like to set up single sign-on are configured in Domain B

 

My question now: should I create the AD service account (which will be used as Director's ApplicationPoolIdentity) in Domain A or in Domain B?

 

Thanks for your help!

 

Gijs

  • 0

I have the same configuration and it's been working for a long time. I just installed a new 2016 server and 7.18 and configured it using the old AD user account for the Director AppPool, disabled anonymous and enabled Windows auth on the Director site, and set the default site to use the app pool credentials.

SSO works locally via the localhost URL. It works from a networked client when I use the AD admin user account that did the installation via the URL in the SPN, BUT when a non-AD-admin user tries the same URL it fails. Ideas?

  • 0
On 10/13/2017 at 1:53 PM, Richard Weedon1709157541 said:

I couldn't get this working in a standalone configuration (no NLB, and from an XA session) trying to use smartcards. No matter what I did, I kept getting an IIS app crash. This worked:

- Disable all authentications but Windows.

- In Director web.config\system.web/authentication:

        - change mode from Forms to Windows. Apply and save.

Now it works, finally. It prompts for credentials. I am allowed to select CAC/PIN, then choose login when the page renders.

This helped me allow Chrome and the new Edge to work without getting the "An internal error has occurred. For assistance, contact your administrator." error. Thanks. Auto login still only works in IE11 though.

  • 0

OK. For us the final 2 pieces to get the auto logon to work in Chrome and Edge were these 2 GPO settings:

 

Edge:

User GPO: Specifies a list of servers that Microsoft Edge can delegate user credentials to (Enabled)

Setting: *.yourdomain.com or director.yourdomain.com

 

Chrome:

User GPO: Kerberos delegation server allowlist (Enabled)

Setting: *.yourdomain.com or director.yourdomain.com

 

 

 

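The two browser policies named above, written as the per-user registry values that Chrome and Edge read for those GPOs. This is an added example, not from the thread; the FQDN director.example.com is assumed, and it takes the narrower of the two choices the reply offers, because a *.yourdomain.com wildcard lets the browser hand a delegable ticket to every web server in the domain, not just Director.

```powershell
# Added example: user-scope policy equivalent of the two GPO settings in the reply.
# Assumed FQDN; the exact host is preferred over the *.yourdomain.com wildcard.
$allowed  = 'director.example.com'
$policyKeys = @(
    'HKCU:\Software\Policies\Google\Chrome',   # Chrome: "Kerberos delegation server allowlist"
    'HKCU:\Software\Policies\Microsoft\Edge'   # Edge: "servers that Microsoft Edge can delegate user credentials to"
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Both browsers use the same policy name for this GPO setting.
    Set-ItemProperty -Path $key -Name 'AuthNegotiateDelegateAllowlist' -Value $allowed -Type String
}

# Check: the value should show as applied under chrome://policy and edge://policy
# after the browser is restarted.
Get-ItemProperty -Path $policyKeys -Name 'AuthNegotiateDelegateAllowlist' |
    Select-Object PSPath, AuthNegotiateDelegateAllowlist
```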