
Director 7.7 Windows Authentication not working with NS LB

Started by Matt Sliva , 03 January 2016 - 07:44 AM
18 replies to this topic

Matt Sliva Members

Matt Sliva
  • 101 posts

Posted 03 January 2016 - 07:44 AM

Anyone else having a problem getting the new pass-through Windows Authentication working with Citrix Director 7.7 and a NetScaler load balancer? I can open the Director page on the DDC itself and have it work, but not the NetScaler load balanced URL I have set up. No errors display, just the normal looking sign-in page asking for user, password, and domain.

 

Matt



Anthony Zepeda Members

Anthony Zepeda
  • 152 posts

Posted 03 January 2016 - 07:41 PM

Anyone else having a problem getting the new pass-through Windows Authentication working with Citrix Director 7.7 and a NetScaler load balancer? I can open the Director page on the DDC itself and have it work, but not the NetScaler load balanced URL I have set up. No errors display, just the normal looking sign-in page asking for user, password, and domain.

 

Matt

I had the same issue: it would prompt me for a username and password before getting to the Director logon page, then I would have to type the login again in Director.



Matt Sliva Members

Matt Sliva
  • 101 posts

Posted 04 January 2016 - 02:30 AM

So after playing around with Director 7.7 for another day, I'm finding out the Integrated Windows Authentication only works locally from where I have Director installed. I have two DDCs, both with Director installed. I cannot get Integrated Windows Authentication to work from one DDC to another or from a XenApp server to either DDC. If I open up an Internet Explorer session locally, I can hit either 'localhost' or the server hostname and have my credentials passed through. At this point I don't think it's a NetScaler issue, but probably something IIS related instead.



Bertil Hedenström Members

Bertil Hedenström
  • 53 posts

Posted 04 January 2016 - 03:34 PM

I have a similar issue. I have only one Director 7.7 server configured for now, no load balancing. When connecting locally on the Director server, Windows Authentication works. When connecting remotely, it doesn't work (there is no option to choose the authentication method).

 

Note that Director is not installed on the DDC in my case, but I configured delegation according to the documentation.



matthew ingram Members

matthew ingram
  • 826 posts

Posted 05 January 2016 - 12:46 AM

So after playing around with Director 7.7 for another day, I'm finding out the Integrated Windows Authentication only works locally from where I have Director installed. I have two DDCs, both with Director installed. I cannot get Integrated Windows Authentication to work from one DDC to another or from a XenApp server to either DDC. If I open up an Internet Explorer session locally, I can hit either 'localhost' or the server hostname and have my credentials passed through. At this point I don't think it's a NetScaler issue, but probably something IIS related instead.

 

Did you set up delegated authority for the AD account of the servers hosting Director? Set the option 'Trust this computer for delegation to any service (Kerberos only)' on the Delegation tab of the AD computer object.



Matt Sliva Members

Matt Sliva
  • 101 posts

Posted 05 January 2016 - 04:37 AM

Did you set up delegated authority for the AD account of the servers hosting Director? Set the option 'Trust this computer for delegation to any service (Kerberos only)' on the Delegation tab of the AD computer object.

 

Yes.

 

Any remote connection to the Director site, through the NS or direct, does not work. The trusty old-fashioned forms based authentication pops up like nothing special is configured. Out of curiosity, is it working for you?



Christoph Wegener Members

Christoph Wegener
  • 3,266 posts

Posted 05 January 2016 - 08:12 AM

*IF* this whole thing is indeed based on Kerberos instead of NTLM2, then you would obviously need to set up SPNs for your Director FQDN appropriately .....

 

Having said that, I have not spent any hands on time with this feature yet .....



Bertil Hedenström Members

Bertil Hedenström
  • 53 posts

Posted 05 January 2016 - 09:44 AM

Thanks Christoph, that was it, of course ...

 

setspn -S "http/server_URL" domain\server (single server)

 

if Director is load balanced, I guess you have to configure the Director AppPool to use a specific account, and set the SPN on that account instead of the Director server

 

setspn -S "http/loadbalancer_URL" domain\user

 

I will test the load balanced configuration today and will update this post.



Bertil Hedenström Members

Bertil Hedenström
  • 53 posts

Posted 05 January 2016 - 04:10 PM

Here is the working configuration for me, in a load balanced environment. :)

 

1) create an AD account that will be used as the ApplicationPoolIdentity

2) Trust the user account for delegation to any service (Kerberos only) (trust the Director servers for delegation is not necessary in this case)

3) create SPN:

setspn -S http/loadbalanced_URL domain\user

4) in IIS manager, on the Director site, disable anonymous authentication and enable Windows Authentication (this step is described in Citrix doc)

5) in IIS manager, on the Application Pools (Director), specify the user we have created in step 1 as ApplicationPoolIdentity

6) in IIS manager, select Default Web Site and open the Configuration Editor.

Navigate to the following section : system.webServer/security/authentication/windowsAuthentication

Set useAppPoolCredentials = True and useKernelMode = False

 

Hope this helps!
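The six steps above, as an added scripted example (not code from the thread or from Citrix), run elevated on each Director server with the RSAT ActiveDirectory and WebAdministration modules available. Every name in it is a placeholder: the load-balanced FQDN, the NetBIOS domain, the service account and the IIS paths are assumptions you replace with your own. It also adds the two checks a practitioner wants before blaming the NetScaler: a duplicate-SPN lookup before registering (a second host already holding http/&lt;fqdn&gt; silently breaks Kerberos and you land on the forms page or an NTLM prompt), and a client-side klist check afterwards.

```powershell
# Added example: scripted version of Bertil's load-balanced Director configuration.
# All names are placeholders; adjust before running. Run as administrator on each
# Director server. Writes to the Director application node (as Christoph Sinabell
# later suggests), not to the whole Default Web Site.
param(
    [string]$LbFqdn      = 'director.example.com',    # placeholder: load-balanced URL users open
    [string]$Domain      = 'EXAMPLE',                 # placeholder: NetBIOS domain name
    [string]$PoolAccount = 'svc-director-pool',       # placeholder: AD user from step 1
    [string]$AppPool     = 'Director',                # IIS application pool name for Director
    [string]$SitePath    = 'IIS:\Sites\Default Web Site\Director'  # Director application node
)

Import-Module ActiveDirectory
Import-Module WebAdministration

$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

# Step 2: the service account (not the Director computer objects) is trusted for
# delegation to any service, Kerberos only.
Set-ADUser -Identity $PoolAccount -TrustedForDelegation $true

# Step 3: register http/<lb-fqdn> on the service account. Query first: if the SPN is
# already held elsewhere (for example on a StoreFront host sharing the name) the KDC
# cannot issue a usable ticket and clients fall back to NTLM or a credential prompt.
$existing = setspn -Q "http/$LbFqdn"
if ($existing -match 'Existing SPN found') {
    Write-Warning "http/$LbFqdn is already registered; resolve the duplicate first:`n$($existing -join "`n")"
} else {
    setspn -S "http/$LbFqdn" "$Domain\$PoolAccount"
}

# Step 4: Windows Authentication on, anonymous off, for the Director application.
Set-WebConfigurationProperty -PSPath $SitePath -Filter $anonAuth -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $SitePath -Filter $winAuth  -Name enabled -Value $true

# Step 5: run the Director application pool as the service account
# (processModel identityType 3 = SpecificUser).
$cred = Get-Credential -UserName "$Domain\$PoolAccount" -Message 'Service account password for the Director app pool'
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Step 6: decrypt service tickets with the pool identity's key instead of the machine
# account's, and disable kernel-mode auth so that setting is honoured.
Set-WebConfigurationProperty -PSPath $SitePath -Filter $winAuth -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty -PSPath $SitePath -Filter $winAuth -Name useKernelMode -Value $false

# Show the resulting values so the change can be confirmed against IIS Manager's Configuration Editor.
Get-WebConfigurationProperty -PSPath $SitePath -Filter $winAuth -Name useAppPoolCredentials
Get-WebConfigurationProperty -PSPath $SitePath -Filter $winAuth -Name useKernelMode

# Verification, from a domain-joined client rather than the server: after opening
# https://<lb-fqdn> in the browser, a Kerberos service ticket for HTTP/<lb-fqdn>
# should be present. If klist shows none, the browser negotiated NTLM (or nothing),
# which is exactly the symptom of a missing or duplicated SPN.
# klist | Select-String "HTTP/$LbFqdn"
```

Because the SPN is registered on the service account, the same script runs unchanged on the second Director server; only steps 4 to 6 need to repeat there, and `setspn -S` refuses the duplicate if it is run again. `setspn -X` lists every duplicated SPN in the forest and is the quickest way to find the conflict behind an unexplained fall-back to the forms page.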



Matt Sliva Members
  • #10

Matt Sliva
  • 101 posts

Posted 05 January 2016 - 09:13 PM

Here is the working configuration for me, in a load balanced environment. :)

 

1) create an AD account that will be used as the ApplicationPoolIdentity

2) Trust the user account for delegation to any service (Kerberos only) (trust the Director servers for delegation is not necessary in this case)

3) create SPN:

setspn -S http/loadbalanced_URL domain\user

4) in IIS manager, on the Director site, disable anonymous authentication and enable Windows Authentication (this step is described in Citrix doc)

5) in IIS manager, on the Application Pools (Director), specify the user we have created in step 1 as ApplicationPoolIdentity

6) in IIS manager, select Default Web Site and open the Configuration Editor.

Navigate to the following section : system.webServer/security/authentication/windowsAuthentication

Set useAppPoolCredentials = True and useKernelMode = False

 

Hope this helps!

 

Wow! Thanks Bertil. This looks promising but ultimately didn't work for me.

 

For example, is http/loadbalanced_URL something like http/director.company.com?

 

 

Edit: I spoke too soon. I let it sit for a while and walked away. It now works. This site helped to provide me more information as Kerberos authentication with IIS is a bit foreign to me.



Christoph Wegener Members
  • #11

Christoph Wegener
  • 3,266 posts

Posted 06 January 2016 - 01:25 PM

Glad it worked for you.



Christoph Wegener Members
  • #12

Christoph Wegener
  • 3,266 posts

Posted 06 January 2016 - 01:27 PM

 

if Director is load balanced, I guess you have to configure the Director AppPool to use a specific account, and set the SPN on that account instead of the Director server

 

It should be possible to "cheat" and add the http/ spn to the computer objects of both IIS servers ... but the recommended way is a service account for the app pool, just as you implemented.



Tracy Winchester Members
  • #13

Tracy Winchester
  • 8 posts

Posted 17 February 2016 - 08:25 PM

I'm not using Load balancing but having trouble accessing director 7.7 with Windows Authentication.

When it is enabled and I access the URL from another server, it will auto log me in, but I get "Cannot Retrieve the Data" (see attachment). If I turn off the Windows Authentication and log in with credentials, everything works fine.



gpearso324 Members
  • #14

Geoff Pearson
  • 14 posts

Posted 04 May 2016 - 02:24 PM

I hate to bring up an old topic, but I'm having trouble getting SSO working with load balancing and I'm wondering if it's due to our setup. We have Director installed on our StoreFront servers, so we use director.domain.com/Director as our load balanced URL. I've tried setting both that and just director.domain.com as the SPN but neither are working.

 

When I hit the URL it doesn't login and instead displays an "Authentication Required" login window in Chrome that will not accept my username and password no matter how I enter it.

 

I followed Bertil's instructions above, with the only deviation being that I did not set useAppPoolCredentials at the Default Web Site level due to our StoreFront being there, and instead did it on the Director sub-site. Could that be causing the issue?



Andrew Sommerer Members
  • #15

Andrew Sommerer
  • 87 posts

Posted 22 September 2016 - 08:17 PM

Just a heads up: if after following these steps you are still having issues, you might try uninstalling and reinstalling Director. I just spent some time with support working on SSO not working in my environment with Director. I originally started with Director 7.6 and upgraded to 7.9; somewhere in there a problem occurred, and the easiest fix was to uninstall and reinstall Director. After you reinstall, make sure your AppPool is still set up correctly.



Carsten Kurrat Members
  • #16

Carsten Kurrat
  • 2 posts

Posted 07 March 2017 - 06:50 PM

Hi @all,

I want to configure the same, but I have problems. I have two Windows Server 2012 R2 machines with only Director installed on them. I have a NetScaler where load balancing is configured for Director, and also an HTTP redirect as a responder.

My URL is https://director.test.loc

The servers are director1.test.loc and director2.test.loc

 

1. The AD Account is created (CTXAppPool)

2. The Delegation is created

 

3. The SPN is set

setspn -S http/director.test.loc test.loc\CTXAppPool

 

or which user must I configure?

Or must I set the SPN like https/director.test.loc?

 

4. Authentication is set

5. Application Pools is set

6. useAppPoolcredential is set

 

On the Director server it works only when I enter the hostname like https://director.test.loc/director

 

Via the NetScaler it does not work either.

 

Please help.

Thanks



Christoph Sinabell Members
  • #17

Christoph Sinabell
  • 231 posts

Posted 01 August 2017 - 03:48 PM

Here is the working configuration for me, in a load balanced environment. :)

 

1) create an AD account that will be used as the ApplicationPoolIdentity

2) Trust the user account for delegation to any service (Kerberos only) (trust the Director servers for delegation is not necessary in this case)

3) create SPN:

setspn -S http/loadbalanced_URL domain\user

4) in IIS manager, on the Director site, disable anonymous authentication and enable Windows Authentication (this step is described in Citrix doc)

5) in IIS manager, on the Application Pools (Director), specify the user we have created in step 1 as ApplicationPoolIdentity

6) in IIS manager, select Default Web Site and open the Configuration Editor.

Navigate to the following section : system.webServer/security/authentication/windowsAuthentication

Set useAppPoolCredentials = True and useKernelMode = False

 

Hope this helps!

 

Hi,

 

Bertil's instructions work as expected. SSO to Director is possible from a domain-joined client using an LB (NS in my case) in front. Though I have two minor adjustments to make:

  • It's enough to configure useAppPoolCredentials and useKernelMode on the Director application node in IIS; you don't need to configure it on the Default Web Site itself, with all the possible implications for other applications.
  • You must use a different FQDN (which you register as the SPN) than the one you use for StoreFront. Otherwise registering the SPN to the domain user will break StoreFront SSO.

Regards



Stefan Wendrich Members
  • #18

Stefan Wendrich
  • 255 posts

Posted 12 September 2017 - 09:55 AM

For me, it's working well with Internet Explorer 11. But with Chrome or Edge it doesn't work. I get no login prompt for credentials. And on the form-fill website I could only enter my credentials. No drop-down menu to switch between integrated auth and custom credentials.

 

Are there any additional configuration steps required for Chrome and Edge?

 

I deleted all cached items, but it doesn't work.



Richard Weedon Members
  • #19

Richard Weedon
  • 3 posts

Posted 13 October 2017 - 06:53 PM

I couldn't get this working in a standalone configuration (no NLB, and from an XA session) trying to use smartcards. No matter what I did, I kept getting an IIS app crash. This worked:

 

- Disable all authentications but Windows

- In Director web.config\system.web/authentication

        - change mode from Forms to Windows. Apply and Save.

 

Now it works, finally. It prompts for credentials. I am allowed to select CAC/PIN. Then choose login when the page renders.