
Director 7.7 Windows Authentication not working with NS LB

Started by Matt Sliva , 03 January 2016 - 07:44 AM
14 replies to this topic

Matt Sliva Members

Matt Sliva
  • 99 posts

Posted 03 January 2016 - 07:44 AM

Anyone else having a problem getting the new pass-through Windows Authentication working with Citrix Director 7.7 and a NetScaler load balancer? I can open the Director page on the DDC itself and have it work, but not the NetScaler load balanced URL I have set up. No errors display, just the normal looking sign-in page asking for user, password, and domain.

 

Matt



Anthony Zepeda Members

Anthony Zepeda
  • 152 posts

Posted 03 January 2016 - 07:41 PM

> Anyone else having a problem getting the new pass-through Windows Authentication working with Citrix Director 7.7 and a NetScaler load balancer? I can open the Director page on the DDC itself and have it work, but not the NetScaler load balanced URL I have set up. No errors display, just the normal looking sign-in page asking for user, password, and domain.
>
> Matt

I had the same issue: it would prompt me for a username and password before getting to the Director logon page, then I would have to type the login again in Director.



Matt Sliva Members

Matt Sliva
  • 99 posts

Posted 04 January 2016 - 02:30 AM

So after playing around with Director 7.7 for another day, I'm finding out the Integrated Windows Authentication only works locally from where I have Director installed. I have two DDCs, both with Director installed. I cannot get Integrated Windows Authentication to work from one DDC to another or from a XenApp server to either DDC. If I open up an Internet Explorer session locally, I can hit either 'localhost' or the server hostname and have my credentials passed through. At this point I don't think it's a NetScaler issue, but probably something IIS related instead.



Bertil Hedenström Members

Bertil Hedenström
  • 53 posts

Posted 04 January 2016 - 03:34 PM

I have a similar issue. I have only one Director 7.7 server configured for now, no load balancing. When connecting locally on the Director server, Windows Authentication works. When connecting remotely, it doesn't work (there is no option to choose the authentication method).

 

Note that Director is not installed on the DDC in my case, but I configured delegation according to the documentation.



matthew ingram Members

matthew ingram
  • 826 posts

Posted 05 January 2016 - 12:46 AM

> So after playing around with Director 7.7 for another day, I'm finding out the Integrated Windows Authentication only works locally from where I have Director installed. I have two DDCs, both with Director installed. I cannot get Integrated Windows Authentication to work from one DDC to another or from a XenApp server to either DDC. If I open up an Internet Explorer session locally, I can hit either 'localhost' or the server hostname and have my credentials passed through. At this point I don't think it's a NetScaler issue, but probably something IIS related instead.

 

Did you set up delegated authority for the AD account of the servers hosting Director? Set the option 'Trust this computer for delegation to any service (Kerberos only)' on the Delegation tab of the AD computer object.



Matt Sliva Members

Matt Sliva
  • 99 posts

Posted 05 January 2016 - 04:37 AM

> Did you set up delegated authority for the AD account of the servers hosting Director? Set the option 'Trust this computer for delegation to any service (Kerberos only)' on the Delegation tab of the AD computer object.

 

Yes.

 

Any remote connection to the Director site, through the NS or direct, does not work. The trusty old-fashioned forms based authentication pops up like nothing special is configured. Out of curiosity, is it working for you?



Christoph Wegener Members

Christoph Wegener
  • 3,266 posts

Posted 05 January 2016 - 08:12 AM

*IF* this whole thing is indeed based on Kerberos instead of NTLM2, then you would obviously need to set up SPNs for your Director FQDN appropriately .....

 

Having said that, I have not spent any hands on time with this feature yet .....



Bertil Hedenström Members

Bertil Hedenström
  • 53 posts

Posted 05 January 2016 - 09:44 AM

Thanks Christoph, that was it, of course ...

 

setspn -S "http/server_URL" domain\server (single server)

 

If Director is load balanced, I guess you have to configure the Director AppPool to use a specific account, and set the SPN on that account instead of the Director server:

 

setspn -S "http/loadbalancer_URL" domain\user

 

I will test the load balanced configuration today and will update this post.



Bertil Hedenström Members

Bertil Hedenström
  • 53 posts

Posted 05 January 2016 - 04:10 PM

Here is the working configuration for me, in a load balanced environment. :)

 

1) Create an AD account that will be used as the ApplicationPoolIdentity.

2) Trust the user account for delegation to any service (Kerberos only). (Trusting the Director servers for delegation is not necessary in this case.)

3) Create the SPN:

setspn -S http/loadbalanced_URL domain\user

4) In IIS Manager, on the Director site, disable Anonymous Authentication and enable Windows Authentication (this step is described in the Citrix doc).

5) In IIS Manager, on the Application Pools (Director), specify the user created in step 1 as the ApplicationPoolIdentity.

6) In IIS Manager, select Default Web Site and open the Configuration Editor.

Navigate to the following section: system.webServer/security/authentication/windowsAuthentication

Set useAppPoolCredentials = True and useKernelMode = False

 

Hope this helps!
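The six steps above, scripted end to end with a verification check at the end. This is an added example, not code from the thread or from Citrix: the domain CONTOSO, the service account svc-director, the load-balanced name director.contoso.com, the site name "Default Web Site", the application "/Director" and the application pool "Director" are all placeholder assumptions, and the script assumes the RSAT ActiveDirectory and WebAdministration modules are available on the Director server.

```powershell
# Added example (not from the thread): scripts Bertil's six steps for a load-balanced
# Director site on this IIS server, then reads the result back.
# Placeholder assumptions: domain CONTOSO, service account svc-director,
# load-balanced FQDN director.contoso.com, Director installed as application
# "/Director" under "Default Web Site", application pool "Director".
#Requires -RunAsAdministrator
Import-Module ActiveDirectory     # RSAT, for the AD steps
Import-Module WebAdministration   # IIS: drive and *-WebConfigurationProperty

$Domain      = 'CONTOSO'
$SvcAccount  = 'svc-director'
$LbFqdn      = 'director.contoso.com'
$SiteName    = 'Default Web Site'
$DirectorApp = 'Director'
$AppPoolName = 'Director'
$SvcPassword = Read-Host -Prompt "Password for $Domain\$SvcAccount" -AsSecureString

# Step 1: dedicated service account that will run the Director application pool.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
        -AccountPassword $SvcPassword -Enabled $true `
        -Description 'Citrix Director application pool identity'
}

# Step 2: "Trust this user for delegation to any service (Kerberos only)".
# This sets TRUSTED_FOR_DELEGATION on the account (unconstrained Kerberos delegation).
Set-ADAccountControl -Identity $SvcAccount -TrustedForDelegation $true

# Step 3: HTTP SPN for the load-balanced name, on the service account (not the servers).
# setspn -S checks the forest for a duplicate before adding; a duplicate SPN is the
# classic reason Kerberos silently falls back to the forms/basic prompt.
setspn -S "http/$LbFqdn" "$Domain\$SvcAccount"
if ($LASTEXITCODE -ne 0) { throw "setspn failed; run 'setspn -X' to locate a duplicate SPN" }

# Step 4: on the Director application, anonymous off and Windows Authentication on.
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location $DirectorApp `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location $DirectorApp `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Step 5: run the Director application pool as the service account.
$plainPwd = [System.Net.NetworkCredential]::new('', $SvcPassword).Password
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.userName -Value "$Domain\$SvcAccount"
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.password -Value $plainPwd

# Step 6: at the Default Web Site level, decrypt service tickets with the app pool
# identity's key instead of the machine account's (kernel mode would use the machine key).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "$authBase/windowsAuthentication" -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "$authBase/windowsAuthentication" -Name useKernelMode -Value $false

Restart-WebAppPool -Name $AppPoolName

# Verification: the SPN must be on the service account and on exactly one object,
# and the effective settings for the Director application must match the steps above.
function Test-DirectorKerberosConfig {
    $spns = (Get-ADUser -Identity $SvcAccount -Properties servicePrincipalName).servicePrincipalName
    # setspn -Q prints one "CN=..." line per object holding the SPN
    $holders = setspn -Q "http/$LbFqdn" | Select-String -Pattern '^CN=' | Measure-Object
    $win  = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Location $DirectorApp `
                -Filter "$authBase/windowsAuthentication"
    $pool = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
    [pscustomobject]@{
        SpnOnServiceAccount   = $spns -contains "http/$LbFqdn"   # expect True
        SpnHolderCount        = $holders.Count                   # expect 1
        WindowsAuthEnabled    = [bool]$win.enabled               # expect True
        UseAppPoolCredentials = [bool]$win.useAppPoolCredentials # expect True
        UseKernelMode         = [bool]$win.useKernelMode         # expect False
        AppPoolIdentity       = $pool.userName                   # expect CONTOSO\svc-director
    }
}
Test-DirectorKerberosConfig
```

Run the same script on every Director server behind the load balancer: steps 1 to 3 are idempotent and only need to succeed once in the domain, while steps 4 to 6 are per-server IIS settings and must match on each node. The delegation in step 2 is unconstrained, as in the thread; where your Director version supports it, constraining the account to only the DDC services it actually needs is the least-privilege form of the same setting.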



Matt Sliva Members
  • #10

Matt Sliva
  • 99 posts

Posted 05 January 2016 - 09:13 PM

> Here is the working configuration for me, in a load balanced environment. :)
>
> 1) Create an AD account that will be used as the ApplicationPoolIdentity.
>
> 2) Trust the user account for delegation to any service (Kerberos only). (Trusting the Director servers for delegation is not necessary in this case.)
>
> 3) Create the SPN:
>
> setspn -S http/loadbalanced_URL domain\user
>
> 4) In IIS Manager, on the Director site, disable Anonymous Authentication and enable Windows Authentication (this step is described in the Citrix doc).
>
> 5) In IIS Manager, on the Application Pools (Director), specify the user created in step 1 as the ApplicationPoolIdentity.
>
> 6) In IIS Manager, select Default Web Site and open the Configuration Editor.
>
> Navigate to the following section: system.webServer/security/authentication/windowsAuthentication
>
> Set useAppPoolCredentials = True and useKernelMode = False
>
> Hope this helps!

 

Wow! Thanks Bertil. This looks promising but ultimately didn't work for me.

 

For example, is http/loadbalanced_URL something like http/director.company.com?

 

 

Edit: I spoke too soon. I let it sit for a while and walked away. It now works. This site helped to provide me more information as Kerberos authentication with IIS is a bit foreign to me.



Christoph Wegener Members
  • #11

Christoph Wegener
  • 3,266 posts

Posted 06 January 2016 - 01:25 PM

Glad it worked for you.



Christoph Wegener Members
  • #12

Christoph Wegener
  • 3,266 posts

Posted 06 January 2016 - 01:27 PM

 

> If Director is load balanced, I guess you have to configure the Director AppPool to use a specific account, and set the SPN on that account instead of the Director server.

 

It should be possible to "cheat" and add the http/ spn to the computer objects of both IIS servers ... but the recommended way is a service account for the app pool, just as you implemented.



Tracy Winchester Members
  • #13

Tracy Winchester
  • 8 posts

Posted 17 February 2016 - 08:25 PM

I'm not using load balancing but am having trouble accessing Director 7.7 with Windows Authentication.

When it is enabled, and I access the URL from another server, it will auto log me in, but I get "Cannot Retrieve the Data" (see attachment). If I turn off Windows Authentication and log in with credentials, everything works fine.



gpearso324 Members
  • #14

Geoff Pearson
  • 14 posts

Posted 04 May 2016 - 02:24 PM

I hate to bring up an old topic, but I'm having trouble getting SSO working with load balancing and I'm wondering if it's due to our setup. We have Director installed on our StoreFront servers, so we use director.domain.com/Director as our load balanced URL. I've tried setting both that and just director.domain.com as the SPN, but neither is working.

 

When I hit the URL it doesn't login and instead displays an "Authentication Required" login window in Chrome that will not accept my username and password no matter how I enter it.

 

I followed Bertil's instructions above, with the only deviation being that I did not set useAppPoolCredentials at the Default Web Site level due to our StoreFront being there, and instead did it on the Director sub-site. Could that be causing the issue?



Andrew Sommerer Members
  • #15

Andrew Sommerer
  • 54 posts

Posted 22 September 2016 - 08:17 PM

Just a heads up: if after following these steps you are still having issues, you might try uninstalling and reinstalling Director. I just spent some time with support working on SSO not working in my environment with Director. I originally started with Director 7.6 and upgraded to 7.9; somewhere in there a problem occurred, and the easiest fix was to uninstall and re-install Director. After you reinstall, make sure your AppPool is still set up correctly.