Jump to content
Welcome to our new Citrix community!
  • 0

ICA doesn't authenticate on kerberos/ntlm proxy


Question

Hello,

 

We have installed Xendesktop 7.9, with the Storefront in HTTPS. The plateform is behind a Netscaler 11. On a network without proxy, we can connect to our VDI in HTML5 through the browser or in ICA through the software Receiver (4.7.0.13011).

 

But on network with a proxy (get with a .pac file or configure directly with it address) kerberos/ntlm on an Active Directory account, we can't access to our VDI:

  • The receiver connect to the store-front
  • We see our VDI
  • When we try to open a VDI we have this error in the desktop viewer: "The connection to "VDI" failed with status (Unknown client error)."

In the Squid proxy, we see many request to the netscaler without authentication credentials, that is why ICA connection can't achieve. But the receiver connects itself correctly to the store-front through the proxy, it is only when we run the ica connection that it fails. Even with the "ProxyType=Auto" it fails.

 

There is no log in the event viewer. I have compared the Receiver_.log, SelfService.txt between a successful connection without proxy and a failed connection with a proxy and I didn't find difference.

 

Xendesktop: 7.9

Storefront: HTTPS

Netscaler: 11

OS client: Windows 10 64bits

Receiver: 4.7.0.13011

Proxy: Squid

Authentication type: kerberos and ntlm

default.ica: with or without ProxyType=Auto, it fails

 

this is my default.ica:

[WFClient]
Version=2
RemoveICAFile=yes
ProxyTimeout=30000
ProxyFavorIEConnectionSetting=Yes
ProxyUseFQDN=Off

[ApplicationServers]
Application=

[Application]
TransportDriver=TCP/IP
DoNotUseDefaultCSL=On
BrowserProtocol=HTTPonTCP
LocHttpBrowserAddress=!
WinStationDriver=ICA 3.0
ProxyTimeout=30000
AutologonAllowed=ON

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

 

 

Have you got any idea on what is going wrong in my configuration ? Is there some specific options to add to the default.ica file or anything else ? Thank you for your help.

Link to comment

4 answers to this question

Recommended Posts

  • 0

Hello,

 

We stille have the trouble. Currently, all work find when we don't have proxy with authentication.

 

But from a network with a proxy with a Kerberos authentication, our Receiver software connect to the StoreFront and show all the Desktop which are available, but when we run a connection on VDI desktop, the connection failed:

The "desktop Viewer" send a request to our Netscaler gateway, through the proxy, but it doesn't use Kerberos authentication so the proxy drop the packet.

 

On Wireshark I see the receiver which well authenticate all it requests on the proxy but this is not the case of the Desktop Viewer.

I add many proxy options in the file.ica, in the two sections [WFClient] and [VDI-Desktop-Session], but Desktop viewer still not authenticate on the proxy:

ProxyType=Auto
ProxyUseFQDN=On
ProxyAuthenticationKerberos=True
ProxyAuthenticationNTLM=True

 

Or other Kerberos options:

SSPIEnabled=On
EnableSSOThruICAFile=True
SSOnUserSetting=On

 

This my last ICA file for test:

[Encoding]
InputEncoding=UTF8

[WFClient]
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
ProxyAuthenticationKerberos=True
ProxyAuthenticationNTLM=True
SSPIEnabled=On
EnableSSOThruICAFile=True
SSOnUserSetting=On
RemoveICAFile=yes
TransportReconnectEnabled=Off
Version=2
VirtualCOMPortEmulation=On
ClientSessionID=0

[ApplicationServers]
XXXXXXXXXXXX=

[XXXXXXXXXXXXX]
Address=XXXXXXXXXXXXXXXXXXXXX
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPSecurityTicket=On
ClearPassword=XXXXXXXXXXXX
ClientAudio=On
ConnectionBar=1
DesiredColor=8
DesiredHRES=XXXXXXXXXX
DesiredVRES=XXXXXXXXX
Domain=XXXXXXXXXXXXXX
DoNotUseDefaultCSL=On
FontSmoothingType=0
HTTPBrowserAddress=!
InitialProgram=XXXXXXXXXXXXXXXXX
Launcher=WI
LaunchReference=XXXXXXXXXXXXXXX
LocHttpBrowserAddress=!
LogonTicket=XXXXXXXXXXXXXXXX
LogonTicketType=CTXS1
LongCommandLine=
LPWD=125
NRWD=78
ProxyTimeout=30000
ProxyType=Auto
ProxyAuthenticationKerberos=True
ProxyAuthenticationNTLM=True
SSPIEnabled=On
EnableSSOThruICAFile=True
SSOnUserSetting=On
SecureChannelProtocol=Detect
SessionsharingKey=XXXXXXXXXXXXXXXXXXXXX
SFRAllowed=Off
SSLCiphers=all
SSLEnable=On
SSLProxyHost=XXXXXXXXXXXXXXX
startSCD=XXXXXXXXXXXXXX
Title=XXXXXXXXXXXX
TransportDriver=TCP/IP
TRWD=0
TWIMode=Off
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

 

 

Have you any ideas ?

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...