User logs into SF3.7 gets another users apps showing in portal

[Brad Langford]

Citrix XenApp farm 7.6, StoreFront 3.7

 

"Bob" 1st authenticates using SmartCard via a Cisco ASA Firewall which then brings up the Citrix 3.7 StoreFront.  "Bob" logs in there with domain credentials.  Once "Bob" gets the app page he notices that an app or two is missing, but he goes ahead and launches our RDP published app.  it connects to a desktop which he then notices that it's someone else's desktop PC and she is logged in and working in it.  

 

"Bob" then logs off the session and relaunches the same RDP app and gets the same lady's desktop and seems to be able to have control in the session.

 

He then logs completely out of the session and SF, goes for a coffee and logs back in the same way he had before and sees all his published apps and connects to his own PC via the published RDP app and all is well.  He's not had the problem before or since then (3 days ago).

 

When I look at director I see "Bob"s end client (home PC) machine name with the lady's name as the user at the time when "Bob" had actually logged in.  I also see the lady had already been logged in for about an hour or so before "Bob" had logged on.

 

Neither user is in the remote access for the other persons PC, We do not see "Bob"s profile folder on the lady's pc, so he was logged in as her, viewing her session.

 

"Bob" was the one who reported the issue (to our VP no less), so I don't suspect foul play here.

 

We see "Bob"s user ID log in at like 8:00:32 in the network logs and then at 8:00:33 we see the lady's credentials where "Bob" was.

 

  It's like when "Bob" logged into StoreFront, A.D. or kerberos changed his log in to the lady's that granted him access to all her apps.

 

  Citrix support says they've never seen this and this had to be user error (which makes no sense how that could happen).

 

  I see where in old forum posts and such that in 6.0 or 6.5 sessions could be "stolen" but I'm not seeing anything similar for 7.6

 

  I can go in to the local server group policies on each of the hosting servers and set RDP to only allow one session instance per user, but I'm not sure that will fix this issue.  We've never seen it before (or at least no one's reported it before) and I've been working the Citrix team for 12 yrs now for our company and have never seen nor heard of this issue.

 

  We've not been able to replicate the issue.

 

This could potentially cause us to stop using Citrix (ironically our renewal is VERY close) especially since Citrix didn't seem really interested in fixing the issue (I spoke with two different support reps on two different occasions today about this).

 

 

[Carl Behrent]

We had this same issue a while back with Storefront v1.2 and never got to the bottom of it, it was very weird.

[Brad Langford]

@Carl Behrent -

1)  So did you see this issue repetitively? 

 

2)  What are you guys using in front of your StoreFront server?  NetScaler?

 

3)  what "solution" did you guys come up with?  Unfortunately I have to come up with some sort of an answer.

 

 

  What I"m doing now is going thru local group policy on each of my RDP app host servers and setting the Remote Desktop session to "allow only one instance.." and also setting the ability to Remote control an RDP session to "no remote control allowed".

 

  I'm hoping this will stop something like this as it's totally weird and a bit scary.

 

  Our servers all have the latest MS patches.  I have a XenApp 7.15 LTSR farm waiting to be tested and released, but I'm not sure that is the answer.

[Brad Langford]

I've reached out to my sales people to have it escalated.  Hopefully I'll find someone who can give me more info on this. 

[Brad Langford]

Have spoken with Citrix support. They are looking into the issue, no hint of resolution for this at this time. 

 

  Hoping @Carl Behrent can reply and answer questions at some point.

[Nathan Joseph1709156207]

Do you have NetScaler in front of StoreFront? I've seen similar behavior seeing the wrong apps and username when Integrated Caching was enabled and configured incorrectly. Try disabling IC if you have it enabled.

[Brad Langford]

@Nathan Joseph - Instead of a NetScaler, at this time we have a Cisco ASA firewall.  Once the user logs in with their SmartCard there, they are presented with the StoreFront 3.7 server (in Classic Mode) and log in with their domain credentials manually.

 

  Citrix told me it's an IIS issue and to call Microsoft.  I called Microsoft and was told by them it's a Citrix issue.  Imagine that.  So now I have to get them both on the phone so they can work it out.  Stay tuned.

[Ed Zimny]

Hi Brad, please direct message me your case # and the support engineer contact you have been communicating with.

[Brad Langford]

Citrix showed up for conf. call with Microsoft to hash out where the issue lies, Microsoft failed to show up and then sent a response 35 min later saying he was trying to find a stand in for him, call was over by then.

 

Rescheduling call maybe both will be there this time.

[Brad Langford]

Rescheduling again due to Citrix can't show up and hasn't appointed someone else to help out.  Hundreds of thousands of dollars a yr well spent on Citrix corp.  

 

  Will keep you posted when I have more info.

[Deepanshu Soni]

Hello Brad,

Please let me know the ticket number which you have with Citrix, I will reach out to the specific team so that we can fix the issue and there can be no delays from our side.

Regards,
Deepanshu
Citrix Technical Support

[Brad Langford]

sorry for the VERY late response to this.  Microsoft took ownership of this issue and due to a failure on our one of our teams fault, the logs rolled over the necessary info and could be recouped.  However we've not seen or heard about this issue again at this time.

[Mark Palangio1709159263]

Hi all, I'm wondering if this was ever resolved?  I have a customer with exactly the same issue as Brad.  It is very intermittent, but we have a trace files that show one use being delivered the other users StoreFront Page and it definitely shows the wrong credentials. 

 

That you.