Geeks With Blogs


Head Explodes Too much information

I spent a lot of time trying to figure out how to get pass-through authentication on Citrix to work so that my users could just go to the web-interface, automatically login and see their applications and be able to run the apps without having a login appear at the server.  I finally got it to work.

Seems like all over the web the posts and comments said that pass-through wouldn't work without the full program neighborhood client, but in my case it appears to be working with only the web client... and I've done this on more than one computer here.  If you download the client install from citrix.com and install it, you are given the option to install the web client, program neighborhood and program neighborhood agent.  I have only been installing the web client.

First of all, I set the authentication method on the web-interface to pass-through.  This allowed people to go to the URL and auto-login to see their apps.  This part was easy, but the problem was that even though this worked, users were still presented with a login box when they ran an app.  The login came from the server with the application itself, which made sense.  So this means that the ICA client needs to know to go ahead and pass credentials onward.  There is a key file that has to be modified to do this. 

Look for APPSRV.ini in this location:
C:\Documents and Settings\USERNAME\Application Data\ICAClient

Open that file and add the following lines under [WFClient]:
EnableSSOnThruICAFile=On
SSOnUserSetting=On

Now you should be able to go to your Citrix web interface URL, be automatically logged in, see your apps, and click an app; the ICA file is opened by the client and your credentials are passed on to the server.  This works like a charm and is going to make our Citrix deployment much nicer.

In a little more than a week I will be off to Citrix Administrator training for a week!

Posted on Friday, December 9, 2005 11:23 AM Citrix
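
The edit described in the post can be scripted. The following Python sketch is an added example, not part of the original post or of any Citrix tooling: it reports which section the two settings sit in and rewrites the file text so they sit directly under [WFClient], because lines appended to the end of an INI file belong to whichever section comes last. The sample content is constructed, and matching section and key names case-insensitively is an assumption.

```python
import re

# The two settings come from the post; everything else here is illustrative.
SSO_KEYS = {"EnableSSOnThruICAFile": "On", "SSOnUserSetting": "On"}
TARGET = "WFClient"
HEADER = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def _key(line):
    """Return the canonical SSO key a 'name=value' line sets, else None."""
    name, sep, _ = line.partition("=")
    if not sep:
        return None
    return next((k for k in SSO_KEYS if k.lower() == name.strip().lower()), None)

def locate(text):
    """Map each SSO key present to the list of sections it appears in."""
    found, section = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            section = m.group(1)
        elif _key(line):
            found.setdefault(_key(line), []).append(section)
    return found

def enable_sso(text):
    """Set both keys directly under [WFClient], removing stray copies elsewhere."""
    wanted = [f"{k}={v}" for k, v in SSO_KEYS.items()]
    out, placed = [], False
    for line in text.splitlines():
        if _key(line):
            continue                      # drop old or misplaced copies
        out.append(line)
        m = HEADER.match(line)
        if m and m.group(1).lower() == TARGET.lower() and not placed:
            out += wanted
            placed = True
    if not placed:                        # file had no [WFClient] section at all
        out += [f"[{TARGET}]"] + wanted
    return "\r\n".join(out) + "\r\n"

# Constructed sample, not a real APPSRV.INI.
SAMPLE = "[WFClient]\r\nVersion=2\r\n\r\n[ApplicationServers]\r\nNotepad=\r\n"
# The same file after the two lines were appended to its end.
APPENDED = SAMPLE + "EnableSSOnThruICAFile=On\r\nSSOnUserSetting=On\r\n"
```

Running `locate()` over the copies of APPSRV.ini on a machine also gives a quick inventory of where credential pass-through has been switched on.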


Comments on this post: Citrix MPS 4.0 Pass-through authentication with only the ICA web client

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
IT WORKS! I've spent around 10 hours racking my brain on this one. I created the below script and published it via group policies. It adds the lines needed for SSon to the appsrv.ini file. The user is required to open up the Citrix website at least once so that the appsrv.ini file is generated.


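REM ** IF APPSRV.OLD EXISTS, THE SETTINGS HAVE ALREADY BEEN **
REM ** APPENDED TO APPSRV.INI, SO THERE IS NOTHING TO DO.   **
if exist "%APPDATA%\icaclient\APPSRV.OLD" goto end
REM ** THE CLIENT CREATES APPSRV.INI ON FIRST USE; SKIP UNTIL IT EXISTS **
if not exist "%APPDATA%\icaclient\APPSRV.INI" goto end

REM ** APPENDS THE SSO SETTINGS TO THE END OF APPSRV.INI, SO THEY FALL **
REM ** UNDER WHICHEVER SECTION IS LAST IN THE FILE. REDIRECTION COMES  **
REM ** FIRST SO NO TRAILING SPACE IS WRITTEN AFTER "On".               **
>>"%APPDATA%\icaclient\APPSRV.INI" echo EnableSSOnThruICAFile=On
>>"%APPDATA%\icaclient\APPSRV.INI" echo SSOnUserSetting=On
REM ** APPSRV.OLD IS A COPY OF THE MODIFIED FILE AND MARKS IT AS DONE **
copy "%APPDATA%\icaclient\APPSRV.INI" "%APPDATA%\icaclient\APPSRV.OLD"
:end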
Left by Arnaldo Cabral on Dec 20, 2005 12:02 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I am looking for a solution for this same situation except that all my Citrix servers have the Novell client 4.9 installed, and it fails there. I even changed the
SSOnCredentialType=NDS and it still didn't work. The contextless logon is looking for a tab response after the username is inputted.
The pass-through cannot do the tab response. Any ideas?
Left by Eddie Paredes on Dec 22, 2005 4:29 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
With Web Interface 4.2 the passthru works for only one Farm's application set. Anyone try more than one Farm with Passthru??

ScottC
Left by ScottC on Feb 14, 2006 2:27 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
The appsrv.ini on the client worked. If these settings are put into the ICA file on the server, the client gets it automatically downloaded. I have had to delete the "%APPDATA%\icaclient" directory in order to get the server copy. Best done from source as you then capture all new users.

Thanks for the fix, it's saved trawling through loads of Citrix support suggestions, and none worked anyway as they just said change server copy, not telling you about client copy.
Left by David Creighton on Feb 15, 2006 4:05 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I have tried the solution and it works for published applications that the User connection type is Anonymous.

For published applications with Explicit User connection type, users auto-login to see their apps but they're still presented with a login box when they run an app. I am using Win 2003 term server.

Does it mean it works only with Anonymous logins?
Left by Webit on Jul 17, 2006 1:51 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
This definitely appears to only work with anonymous logins.

This fix hasn't resolved this issue for me.
Left by Spagman on Dec 07, 2006 9:58 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
Does anyone know, is there a way to for sure make this work? I have been fighting this issue for the better part of the last month. I have attempted to install different versions of clients and different versions of WI, but to no avail. I have heard that in WI 4.5 you can make this work, but I have not tried with that version yet. Has anyone else tried with WI 4.5?
Left by Rich on Jan 02, 2007 10:20 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
Thanks for the info. If you want the web client pass-through to work for all clients, add the

EnableSSOnThruICAFile=On
SSOnUserSetting=On

Under the [WFClient]: section in the default.ica in the conf file on the web interface server.

That worked for me.
Ryan
Left by Ryan on Feb 13, 2007 12:54 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I have been trying to setup the pass-through functionality using the citrix program neighborhood agent - this all works fine using PS4.0 - web interface 4 running on W2003 32bit boxes. But if I move the citrix program neighborhood agent installation onto our x64 bit Windows 2003 PS4 servers the only option I get is to prompt the client for credentials - no option for pass-through as there was on the 32bit servers - even tried modifying the appsrv.ini file with no success. Any ideas or anyone else with similar problems? Client tested 9.23.
Thanks
Warren Estermann
Left by Warren Estermann on Feb 19, 2007 7:50 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I have managed to find a solution to this issue - it seems like the version of PS4 used to build our environment has a client that does not seem X64bit compliant on the pass-through functionality - if I do add/remove programs - modify the original install to add the Program Neighborhood Agent - then install client 9.23 which detects an already installed client and upgrades it - this still has Pass-through disabled. Run the 9.23 client setup again for a second time to do a modify - this time it will ask to enable pass-through authentication. Can confirm this now works on X64bit servers.

Warren Estermann
Left by Warren Estermann on Feb 19, 2007 10:00 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
Anyone know if this works with the Java Client? I've tried setting the values in default.ica on the WI server and also in Appsrv.ini on the PS4 server but still getting prompted - any ideas?
Left by Nik on Feb 26, 2007 6:37 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I have PassThru working on WI; however, when I select Use Kerberos to connect to servers I then get the log-on screen from the server.

Any ideas?
Left by Paul Johnson on Mar 26, 2007 4:59 AM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
For ICA Client 10:

http://support.citrix.com/article/CTX113004
Left by Dwayne Soare on Oct 30, 2007 3:09 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I need the equivalent of this solution for Citrix pres server v4 on unix/solaris. I have solaris compiled binaries to dole out via Citrix. Have the web services working on the sun server, but am presented with login for Citrix web interface authentication. Is there a default password for this? If I use set login/pw with the webserver, still doesn't authenticate.
Left by Cal on Nov 25, 2007 10:43 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I'm still having a problem with passThru. Any idea? I'm running 2003 Server with WI 4.6. I still get the log-on screen from the server. I tried the ICA client 10 fix and APPSRV.ini, still not working. Does anyone have any idea???
Left by Kevin on Jan 30, 2008 1:58 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I made the following changes and it worked for me with the ICA web client. Thanks Ryan

Under the [WFClient]: section in the default.ica in the conf file on the web interface server.

EnableSSOnThruICAFile=On
SSOnUserSetting=On
Left by grt8guy on Aug 06, 2008 3:29 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
I've done this, with limited success. The web client did not work for me for widespread installation of web ICA clients. It only worked on systems that had previously had the full PN client, which was removed for the installation of the web client. If I have a system that has had no ICA client, and I install the ICA web client, it did not work. It was weird...
Left by Matt on Feb 24, 2009 3:02 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
When I made these changes, it started working for me with the XenApp12 client. The only issue is that my Active Directory user account gets locked out after it launches the first app successfully.
Left by Dan on Dec 17, 2010 3:02 PM

# re: Citrix MPS 4.0 Pass-through authentication with only the ICA web client
Okay, I added EnableSSOnThruICAFile=On , SSOnUserSetting=On to the [WFClient] section of all the Appsrv.ini's I could find on the client machine PLUS the wfclient.ini in the ICAClient install dir.
Additionally, I have IntelPROWireless which inserts itself in the sign-on for windows(so you can authenticate a wifi connection prior to windows auth) so had to revert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
GinaDLL : msgina.DLL
AND
In network connections, choose advanced, advanced settings, Network Providers (tab) and move Citrix Single Sign On to the top.

Left by MacOverAll on Mar 02, 2012 3:59 PM



Copyright © Solid | Powered by: GeeksWithBlogs.net