Enabling Pass through Authentication in Citrix

You can pass user credentials to Web servers on the secured network configured for Basic, Digest, or Integrated Windows Authentication. This feature avoids requiring users to enter their credentials multiple times to access Web resources. For example, if a team Web site in your organization is configured for Digest Authentication, you can pass the credentials with which users log on to the Access Gateway to that site. If you do not enable the URL address to support Digest Authentication, users might be required to log on to the Web site.

Note that the authentication required for a Web site is determined by the settings of the site’s host Web server.
When configuring a Web resource, you can enable its URL addresses to use one of the following methods of pass-through authentication:

Basic authentication: Credentials are passed to the Web site in plain text.

Important: Because credentials are passed in plain text, consider using SSL for Web sites that use Basic pass-through authentication.

Digest authentication: Hashed credentials are passed to the Web site using Digest Authentication.

Integrated Windows authentication: Hashed credentials are passed to the Web site using Integrated Authentication. NTLM or Kerberos authentication is used, depending on your Web server configuration.

Caution: When using any of the three pass-through authentication methods, the target Web application is first presented with the credentials with which the user logged on to the Access Gateway. Accessing Web sites that require a second, differing set of credentials through Access Gateway can result in the caching of the second set of credentials.

To specify pass-through authentication for a Web site

1. Click Start > All Programs > Citrix > Management Consoles > Access Management Console
2. In the console tree, select the Web resource and under Common Tasks, click Edit Web resource.
3. On the URL Addresses page, select the Web site’s URL and click Edit.
4. In the Authentication types supported area, select the authentication method being used by the Web site.

Disabling passthrough authentication on Citrix PNagent

Occasionally as an administrator, you want to be able to log onto via our Citrix PNAgent with different credentials for testing. Depending on your farm setup, pass-through authentication is most likely enabled, and hence your client will be the same. To disable this on your workstation.

1. Open the registry and browse to: HKLM\System\CurrentControlSet\Control\NetworkProvider\HwOrder
2. Open ProviderOrder string, delete the entry PnSson
3. Now browse to HKLM\System\CurrentControlSet\Control\NetworkProvider\Order and delete the entry PnSson
4. Reboot

Read More

The license list is incomplete. An error occurred while getting the information. Error Code: 2c1/800a001a

Symptoms

The license list is incomplete. An error occurred while getting the information. Error Code: 2c1/800a001a.

Possible Causes

1. The server name was changed.
2. The IP address was changed.
3. The server in question could possibly see the data store and some of the ZDC’s, but not all of them.
4. The server in question must be able to talk to all ZDC’s in the farm.
5. Make sure all the ZDC’s and the data store server can resolve the DNS name of the server with the problem.
6. The license information in the datastore is corrupted.
7. A license has been recently been added and the Refresh of the Management Console has happened prior to the completion of the license addition. Wait a short time and Retry the license query.



Action/Resolution
1. Recreate the local host cache (LHC).
2. Use CTX107800 – DSCHECK Version 5.15 to fix any possible datastore corruption.
3. Run queryhrto see if there is corrupt information. If there is a corrupted entry, locate the corrupt Host ID and make a note of the number. Run queryhr –d <Host ID number> and press Enter.
4. Ping the server in question by IP address.
5. Ping the server in question by name. If the name does not resolve and the ping is unsuccessful, it is a DNS issue.
6. Ensure there are no relevant hotfixes that may address license issues. This is not necessarily a complete list. CTX104982 – Readme - Service Pack 4 for MetaFrame XP 1.0

The IMA Service failed to start because of license group corruption in the data store.

Note: This fix prevents corruption in the data store but it does not correct any corruption that may already exist. You need to check for corruptions present in the data store and correct them using the appropriate tools.

Read More

How to securely redirect to Web Interface in Citrix

As default Web Interface should be used with SSL encryption (HTTPS) enabled, since users are sending credentials overt the wire. This is even more important when using WI internally because researches showed that most attacks are coming from inside.
Difficult part is that users are not very familiar with typing httpS...

1. After the Server certificate was applied to IIS, SSL should be disabled
   IIS Manager | Default Web Site | Directory Security | Edit secure communications | Disable SSL
   
   
2. Next is to enable SSL ONLY for Web Interface and every other site/folder you like.
   IIS Manager | Default Web Site | Citrix | MetaFrame | Directory Security | Edit secure communications | Enable SSL
   
   
3. Redirect user to Web Interface via secure channel
   When Web Interface 3.0/4.x was set as default Web Site, then the file webinterface.htm is placed in the IIS root (default %RootDrive%\Inetpub\wwwroot). Now the following line needs to be changed:
   
   window.location="Citrix/MetaFrame/";
   
   to
   
   window.location="httpS://FQDN_WI_SERVER/Citrix/MetaFrame/";

This way user can connect to FQDN_WI_SERVER using port 80 (HTTP) but they will be redirected to WI using HTTPS. Direct connection to http://FQDN_WI_SERVER/Citrix/MetaFrame/ will fail, since SSL is required. If direct connect should also supported, then a bit more scripting is required.

Read More

Nondisruptive upgrade of VMFS-3 to VMFS-5

In vSphere 5 the VMFS filesystem has been updated to version 5 (currently 5.54). In vSphere 4.1 update 1 the VMFS version was 3.46.

In earlier versions of ESX, live upgrades of VMFS, or in-place upgrades, haven't been an option so to upgrade VMFS, basically a new LUNs had to be created and then VMs could be migrated to these new LUNs.

With vSphere 5, VMFS can be upgraded nondisruptively. This is done for each LUN by going to:

Datastore and Datastore Clusters -> Configuration -> Upgrade to VMFS-5.

It is a prerequisite that all connected hosts are running vSphere 5. The upgrade itself takes less than a minute (at least in a small test environment).

In VMFS 5, there is only one block size which is 1 MB. However, when upgrading from v3 to v5, the block size remains what it was before (see the last screendump). In the example below, the 8 MB block size is retained.

The new maximum LUN size is 64 TB - but a single .vmdk file can still not exceed 2 TB minus 512 bytes. The only way to have larger .vmdk's than 2 TB is to create an RDM and mount it as a physical device (as opposed to virtual).

Read More

How to force the Application details description in Citrix

Edit applist.cs in site/serverscripts

-- find --
viewControl.setShowAppDetails( !java.lang.Boolean.FALSE.Equals( userPrefs.getShowDetails() ) );

-- change to --
viewControl.setShowAppDetails( true );

Read More

How to enable "Show current folder location" for all users and always in Citrix

As a default Web Interface doesn't show the current folder location and the user has to set it by him self. To force the setting for all users, again two things need to be changed

1. Show folder as default
   
   Edit applist.cs in site/serverscripts
   
   -- find --
   toolbarControl.setShowCurrentFolder( !java.lang.Boolean.FALSE.Equals( userPrefs.getShowFolder() ) && (currentFolder != null) );
   
   -- change to --
   toolbarControl.setShowCurrentFolder( currentFolder != null );
2. Remove or Disable option from the presentation settings
   
   Edit presentationSettings.inc in site/include
   
   -- find --
   value="<%=VAL_ON%>" <%=viewControl.getShowFolderCheckedStr()%>>
   
   -- change to --
   value="<%=VAL_ON%>" <%=viewControl.getShowFolderCheckedStr()%> checked disabled>
   
    
   
   To remove the option from the presentation settings
   
   Edit presentationSettings.cs in site/serverscripts
   
   -- find --
   bool bCustomizeFolderDisplayOption = true;
   
   -- change to --
   bool bCustomizeFolderDisplayOption = false;
   
    

Read More

How to Disable "Remember folder location" and start always in the root

Web Interface "remembers" (in a cookie) the folder location by default where users exit Web Interface and at the next login starts automatically in that folder. To overwrite the default of remembering folders and starting always in the root, two things need to be changed.

1. Start always in the root
   
   Edit applist.cs in site/serverscripts
   
   -- find --
   currentFolder = userPrefs.getCurrentFolder();
   
   -- change to --
   currentFolder = "";
2. Remove or Disable option from the presentation settings
   
   Edit presentationSettings.inc in site/include
   
   -- find --
   value="<%=VAL_ON%>" <%=viewControl.getRememberFolderCheckedStr()%>>
   
   -- change to --
   value="<%=VAL_ON%>" <%=viewControl.getRememberFolderCheckedStr()%>" disabled>
   
    
   
   To remove the option from the presentation settings
   
   Edit presentationSettings.cs in site/serverscripts
   
   -- find --
   bool bCustomizeRememberFolderOption = true;
   
   -- change to --
   bool bCustomizeRememberFolderOption = false;
   
    

Read More