Enabling single sign-on with true passthrough authentication in the Web Interface has always seemed tricky, and exact instructions are hard to find.
Typically an administrator would enable passthrough in the Web Interface settings. This lets a user bring up the Web Interface and see their applications, but on launch the user is presented with a Microsoft GINA-based credential prompt. The end result is that if they don't enter credentials into the Web Interface, they just have to enter them at the Windows prompt instead.
Here is the solution:
The steps vary with the client version, but here they are for the 12.x client:
- Add the Web Interface site to Internet Explorer's Trusted Sites (or Local Intranet) zone. The client only releases the local logon credentials to a site in one of those zones. Add the specific HTTPS URL of the site rather than a whole domain, because the zone also relaxes other browser protections for everything it covers.
- Add the SSOnRegUpx32 or x64 registry key (can be found here: http://support.citrix.com/article/CTX124871)
- Either globally or just on the client, add the ICACLIENT.ADM administrative template to Group Policy, then enable the "Local user name and password" setting. Here's a detailed explanation: http://support.citrix.com/article/CTX124871
- Configure passthrough authentication in the Web Interface site's authentication settings.
This worked for me and I hope it works for you too!
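The client-side part of the procedure above, as an added example that is not code from the original post or from Citrix. It writes the Trusted Sites entry using the documented ZoneMap registry layout, reads it back, and checks that the client's single sign-on helper process (ssonsvr.exe) is actually running, which is the usual reason the credential prompt keeps coming back. The Web Interface URL is an assumed placeholder; pass your own.

```powershell
# Added example, not code from the original post or from Citrix: put the Web
# Interface site into Internet Explorer's Trusted Sites zone via the documented
# ZoneMap registry layout, then check the client-side pieces passthrough needs.
# The default URL is an assumed placeholder; pass your own site.
param(
    [string]$WebInterfaceUrl = 'https://wi.example.local/Citrix/XenApp'
)

$uri = [Uri]$WebInterfaceUrl
if ($uri.Scheme -ne 'https') {
    # Passthrough releases the logged-on user's credentials to this site, so it
    # must not be reached over plain HTTP.
    throw "Refusing to trust a non-HTTPS Web Interface URL: $WebInterfaceUrl"
}

# Trusted Sites is zone 2. The mapping lives at
# HKCU\...\ZoneMap\Domains\<domain>\<host label> with a DWORD named after the
# scheme, so 'wi.example.local' becomes Domains\example.local\wi and matches
# only that host, not every host in example.local.
$labels = $uri.Host.Split('.')
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if ($labels.Count -gt 1) {
    $domain  = ($labels | Select-Object -Skip 1) -join '.'
    $zoneKey = "$base\$domain\$($labels[0])"
} else {
    $zoneKey = "$base\$($labels[0])"   # single-label (NetBIOS-style) host name
}
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name $uri.Scheme -Value 2 -PropertyType DWord -Force | Out-Null

# Read the value back rather than trusting the write.
$zone = (Get-ItemProperty -Path $zoneKey).($uri.Scheme)
if ($zone -ne 2) { throw "Zone mapping for $($uri.Host) was not applied" }
Write-Host "$($uri.Host) ($($uri.Scheme)) is now in Trusted Sites for the current user"

# ssonsvr.exe is the client's single sign-on helper; it holds the credentials
# captured at Windows logon. If it is not running, the credential prompt comes
# back no matter how the Web Interface site is configured.
$sson = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue
if ($sson) {
    Write-Host "ssonsvr.exe is running (PID $($sson.Id))"
} else {
    Write-Warning "ssonsvr.exe is not running: re-check the SSO registry key and the ICACLIENT.ADM 'Local user name and password' policy, then log off and back on"
}
```

The ZoneMap write under HKCU only covers the current user; to push the same entry to every client, use the Group Policy "Site to Zone Assignment List" setting instead. On servers with Internet Explorer Enhanced Security Configuration enabled, the zone mappings sit under EscDomains rather than Domains.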
Citrix has a huge number of utilities and support tools. So many that it’s hard to keep track. That was until I found this awesome list:
A lot of newer Citrix administrators probably think of Program Neighbourhood Agent (PNAgent) when I mention Program Neighbourhood (PN). They are not the same thing. Program Neighbourhood was the original Citrix Presentation Server and MetaFrame (now XenApp) client. It was a manually configured client that relied on the administrator to point it at a farm for enumerating applications. Compare this to PNAgent, which talks to a web-based Citrix XenApp Services site for easier centralized configuration.
One may ask why we still care about the Program Neighbourhood client. The reason is that it is really useful when troubleshooting. Because it is manually configured, it can test whether an issue lies with the Web Interface or with something more troublesome in the XenApp farm itself. It also allows a more varied way of testing, giving the administrator quick and direct control.
So with Program Neighbourhood gone I often found my troubleshooting a bit more complicated. That was until I found out about the Citrix Quick Launch tool. It allows an administrator (or user) to access applications quickly and directly, bypassing any dependency on a Web Interface or PNAgent site.
Hope it helps you too! Here is the link to the tool:
Citrix Quick Launch Tool – CTX122536
I recently had a project that required an element of high security, causing many of the Citrix XenApp servers to be isolated behind firewalls and from each other, yet still needing full functionality. I found this article, which listed the following port requirements, very handy!
Original Citrix Article
- Application Performance Monitoring (powered by Citrix EdgeSight)
  - EdgeSight Agent to EdgeSight Server – TCP 80/443 (payload and alerts)
  - EdgeSight Web console (non-IMA) to RSCorSvc on EdgeSight Agent – TCP 9035
  - EdgeSight Agent internal communication – TCP 9036 (client-side database). NOTE: after EdgeSight 4.5 this was replaced with IPC
  - EdgeSight database – SQL 1433 (configurable)
- Client-side Application Virtualization
  - Streaming Client to Application Hub (file server/share) – SMB 445
- EasyCall
  - To client – HTTP(S) TCP 8443 (PSync)
  - To admin console (non-IMA) – TCP 443
  - To LDAP directory – TCP 389
  - To PBX – port varies by vendor
- Independent Management Architecture (IMA) Services – TCP 2512, 2513
- Licensing Service – TCP 27000, 27009 (configurable). NOTE: this has since changed; version 11.6.1 of the license server uses 27000 plus a configurable port for the vendor daemon (default 7279), and the licensing administration port is 8082
- Server-side Application Virtualization
  - Management Console (using IMA) – TCP 2512, 2513
  - Application requests – XML TCP 80, 8080 or 443 (configurable)
  - Access to applications virtualized on the server – ICA TCP 1494, 2598 (Session Reliability)
- Single Sign-on (powered by Citrix Password Manager)
  - Management Console (non-IMA) or Agent to Password Manager Service – TCP 443
  - Management Console (non-IMA), Agent or Service to credential store:
    - Network file share credential store – TCP/UDP 445 (CIFS) or TCP/UDP 135-139 (NetBIOS)
    - Active Directory credential store – TCP/UDP 389, 636; TCP 3268, 3269
    - Novell file share credential store – TCP/UDP 524
- SmartAccess (powered by Citrix Access Gateway)
  - Standard and Advanced Edition
    - Client connections – TCP SSL 443 (configurable)
    - Advanced Access Control (AAC) to appliance communication – TCP 80 or 443 (configurable), 9001, 9002, 9005
    - Management Console
      - to appliance (non-IMA) – 9001, 9002, 9005
      - to AAC – IMA TCP 2513
  - Enterprise Edition
    - To client – SSL TCP 443
    - To internal network – SSL TCP 443, native authentication port (e.g. RADIUS 1812, LDAP 389), native application ports (e.g. ICA 1494)
    - Management console (non-IMA) – SSH TCP 22, HTTP(S) TCP 80/443
- SmartAuditor
  - Management (non-IMA) – use the local console on the Agent or on the Server
  - Agent to Broker (recording and policy check) – TCP 80/443 (configurable)
  - Player to Broker – TCP 80/443 (configurable)
  - Agent to Server (metadata and video) – Microsoft Message Queuing
    - Default – TCP 1801; RPC 135, 2101*, 2103*, 2105*; UDP 3527, 1801 (*these port numbers may be incremented by 11 if the initial choice of RPC port is already in use when Message Queuing initializes; a connecting queue manager queries port 135 to discover the 2xxx ports)
    - Over SSL – TCP 80, 443
- WAN Optimizer (the guidance provided was to get it from the Admin Guide)
  - Appliance to appliance – pass-through native application port (e.g. ICA 1494, HTTP 80, LDAP 389)
  - Management Console (non-IMA) – TCP 80
  - Client to appliance – TCP 443
- Web Interface
  - Client connections – TCP 80/443 (configurable)
  - Server-to-server – XML TCP 80/8080, 443 (using SSL Relay)
  - Management console (partially IMA) – DCOM 135 (+ configurable high port range), IMA TCP 2513, TCP 80/443

One thing to keep in mind when choosing between the Web Interface server-to-server options: the XML service requests carry the user's credentials from the Web Interface to the farm, so on 80/8080 they cross the wire in the clear. When the Web Interface and the farm sit in different security zones, use 443 with SSL Relay (or otherwise protect that path, e.g. with IPsec) rather than simply opening port 80 through the firewall.
Another excellent article for working with firewalls and Citrix Communication is this article. It’s a little old but still very useful.
CTX109929 – Citrix Access Suite 4.2 Connections
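When the servers really are walled off from each other, the port matrix above is only useful once you can confirm what is actually reachable. The following is an added example, not code from either Citrix article or the original post: a small TCP reachability check of the core server-side XenApp ports listed above (ICA, IMA, XML service, licensing) with an explicit connect timeout, so silently dropped packets show up as "filtered" rather than hanging the script. The server names are assumed placeholders. It checks TCP only; the UDP entries in the matrix cannot be verified with a connect test.

```powershell
# Added example, not code from the Citrix articles or the original post: probe
# the server-side XenApp ports from the list above and report their state.
# Host names are assumed placeholders; replace them with your own servers.
$targets = @{
    'xa01.example.local' = @(   # a XenApp member server (placeholder)
        @{ Port = 1494;  Purpose = 'ICA' },
        @{ Port = 2598;  Purpose = 'ICA with Session Reliability' },
        @{ Port = 2512;  Purpose = 'IMA server-to-server' },
        @{ Port = 2513;  Purpose = 'IMA management console' },
        @{ Port = 80;    Purpose = 'XML service (clear text)' },
        @{ Port = 443;   Purpose = 'XML service via SSL Relay' }
    )
    'lic01.example.local' = @(  # license server 11.6.1 (placeholder)
        @{ Port = 27000; Purpose = 'License manager daemon' },
        @{ Port = 7279;  Purpose = 'Vendor daemon (default, configurable)' },
        @{ Port = 8082;  Purpose = 'License administration console' }
    )
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # A raw TcpClient with our own timeout: a firewall that drops the SYN would
    # otherwise leave the connect hanging for the OS default (tens of seconds).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered'        # no SYN/ACK and no RST within the timeout
        }
        $client.EndConnect($async)   # throws SocketException on an active refusal
        return 'open'
    } catch [System.Net.Sockets.SocketException] {
        return 'closed'              # RST received, or the name did not resolve
    } finally {
        $client.Close()
    }
}

foreach ($server in $targets.Keys) {
    foreach ($entry in $targets[$server]) {
        $state = Test-TcpPort -ComputerName $server -Port $entry.Port
        '{0,-22} {1,6}  {2,-9} {3}' -f $server, $entry.Port, $state, $entry.Purpose
    }
}
```

Run it twice: once from a host that is supposed to reach the farm (everything required should read "open") and once from a host that is not (anything "open" there is a hole in the firewall rules). An "open" on port 80 toward a XenApp server from anywhere other than the Web Interface is worth a second look for the reason given above.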
Just ran into this issue which has popped up from time to time.
Sometimes when trying to view user sessions in the Access Management Console, the console fails to display any users and instead shows an error message:
"An error occurred. Try performing the task again. If the problem persists, contact support." Then under details: "Unknown error occurred".
This typically indicates the console is having trouble enumerating users or getting valid data back from the data collector. I then found that clicking on each individual server to display its users pinpointed which server was not able to provide information, as it popped up with its own unknown error message.
I then stopped the IMA service on this server, which does not impact users' sessions in progress (but will prevent new sessions from being directed to that server). I then ran dsmaint recreateLHC, which recreates the local host cache, a subset of the data store. Then I restarted IMA and made sure the server was back in the farm (verify with the QFARM command).
This then allowed me to discover users on that server, and when clicking on the server folder or the top of the farm I could view all users on all servers and not that pain-in-the-butt error!
Other things to check are the event log on the data collector, and any problems communicating with the data store or the data store server.
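The same procedure scripted with the checks around it, as an added example that is not code from the original post. It assumes a XenApp 5/6 server where the IMA service is registered under the service name IMAService and dsmaint and qfarm are on the PATH, and it must be run elevated on the affected server. It counts the sessions on the box first, refuses to restart IMA if the cache rebuild fails, and then confirms the server is listed by qfarm again instead of assuming it rejoined.

```powershell
# Added example, not code from the original post: rebuild the local host cache
# on a XenApp server the way the post describes, with checks before and after.
# Assumes the IMA service name 'IMAService' (XenApp 5/6) and that dsmaint and
# qfarm are on the PATH. Run elevated on the affected server.
$imaService = 'IMAService'

# Show who is on the box first. Stopping IMA does not drop these sessions, but
# nothing new will be brokered here until it is back up.
$sessions = @(query session 2>$null | Select-String -Pattern '\s(Active|Disc)\s')
Write-Host ("Sessions currently on this server: {0}" -f $sessions.Count)

# -Force also stops any Citrix services that depend on IMA.
Stop-Service -Name $imaService -Force
(Get-Service -Name $imaService).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Rebuild the local host cache (the server's local subset of the data store).
$output = & dsmaint recreatelhc 2>&1
$output | ForEach-Object { Write-Host "  dsmaint: $_" }
if ($LASTEXITCODE -ne 0) {
    throw "dsmaint recreatelhc failed (exit code $LASTEXITCODE); leaving IMA stopped for investigation"
}

Start-Service -Name $imaService
(Get-Service -Name $imaService).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))

# Confirm the server rejoined the farm: qfarm should list this host again.
$me      = $env:COMPUTERNAME
$pattern = '^\s*' + [regex]::Escape($me) + '\b'
$farm    = @(& qfarm 2>&1)
if ($farm | Where-Object { $_ -match $pattern }) {
    Write-Host "$me is back in the farm"
} else {
    Write-Warning "$me is not listed by qfarm yet; check the IMA entries in the event log before calling this fixed"
}
# And that the zone data collector is answering.
& qfarm /zone
```

If dsmaint fails the script deliberately leaves IMA stopped, since starting it against a half-rebuilt cache is how you end up back in the console with the same unknown error.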
Hope this helps..