Cross-Forest Trust and PS4.0, in the Citrix XenApp / Presentation Server forum on BrianMadden.com


Not Ranked
Points 55
Ari Burkes posted on 11-18-2008 8:56 AM

I have an odd issue that I spent all day yesterday troubleshooting, with no success.

I have a Web Interface site (4.5.1.8215) which is managing two Citrix farms – one PS4.5, one PS4. I have users in another domain forest who need access to this site, and a cross-forest trust exists between the forest in which the Citrix servers live and the forest in which the users are located. Note again that the trust exists at the forest level and not the domain level.

And now for the odd part: If I remove the PS4 farm from management in the WI site (Manage Server Farms option), users in a domain in the trusted forest have no trouble logging in to the WI. Their applications are enumerated and they can launch published apps. When I add the PS4 farm back into the managed farms, however, users in domains in the trusted remote forest can no longer log in to the WI (Error message: The supplied credentials were invalid. Please try again or contact your system administrator for help).

To rule out any issue with the WI or the setup of the website, I created application sets in the PN with connections to the PS4 and PS4.5 farms.  Same result – was able to authenticate to the PS4.5 farm, but not the PS4 farm, when using an account in the remote trusted forest.  The error message when trying to authenticate to the PS4 farm was the same as when attempting to log into the WI.

I figure that it’s an issue with either the XML or IMA service in PS4, but I haven’t been able to find the solution.  Has anyone out there had this issue and resolved it?

(BTW, I found a recent similar post where the solution was to add the Domain Users group from the trusted domain to the local Users and/or Remote Desktop Users group/policy.  Tried that, no luck.)

 

Verified Answer

Not Ranked
Points 55

Thanks Emil and Brian for your suggestions and recommendations.

Emil - I've already done what you suggested for the purposes of server security.  However, when it comes to authenticating via the WI, I was hoping to have the users log in using their usual credentials.

I've found the answer that I wanted, and it's not the answer that I was hoping for.  From the PS4 Advanced Concepts Guide, p211:

With Windows Active Directory forests, you can create a two-way forest trust that allows a transitive trust among all child domains in the trusted forests. However, Presentation Server does not support the use of this type of trust among child domains. If you require a trust between two child domains in separate forests, you must create an explicit trust between the domains.

Unfortunately, politics are currently preventing us from creating a domain-level trust. There is a workaround, which would be to add XenApp servers from the farm to the non-trusted domain. In this event the Trust-Based Routing feature will be engaged and it will allow one Web Interface site to operate under these conditions; otherwise the only solution is to use multiple Web Interface sites.

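The distinction the guide draws (an explicit trust directly to the users' domain versus reaching it only transitively through a forest trust) can be checked from the Citrix servers' domain. The script below is an added example, not from this thread or from Citrix; it assumes the ActiveDirectory PowerShell module (Get-ADTrust) is available, and the domain names are placeholders.

```powershell
# Added example (not from the thread): classify how the Citrix servers' domain
# reaches the users' domain. A direct trust object to that domain is the
# "explicit trust" the PS4 Advanced Concepts Guide asks for; a forest trust
# whose root is only a parent of the users' domain means child-domain users
# authenticate transitively, which the guide says Presentation Server does not support.
# Assumes the ActiveDirectory module (RSAT). Domain names are placeholders.

param(
    [string]$ServerDomain = 'citrix.corp.example',   # placeholder: domain holding the PS4/PS4.5 servers
    [string]$UserDomain   = 'users.partner.example'  # placeholder: child domain in the trusted forest
)

Import-Module ActiveDirectory

# Get-ADTrust reads the trustedDomain objects of the queried domain, i.e. only
# trusts that domain holds directly; transitive paths never appear here.
$trusts = Get-ADTrust -Server $ServerDomain -Filter * |
    Select-Object Name, Target, Direction, TrustType, ForestTransitive, IntraForest, SelectiveAuthentication

# For remote users to log on to the servers, the servers' domain must trust the
# users' domain: Outbound or BiDirectional as seen from the servers' side.
$trusting = $trusts | Where-Object { @('Outbound', 'BiDirectional') -contains "$($_.Direction)" }

# Case 1: explicit trust whose target is the users' domain itself.
$direct = $trusting | Where-Object { $_.Target -ieq $UserDomain -and -not $_.IntraForest }

# Case 2: forest trust to a root domain of which the users' domain is only a child.
$forestOnly = $trusting | Where-Object {
    $_.ForestTransitive -and $_.Target -ine $UserDomain -and $UserDomain -like "*.$($_.Target)"
}

if ($direct) {
    "Explicit trust from $ServerDomain to $UserDomain found; this is the supported configuration."
    $direct | Format-Table -AutoSize
} elseif ($forestOnly) {
    "Only a forest trust to $($forestOnly.Target) covers $UserDomain."
    "Users in that child domain reach $ServerDomain transitively, the case the guide says PS4 does not support."
    "Per the guide, create an explicit trust between $ServerDomain and $UserDomain."
} else {
    "No outbound trust from $ServerDomain toward $UserDomain was found."
}
```

Run it from a machine in the servers' domain with an account that can read the domain's System container; the PS4.5 farm behaving differently is consistent with the guide, since the restriction is described for Presentation Server 4.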

All Replies

Top 75 Contributor
Points 1,812

Are both the 4.0 & 4.5 farms in the same domain? Try having the user log in with RDP directly to the Citrix server and see what error they get.

I don't think your problem is with Citrix in any way.

Not Ranked
Points 55

Hi Brian, thanks for your follow-up.

Both PS4 and PS4.5 are in the same farm.  I have an ongoing debate (with myself, I know it's sad) as to whether my problem is AD-related (and/or GPO-related) or Citrix-related.  I'm pursuing both options, but there are convincing arguments on either side.

If the problem is NOT Citrix-related, why does the problem only surface with the PS4 farm?  If the servers from both farms are in the same domain (in fact, in the same OU, with the same GPOs applied), doesn't that point to a Citrix angle?  And specifically, to an issue with the older versions of the IMA and/or XML?

Not Ranked
Points 55

Correction:  when I said "both PS and PS4.5 are in the same FARM " I meant, of course, the same DOMAIN.  The PS4 and PS4.5 servers are in different farms.

Top 75 Contributor
Points 1,812


Well, what I meant about it not being something with Citrix is the Citrix software, not the host OS/server Citrix is installed on.

I wonder if you'll get much the same error if they try it over RDP (eliminating Citrix as the problem).

If you are just adding a second farm to a Web Interface site, your authentication method should be the same and work for both farms. Unless the 4.0 farm server can't contact (name resolution, etc.) the trusted domain. Do the users have to enter a domain, or do you have that enforced? How is your "configure authentication methods" set up for the WI site?

Top 75 Contributor
Points 1,855

You might try to work a fudge by adding the users into a Universal Group and then into the Pre-Windows 2000 Compatible Access groups on 'all' domains (or just the users'/servers' domain). Also up the auditing of Security on your boxes to see if it will give you a nice error.

--Emil
