Saturday, November 16, 2013

Connecting to Citrix XenDesktop 5.6 virtual desktops through a Web Interface configured with pass-through authentication fails after flashing a black screen

Problem

Environment:

  • 2 x Citrix Web Interface at version 5.4.2.59
  • 2 x Citrix XenDesktop 5.6 DDCs at version 5.6 with Hotfix 7
  • VDA Agent on VDIs at version 5.6.300
  • Pass-through authentication is configured for the website
  • Client used to connect to Web Interface portal is joined to the domain

Symptoms:

  • User is able to successfully log into the pass-through authentication page from the fat / thick client via URL directing to Web Interface website (no CAG)
  • Clicking on the XenDesktop Dedicated Desktop icon briefly shows the Citrix Receiver launch with the progress bar at about ¼ then disappears
  • The Desktop Viewer window appears to launch displaying a black screen (in some cases he may see an out of place username and password prompt displayed by the Windows 7 VDI)
  • Within seconds, the black screen disappears and he is back to his fat / thick client’s desktop with the web page
  • Continuing to click on the dedicated desktop or pooled desktop icons exhibits the same behavior
  • Testing with a single or dual monitor setup exhibits the same symptoms
  • Using his same credentials on the t610 in the same VLAN which is also configured for pass-through authentication does not exhibit the same behavior

Troubleshooting:

While reviewing the event logs on the virtual desktop that the user failed to log into, I found that an event ID 1260 warning followed by an event ID 1030 informational event was logged during each unsuccessful login attempt.

The details of those events are:

Event ID Warning: 1260

Log Name: Application

Source: Citrix ICA Service

Event ID: 1260

Level: Warning

ICA connection is cancelled because auto-logon is enforced and auto-logon failed. For more information, see http://support.citrix.com/proddocs/topic/online-plugin-121-windows/ica-sson-enable.html.

Event ID Information: 1030

Log Name: Application

Source: Citrix Desktop Service 

Event ID: 1030

Level: Information

The Citrix Desktop Service detected that a user session has ended. Session 0:635200501869038107 for user 'domain\jsmith' has ended.


Clicking on the link provided in the warning (http://support.citrix.com/proddocs/topic/online-plugin-121-windows/ica-sson-enable.html) isn’t much help, as it brings you to a 404 page ("Not Found: The Requested Page Cannot Be Displayed"); Citrix has probably taken the page down.

Troubleshooting Steps Tried:

Searching for the string returned 5 or 6 results with various suggestions such as:

1. Turning on Kerberos in the Citrix GPO ADM for the fat / thin clients <-- Did not work


2. Modify the Web Interface pass-through authentication page’s domain settings to use FQDN instead of NetBIOS <-- Did not work


3. Edit the user rights assignment for the VDIs, either in the local policy or via GPO: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment <-- I can’t see why we would need to change this as the issue is intermittent

4. Use the Get-BrokerSite cmdlet on a DDC to ensure that TrustRequestsSentToTheXmlServicePort is set to True

Solution

While I have yet to determine the root cause, the workaround I put in for this problem to buy me some more troubleshooting time was to add the following registry key onto the VDI:

HKLM\SOFTWARE\Policies\Citrix

DWORD: EnforceAutoLogon

Value: 0


As per the following forum post, a Citrix engineer wrote the following:

http://forums.citrix.com/thread.jspa?threadID=284282

First off, in XD5, the default behavior when pass-through credentials aren't properly provided has changed. In XD4, you would get prompted to authenticate at the VDA Winlogon screen if SSON failed. In XD5, by default anyways, the VDA will drop the connection if credentials aren't properly received. To workaround this behavior, create a new DWORD value called 'EnforceAutoLogon' in HKLM\Software\Policies\Citrix, and set it to 0. This will change the VDA behavior to dump you back out to the Winlogon screen instead of just closing the connection.

So basically what’s happening here is that pass-through authentication isn’t working on the fat / thick client downstairs and the default behavior for XenDesktop 5 is to drop connections if the credentials aren’t passed over. With the registry key shown above set on the VDI, XenDesktop will not drop the connection but will instead fall back to the Winlogon screen, where the user can type in credentials.

Note that if you can’t update the catalog of a pool for whatever reason, or are unable to log onto dedicated VDIs because users are logged on, you can use a GPO assigned to the computer object to add this registry key with the following settings:

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Policies\Citrix

Value name: EnforceAutoLogon

Value type: REG_DWORD

Value data: 0
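The following PowerShell is an added example, not part of the original post or any Citrix tooling: run elevated on an affected VDI, it pairs each event 1260 with the event 1030 that follows it to list which users were dropped, then applies the EnforceAutoLogon workaround and reads the value back. The function names and the 60-second pairing window are assumptions; the event sources, IDs and message text are the ones shown above.

```powershell
# Added example (not from the original post). Run elevated on the VDI.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Citrix'
$ValueName = 'EnforceAutoLogon'

function Get-CitrixEvent {
    param([string]$Provider, [int]$Id, [datetime]$Since)
    $filter = @{ LogName = 'Application'; ProviderName = $Provider; Id = $Id; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    try { Get-WinEvent -FilterHashtable $filter -ErrorAction Stop } catch { @() }
}

function Get-SsonFailureReport {
    # WindowSeconds (how soon a 1030 must follow a 1260) is an assumed value.
    param([int]$Days = 7, [int]$WindowSeconds = 60)
    $since  = (Get-Date).AddDays(-$Days)
    $failed = @(Get-CitrixEvent 'Citrix ICA Service' 1260 $since)
    $ended  = @(Get-CitrixEvent 'Citrix Desktop Service' 1030 $since | Sort-Object TimeCreated)
    foreach ($f in $failed) {
        # The 1030 event logged right after a 1260 names the user whose session was dropped.
        $next = $ended | Where-Object {
            $_.TimeCreated -ge $f.TimeCreated -and
            $_.TimeCreated -le $f.TimeCreated.AddSeconds($WindowSeconds)
        } | Select-Object -First 1
        $user = 'unknown'
        if ($next -and $next.Message -match "for user '([^']+)' has ended") { $user = $Matches[1] }
        New-Object PSObject -Property @{ Time = $f.TimeCreated; User = $user }
    }
}

function Set-EnforceAutoLogonWorkaround {
    # Creates the policy key if it is missing, then sets the DWORD to 0
    # so the VDA falls back to the Winlogon screen instead of dropping the session.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Record who was affected before changing the behaviour, then apply and confirm.
Get-SsonFailureReport | Sort-Object Time | Format-Table Time, User -AutoSize
Set-EnforceAutoLogonWorkaround
(Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
```

Keeping the list of affected users and clients gives the root-cause investigation something to work from once the workaround hides the dropped sessions.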

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Not exactly the best solution, but users who wonder why they need to retype their credentials are much better than users who are unable to connect.