Introduction
The authentication is a simple concept. the user's credentials are passed to a Web Interface and XenApp / XenDesktop servers, preventing users from having to explicitly authenticate at any time during the process of launching the Citrix application. Although this authentication method seems simple, there are few moving parts, and this article aims to break these down to provide a more detailed understanding of how the process really works within Citrix
Authentication Pass-Through -. Web Interface site
The first step of the transition process occurs on the Web Interface site. Users are able to browse the site for the Web interface, and their powers are passed through and they are presented with their Citrix resources delivered. Web interface is built on Internet Information Services (IIS). For pass-through authentication to work, the IIS Windows Integrated Authentication must be utilized. Formerly called NTLM, this authentication method hashes the user credentials before they are sent over the network. When this type of authentication is enabled, the client browser proves that it is authenticated by a cryptographic exchange with the Web Interface server, involving hashing. Because of this, the Web browser is responsible for authentication with the Web Interface server (IIS). It is important to note, however, that the powers are never actually exchanged. Instead, the signed hash is provided for IIS, prove that said user has already been authenticated on the Windows desktop. The user of the Web interface uses the AD user context (sometimes called a token) to recover membership in an AD group to the user and to transmit this list of groups directly in XML service for authentication. At this point, the user has passed the Web Interface site and can now see his / her Citrix resources.
- The WI server must be in the same domain as the user, or a domain that has a trusted relationship with the domain of the user.
- If the WI server and user are in different domains, and resources are published using domain local groups in the AD domain user, WI will not be able enumerate these, even with appropriate AD trust (because of the nature of domain local groups).
- WI site should be added as a trusted site or intranet zone in Internet Explorer. In addition, the security settings must be changed so that the authentication user Logon is set to 'Automatic logon with username and password'.
- Pass-through authentication is not supported on the Web interface for NetScaler
- http: // support.citrix.com/article/CTX130153
Through authentication -. XenApp / XenDesktop session
One of the biggest misconceptions with pass-through authentication Citrix is that it occurs only when a user browses the Web Interface site and he / she is automatically passed through. As mentioned above, the IIS authentication method that is used does not work actually exchange the user password. In other words, the web interface is not in control of user credentials. This brings us to the question: How are the users went through the current session XenApp / XenDesktop ICA
While Web browser has a role in the authentication of the user? website, the Citrix client (Citrix Receiver) plays an essential role in ensuring that the user is completely gone through the application or desktop. Citrix Receiver installs a process called ssonsvr.exe, which is the single sign-on client component (no, not password manager SSO, but rather unique identification-authentication information SSO). This process is fully responsible for passing user credentials to XenApp or XenDesktop. Without this piece, pass-through authentication will not work. In non-Enterprise versions of Citrix Receiver, the room SSON is not automatically installed, and must be performed during a client installation command line. For more information, see http://support.citrix.com/proddocs/topic/receiver-windows-34/receiver-windows-cfg-command-line.html.
Resources
the links below include information on enabling Pass-through authentication to Citrix Pass-through common troubleshooting steps and errors, as well as Microsoft documentation describing the different authentication methods in IIS:
http://support.citrix.com/proddocs/topic/web-interface-impington/wi-enable-pass-through-authentication-gransden. html
http: // support. citrix.com/article/CTX135588
http://support.citrix.com/proddocs/topic/receiver-windows-34/ica-sson-enable.html
http: // support.citrix.com/article/CTX118736
http://msdn.microsoft.com/en-us/library/aa292114 (v = vs.71) .aspx
0 Komentar