When a company acquires another company, after email and Active Directory, the next thing people usually want is to share applications between the two. From an AD perspective, a two-way transitive trust is most often established between your domain and the domain of the company you're acquiring. From a Citrix perspective (I'm using Web Interface for this example), just add the newly acquired company's domain to the domain drop-down list for the XenApp site:
Right click your site > Authentication Methods > Explicit > Properties > Authentication Type > Settings > Domain Display > Add:
Then right click your site > Server Farms and add the new farm/XML Brokers just like you always would. Verify that the "Domain Users" security group from the new domain is added to the Remote Desktop Users group on all farms (easy via GPO) and you're done (this assumes you're not publishing anonymous apps). If you would rather not hand every account in the acquired domain logon rights to every Citrix server, put only the new domain's Citrix users into a dedicated group and add that group instead of Domain Users.
When a user logs into a Web Interface site, all farms configured for the site are contacted in the background and the Citrix apps or desktops the user has access to are enumerated through the XML Service. You can verify this with a packet capture on the XML ports of all your farms. Once enumeration completes the user is logged into the Web Interface and sees all of their app icons. This is quick, a couple of seconds even with a large number of farms. You can also confirm it is happening by RDPing into a server on any farm in any of your domains and looking for the successful logons from the other domains in the Security event log. For this to work, the domain the user logs in from must have a two-way trust with every domain that hosts a farm configured on the site; otherwise the Web Interface login fails and the user sees:
"Please verify your user name and password and try logging on again. If you cannot log on, contact your help desk."
Let me give you a sample scenario. There is a two-way trust between your primary domain (DomainA) and each of two acquired domains (DomainB and DomainC), but no trust between the two acquired domains, DomainB and DomainC. Each domain has its own Citrix farm, all three farms have been added to your Web Interface, and all three domains are allowed in the domain drop-down box using the method described above.
A user on your primary domain logs into the Web Interface with a "DomainA\userID" credential and immediately sees Citrix apps from the DomainB and DomainC farms without issues, because a two-way trust is in place with both.
But if a user from DomainB logs in with a "DomainB\userID" credential, the Web Interface hangs at the login screen for 5-10 seconds because it is attempting to enumerate apps from the DomainC farm, which that user's domain has no trust with. The XML broker in DomainC's farm returns an XML failure to the Web Interface because it cannot authenticate an account from a domain it does not recognize, and the Web Interface "fails" the entire login and displays:
"Please verify your user name and password and try logging on again. If you cannot log on, contact your help desk."
So even if you have rights to the first two farms, a failure on the third farm stops you from logging into the Web Interface at all. The user gets no access to any Citrix resource from any farm and calls the help desk, since that is what the default error tells them to do. The message can be customized if you need to; I covered this in a previous article on Web Interface customization.
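The Security log check described above, scripted, as an added example that is not code from the original article. Run it on (or against) an XML broker in one of the farms: it lists successful logons (event ID 4624, so Windows Server 2008 or later and PowerShell 3.0 or later are assumed) whose account comes from a domain other than the server's own. Right after a DomainA user logs into the Web Interface, a DomainB or DomainC broker should show that user; in the failing scenario, DomainC's broker never shows a DomainB logon. The defaults for the local domain name and the exclusions for machine and built-in accounts are my assumptions.

```powershell
# Added example, not from the original article. Lists successful logons on a farm server
# whose account belongs to a domain other than the server's own. Assumes Windows Server
# 2008 or later (Security event ID 4624), PowerShell 3.0 or later, and rights to read
# the Security log.
function Get-ForeignDomainLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LocalDomain  = $env:USERDOMAIN,   # assumption: the farm's own NetBIOS domain name
        [int]$MaxEvents       = 5000
    )

    $events = Get-WinEvent -ComputerName $ComputerName `
                           -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # Properties[] positions, which differ between OS versions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $domain = $data['TargetDomainName']
        $user   = $data['TargetUserName']

        # Skip the server's own domain, built-in accounts and machine accounts (names ending in $)
        if (-not $domain -or $domain -eq $LocalDomain -or $domain -eq $ComputerName) { continue }
        if ($domain -like 'NT *' -or $user -like '*$') { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Domain    = $domain
            User      = $user
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

# Usage on an XML broker: the most recent foreign-domain logons, then a per-domain count.
# An acquired domain that never appears here is not being authenticated by this farm.
$logons = Get-ForeignDomainLogons
$logons | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
$logons | Group-Object Domain | Select-Object Name, Count
```

The per-domain count is the useful part during a rollout: compare it across brokers in every farm after test logins from each domain, and a farm that shows logons from some domains but not others points straight at the missing trust.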
The ideal solution is to make sure you have a two-way trust in place between all domains. No hub-and-spoke model. Think spiderweb. You can verify domain trusts by logging into a Citrix server and opening Active Directory Domains and Trusts (type this in the Run box):
domain.msc
then right click the domain, choose Properties and open the Trusts tab:
Citrix uses trust-based routing, and it can get pretty hairy in large, complex environments, especially with older versions of Presentation Server/XenApp. That's why I say it's ideal to have a two-way trust between all domains and avoid the complexity.
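Checking the Trusts tab domain by domain does not scale once there are more than a handful of farms, so here is the "spiderweb" check scripted, as an added example that is not code from the original article. Given the list of domains whose farms are published on a Web Interface site, it reports every pair that is not joined by a two-way trust. Find-MissingTrusts is a pure check over a trust table and runs offline on the constructed sample at the bottom; Get-DomainTrustTable builds that table from the live directory through .NET's System.DirectoryServices.ActiveDirectory API, the same data the Trusts tab shows. The domain names are made up, and the assumption that the calling account can bind to each domain is noted in the code.

```powershell
# Added example, not from the original article. Reports every pair of farm domains that
# is not joined by a two-way trust. Requires PowerShell 3.0 or later.

function Get-DomainTrustTable {
    param([string[]]$Domains)
    foreach ($d in $Domains) {
        # Assumption: the caller's account can bind to each domain. If it cannot, run this
        # once per domain from inside it, or build the DirectoryContext with credentials.
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                   [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $d)
        $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        foreach ($t in $dom.GetAllTrustRelationships()) {
            [pscustomobject]@{ Source = $d; Target = $t.TargetName; Direction = [string]$t.TrustDirection }
        }
    }
}

function Find-MissingTrusts {
    param([string[]]$Domains, [object[]]$TrustTable)
    # Index "source|target" -> trust direction as reported by the source domain
    $seen = @{}
    foreach ($t in $TrustTable) { $seen["$($t.Source)|$($t.Target)".ToLower()] = [string]$t.Direction }

    $missing = @()
    for ($i = 0; $i -lt $Domains.Count; $i++) {
        for ($j = $i + 1; $j -lt $Domains.Count; $j++) {
            $a = $Domains[$i]; $b = $Domains[$j]
            $ab = $seen["$a|$b".ToLower()]
            $ba = $seen["$b|$a".ToLower()]
            # Enumeration from either side needs a trust that at least one side reports as
            # Bidirectional; a one-way or absent trust between farm domains is flagged.
            if ($ab -ne 'Bidirectional' -and $ba -ne 'Bidirectional') {
                $missing += [pscustomobject]@{
                    DomainA = $a
                    DomainB = $b
                    AtoB    = $(if ($ab) { $ab } else { 'none' })
                    BtoA    = $(if ($ba) { $ba } else { 'none' })
                }
            }
        }
    }
    return $missing
}

# Constructed sample matching the scenario in the article: DomainA trusts B and C both
# ways, but B and C have no trust with each other.
$farmDomains = 'domaina.local', 'domainb.local', 'domainc.local'
$sampleTable = @(
    [pscustomobject]@{ Source = 'domaina.local'; Target = 'domainb.local'; Direction = 'Bidirectional' }
    [pscustomobject]@{ Source = 'domaina.local'; Target = 'domainc.local'; Direction = 'Bidirectional' }
    [pscustomobject]@{ Source = 'domainb.local'; Target = 'domaina.local'; Direction = 'Bidirectional' }
    [pscustomobject]@{ Source = 'domainc.local'; Target = 'domaina.local'; Direction = 'Bidirectional' }
)
Find-MissingTrusts -Domains $farmDomains -TrustTable $sampleTable | Format-Table -AutoSize

# Against the live directory, using the same list of farm domains:
# Find-MissingTrusts -Domains $farmDomains -TrustTable (Get-DomainTrustTable $farmDomains)
```

On the sample table the check flags exactly one pair, domainb.local and domainc.local, with no trust reported from either side, which is the pair that breaks DomainB and DomainC users' logins in the scenario above. Rerun it against the live directory whenever a farm or domain is added to the Web Interface site; every pair must come back clean before the new domain goes into the drop-down list.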
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results. Follow him on LinkedIn.
Jeff
June 13, 2017 at 8:43 PM
I'm seeing this same issue between two domains but it's very intermittent. The trust is in place and it can't easily be reproduced. It also only happens when there is a higher user load. It doesn't happen after hours.
Jean Carpes
June 21, 2019 at 8:10 AM
Hi, Jason. Thanks for the excellent article. But I still have an issue, maybe you can waste two minutes to clarify it, please: It is a simple scenario: Two domains with a two-way trust configured. All my Citrix structure is on my Domain "A". I configured my StoreFront to accept my Domain "B" as a trusted domain and the "Domain B Users" group is a member of all Citrix Servers (StoreFronts and XenServers).
The problem is:
1. When I try to log on to my Citrix website with a Domain "B" user, it takes a lot of time to complete the action, and sometimes it doesn't complete. Then, after I'm logged in, when I try to access some app, it seems to be stuck on the "Welcome" page, and in most attempts the app does not open, maybe due to a timeout.
I conclude that it's not a Citrix problem, at least not exclusively. I got the same thing trying to log on to my XenApp server, a member of Domain "A", with my user, a member of Domain "B", through RDP, and the behavior was the same: stuck on the Welcome page.
Do you have any light to put over this? Thank you in advance.