Citrix XenApp

Web Interface/StoreFront login issues when working with multiple Citrix farms and domains

When a company acquires another company, after email and Active Directory, the next thing people usually want is to share applications between the companies. From an AD perspective, most often a two way transitive trust is established between your domain and the company you’re acquiring. From a Citrix perspective (I’m using Web Interface for this example), just add the newly acquired company’s domain to your domain drop down list for the XenApp site:

Right click your site > Authentication Methods > Explicit > Properties > Authentication Type > Settings > Domain Display > Add:

Then right click your site > Server Farms and add the new farm/XML Brokers just like you always would. Verify the “domain users” security group for the new domain is added to your Remote Desktop Users group on all farms (easy via GPO) and you’re done (this is assuming you’re not publishing anonymous apps).

When a user logs into a Web Interface, immediately in the background all farms specified for the site are contacted and the Citrix apps or desktops the user has access to are enumerated via XML. You can verify this using a packet capture and monitoring the XML ports for all your farms. After this completes, the user is logged into the Web Interface and will see all of their app icons. This is a very quick process and takes only a couple of seconds even with a large number of farms being enumerated. You can also verify this is happening successfully by RDPing into a server on any farm in any of your domains and looking for the successful logins from the other domains in your Security event logs. The user logging into the Web Interface must be on a domain that has a two way trust with every domain of the farms specified for this to work, or the Web Interface login will fail and they will get a message saying:
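To make the Security event log check described above repeatable, here is a PowerShell script (added here as an example; it is not from the original article) that pulls successful logons (Event ID 4624) from a farm server's Security log and keeps only the ones whose account domain is not the server's own domain. It assumes it is run elevated on a XenApp server that is a domain member; the `-LocalDomain` default of `$env:USERDOMAIN` is an assumption you can override.

```powershell
# Added example, not part of the original article.
# Lists successful logons (4624) on this farm server that came from accounts in OTHER domains,
# which is what a successful cross-domain Web Interface/StoreFront enumeration leaves behind.
param(
    [int]$Hours = 1,
    [string]$LocalDomain = $env:USERDOMAIN   # assumption: the server's own NetBIOS domain name
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Each 4624 record carries its fields as <Data Name="..."> elements in the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $user   = $d['TargetUserName']
    $domain = $d['TargetDomainName']

    # Skip machine accounts (names ending in '$') and logons from this server's own domain.
    if (-not $user -or $user.EndsWith('$')) { continue }
    if ($domain -eq $LocalDomain)           { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$domain\$user"
        Domain    = $domain
        LogonType = $d['LogonType']     # shown, not filtered: check which type your enumeration produces
        SourceIP  = $d['IpAddress']     # typically the Web Interface / StoreFront server doing the enumeration
    }
}

# Summary per remote domain, then the detail rows.
$rows | Group-Object Domain |
    Select-Object @{ n = 'Domain'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

$rows | Sort-Object Time | Format-Table -AutoSize
```

If a trusted domain that should be enumerating against this farm never shows up in the summary, that farm is the one to look at when users from that domain report the generic "verify your user name and password" error.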

"Please verify your user name and password and try logging on again. If you cannot log on, contact your help desk."

Let me give you a sample scenario. There is a two way trust between your primary domain (DomainA) and two acquired domains (DomainB and DomainC). But there is no trust between the two acquired domains, DomainB and DomainC. Each domain has its own Citrix farm, and these 3 farms have already been added to your Web Interface and allowed in the domain drop down box using the method I described above.

A user on your primary domain will login on the Web Interface using their “DomainA\userID” credential and will immediately see Citrix apps coming from the DomainB and C farms without issues because there is a two way trust in place.

But if a user attempts to login from DomainB using their “DomainB\userID” credential, the Web Interface will hang at the login screen for 5-10 seconds because it is attempting to enumerate apps from the DomainC Citrix farm, to which it has no access. The Citrix server on DomainC’s farm will return an XML failure back to the Web Interface because it doesn’t recognize the domain, and in return the Web Interface will “fail” the entire login and display:

"Please verify your user name and password and try logging on again. If you cannot log on, contact your help desk."

So even if you have rights to the first 2 farms, if it fails on the 3rd farm it won’t let you login to the Web Interface. As a result the user will get no access to any Citrix resources from any farm and will call in to the help desk, since that’s what the default error tells the user to do. The message can be customized by the way if you need to; I covered this before in a previous article on Web Interface customization.

The ideal solution is to make sure you have a two way trust in place between all domains. No hub and spoke model. Think spiderweb. You can verify domain trusts by logging into a Citrix server and opening up Active Directory Domains and Trusts (type this in the run box):

domain.msc

then right click on the domain and click the Trusts tab:

Citrix uses trust based routing and it can get pretty hairy in large complex environments and especially with older versions of Presentation Server/XenApp. That’s why I say it’s ideal to have a two way trust between all domains to avoid this complexity.
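Because the Trusts tab in domain.msc only shows one domain at a time, here is a PowerShell script (added as an example; it is not from the original article) that reads the same trust information for a user's logon domain and then walks a list of Web Interface server farms to predict which ones a user from that domain cannot enumerate. The farm list (names, XML broker hosts, ports and domains) is a constructed sample standing in for the DomainA/B/C scenario above, and `-UserDomain` is an assumed DNS domain name; it needs to be run from a machine that can reach a domain controller of that domain.

```powershell
# Added example, not part of the original article.
# Predicts which farms a user from $UserDomain can enumerate, based on the trusts visible from
# that domain (same data as the Trusts tab in domain.msc) and TCP reachability of each XML broker.
param(
    [string]$UserDomain = 'domainb.local'   # assumption: DNS name of the domain the user logs in with
)

# Constructed sample farm list mirroring the DomainA/B/C scenario; replace with your site's farms.
$farms = @(
    [pscustomobject]@{ Name = 'FarmA'; XmlBroker = 'xml01.domaina.local'; Domain = 'domaina.local'; Port = 80 },
    [pscustomobject]@{ Name = 'FarmB'; XmlBroker = 'xml01.domainb.local'; Domain = 'domainb.local'; Port = 80 },
    [pscustomobject]@{ Name = 'FarmC'; XmlBroker = 'xml01.domainc.local'; Domain = 'domainc.local'; Port = 8080 }
)

# Read the trusts of the user's domain. Note: a forest trust is listed under the forest root
# name only, so child domains of a trusted forest will not appear as separate keys here.
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $UserDomain)
$dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$trusts = @{}
foreach ($t in $dom.GetAllTrustRelationships()) {
    # TrustDirection is Inbound, Outbound or Bidirectional, seen from $UserDomain.
    $trusts[$t.TargetName.ToLower()] = $t.TrustDirection.ToString()
}

$results = foreach ($f in $farms) {
    $farmDomain = $f.Domain.ToLower()
    if ($farmDomain -eq $UserDomain.ToLower())  { $trust = 'Same domain' }
    elseif ($trusts.ContainsKey($farmDomain))   { $trust = $trusts[$farmDomain] }
    else                                        { $trust = 'None' }

    # Following the article's recommendation, only a two way (Bidirectional) trust or the same
    # domain is treated as safe; one-way trusts are flagged so they get looked at too.
    $trustOk = $trust -in 'Same domain', 'Bidirectional'

    # Can this machine even reach the XML broker? A down broker fails the login just as hard.
    $tcpOk = Test-NetConnection -ComputerName $f.XmlBroker -Port $f.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Farm      = $f.Name
        XmlBroker = "$($f.XmlBroker):$($f.Port)"
        Domain    = $f.Domain
        Trust     = $trust
        XmlPortUp = $tcpOk
        Verdict   = if ($trustOk -and $tcpOk) { 'OK' } else { 'LOGIN WILL FAIL' }
    }
}

$results | Format-Table -AutoSize
if ($results.Verdict -contains 'LOGIN WILL FAIL') {
    "Users logging in as $UserDomain\<user> will hit the generic 'verify your user name and password' error."
}
```

Run it once per logon domain in your drop down list; a single "LOGIN WILL FAIL" row is enough to break the whole Web Interface login for that domain, which is exactly the DomainB against FarmC case described above.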

2 Comments

  1. Jeff

    June 13, 2017 at 8:43 PM

    I’m seeing this same issue between two domains but it’s very intermittent. The trust is in place and it can’t easily be reproduced. Also it only happens when there is a higher user load. Doesn’t happen after hours.

  2. Jean Carpes

    June 21, 2019 at 8:10 AM

    Hi, Jason. Thanks for the excellent article. But I still have an issue, maybe you can waste two minutes to clarify it, please: It is a simple scenario: Two domains with a two way trust configured. All my Citrix structure is over my Domain “A”. I configured my StoreFront to accept my Domain “B” as a trusted domain and the “Domain B Users” group is a member of all Citrix Servers (StoreFronts and XenServers).

    The problem is:

    1. When I try to logon to my Citrix WebSite with a Domain “B” User, it takes lots of time to complete the action, and sometimes it doesn’t complete. So, after I’m logged in, when I try to access some app, it seems to be stuck on the “Welcome” page, and in most of the attempts the app does not open, maybe by timeout.

    I conclude that it’s not a Citrix problem, at least not exclusively. I got it trying to logon to my XenApp server, member of Domain “A”, with my user, member of Domain “B”, through RDP, and the behavior was the same: stuck on the Welcome page.

    Do you have any light to put over this? Thank you in advance.

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com