For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 27, 2014

Interesting. I've experienced the "err vdi" message before on 11.4 and 11.5 and have an open case on it. That's why I asked to set APM SSO to debug. Before I suggest opening a new case to coincide with what I've seen, let's review some of the baseline required configurations:

 

Virtual server:

 

  • HTTP profile
  • Client SSL profile
  • SNAT (as required)
  • Access Profile (your access policy - reviewed next)
  • Connectivity Profile (default settings are fine)
  • VDI & Java Support option checked

Citrix Remote Desktop profile:

 

  • Destination: Host Name or IP Address (there is an issue with using a pool - not sure if it's fixed yet - for now point it at a single XenApp server)
  • Auto Logon: Enable
  • Broker Authentication: Kerberos
  • Kerberos SSO configuration (your Kerberos SSO profile)

Access Profile (VPE):

 

  • Given that this is for DoD CAC, I'm assuming you've created some process to query the AD for userPrincipalName to get the sAMAccountName for the Kerberos SSO.
  • Advanced Resource Assign:
    • A simple webtop
    • Your Citrix remote desktop resource

XenApp servers:

 

  • IIS CtxAdminPool and CtxScriptsPool application pools set to use LocalSystem (CTX130480)
  • IIS authentication for Default Web Site set to Windows Authentication only (Anonymous not required)
  • XenApp Hotfix rollup 3
  • The following registry entry (CTX124603)
    • HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer
    • IgnoreRegUserConfigErrors (DWORD) = 1
  • XenApp global policy enabled for "Trust XML requests"

Domain controller:

 

  • XenApp servers set to delegate HTTP/ and HOST/ to themselves, HTTP/ to other XenApp servers, and CIFS/ and LDAP/ to the domain controllers, using the "use Kerberos only" delegation option (CTX124603)

This is the absolute minimum requirement for XenApp with Kerberos SSO (although I didn't list specific Kerberos SSO settings), so you may have additional configurations. You're also getting the application list, so I have to assume that Kerberos SSO is working. If your settings are more or less the same as mine, I'd go ahead and open a new case as this is likely similar to an existing/known issue.