Forum Discussion

Sheigh_65772's avatar
Dec 03, 2014

XenApp 6.5 with Kerberos Auth and CIFS-Windows Shares

I have been having difficulties with this issue for some time and I am hoping that someone can shed some light on it. All information in this post will be from my test bed environment, however the same issue is occurring in our live development environment.

We are running 11.5.1 HF5 and so far I have been able to get Kerberos authentication working in order to access my published Citrix Applications with APM proxying all ICA traffic and replacing the Citrix Web Interface. The issue comes in when once a published app is launch, for example Notepad, I am then unable to access any mapped drives or other CIFS-Windows shares using Kerberos and instead I am asked for my Username and Password.

I have been mostly following this thread to get to where I currently am as I have a similar scenario: F5 BigIP LTM 6900

In my testbed I have one Domain Controller, one server called XML1 which is my XenApp server and one server called WB1 which is where I had the Citrix Web Interface when I was trying pass-through authentication along with where I created the shared folder I am trying access through my Citrix apps. All servers are Windows 2008 R2, domain level is set to 2003. Our clients are not joined to the domain but I have a valid method of locating the right user using a APM AD query.

In my testbed I have one Domain Controller, one server called XML1 which is my XenApp server and one server called WB1 which is where I had the Citrix Web Interface when I was trying pass-through authentication along with where I created the shared folder I am trying access through my Citrix apps. All servers are Windows 2008 R2, domain level is set to 2003. Our clients are not joined to the domain but I have a valid method of locating the right user using a APM AD query.

My mapped drives are in both

\\servername\share
and
\\fqdn\share
forms.

Would appreciate any help I can get,

Sheigh

  • As an update we still haven't made progress on getting the kerberos credentials to pass through for accessing the CIFS shares (all servers within the same AD Domain, client workstations on separate domain or no domain at all) with NTLM credentials always being requested. At this point I'm pursing two other directions:

     

    1. Kerberos auth only to the Citrix Web Interface, from there utilize XenApp Single Sign-On (Password Manager) for authentication to the published apps which should get us the NTLM credentials
    2. Configure certificate based authentication (not kerberos) and see what that will get us
  • Hi Sheigh, I'm seeing this same exact issue with a recent deployment. My implementation is almost identical to yours just on a much larger scale. Have you been able to figure anything out? Per this article from Citrix (http://support.citrix.com/article/CTX110784) that last Kerberos hop should work properly as the SPN's are set properly for the CIFS share and delegations set right in AD. If you have figured out an answer please let me know. I'll keep researching it and post any findings. Jimmy
  • Hey Jimmy, Haven't figured out a solution yet. We contacted Citrix last week and we didn't get very far with them, they just wanted to send us some whitepapers. We plan on contact Microsoft to see if we can get some support on that end. If I get this working I'll be sure to post up details on what we had to do. Sheigh
  • Sheigh, I've got this pretty much figured out. there are quite a few items that can be parts of the problem but I now have all the way up to 5 hops working. There is too much detail to try and put on a message board but if you have some form of contact information I can help you get things going in the right direction. For us, the biggest problem was related to server side security hardening. These are the two main items, but there are others that can contribute to the issue: 1. local policies\user rights assignment\"impersonate a client after authentication" - SYSTEM needs to be added, this allows the local system to request a service on behalf of the user 2. We also had to change the AD delagation properties at the Citrix servers to Any Authentication Protocol. One thing I've found out, SSPI errors don't always mean Kerberos problems, a lot of times they are really trying to say access is denied.
  • hi jimmy, i am having the same issue in my environment. please advise what is the fix that you put in to resolve your issue. thanks.