
Trust issues

Jimmi Sivan


Problem no. 1:


I have a XenApp 7.6 site with all delivery controllers and VDA servers (Windows Server 2012 R2 Standard) located in domain A in forest A. Connection to the site is established through NetScaler VPX.


The users are located in a child domain B in forest B.


There is a one-way transitive forest trust with forest A trusting forest B.


The permissions to the XenApp delivery group are assigned to a domain local security group from domain A. The domain local security group contains a member security group from child domain B.


The NetScalers have Web Interface 5.4 installed on the NetScalers with a NetScaler Gateway on port 443. There is an LDAP authentication policy with connection to two specified domain controllers in the root domain of forest B pointing to the secure Global Catalog (port 3269).


I am able to authenticate with test accounts from both a child domain and the root domain of forest B, and the user is presented with the applications he has permissions to. So the nested permissions and the NetScaler Gateway authentication are successful.


However, when I try to launch an application I receive the "The specified domain either does not exist or could not be contacted" error:



I have also attached an application log entry from the delivery controller from the time the application launch is attempted, as well as security logs from the delivery controller:





And an output from the aaad.debug:



I have replaced IP addresses and domain names, but only for illustration purposes. For example, the IP address is the IP of one of the domain controllers in the root domain of forest B.


There are no firewall openings from any of the XenApp servers to domain controllers in forest B. The only firewall openings are from the NetScalers' NSIPs and SNIPs to two specific domain controllers in the root domain of forest B on ports 636/TCP and 3269/TCP, and the errors occur regardless of whether port 636 or 3269 is used.


According to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-architecture-article/xad-plan-active-directory.html a one-way transitive trust should be sufficient.


Do any of you know whether firewall openings from the XenApp delivery controllers or VDA servers to domain controllers within forest B are necessary?

Firewall openings are in place from domain controllers in domain A in forest A to domain controllers within forest B, and I wanted the domain controllers in domain A to handle, and forward if necessary, all the authentication for the users in forest B. But I suppose it is insufficient?



Problem no. 2:


When authenticating on the NetScaler Gateway with test users from the root or child domain of forest B I get to the well-known white /Citrix/XenApp/auth/agesso.jsp site. It takes a while to load until I finally see the agesso.jsp site. Then I need to refresh it 3-5 times before I am actually logged into the Web Interface and presented with the applications I have permissions to. I have tried various single sign-on options on the session policy, but to no avail.


Any ideas why this occurs?


There is no issue when I log on with users from domain A in forest A, and the single sign-on in the session policy matches that domain. All the XenApp servers are located on this domain as well, so obviously it works fine.


I suppose there is no way to have single sign-on for two domains unless I create the domain drop-down box as mentioned in:



I apologize for the long thread, but thank you for taking the time if you have made it this far :)
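The post above describes a delivery controller in domain A that has no firewall path to forest B's domain controllers, and a launch failure with "The specified domain either does not exist or could not be contacted". The following PowerShell is an added diagnostic example, not code from the original post or from Citrix; it is meant to be run on a delivery controller or VDA in domain A to separate a name-resolution failure from a blocked port. The host names and domain name are placeholders, and the port list is the standard set a domain member uses towards domain controllers of a trusted forest (DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445, Global Catalog 3268); it does not cover the RPC dynamic port range, which may also be needed.

```powershell
# Added example (not from the original post). Run on a delivery controller
# or VDA in domain A. All names below are placeholders for forest B.
$ForestBRoot = 'forestb.example'                                # placeholder
$ForestBDCs  = @('dc1.forestb.example', 'dc2.forestb.example')  # placeholders

# Ports a domain member uses towards DCs of a trusted forest for
# DC location, Kerberos referrals, LDAP lookups and SMB/RPC.
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    3268 = 'Global Catalog'
}

# 1. Can this server resolve forest B at all (conditional forwarder / stub zone)?
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestBRoot" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object Name, NameTarget, Port

# 2. Which of the required ports are reachable from here?
foreach ($dc in $ForestBDCs) {
    foreach ($p in $Ports.Keys) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-28} {1,5}/TCP {2,-22} {3}' -f $dc, $p, $Ports[$p], $state
    }
}

# 3. Can the DC locator find a domain controller for forest B from this host?
nltest /dsgetdc:$ForestBRoot /force

# 4. Confirm the trust direction and transitivity as domain A sees it.
Import-Module ActiveDirectory
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, TrustType
```

If step 1 returns nothing, the "domain does not exist or could not be contacted" message is explained before any firewall rule is examined: the server cannot even learn which hosts to contact. If resolution works but step 2 shows the ports as BLOCKED, the existing rule set (NetScaler to forest B only, on 636 and 3269) is what the XenApp servers are running into. When opening ports, keep the rules scoped to the specific delivery controllers and VDAs and the specific forest B domain controllers rather than to whole subnets.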





