
Director SSO with NS LB not working


Question

Hi,

I'm trying to configure SSO for Director on XenApp 7.15 with NetScaler Load Balancing. The Director is installed on the StoreFront servers and the Delivery Controllers are on other servers. I followed the procedure on Carl Stalhood's website (http://www.carlstalhood.com/director-7-15/#directorsson).

I use a separate URL for Director than for StoreFront, as required, and I've registered the SPN for the user service account to both servers and to the load-balanced URL.

The only difference I had to configure was to enable kernel-mode authentication. Otherwise, there is a login pop-up window when I try to access the console and no user/password works.

Now the situation is:

On localhost: the login page appears with the following message:

"your session has ended. to continue, please log on"

On this page I can click "open session" and it uses SSO, but as I understand it, it should log in without asking.

From another computer, when I use the load-balanced URL, I get the same message but the option to open a session automatically is not there. I have to enter my credentials and then the logon works.

Do you have any idea? Thank you for your help.

9 answers to this question


Hello,

Did you manage to solve this issue? Can you give us some feedback please?

I'm facing the same error message, but I don't think it's related to the LB, as I get the same message when targeting a specific Director server. But still, I have used the service domain account / setspn command / Kerberos trust / AppPool credentials method.

In fact, the Director consoles I'm pointing to are on some VDA servers designed for admin people (and I don't want to target DC servers).

The remote console may be the root of the problem.


Too bad :(

I've managed to make SSO work for every single Director console, but still the LB is not working:

- For DC01 & DC02:

  • "setspn -S http/DC0x.corp.local corp\DC0x"
  • AD computer object "DC0x" Kerberos Trust Delegation changed

- For VDA1 & VDA2:

  • As they are not DC servers, I had to change the IIS Director Application Settings Service.AutoDiscoveryAddresses to DC0x.corp.local (VDA1 to DC01 and VDA2 to DC02)
  • "setspn -S http/VDAx.corp.local corp\service_account"
  • AD user object "service_account" Kerberos Trust Delegation
  • AppPool Director Identity = corp\service_account
  • system.webServer/security/authentication/windowsAuthentication : useAppPoolCredentials = True

With this setup all 4 URLs have SSO working fine:

DC01.corp.local/Director
DC02.corp.local/Director
VDA1.corp.local/Director
VDA2.corp.local/Director

The LB VServer is set with VDA1 and VDA2.

I have run "setspn -S http/director.corp.local corp\service_account"

But still the LB SSO won't work: I get the "your session has ended. to continue, please log on" message on the resulting URL "director.corp.local/Director/LogOn.aspx?sessionLost=true&cc=true"

On 4/4/2018 at 5:17 PM, Fabien Papineau said:

Too bad :(

I've managed to make SSO work for every single Director console, but still the LB is not working:

- For DC01 & DC02:

  • "setspn -S http/DC0x.corp.local corp\DC0x"
  • AD computer object "DC0x" Kerberos Trust Delegation changed

- For VDA1 & VDA2:

  • As they are not DC servers, I had to change the IIS Director Application Settings Service.AutoDiscoveryAddresses to DC0x.corp.local (VDA1 to DC01 and VDA2 to DC02)
  • "setspn -S http/VDAx.corp.local corp\service_account"
  • AD user object "service_account" Kerberos Trust Delegation
  • AppPool Director Identity = corp\service_account
  • system.webServer/security/authentication/windowsAuthentication : useAppPoolCredentials = True

With this setup all 4 URLs have SSO working fine:

DC01.corp.local/Director
DC02.corp.local/Director
VDA1.corp.local/Director
VDA2.corp.local/Director

The LB VServer is set with VDA1 and VDA2.

I have run "setspn -S http/director.corp.local corp\service_account"

But still the LB SSO won't work: I get the "your session has ended. to continue, please log on" message on the resulting URL "director.corp.local/Director/LogOn.aspx?sessionLost=true&cc=true"

 

I'm having the exact issue you are.

I have only set up the SPN for http/director, but if I amend my local hosts file to point "Director" to one of the 2 servers directly, it works fine. If I go through the NetScaler LB, it fails.

To add to this, I am using SSL on the Director connections (I have also registered the https/Director SPN just in case).

Following this thread whilst I start to Wireshark what is being passed through.


Did anyone ever find a solution to this?

We are currently implementing this with SSL internally, using a Content Switching Virtual Server load balanced across two XenDesktop Controller servers (with Director installed on them). We have followed all the steps in this forum post and in Carl's latest step-by-step instructions. No matter what we do, we still have to log in manually on the Forms page because we are presented with "your session has ended. to continue, please log on", as mentioned by Olly Thompson and fpapineau above.

If anyone has managed to get this to work, please share the steps you followed; it would be greatly appreciated!

Edit: We were finally able to get this to work in our environment by ensuring that all forms of authentication were disabled for Director in IIS apart from Windows authentication, and by ensuring that both useAppPoolCredentials and useKernelMode were set to True (contrary to the steps indicated by Carl in his walk-through).

Edited by msouthw91
Solution found

Here are the steps we followed to fix the single sign-on issue for Citrix Director:

1. Created a service account for Citrix Director in AD.

2. Registered an SPN for the URL of the Citrix Director website.

3. Enabled Kerberos delegation for the service account and the Director computer account.

4. Updated the service.discoveryaddress in Application Settings in IIS on the Citrix Director server.

5. Updated useAppPoolCredentials and useKernelMode to true in Configuration Editor.

6. Disabled all other authentication methods.

7. Configured domain policies to:

  • Add the Director site to trusted sites (value = 2)
  • Automatic logon with current username and password

Regards,

Prabh
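
An audit script for the prerequisites collected in this thread (Fabien's per-server settings, msouthw91's IIS authentication fix and Prabh's steps), added here as an example and not posted by any of the participants. It assumes a Director site path of 'Default Web Site/Director' and an app pool named 'Director' (both assumptions); the account corp\service_account and the LB name director.corp.local are the thread's own, and it needs the WebAdministration and ActiveDirectory (RSAT) modules on the Director server.

```powershell
# Added example (not from the thread): check the Kerberos SSO prerequisites for a
# load-balanced Director site. Assumed names: site 'Default Web Site/Director',
# app pool 'Director'; corp\service_account and director.corp.local come from the thread.
Import-Module WebAdministration
Import-Module ActiveDirectory

$LbFqdn       = 'director.corp.local'
$SvcAccount   = 'service_account'              # sAMAccountName of corp\service_account
$SiteLocation = 'Default Web Site/Director'    # assumption: adjust to your site path
$AppPool      = 'Director'                     # assumption: adjust to your pool name
$AuthFilter   = 'system.webServer/security/authentication'
$findings     = New-Object 'System.Collections.Generic.List[string]'

function Get-AuthFlag([string]$Section, [string]$Name) {
    # Boolean attributes come back either as [bool] or as an attribute object with .Value
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteLocation `
         -Filter "$AuthFilter/$Section" -Name $Name
    if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
}

# 1. SPN for the load-balanced name: present on the service account, and on nothing else.
#    A duplicate SPN (e.g. also on a computer account) makes the KDC issue tickets the pool cannot decrypt.
$svc = Get-ADUser -Identity $SvcAccount -Properties ServicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($svc.ServicePrincipalName -notcontains "HTTP/$LbFqdn") { $findings.Add("HTTP/$LbFqdn is not registered on $SvcAccount") }
$owners = @(setspn -Q "HTTP/$LbFqdn" | Where-Object { $_ -match '^CN=' })
if ($owners.Count -gt 1) { $findings.Add("HTTP/$LbFqdn is registered on $($owners.Count) objects: $($owners -join '; ')") }

# 2. Delegation on the service account: unconstrained (TrustedForDelegation) or constrained (msDS-AllowedToDelegateTo).
if (-not ($svc.TrustedForDelegation -or $svc.'msDS-AllowedToDelegateTo'.Count -gt 0)) {
    $findings.Add("$SvcAccount has no Kerberos delegation configured")
}

# 3. The app pool must run as that account, otherwise the ticket for HTTP/$LbFqdn cannot be decrypted.
$pool = Get-Item "IIS:\AppPools\$AppPool"
if ($pool.processModel.identityType -ne 'SpecificUser' -or $pool.processModel.userName -notmatch "\\$SvcAccount$") {
    $findings.Add("app pool $AppPool runs as '$($pool.processModel.userName)', expected corp\$SvcAccount")
}

# 4. Windows auth on and bound to the pool account (kernel mode too, as the solution post found);
#    anonymous and basic auth off so IIS never falls back to a credential prompt.
foreach ($flag in 'enabled', 'useAppPoolCredentials', 'useKernelMode') {
    if (-not (Get-AuthFlag 'windowsAuthentication' $flag)) { $findings.Add("windowsAuthentication/$flag is false") }
}
foreach ($other in 'anonymousAuthentication', 'basicAuthentication') {
    if (Get-AuthFlag $other 'enabled') { $findings.Add("$other is still enabled on the Director site") }
}

if ($findings.Count -eq 0) { 'All Director SSO prerequisites look correct.' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it on each load-balanced Director node: a node that passes on its own FQDN but fails only on the LB name usually shows up in check 1 or 3 here.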
