
Director single sign-on and constrained delegation

Guest Graham Powell

I'm trying to get Director configured for single sign-on, but all of the instructions I have seen ask me to configure the service account using unconstrained delegation, i.e. in the account's Active Directory properties, on the "Delegation" tab, I'm supposed to use "Trust this user for delegation to any service (Kerberos only)". But in my organization that is considered a vulnerability. I need to be able to instead choose "Trust this user for delegation to specified services only".


I have done this, and created records with service type "Host" for each of the Director servers, and also created records with type "http" for each server and for the generic URL, but single sign-on is still failing. Does anyone have any recommendations on how to get constrained delegation working for Director?

  1. Verify proper SPNs for the Delivery Controller computer accounts.
    1. setspn -L <COMPUTER>
    2. The computer account should have http and host records for the NETBIOS and FQDN
  2. Ensure that delegation is properly configured for the computer account hosting Director. 
    1. Trust this computer for delegation to the specified services only
    2. Use Kerberos Only
    3. GC -> Domain Controllers
    4. LDAP -> Domain Controllers
    5. HOST -> Delivery Controllers
    6. HTTP -> Delivery Controllers
  3. On the machine hosting Director, open IIS Manager, expand the Server node in the Connections list, and click Application Pools.
  4. Right-click the Director Application Pool and select Advanced Settings.
  5. Select the Identity property row, and click the ellipses button to open the Application Pool Identity window. Select the Built-In account option and select NETWORK SERVICE from the drop-down menu. Click OK, and click OK once more to set the Application Pool Identity. Click Recycle in the Actions Pane to restart the Director Application Pool.
  6. Enable Windows Authentication for the website hosting Director. To do this, expand the Sites node under the Server node in the Connections panel and expand the Web Site hosting Director. In the middle panel under the IIS section, double-click Authentication. In the Authentication panel, right-click Anonymous Authentication and select Disable. Right-click Windows Authentication and select Enable. Ensure only Windows Authentication is enabled. 
  7. Right-click Windows Authentication and select Providers. Verify that Negotiate and NTLM are enabled, and click Cancel.
    1. If one or both of them are not listed, select it from the list of available providers and click Add.
  8. In the Connections list, click the Director node to view its properties panel, and in the middle panel under the Management section, double-click Configuration Editor. From the Section drop-down list, expand the system.webServer node > the security node > the authentication node, and select windowsAuthentication.
    1. Set the useAppPoolCredentials property to True.
  9. In the Connections list, click the Director node to view its properties panel, and in the middle panel under the Management section, double-click Configuration Editor. Click Add in the Actions pane and create a Setting with name AllowKerberosConstrainedDelegation and Value of 1. Click OK.
  10. In the Connections panel, select the web Server name, and in the Actions panel, click Restart to apply the changes.
  11. Close IIS Manager.
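The answer above is a sequence of GUI steps, so here is a read-only audit script that checks the same things from PowerShell: the HOST/HTTP SPNs on the Delivery Controller accounts (step 1), the Director computer account's delegation settings (step 2, including a check that unconstrained delegation is NOT set, which is what the question objects to, and that protocol transition is off so it stays Kerberos only), and the IIS settings from steps 5 to 9. This is an added example, not code from the thread or from Citrix. It assumes the RSAT ActiveDirectory and IIS WebAdministration modules are available, that it runs elevated on the Director server, that the Director application lives under 'Default Web Site' with an application pool named 'Director', and that AllowKerberosConstrainedDelegation is stored as an appSettings entry; the server names DIRECTOR01, DDC01 and DDC02 are placeholders.

```powershell
#Requires -Modules ActiveDirectory, WebAdministration
# Added audit script (not from the original thread). It only reads AD and IIS configuration
# and returns a list of findings; an empty list means every check passed.

function Test-DirectorDelegation {
    param(
        [Parameter(Mandatory)][string]$DirectorServer,         # NetBIOS name, e.g. DIRECTOR01 (placeholder)
        [Parameter(Mandatory)][string[]]$DeliveryControllers,  # NetBIOS names, e.g. DDC01, DDC02 (placeholders)
        [string]$DnsDomain = (Get-ADDomain).DNSRoot,
        [string]$SiteName  = 'Default Web Site',               # assumption: site hosting Director
        [string]$AppName   = 'Director'                        # assumption: application and app pool name
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $ddcNames = @()
    foreach ($ddc in $DeliveryControllers) { $ddcNames += $ddc; $ddcNames += "$ddc.$DnsDomain" }
    $dcNames  = @(Get-ADDomainController -Filter * | ForEach-Object { $_.Name; $_.HostName })

    # Step 1: each Delivery Controller needs HOST and HTTP SPNs for NetBIOS and FQDN
    # (the same entries 'setspn -L <COMPUTER>' would print).
    foreach ($ddc in $DeliveryControllers) {
        $acct = Get-ADComputer -Identity $ddc -Properties servicePrincipalName
        foreach ($svc in 'HOST', 'HTTP') {
            foreach ($name in $ddc, "$ddc.$DnsDomain") {
                if ($acct.servicePrincipalName -notcontains "$svc/$name") {
                    $findings.Add("MISSING SPN on ${ddc}: $svc/$name")
                }
            }
        }
    }

    # Step 2: Director's computer account must be constrained (msDS-AllowedToDelegateTo),
    # Kerberos only (no protocol transition) and never unconstrained.
    $dir = Get-ADComputer -Identity $DirectorServer -Properties 'msDS-AllowedToDelegateTo',
        'TrustedForDelegation', 'TrustedToAuthForDelegation'
    if ($dir.TrustedForDelegation) {
        $findings.Add("$DirectorServer is trusted for UNCONSTRAINED delegation (any service)")
    }
    if ($dir.TrustedToAuthForDelegation) {
        $findings.Add("$DirectorServer allows 'any authentication protocol'; expected Kerberos only")
    }
    $allowed = @($dir.'msDS-AllowedToDelegateTo')
    $expectedTargets = @{ HOST = $ddcNames; HTTP = $ddcNames; GC = $dcNames; LDAP = $dcNames }
    foreach ($entry in $allowed) {
        # Entry shapes: HOST/ddc01, HTTP/ddc01.corp.example, GC/dc01.corp.example/corp.example
        $svc, $rest = $entry -split '/', 2
        $target = (($rest -split '/')[0]) -replace ':\d+$', ''
        $svcKey = $svc.ToUpper()
        if (-not $expectedTargets.ContainsKey($svcKey)) {
            $findings.Add("Delegation to unexpected service type: $entry")
        } elseif ($expectedTargets[$svcKey] -notcontains $target) {
            $findings.Add("Delegation target outside expected DDC/DC set: $entry")
        }
    }
    foreach ($name in $ddcNames) {
        foreach ($svc in 'HOST', 'HTTP') {
            if ($allowed -notcontains "$svc/$name") {
                $findings.Add("Constrained delegation list is missing $svc/$name")
            }
        }
    }

    # Steps 5-9: application pool identity and site authentication settings in IIS.
    $pool = Get-ItemProperty "IIS:\AppPools\$AppName"
    if ($pool.processModel.identityType -ne 'NetworkService') {
        $findings.Add("App pool '$AppName' identity is $($pool.processModel.identityType); expected NetworkService")
    }
    $path   = "IIS:\Sites\$SiteName\$AppName"
    $winF   = 'system.webServer/security/authentication/windowsAuthentication'
    $anonF  = 'system.webServer/security/authentication/anonymousAuthentication'
    $winOn  = (Get-WebConfigurationProperty -PSPath $path -Filter $winF  -Name enabled).Value
    $anonOn = (Get-WebConfigurationProperty -PSPath $path -Filter $anonF -Name enabled).Value
    $uapc   = (Get-WebConfigurationProperty -PSPath $path -Filter $winF  -Name useAppPoolCredentials).Value
    if (-not $winOn) { $findings.Add('Windows Authentication is not enabled on the Director application') }
    if ($anonOn)     { $findings.Add('Anonymous Authentication is still enabled on the Director application') }
    if (-not $uapc)  { $findings.Add('windowsAuthentication/useAppPoolCredentials is not True') }
    $providers = Get-WebConfigurationProperty -PSPath $path -Filter "$winF/providers" -Name collection |
        ForEach-Object { $_.value }
    foreach ($p in 'Negotiate', 'NTLM') {
        if ($providers -notcontains $p) { $findings.Add("Windows Authentication provider $p is not listed") }
    }
    # Assumption: the AllowKerberosConstrainedDelegation setting is stored under appSettings.
    $kcd = Get-WebConfigurationProperty -PSPath $path `
        -Filter "appSettings/add[@key='AllowKerberosConstrainedDelegation']" -Name value
    if ($null -eq $kcd -or "$($kcd.Value)" -ne '1') {
        $findings.Add('AllowKerberosConstrainedDelegation is missing or not set to 1')
    }
    return $findings
}

# Example invocation (placeholder names):
# Test-DirectorDelegation -DirectorServer 'DIRECTOR01' -DeliveryControllers 'DDC01', 'DDC02'
```

The delegation check is deliberately stricter than "is something configured": any msDS-AllowedToDelegateTo entry whose service type is not HOST/HTTP/GC/LDAP, or whose target is not one of the Delivery Controllers or domain controllers, is reported, so the list stays as narrow as the answer describes.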
