
User who has multiple domains but same username and password is authenticated to only one storefront site via LDAP



Here’s the scenario:

John Smith has the username of RZK3DT

John is a part of two domains, NA and CORP

He has one password that is synced to both accounts

 

When John logs into his Citrix environment via the NS Gateway with corp\RZK3DT and his synced password, and the credentials are passed through, StoreFront presents him with his NA StoreFront resources, not the one CORP resource that he should have.

 

Now when John changes his password on his CORP account, he is able to see his one Citrix asset.

 

Have you guys seen a case where AD/Citrix is unable to make the distinction for the same username and password when each account resides in a different domain?

 

We have this scenario right now with users who are now "inherited" by the company but have their own domain for some resources; thus they have TWO domains but the same username and password for both.


There are a lot of things that can affect what is going on here:

Is there one StoreFront being used for both domains, or separate StoreFronts for each?

Does StoreFront request info from multiple CVAD sites or a single one?

Is the gateway passing the correct single sign-on domain to StoreFront?

And how is the authentication on the domain handled: single domain selection via dropdown list or a policy cascade?

 

To clarify what you are expecting: you want John to be able to use either NA or CORP on one gateway, get to one StoreFront, and have it fetch the NA or CORP resources respectively? (But you aren't having the user specify the domain using a domain drop-down list OR by UPN logon instead?) Either of these would likely prevent the current issues; but my guess is you have a policy cascade and aren't submitting the specific SSON domain to StoreFront... but I would need more info.

 

The fact that you are getting an overlap means you likely have some conflicting settings.

It is possible to keep the NA and CORP resources separate, but you need to do a few things differently than you are. But before trying to "fix" it, I would clarify the exact scenario you are in and what exactly you want the results to be.

 

 


Hi Rhonda, I'm answering your question under my personal Citrix forum account and not my work account, which I didn't mean to use... :).

 

There are a lot of things that can affect what is going on here:

Is there one StoreFront being used for both domains, or separate StoreFronts for each? There are TWO StoreFront servers that are used in a StoreFront server group for propagation. This group is for ALL DOMAINS within the company (NA, CORP, etc.).

Does StoreFront request info from multiple CVAD sites or a single one? There is a SINGLE FQDN URL used (companyvdi.company.com). That URL is actually load balanced for two stores: an external store for external users and an internal store for internal users. That load balancing feat is handled with VIPs for the stores.

Is the gateway passing the correct single sign-on domain to StoreFront? There is no single sign-on. Depending on how the user comes in from NS Gateway, they are directed to the proper authentication. External users are required to use MFA to authenticate; internal users utilize their username and password. Authentication is done on two VIPs, one each for the two domains in the environment. The LDAP order of authentication is NA first, then CORP, for the user.

And how is the authentication on the domain handled: single domain selection via drop-down list or a policy cascade? It is a policy cascade... no domain drop-down.

 

Now what I found during the course of the day is the following:

* The users in CORP are allowed to SYNC their passwords in both domains (I'm no fan of this because it can lead to issues like this one)

* For MFA, it appears that there are MULTIPLE domain accounts for this particular set of users

 

When I had John unsync his password on one of the accounts he had, he could authenticate properly to the appropriate resources without issue. Keep this in mind: I only wanted CORP users to access their resources, not authenticate to the NA resources/StoreFront page, as they would not have anything there.

 

Once John was able to authenticate to his CORP resources internally with his new password, I then had him try to do so via a hotspot to test his MFA authentication. That is where we found out that, because he and other users in the CORP domain had multiple accounts in the MFA portal, he would get an invalid credentials entry on the external NetScalers that would say RADIUS: invalid credentials for RZK3DT.

 

Working with the MFA team, they found the issue of the multiple domains and they disabled the NA MFA account. Once that account was disabled, John was able to authenticate properly via MFA with his CORP\RZK3DT credentials.

 

The lessons learned from this were the following:

* In a multi-domain environment, users should NOT have multiple MFA accounts

* For accounts in the CORP domain, the AD team suggested using the CORP.COMPANY.COM\RZK3DT username entry to help distinguish the synced accounts (still not liking that syncing of passwords)

 

In this scenario I also found that my environment wasn't the only one suffering from this issue; this is actually a known issue, and many things that use AD have had issues with the MFA component.

 

Let's just say...it's been a long day.

 

Thanks for responding....

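Added illustration (not code from this thread, from Citrix, or from either poster) of why the policy cascade Rhonda asked about and the synced passwords described above produce the NA-first symptom, and why the domain-qualified logon (CORP.COMPANY.COM\RZK3DT) or a UPN logon fixes it. The directory contents and passwords are constructed; the NA DNS suffix na.company.com is an assumption (the thread names only CORP.COMPANY.COM); a real LDAP bind is replaced by a dictionary lookup, and the `select_by_domain` flag is a simplified model of the two approaches discussed, not a NetScaler parameter.

```python
"""Model of a two-domain LDAP policy cascade with synced passwords.

Added example, not from the thread. All directory data is constructed;
na.company.com is an assumed DNS name. ldap_bind() stands in for a
simple bind against one domain's LDAP server.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LdapPolicy:
    netbios: str    # NetBIOS domain name the LDAP server answers for
    dns_name: str   # DNS name of the same domain (assumed for NA)
    priority: int   # cascade order: lower value is tried first


# Thread's order: NA first, then CORP.
POLICIES = (
    LdapPolicy("NA", "na.company.com", 100),
    LdapPolicy("CORP", "corp.company.com", 110),
)

# Constructed directories: {domain: {sAMAccountName: password}}.
SYNCED = {
    "NA":   {"RZK3DT": "Winter2024!"},
    "CORP": {"RZK3DT": "Winter2024!"},   # same password in both domains
}
UNSYNCED = {
    "NA":   {"RZK3DT": "Winter2024!"},
    "CORP": {"RZK3DT": "Spring2025!"},   # CORP password changed, as John did
}


def ldap_bind(directory: Dict[str, Dict[str, str]], domain: str,
              sam: str, password: str) -> bool:
    """Stand-in for a simple bind. An empty password is rejected explicitly:
    against real AD an empty-password bind succeeds as anonymous, which a
    naive cascade would otherwise count as a valid logon."""
    if not password:
        return False
    return directory.get(domain, {}).get(sam) == password


def resolve_domain(name: str) -> Optional[str]:
    """Map 'corp', 'CORP.COMPANY.COM' or a UPN suffix to a policy's NetBIOS name."""
    for p in POLICIES:
        if name.lower() in (p.netbios.lower(), p.dns_name.lower()):
            return p.netbios
    return None


def parse_logon(logon: str) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user, user@suffix or a bare user into (domain hint, sAMAccountName)."""
    if "\\" in logon:
        dom, sam = logon.split("\\", 1)
        return resolve_domain(dom), sam
    if "@" in logon:
        sam, suffix = logon.rsplit("@", 1)
        return resolve_domain(suffix), sam
    return None, logon


def authenticate(directory: Dict[str, Dict[str, str]], logon: str,
                 password: str, select_by_domain: bool = False) -> Optional[str]:
    """Return the NetBIOS domain whose bind accepted the credentials, or None.

    select_by_domain=False models a plain cascade: the first policy whose bind
      succeeds wins, and the typed domain is only stripped off the user name.
    select_by_domain=True models a domain drop-down or UPN logon: the hint
      selects the single policy to try.
    """
    hint, sam = parse_logon(logon)
    for policy in sorted(POLICIES, key=lambda p: p.priority):
        if select_by_domain and hint is not None and policy.netbios != hint:
            continue
        if ldap_bind(directory, policy.netbios, sam, password):
            return policy.netbios
    return None


if __name__ == "__main__":
    pw = "Winter2024!"
    print("cascade, synced, CORP\\RZK3DT ->", authenticate(SYNCED, "CORP\\RZK3DT", pw))
    print("cascade, unsynced, new pw    ->", authenticate(UNSYNCED, "CORP\\RZK3DT", "Spring2025!"))
    print("domain-selected, synced      ->", authenticate(SYNCED, "CORP.COMPANY.COM\\RZK3DT", pw, True))
    print("UPN logon, synced            ->", authenticate(SYNCED, "RZK3DT@corp.company.com", pw, True))
```

With the cascade and a synced password the NA bind is tried first and succeeds, so John lands on NA even though he typed CORP; changing the CORP password makes the NA bind fail and the cascade falls through to CORP, which is what was observed. Selecting the policy from the typed domain or UPN removes the dependence on bind order altogether.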
