Jump to content
Welcome to our new Citrix community!

Load Balancing Citrix Directory not working perfect


Recommended Posts

Hello,

 

we have 2 citrix director servers running since version 1903. Both servers are load balanced through a citrix adc 12.1 build 55. On both director servers, for single sign on, i configure a kerberos account.

The authentication is working fine. 

 

After some ours, i browse to the director website (without closing the browser before) i got the login form, so single sign on is not working. Then, i open a new tab and single sign on is working. But within the first tab, login is not possible.

for me, it sounds like a persistent or cookie issue.

 

On both director servers on the website i configure the session state to 720 minutes and on the load balancer vserver is configure a persistent cookie with a timout of 720 minutes.

Have is something forgotten ?

Link to comment
Share on other sites

What timeout are you setting the cookie persistence too and did you customize the director timeout?

Are your NetScaler cookies set to version 0 or version 1 and is the system clock/timezone properly set and time synchronized on the adc and director servers.  

If still a problem, ensure cookie version 0 is set (system > settings > change http parameters)

Or try setting the load balance persistence to cookie timeout 0 OR try changing persistence to sourceip and the appropriate timing.

 

Please note in some of the versions of 12.1, the cookie timeout fields do not display in the GUI unless you change persistence and reselect it to get the fields to render (I saw this in 12.1.5x.y...i don't remember which 5x build we were on 12.1.51 or .55, but might be fixed in later builds; haven't compared to know for sure.)

 

Its a possibility that the kerberos authentication cookie isn't as long as the website cookie and causing a problem.  Also, the new tab vs. existing tab.  I think when you start a new tab with a new authentication, it may overwrite your original authentication cookie.  If you can try by first changing persistence from cookie to sourceip to see if it makes a different and then kerberos on vs off, you might be able to isolate whether its the kerberos issue or the persistence issue.  During testing, you might want to shorten the timeouts just to make it is easier to repro and isolate the issue. If you can't do that, then work with the times you have but see if you can identify if there is a specific timeout being hit.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...