
Load balance Director with SSO enabled gives "Your session has ended. To continue, log on."

Filip Schepers1709162530


Our environment: CVAD 1912 LTSR CU3


We configured SSO on Director and did the following:

1. Created a service account in AD

2. Created an SPN based on our VIP URL with that service account

3. Enabled Kerberos delegation on the service account

4. Changed the identity in the application pool of Director (IIS) to the service account

5. Updated the useAppPoolCredentials and useKernelMode credentials to true in Configuration Editor

6. Only enabled "Windows authentication" on our IIS Director servers

7. Our VIP LB URL is configured to run under "Local intranet", where we have enabled "Automatic logon with current username and password"


When we go to our Director LB VIP we see the warning message "Your session has ended. To continue, log on." Also, in the address bar we see /Director/LogOn.aspx?sessionLost=true&cc=true


We already checked the persistence of our LB, and configured it with COOKIEINSERT or SOURCEIP, but without any change.

The following discussion also mentions this: https://discussions.citrix.com/topic/390389-director-sso-with-ns-lb-not-working/ but without any solution.


Does anyone have any idea or suggestion?


Many thanks in advance,

Filip S.
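
A read-only way to confirm steps 1 to 6 on one Director server, as an added example that is not part of the original post. The VIP name, account name, app pool name and IIS location are placeholder assumptions, and the script needs the WebAdministration and ActiveDirectory modules.

```powershell
# Added example: read-only check of steps 1-6 from the post above.
# Every value in this block is a placeholder/assumption, not from the post.
Import-Module WebAdministration
Import-Module ActiveDirectory

$VipFqdn  = 'director.example.local'     # placeholder: load-balanced VIP name
$SvcAcct  = 'svc-director'               # placeholder: service account name
$AppPool  = 'Director'                   # assumption: Director app pool name
$SitePath = 'Default Web Site/Director'  # assumption: IIS location of Director

# Steps 1-3: account exists, holds the HTTP SPN for the VIP, delegation is set
$user = Get-ADUser $SvcAcct -Properties ServicePrincipalName,
            TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$spn  = "HTTP/$VipFqdn"
# An SPN registered on more than one account makes Kerberos ticket use fail,
# so count every AD object that carries it (expected: exactly 1).
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

# Step 4: identity the Director application pool runs as
$pm = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel

# Steps 5-6: authentication settings at the Director location
function Get-AuthSetting([string]$Section, [string]$Name) {
    $f = "system.webServer/security/authentication/$Section"
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $SitePath -Filter $f -Name $Name).Value
}

[pscustomobject]@{
    SpnOnServiceAccount   = $user.ServicePrincipalName -contains $spn
    SpnOwnerCount         = $spnOwners.Count
    TrustedForDelegation  = $user.TrustedForDelegation
    AllowedToDelegateTo   = $user.'msDS-AllowedToDelegateTo' -join ', '
    AppPoolIdentityType   = $pm.identityType   # SpecificUser after step 4
    AppPoolUser           = $pm.userName
    WindowsAuthEnabled    = Get-AuthSetting 'windowsAuthentication' 'enabled'
    AnonymousAuthEnabled  = Get-AuthSetting 'anonymousAuthentication' 'enabled'
    UseAppPoolCredentials = Get-AuthSetting 'windowsAuthentication' 'useAppPoolCredentials'
    UseKernelMode         = Get-AuthSetting 'windowsAuthentication' 'useKernelMode'
} | Format-List
```

Run it on each Director server behind the VIP and compare the output, since a mismatch between back-end servers is easy to miss when testing through the load balancer.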



2 answers to this question


Yes, in fact we changed the protocol on our NetScaler load balancer to SSL_BRIDGE instead of SSL.


So like this:

add service svc_director1 srv_server1.domain SSL_BRIDGE 443
add service svc_director2 srv_server2.domain SSL_BRIDGE 443
add lb vserver vsrv_Director SSL_BRIDGE <VIP_address> 443
bind lb vserver vsrv_Director svc_director1
bind lb vserver vsrv_Director svc_director2


Let's hope it will also fix your problem.


Of course, when you connect to the Director URL you need to manually type /Director at the end of your FQDN.

That is because SSL_BRIDGE is in fact a stupid load balancer that sends everything to the backend Director servers, without doing any SSL interception/inspection.

