Jens Ostkamp

Posts posted by Jens Ostkamp

  1. Hello everyone

     

    I am currently experiencing issues with network drive connections after establishing an SSL VPN connection (split tunnel).

    I'm running Citrix Gateway 12.1 and using SSL VPN. Basically everything works fine, but when I try to click on one of my mapped network drives, it always prompts me for authentication with the error message "The system cannot contact a domain controller to service the authentication request. Please try again later." - after manually entering the credentials below this error message, it authenticates successfully and the network drive can be used afterwards.

    Since my clients used the SSL VPN from Sophos before, where this was never an issue and network drives just reconnected by themselves after establishing a VPN connection without any user interaction, I would like to implement this again.

    It doesn't matter if I try to access through apps or Explorer. After authenticating manually once, all network drives work well. When I don't use the mapped network drive and try to enter the location of the mapped drive manually (\\fileshare01\abc\) it prompts for authentication as well.

    From my understanding, SSL VPN has issues passing through the Windows credentials? Or does the Gateway Plugin use the credentials entered when authenticating to SSL VPN? Because I only have a RADIUS and a non-auth LDAP (for group extraction).

     

    NetScaler build is: 12.1 61.18

     

    Thanks very much in advance

  2. I am currently experiencing the same issues. Did someone fix this issue or even have it as well?

    I'm running Citrix Gateway 12.1 and using SSL VPN. Basically everything works fine, but when I try to click on one of my mapped network drives, it always prompts me for authentication with the error message "Could not contact Domain controller" - after manually entering the credentials, it authenticates successfully and the network drive can be used afterwards.

    Since my clients used the SSL VPN from Sophos before, where this was never an issue and network drives just reconnected by themselves after establishing a VPN connection without any authentication mechanisms, I would like to implement this again.

    Guess I will have to raise a support ticket as well, or is this a 12.1 build thing which is fixed in 13.0?

    NetScaler build is: 12.1 61.18

     

    Basically the same issue Jamey had.

     

    Thanks very much in advance

  3. 21 minutes ago, Roman Dario Lemes Gonzalez said:

    Traffic from NSGW to STA should use Netprofile bound to VPN Gateway, only monitor traffic is the one will not honor this. If this is not the case, open a case with Citrix Support. What version are u running? 13.0.64.x should work good.

     

    Thanks

    Hey,

     

    I am using the latest 12.1 build. It should work with that as well, I guess?

    I will be doing some tests regarding your feedback; maybe I saw the monitor packets in my packet trace.

    What is about the ICA traffic to worker server?

     

    thanks again!

  4. 20 minutes ago, Roman Dario Lemes Gonzalez said:

    Hello,

     

    Netprofile won't work for dynamically generated services (like STA, nor SF monitor). I've opened an enhancement already for this purpose. As a workaround for STA and other dynamically generated services you could bind the netprofile to those monitors directly and it will be used at that point. Downside of this approach is if you have multiple Gateways on the same appliance all will use the same netprofile for those monitors as configured before.

     

    Thanks

    Hey,

     

    thank you very much for your response!

    So, if I bind that net profile to the monitor - will only the monitor use the dedicated SNIP? Because as soon as a user connects over Gateway, there will be traffic to STA, SF and Worker for that user, and I need to ensure that ALL traffic goes over that one SNIP to these three backends, since my client wants to separate firewall policies by service (hence the different SNIPs).

     

    Thank you for your support!

     

    Best regards

  5. Hey everyone,

     

    I'm having difficulties telling my NetScaler to use a specific SNIP for all traffic of one vServer on my Gateway.

    Background is that I want to separate service communication with different SNIPs (for example SNIP-exchange, SNIP-Citrix, SNIP-Radius etc.). This works well for each service; only when I bind my net profile to the Citrix Gateway vServer does it just get ignored and act as if no net profile were bound at all (round robin from all SNIPs).

    I could work around that by adding an LB vServer (even though just one SF / DDC exists) with the StoreFront server behind it and binding the net profile to this LB vServer/service. The problem is that STA communication (and I guess worker communication as well, but I didn't get that far to test it) is not easily done this way, as STA will fail when I target it at an LB vServer and my StoreFront Gateway configuration isn't pointing to these exact same LBs (which I obviously want to avoid as it creates a weird network route for STAs).

     

    So - did I do/think something wrong implementing net profiles on my Gateway or is it a known bug? 

     

    Thank you very much in advance for any help! :)

     

    Best regards

     

  6. Hey Carl,

     

    thanks for the hint, unfortunately this didn't solve anything. Still getting these messages within my nsepa.txt file:

     

    >]
    09:25:55.720 | DEBUG   | Path to be opened : C:\Users\xxxxx\AppData\Local\Citrix\AGEE\epaPackage.exe
    09:25:55.876 | DEBUG   | downloaded total 980904 bytes
    09:25:55.923 | DEBUG   | ns_HTTPrequest return value is: 980904
    09:25:55.923 | DEBUG   | ns_verifyfile: called
    09:25:55.954 | DEBUG   | ns_verifyTrustedCert success
    09:25:55.954 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
    09:25:55.954 | DEBUG   | ns_verifyfile returns 1
    09:25:55.954 | DEBUG   | EPA lib path is non-ansi
    09:26:01.975 | DEBUG   | ns_verifyfile: called
    09:26:02.007 | DEBUG   | ns_verifyTrustedCert success
    09:26:02.007 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
    09:26:02.007 | DEBUG   | ns_verifyfile returns 1
    09:26:02.007 | DEBUG   | EPA library couldn't be loaded ..
    09:26:02.007 | DEBUG   | Failed to load EPA library 
    09:26:02.007 | DEBUG   | Faield to initialize EPA library 
    09:26:02.007 | DEBUG   | ns_EvalPolicy: BROWSER_60000 returns 2003
    09:26:02.007 | EVENT   | ns_EvalPolicy returns 2003
    09:26:02.007 | DEBUG   | ns_free_dependspol:num_mallocPolicyBuffer=0
    09:26:02.007 | DEBUG   | Memory has been allocated for the buffer. 
    09:26:02.007 | DEBUG   | Memory has been allocated for the buffer. 
    09:26:02.007 | EVENT   | Making GET request to https://vpn.xxxxxxx.de:443epas
    09:26:02.007 | VERBOSE | [<GET epas HTTP/1.1
    Cookie: NSC_EPAC=********************************
    CSEC: JFELn8TbOI6JUdFBHAkCpA==


     post body information is hidden >]
    09:26:02.022 | DEBUG   | downloaded total 225 bytes
    09:26:02.022 | DEBUG   | ns_HTTPrequest return value is: 225
    09:26:02.022 | DEBUG   | Received headers size 80
    09:26:02.022 | DEBUG   | Login failed due to EPA Scan
    09:26:02.022 | DEBUG   | No EPA scan failure. We won't add header for error messages
    09:26:02.022 | DEBUG   | ns_start_epa returning Case ID : 5fc3d
    09:26:02.022 | DEBUG   | num_mallocPolicyBuffer=0
    09:26:02.022 | DEBUG   | releasing buffers
    09:26:02.022 | DEBUG   | ns_StopSSL called
    09:26:02.022 | DEBUG   | ns_UnloadSecurityLibrary done
    09:26:02.022 | EVENT   | EPA has successfully completed
    09:26:02.022 | DEBUG   | EPA complete. stop showing progressbar 
    09:26:02.043 | DEBUG   | ShowEPADialog returned 1 

  7. I need to bring this topic up again - I have the same problem currently with OPSWAT scans and my log telling me:

    12:38:15.489 | EVENT   | EPA packge doesn't exist on disk. Error code : 3l

     

    and:

     

    17:00:11.567 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
    17:00:11.567 | ERROR   | downloadEpaLib | 295 | Failed to verify downloaded EPA library
    17:00:11.567 | DEBUG   | ns_verifyfile: called
    17:00:11.568 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
    17:00:11.568 | ERROR   | checkAndLoadEPALib | 517 | Failed to verify EPA DLL
    17:00:11.568 | ERROR   | initEPAlib | 701 | Failed to load EPA library 
    17:00:11.569 | ERROR   | epaLibScan | 786 | Faield to initialize EPA library 

     

    and

     

    17:25:42.992 | DEBUG   | Path to be opened : C:\Users\xxxx\AppData\Local\Citrix\AGEE\epaPackage.exe
    17:25:43.071 | DEBUG   | downloaded total 980904 bytes
    17:25:43.117 | DEBUG   | ns_HTTPrequest return value is: 980904
    17:25:43.117 | DEBUG   | ns_verifyfile: called
    17:25:43.227 | DEBUG   | ns_verifyTrustedCert success
    17:25:43.227 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
    17:25:43.227 | DEBUG   | ns_verifyfile returns 1
    17:25:43.242 | DEBUG   | EPA lib path is non-ansi
    17:25:47.617 | DEBUG   | ns_verifyfile: called
    17:25:47.633 | DEBUG   | ns_verifyTrustedCert success
    17:25:47.633 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
    17:25:47.633 | DEBUG   | ns_verifyfile returns 1
    17:25:47.633 | DEBUG   | EPA library couldn't be loaded ..
    17:25:47.633 | DEBUG   | Failed to load EPA library 
    17:25:47.633 | DEBUG   | Faield to initialize EPA library 
    17:25:47.633 | DEBUG   | ns_EvalPolicy: BROWSER_60000 returns 2003
    17:25:47.633 | EVENT   | ns_EvalPolicy returns 2003
    17:25:47.633 | DEBUG   | ns_free_dependspol:num_mallocPolicyBuffer=0
    17:25:47.633 | DEBUG   | Memory has been allocated for the buffer. 
    17:25:47.633 | DEBUG   | Memory has been allocated for the buffer. 

     

     

     

    I have tried a simple scan checking for the browser I'm using to connect to the VPN, which obviously must work, but it doesn't.

    A classic expression scan (for example checking for my source ip) does work.

     

    The described workarounds don't work for me; the NetScaler version used is 11.1 64.14.

     

    I have tested 3 different clients and two different NetScalers (the other one is 12.1 newest build). All show the same behaviour.

    Policy Expression:

     

    CLIENT.APPLICATION(BROWSER_90_100) EXISTS

     

    Profile has nothing specified other than "allow".

     

    Thank you very much in advance.

     

     

    best regards
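The two nsepa.txt excerpts above (posts 6 and 7) share a handful of failure signatures: a WinVerifyTrust failure on the downloaded EPA library, the "EPA library couldn't be loaded" pair, a missing package on disk, and a non-zero ns_EvalPolicy result. The following is an added triage helper, not Citrix code: it parses the "HH:MM:SS.mmm | LEVEL | message" format visible in the posts (ERROR lines carry extra "function | line |" fields), counts the signatures, and renders the signed error code WinVerifyTrust logs as an unsigned HRESULT so it can be looked up. The signature labels and the sample lines are constructed here; the sample lines follow the posted log verbatim.

```python
"""Triage helper for Citrix Gateway EPA client logs (nsepa.txt).

Added example, not Citrix code. Assumed line format (taken from the posted
log): "HH:MM:SS.mmm | LEVEL | message", where ERROR lines look like
"HH:MM:SS.mmm | ERROR | function | line | message".
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s*\|\s*(\w+)\s*\|\s*(.*)$")

# Message fragments that mark a failed EPA run, mapped to labels of our own
# (these are not Citrix error classes).
SIGNATURES = {
    "WinVerifyTrust failed": "authenticode_verify_failed",
    "Failed to verify downloaded EPA library": "authenticode_verify_failed",
    "Failed to verify EPA DLL": "authenticode_verify_failed",
    "EPA library couldn't be loaded": "epa_lib_load_failed",
    "Failed to load EPA library": "epa_lib_load_failed",
    "doesn't exist on disk": "epa_package_missing",
    "Login failed due to EPA Scan": "login_denied_by_epa",
}

# Constructed sample, copied from the two posted logs (trailing blanks kept).
SAMPLE_LINES = """\
17:00:11.567 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
17:00:11.567 | ERROR   | downloadEpaLib | 295 | Failed to verify downloaded EPA library
17:25:47.633 | DEBUG   | EPA library couldn't be loaded ..
17:25:47.633 | DEBUG   | Failed to load EPA library 
17:25:47.633 | EVENT   | ns_EvalPolicy returns 2003
12:38:15.489 | EVENT   | EPA packge doesn't exist on disk. Error code : 3l
09:26:02.022 | DEBUG   | Login failed due to EPA Scan
Cookie: NSC_EPAC=********************************
""".splitlines()


def parse_line(line):
    """Return {time, level, func, msg} for a log line, or None for HTTP dump lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, rest = m.groups()
    fields = [f.strip() for f in rest.split("|")]
    # ERROR lines: "function | line | message"; keep the function, use the message.
    func = fields[0] if len(fields) >= 3 else None
    return {"time": ts, "level": level, "func": func, "msg": fields[-1]}


def hresult(code):
    """Render the signed 32-bit value logged by WinVerifyTrust as an HRESULT.

    -2146762496 -> 0x800B0100, which is TRUST_E_NOSIGNATURE in the Windows SDK.
    """
    return "0x%08X" % (code & 0xFFFFFFFF)


def triage(lines):
    """Count failure signatures, collect WinVerifyTrust codes and policy results."""
    findings = Counter()
    trust_codes = set()
    policy_results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for fragment, label in SIGNATURES.items():
            if fragment in rec["msg"]:
                findings[label] += 1
        m = re.search(r"WinVerifyTrust failed (-?\d+)", rec["msg"])
        if m:
            trust_codes.add(hresult(int(m.group(1))))
        m = re.search(r"ns_EvalPolicy returns (\d+)", rec["msg"])
        if m:
            policy_results.append(int(m.group(1)))
    return {
        "findings": dict(findings),
        "trust_codes": sorted(trust_codes),
        "policy_results": policy_results,
    }


def verdict(result):
    """Pick the earliest root cause in the chain download -> verify -> load -> scan."""
    f = result["findings"]
    if "authenticode_verify_failed" in f:
        return "epa-library-signature"   # library downloaded but its signature failed
    if "epa_package_missing" in f:
        return "epa-package-missing"     # download/extract did not leave a package
    if "epa_lib_load_failed" in f:
        return "epa-library-load"        # signature ok, DLL still did not load
    if "login_denied_by_epa" in f:
        return "epa-scan-failed"         # library ran, the policy evaluated to deny
    return "no-known-failure"


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print(r)
    print("verdict:", verdict(r))
```

Reading the verdict order top-down matters: a signature failure is reported before a load failure because, in the posted logs, the DLL load failure is the consequence of the verify failure, not a separate fault.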

  8. Hey,

     

    thank you for your reply. We had documented cases where clients of ours got attacked before Citrix even made the vulnerability public, and other cases where log files got manipulated/deleted. That's why we will re-install every appliance in the wild, no matter whether we could detect a successful attack or not - since this vulnerability has been exploitable forever, we won't take any risks, even though it's not really a trust-supporting thing for our clients regarding Citrix's reputation.

  9. I have had this issue with hanging browser as well. Something with SSL Certificates / bindings seems to be not working correctly.

    I also had an issue where I bound a certificate to a VPN vServer and, after I checked the certificate binding with an external site (sslshopper.com), it still showed the old certificate: the GUI showed me the correct binding, the CLI showed me the old binding. When I tried to unbind the certkey via CLI I got an error message that this certificate doesn't exist. Only after completely re-adding the whole vServer did it work correctly. I only had this issue with the security-fixed 13.0 firmware; older 13.0 firmware worked correctly regarding certificates, but I had other bugs (mentioned in the start post).

  10. Hey everyone,

     

    probably you guys have to deal with the aftermaths of the well known CVE, so I hope someone has some time to answer my question:

     

    I've come across a "list" of "exposed" wildcard certificates on the internet. As we know, compromised ADC appliances held the private key of our (wildcard) certificates, so if an appliance got hijacked it is likely that the attacker could also obtain this critical information.

    So far so bad - I have patched around 30 appliances these days (and some time before hotfixed the same amount) and of course I've always checked with all the tools, scans and bash commands I could find to look for a possible attack on the appliances. Some were compromised, some not. Now to my question again - https://github.com/tijlvdb/wildcarded-citrix-2020/blob/master/exposed_wildcards.txt this list of possibly exposed wildcard certificates got my attention, especially since there is another site around which basically checks for exposed certificates or unpatched appliances as well (and I think regarding the certificate check it relates to this database). Now my problem with this list is that I can find certificates of appliances belonging to me (or my clients) which never showed any sign of attack; I was really fast, implementing the workaround the day it got released and of course patching the appliance as soon as the patches were available. Still, certificates belonging to these appliances show up there, which confuses me a bit, because I can almost certainly rule out a successful attack. On the other hand, as I wrote, I had some compromised appliances which definitely should show up on that list (or the certificates belonging to these appliances), but they don't.

    Does anyone of you know how trustworthy this list is or how the information on these certificates got there? Because I find this really disturbing. I could understand if I found certificates there belonging to one of the compromised appliances I manage, but as I described it doesn't make much sense to me, and I am not sure if I should re-deploy all of the appliances belonging to these certificates or if it's a false alarm.

    Would be really grateful if someone could give me a hint here.

     

    Thanks very much in advance!

     

    best regards

     

     

    edit: now, just as I wrote the post, the GitHub link doesn't seem to work anymore.

    The site which I checked against (and mentioned above regarding the database, which is now not available anymore as it seems) is: https://cve-2019-19781.azurewebsites.net/ I think this site got mentioned a couple of times on other articles about this CVE as well, so I don't know how relatable it is

  11. Just installed the new 13.0 with security fixes and unfortunately Citrix still didn't patch the bug that VPN pages are not accessible (see: https://discussions.citrix.com/topic/406206-issues-after-updating-to-newer-130-firmwares/ )

    This bug has been known for some time now and it is really sad to see, that Citrix still didn't manage to fix this bug when releasing the security fix firmware. Now I am forced to downgrade to 12.1 because of this, since the only 13.0 version without this bug was the initial release which is obviously not available anymore. I really expected more here...

  12. Hey Julian,

     

    thanks for your response.

    Unfortunately, your suggestion would cause Exchange Online requests to fail against NetScaler, as they use /ews for certain requests and don't support pre-authentication. That's why I need to separate Outlook Anywhere /ews requests (with pre-auth) and Exchange Online /ews requests (both use /ews/exchange.asmx) without pre-auth on the same CSW vServer.

    I am currently thinking about extracting a header from Outlook Anywhere for this, but as far as I could look these requests up in Wireshark, Outlook Anywhere doesn't use this header in every request, which would cause some requests to fail and result in an authentication popup on the client side.

     

    Thank you nevertheless :)

     

    Best Regards

    Jens

  13. Hey everyone,

     

    I wanted to get some new ideas regarding Content Switch configuration for exchange hybrid setups with pre-auth on the NetScaler.

    So far I have solved this issue by writing CSW-policies which excludes the specific URLs for Azure request, looking like this:

    ( http.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("owa.domain.com") || http.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("autodiscover.domain.com")) && ( http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/ews/exchange.asmx/wssecurity") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/autodiscover/autodiscover.svc/wssecurity") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/autodiscover/autodiscover.svc") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/ews/mrsproxy.svc") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/metadata/json") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ("/ews/exchange.asmx") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover/autodiscover.json/") || http.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/api") )

     

    The problem with this configuration is that some of my clients don't have UPN and mail configured with the same value. This causes problems when users are trying to set up Outlook from external, because Outlook Anywhere will use the /ews/exchange.asmx/ URL, which will then get bypassed by NetScaler to a non-authentication vServer and the user cannot authenticate to Exchange, because Exchange will not accept the mail address as authentication. I know that this issue will go away when UPN and mail are the same, but until this is the case I need some configuration that will bypass the Azure connections for Hybrid Exchange in another way and not URL-based. I was thinking about source IP, but as far as I know the public addresses are constantly changing on Azure.

     

    So, how do you guys solve Hybrid Exchange configuration nowadays when you have a NetScaler which does pre-authentication for on-prem Exchange users?

     

    Thank you very much in advance and best regards!

     
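The difficulty described in this post and in the reply above it (post 12) is that a URL-based bypass list cannot tell an Exchange Online call to /ews/exchange.asmx from an Outlook Anywhere call to the same URL. The block below is an added example, not NetScaler configuration: it models the CSW expression from this post in Python (the same EQ/STARTSWITH/CONTAINS rules with IGNORECASE, comparing the whole URL as HTTP.REQ.URL does, query string included), evaluates a set of constructed sample requests against it, and reports the URLs where a bypass decision covers more than one client kind. The hostnames are the post's placeholders; the client labels are constructed for the demonstration.

```python
"""Model of the CSW pre-auth bypass policy from the post.

Added example, not NetScaler code. Hostnames are the post's placeholders;
the client labels attached to sample requests are constructed.
"""

BYPASS_HOSTS = {"owa.domain.com", "autodiscover.domain.com"}

# (operator, value) pairs in the order they appear in the posted expression.
BYPASS_URL_RULES = [
    ("eq", "/ews/exchange.asmx/wssecurity"),
    ("eq", "/autodiscover/autodiscover.svc/wssecurity"),
    ("eq", "/autodiscover/autodiscover.svc"),
    ("eq", "/ews/mrsproxy.svc"),
    ("startswith", "/metadata/json"),
    ("eq", "/ews/exchange.asmx"),
    ("contains", "autodiscover/autodiscover.json/"),
    ("startswith", "/api"),
]

# Constructed sample requests: (host, url, client kind). The client kind is
# what the policy cannot see; it is carried along only to show the collision.
SAMPLE_REQUESTS = [
    ("autodiscover.domain.com", "/autodiscover/autodiscover.svc/WSSecurity", "exchange-online"),
    ("owa.domain.com", "/EWS/mrsproxy.svc", "exchange-online"),
    ("owa.domain.com", "/EWS/Exchange.asmx", "exchange-online"),
    ("owa.domain.com", "/EWS/Exchange.asmx", "outlook-anywhere"),
    ("owa.domain.com", "/owa/", "browser"),
    ("owa.domain.com", "/mapi/emsmdb/", "outlook-anywhere"),
]


def url_rule_matches(op, value, url):
    """Mirror SET_TEXT_MODE(IGNORECASE).EQ / STARTSWITH / CONTAINS."""
    u, v = url.lower(), value.lower()
    if op == "eq":
        # EQ compares the complete URL string, so "/ews/exchange.asmx?x=1" does not match.
        return u == v
    if op == "startswith":
        return u.startswith(v)
    if op == "contains":
        return v in u
    raise ValueError("unknown operator: %s" % op)


def bypasses_preauth(host, url):
    """True when the request would be switched to the non-authenticating vServer."""
    if host.lower() not in BYPASS_HOSTS:
        return False
    return any(url_rule_matches(op, v, url) for op, v in BYPASS_URL_RULES)


def route(host, url):
    return "bypass" if bypasses_preauth(host, url) else "preauth"


def collisions(requests):
    """URLs where the bypass decision covers more than one client kind.

    Each entry is a URL the policy sends past pre-auth for both Exchange Online
    and an on-prem client, i.e. exactly the case the post describes.
    """
    by_url = {}
    for host, url, client in requests:
        if route(host, url) == "bypass":
            by_url.setdefault(url.lower(), set()).add(client)
    return {u: sorted(c) for u, c in by_url.items() if len(c) > 1}


if __name__ == "__main__":
    for host, url, client in SAMPLE_REQUESTS:
        print("%-16s %-45s -> %s" % (client, url, route(host, url)))
    print("collisions:", collisions(SAMPLE_REQUESTS))
```

Running the block shows the one collision, /ews/exchange.asmx, which is the URL that both the Exchange Online hybrid calls and the user's Outlook Anywhere client hit. Any rule that only looks at hostname and URL will produce that same row, which is why the post looks for a different discriminator.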

  14. Hey everyone,

     

    I wanted to ask if anyone experiences similar issues when upgrading to newer 13.0 firmware versions?

    I've been using the 36.27 Firmware mostly which works perfectly fine. 

    After updating to one of the newer releases I had a lot of issues I could only fix by downgrading to 36.27 again.

     

    For example:

    41.20 broke pre-auth for Exchange completely (error after trying to SSO me into OWA, which definitely came from NetScaler)

    47.22 constantly showed me "404 not found" when trying to access the two NSGW vServers. Interestingly Receiver Access worked great.

     

    These two issues were on different appliances in different infrastructures.

     

    Can anyone relate to this? So far only 36.27 seems to be stable.

     

    Best regards!

     

  15. 11 hours ago, Ken Zygmunt said:

    Jens

     

    firstly, I'm assuming that you've got full desktops working through NetScaler connecting to RDS Hosts assigned to connection broker(s)?

    Assuming yes, then there's only one change you need to do to get RemoteApps working, and that's to edit the bookmark/add a new bookmark

    Also, all the testing I did assumed that only an RDWebAccess server was installed, not an RDGateway server. If you have an RDGateway server installed, log onto the Connection Broker and disable it.

     

    Firstly, use Chrome to connect to a RDS WebAccess server, log on, and click on a RemoteApp app. This will download the rdp file allowing you to save it/edit it with notepad to view the settings. Copy the following lines from it... (the example below is for a published Windows Calculator)

     

    alternate shell:s:||win32calc

    remoteapplicationprogram:s:||win32calc

    remoteapplicationname:s:Calculator

    remoteapplicationcmdline:s:

    remoteapplicationmode:i:1

     

    The above five lines should be concatenated with an '&' and start with a '?'. i.e

     

    ?alternate shell:s:||win32calc&remoteapplicationprogram:s:||win32calc&remoteapplicationname:s:Calculator&remoteapplicationcmdline:s:&remoteapplicationmode:i:1

     

    Next, go to Citrix Gateway/Resources/Bookmarks and add a new bookmark

     

    Name:   <Anything unique>

    Text to display: <What you want to appear in the browser>

    Bookmark: rdp://<FQDN of one of your RDS Hosts>, e.g. rdshost1.comtoso.com and then add the above concatenated line

    Tick 'Use Citrix Gateway as a Reverse Proxy'

    Save Settings

     

    NOTE: the bookmark should point to one of your RDS hosts, NOT the connection broker!!!!!!!!!!!!!

     

    so, assuming your bookmark is the example above, the bookmark should have

     

    rdp://rdshost1.comtoso.com?alternate shell:s:||win32calc&remoteapplicationprogram:s:||win32calc&remoteapplicationname:s:Calculator&remoteapplicationcmdline:s:&remoteapplicationmode:i:1

     

    NOTE: This should be all on one line - the editor split it over two...

     

    Add that bookmark to your Virtual Server.

    That is all the change you need to make to a working RDP Proxy to get RemoteApps working.

    As i said at the beginning, this is assuming that you've got full RDS desktops working through the NetScaler...

     

    Regards

     

    Ken Z

     

    I could test everything now and it works perfectly. Thank you so much for your assistance and passively explaining how RDS works :D! Greatly appreciated!!

     

    Best regards

    Jens
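Ken's procedure above has a mechanical step in the middle: pull five RemoteApp settings out of the downloaded .rdp file and glue them onto the bookmark. The block below is an added example, not Ken's or Citrix's code: it parses the key:type:value lines of an .rdp file, checks that all five RemoteApp keys are present, and emits the bookmark in the shape shown in the post. The RDS host is passed in explicitly rather than copied from the file, so the caller decides which host the bookmark targets. The sample .rdp content is constructed from the Calculator lines in the post plus two ordinary .rdp keys; rdshost1.contoso.com is a sample hostname.

```python
"""Build a Citrix Gateway RDP-proxy bookmark for a RemoteApp from an .rdp file.

Added example, not Citrix or Ken's code. Assumes the .rdp line format
"key:type:value" and the five RemoteApp keys named in the post.
"""

# Order matters: this is the order used in the posted bookmark.
REMOTEAPP_KEYS = (
    "alternate shell",
    "remoteapplicationprogram",
    "remoteapplicationname",
    "remoteapplicationcmdline",
    "remoteapplicationmode",
)

# Constructed sample: the five Calculator lines from the post plus two common
# .rdp keys so the parser has something to skip.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdshost1.contoso.com
alternate shell:s:||win32calc
remoteapplicationprogram:s:||win32calc
remoteapplicationname:s:Calculator
remoteapplicationcmdline:s:
remoteapplicationmode:i:1
"""


def parse_rdp(text):
    """Return {key: (type, value)}; values may themselves contain colons."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        key, typ, value = line.split(":", 2)
        settings[key.lower()] = (typ, value)
    return settings


def has_remoteapp_settings(rdp_text):
    """True when the file carries every key the bookmark needs."""
    settings = parse_rdp(rdp_text)
    return all(k in settings for k in REMOTEAPP_KEYS)


def remoteapp_bookmark(rds_host, rdp_text):
    """rdp://<host>?<k:t:v>&<k:t:v>... exactly as described in the post.

    The host is an explicit argument: the post's instruction is to point the
    bookmark at an RDS host, so nothing is taken from the file's full address.
    """
    settings = parse_rdp(rdp_text)
    missing = [k for k in REMOTEAPP_KEYS if k not in settings]
    if missing:
        raise ValueError("rdp file lacks RemoteApp settings: %s" % missing)
    params = "&".join("%s:%s:%s" % (k, settings[k][0], settings[k][1]) for k in REMOTEAPP_KEYS)
    return "rdp://%s?%s" % (rds_host, params)


if __name__ == "__main__":
    print(remoteapp_bookmark("rdshost1.contoso.com", SAMPLE_RDP))
```

The output is one line, which is the form Ken asks for; if the bookmark editor wraps it, the wrapping is cosmetic as long as no newline is inserted into the stored value.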

  16. Hey Ken,

     

    thank you VERY VERY much for this detailed explanation!!

    I will try to test this asap. I couldn't really test my setup with NetScaler 13.0 as I was busy yesterday, but I will surely get back to you when I have configured everything as you explained.

    I think the biggest mistake on my part until now was that I pointed the bookmark to the connection broker and not one of the RDS hosts (probably load balancing these is going to make some sense here); everything else looks pretty much the same in my lab environment.

    Again, thank you so much!

     

    I will reply when I have tested everything :)

     

    best regards

  17. 24 minutes ago, Ken Zygmunt said:

    Hi Jens

     

    Yes, can do that, but I used Carl's Stalhood's notes to do mine, which should be your first port of call for this type of information.

     

    https://www.carlstalhood.com/netscaler-gateway-12-rdp-proxy/

     

    I'll post my settings tonight when i get back from my journey...

     

    Regards

     

    Ken Z

    Hi Ken,

     

    yes, I check Carl's site on a regular basis, it's probably the best site for ADC information :)

    But he is "just" describing RDP Proxy as a feature for published desktops. In my case I specifically need not only desktops of the RDS farm but also applications to work; that's what I described with these special parameters after the bookmark (and whether there is more configuration needed apart from putting the special parameters after the bookmark).

    To be honest I can't remember if I tested it with IE as well (as you described), but I know I didn't use ADC 13.0.

     

    I will do some testing over the day, but it would be awesome if you could share your configuration steps (summarized), if you got RDS Apps via RDP Proxy working :)

     

    Thank you very much once again and best regards

    Jens

     

  18. On 9/7/2019 at 1:55 PM, Ken Zygmunt said:

    Guys

     

    just tested Chrome and Mozilla with NetScaler 13.0 Build 36.27, and RemoteApp/Seamless RDP sessions are now working... they no longer start up as a full desktop.

    Looks like it was a bug in Build 12.1

     

    Regards

     

    Ken Z

    Hey Ken,

     

    thank you very much for your response and testing with NetScaler 13.0.

    Would it be possible to share your configuration, so I can test this in my environment?

     

     

    Thank you very much in advance!

     

    best regards

    Jens

  19. Hey, 

    thanks for the quick response.

     

    I have added all services via FQDN and my appliances are resolving them correctly.

    I am not sure if I have to configure KCD on my VPX B Appliance as well? From my understanding, my VPX A will just do KCD against the LB vService/server on VPX B but VPX B won't do any KCD as it is just meant as a LB appliance without offloading or anything. 

    I will do some more testing today and try to do the KCD configuration on my VPX B appliance as well. (background of this whole scenario btw. is, that I have a client who uses NetScaler as reverse proxy for publishing a CenShare app, but the CenShare servers are loadbalanced on an F5 the NetScaler connects to, so basically the NetScaler does KCD against the F5 where the CenShare services are loadbalanced - so with my lab setup i tried to reproduce this scenario and well, I could reproduce the exact same error, but I am somehow stalling on how to fix this).

     

    Best regards

  20. The desired bandwidth comes down to what the users are accessing via Citrix.

    If it is "standard" Citrix apps without VoIP stuff, I usually calculate around 500kb/s per user, which would leave you with a needed throughput of roughly 10mbit/s. The lowest throughput you can license is 20mbit/s as far as I remember (ADC Standard license); if you only need the Gateway feature (no load balancing) there should be 5mbit/s and 10mbit/s licenses.

  21. 7 hours ago, RANHO KIM said:

    There are no RADIUS servers in stock.
    Can't I create a Local ID(aaa user) and apply OTP on Citrix NetScaler?

    As Daniel stated, NetScaler itself cannot be a RADIUS server. You will need to setup a remote RADIUS-server the NetScaler can communicate to. Also the OTP-Feature of NetScaler (Native OTP) will only work when you have functional ActiveDirectory as the OTP seed which will generate the OTP on your mobile device, is stored within an LDAP attribute of the User.

     

    Short answer: no, the scenario you are trying to configure will not work (without a RADIUS server (if you want RADIUS auth) or an LDAP server (if you want Native OTP)).

  22. Are you trying to separate LDAP and RADIUS authentication (in case a user will get radius when he comes without Citrix Receiver and LDAP when he comes with Receiver) or do you need two policies to make your RADIUS product working?

    I haven't configured RSA for a long time, so I am not exactly sure how they are implemented within NetScaler, but I know RADIUS solutions which require a primary LDAP and a secondary RADIUS authentication policy, both set to ns_true.

    Currently, when you come via browser, your policy is set to only use the RADIUS policy because your browser obviously doesn't contain CitrixReceiver User-Agent Header.

    That's why NetScaler prompts the error message, because it won't use the LDAP Policy and cannot verify your LDAP credentials.

    If you just want LDAP and RADIUS for all users, no matter if they come via browser or receiver, you can just use both policies (LDAP primary, RADIUS secondary or vice versa, depending how RSA works) with ns_true and it should work.

  23. Hello together,

     

    I am currently trying to get a KCD authentication to work with the following setup (test lab):

     

    WORKING SCENARIO:

     

    ADC VPX Enterprise with a Load Balancing vServer where AAA Forms Authentication is configured. On the AAA vServer there is a RADIUS policy configured and a session profile with a KCD account bound.

    The goal is relatively simple -> I want a user to authenticate via RADIUS (SMS Passcode, challenge response) and afterwards get a Kerberos ticket to authenticate to a basic IIS web server (only Windows Authentication enabled). I have followed this guide for setting up Kerberos (I know it is for a NetScaler 10.1 but I don't think the technical basics should differ for a 12.1 regarding how Kerberos works): https://support.citrix.com/article/CTX236593 (only difference: I used a keytab file)

    This works just fine.

     

    Now the more "advanced" configuration I'm trying to achieve:

    I want to connect to a CSW vServer on my ADC VPX A where I am pointing to a load balancing virtual server on the same appliance. The service bound to this LB vServer points to an ADC VPX B where the actual web server is bound. This is where my configuration stopped working; when I'm trying to debug the authentication process I am getting the following error:

     

     

    root@TestScale05-12# cat /tmp/nskrb.debug
    Tue Sep  3 10:15:37 2019
     nskrb.c[2082]: nskrb_accept CHILD: started, processing AAA request
    Tue Sep  3 10:15:37 2019
     nskrb.c[395]: ns_process_kcd_req username is user.name

    Tue Sep  3 10:15:37 2019
     nskrb.c[399]: ns_process_kcd_req user_realm is internal.domain.suffix, user_realmlen is 21

    Tue Sep  3 10:15:37 2019
     nskrb.c[405]: ns_process_kcd_req svc is websrv-remotens

    Tue Sep  3 10:15:37 2019
     nskrb.c[2089]: nskrb_accept PARENT: 1 children spawned
    Tue Sep  3 10:15:37 2019
     nskrb.c[412]: ns_process_kcd_req gethostbyname failed

    Tue Sep  3 10:15:37 2019
     nskrb.c[417]: ns_process_kcd_req realm is internal.domain.suffix, realmlen is 21

    Tue Sep  3 10:15:37 2019
     nskrb.c[423]: ns_process_kcd_req delegated_user len is 39 value is host/fqdn-lbvserver.domain.de

    Tue Sep  3 10:15:37 2019
     nskrb.c[429]: ns_process_kcd_req password provided, len 25

    Tue Sep  3 10:15:37 2019
     nskrb.c[498]: ns_process_kcd_req user non-enterprise username user.name@internal.domain.suffix
    Tue Sep  3 10:15:37 2019
     nskrb.c[506]: ns_process_kcd_req MD5 user.nameINTERNAL.DOMAIN.SUFFIXfqdn-lbvserver.domain.deINTERNAL.DOMAIN.SUFFIX for s4u cache filename

    Tue Sep  3 10:15:37 2019
     nskrb.c[518]: ns_process_kcd_req MD5 user.nameINTERNAL.DOMAIN.SUFFIXwebsrv-remotensINTERNAL.DOMAIN.SUFFIX for tgs cache filename

    Tue Sep  3 10:15:37 2019
     nskrb.c[532]: ns_process_kcd_req MD5 fqdn-lbvserver.domain.deINTERNAL.DOMAIN.SUFFIX for tgt cache filename

    Tue Sep  3 10:15:37 2019
     nskrb.c[538]: ns_process_kcd_req tgt ticket cachename is /var/krb/tgt_0_b277cdec37f1740adaf02369977ab493
    Tue Sep  3 10:15:37 2019
     nskrb.c[539]: ns_process_kcd_req s4u cachename is /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96
    Tue Sep  3 10:15:37 2019
     nskrb.c[540]: ns_process_kcd_req tgs cachename is /var/krb/tgs_0_412bdef246c3ceb6d263da04f12132e6
    Tue Sep  3 10:15:37 2019
     nskrb.c[542]: ns_process_kcd_req Attempting TGT with host/fqdn-lbvserver.domain.de@INTERNAL.DOMAIN.SUFFIX, outcache /var/krb/tgt_0_b277cdec37f1740adaf02369977ab493
    Tue Sep  3 10:15:37 2019
     nskrb.c[1321]: ns_kinit cache check failed

    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1775]: krb5_init_creds_step krb5_get_init_creds: loop 1
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1176]: process_pa_data_to_md KDC send 0 patypes
    Tue Sep  3 10:15:37 2019
     krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
    Tue Sep  3 10:15:37 2019
     krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.internal.domain.suffix in realm INTERNAL.DOMAIN.SUFFIX
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1775]: krb5_init_creds_step krb5_get_init_creds: loop 2
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1784]: krb5_init_creds_step krb5_get_init_creds: processing input
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1787]: krb5_init_creds_step krb5_get_init_creds: decode AS_REP returned 1859794433, not necessarily an error
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1852]: krb5_init_creds_step krb5_get_init_creds: KRB-ERROR -1765328359, not necessarily fatal
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1176]: process_pa_data_to_md KDC send 5 patypes
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 11
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 19
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 2
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 16
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 15
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1019]: add_enc_ts_padata krb5_get_init_creds: using ENC-TS with enctype 23
    Tue Sep  3 10:15:37 2019
     krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
    Tue Sep  3 10:15:37 2019
     krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.DOMAIN.SUFFIX in realm INTERNAL.DOMAIN.SUFFIX
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNALDOMAIN.SUFFIX' using protocol 1
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1775]: krb5_init_creds_step krb5_get_init_creds: loop 3
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1784]: krb5_init_creds_step krb5_get_init_creds: processing input
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1787]: krb5_init_creds_step krb5_get_init_creds: decode AS_REP returned 0, not necessarily an error
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1807]: krb5_init_creds_step krb5_get_init_creds: extracting ticket
    Tue Sep  3 10:15:37 2019
     init_creds_pw.c[1824]: krb5_init_creds_step krb5_get_init_creds: extract ticket returned 0
    Tue Sep  3 10:15:37 2019
     nskrb.c[1460]: get_new_tickets krb5_get_init_creds_keyblock returned 0

    Tue Sep  3 10:15:37 2019
     nskrb.c[638]: ns_process_kcd_req Attempting S4U2Self with host/fqdn-lbvserver.INTERNAL.DOMAIN.SUFFIX, for user.name@INTERNAL.DOMAIN.SUFFIX
    Tue Sep  3 10:15:37 2019
     nskrb.c[1733]: ns_kgetcred cache file /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96 does not exist

    Tue Sep  3 10:15:37 2019
     krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
    Tue Sep  3 10:15:37 2019
     krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.DOMAIN.SUFFIX in realm INTERNAL.DOMAIN.SUFFIX
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
    Tue Sep  3 10:15:37 2019
     nskrb.c[1800]: ns_kgetcred krb5_get_creds returned 0, svcname host/fqdn-lbvserver.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX, impersonate str user.name@INTERNAL.DOMAIN.SUFFIX, deleg NULL outcache /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96

    Tue Sep  3 10:15:37 2019
     nskrb.c[1873]: ns_kgetcred successfully wrote credentials to cache file /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96

    Tue Sep  3 10:15:37 2019
     nskrb.c[661]: ns_process_kcd_req service name for s4u2proxy is HTTP/websrv-remotens.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX

    Tue Sep  3 10:15:37 2019
     nskrb.c[1733]: ns_kgetcred cache file /var/krb/tgs_0_412bdef246c3ceb6d263da04f12132e6 does not exist

    Tue Sep  3 10:15:37 2019
     krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
    Tue Sep  3 10:15:37 2019
     krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc01.internal.domain.suffix in realm INTERNAL.DOMAIN.SUFFIX
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
    Tue Sep  3 10:15:37 2019
     krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
    Tue Sep  3 10:15:37 2019
     krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.internal.domain.suffix in realm INTERNAL.DOMAIN.SUFFIX
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
    Tue Sep  3 10:15:37 2019
     send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
    Tue Sep  3 10:15:37 2019
     nskrb.c[1800]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/websrv-remotens.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX, impersonate str NULL, deleg /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96 outcache /var/krb/tgs_0_412bdef246c3ceb6d263da04f12132e6

    Tue Sep  3 10:15:37 2019
     nskrb.c[1805]: ns_kgetcred krb5_get_creds returned -1765328371

    Tue Sep  3 10:15:37 2019
     nskrb.c[663]: ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328371
    My delegation tab of my KCD user in AD looks like this (attached), and the SPNs are set like this (attached):

    I hope my understanding of Kerberos isn't so completely wrong that I missed some crucial steps here by pointing my LB vServer to a second VPX instance where the actual backend is load balanced.

    Any help is appreciated and thanks in advance!

    Kind regards

    kcd.PNG

    kcd2.PNG
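    To read a trace like the one above (TGT, then S4U2Self, then S4U2Proxy, ending in the reject code), here is an added Python helper; it is example code written for this thread, not NetScaler code and not from the original post. It maps the signed krb5 error codes that nskrb.c prints back to their RFC 4120 names (-1765328371 is KDC_ERR_BADOPTION, -1765328359 is KDC_ERR_PREAUTH_REQUIRED), attributes each result to its KCD stage and names the first stage that failed. The sample trace, host names and realm below are constructed placeholders modelled on the posted log lines.

```python
"""Summarise a NetScaler nskrb.c KCD trace: which stage (TGT, S4U2Self,
S4U2Proxy) succeeded, which KDCs were contacted, and what the final krb5
error code means.  Example code written for this thread, not NetScaler code."""
import re

# krb5 libraries report protocol errors as KRB5KDC_ERR_NONE + N, where N is
# the RFC 4120 error number; this base value is the well-known constant.
KRB5_ERR_BASE = -1765328384

# RFC 4120 section 7.5.9 error numbers that matter most in a KCD trace.
KRB_ERR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KDC_ERR_BADOPTION",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}


def krb5_error_name(code: int) -> str:
    """Map a signed krb5 error code (as printed by the trace) to its name."""
    n = code - KRB5_ERR_BASE
    if 0 <= n < 128:
        return KRB_ERR_NAMES.get(n, f"KRB_ERR_{n}")
    return f"non-protocol error {code}"


# Log fragments that mark the start of each KCD stage in nskrb.c output.
STAGE_MARKERS = (
    ("Attempting TGT with", "TGT"),
    ("Attempting S4U2Self with", "S4U2Self"),
    ("service name for s4u2proxy is", "S4U2Proxy"),
)
RESULT_RE = re.compile(r"(?:krb5_get_init_creds_keyblock|krb5_get_creds) returned (-?\d+)")
KDC_RE = re.compile(r"communicate with host (\S+) in realm (\S+)")
KRB_ERROR_RE = re.compile(r"KRB-ERROR (-?\d+)")
REJECT_RE = re.compile(r"sending reject to kernel because of error (-?\d+)")


def analyze_kcd_trace(text: str) -> dict:
    """Walk the trace line by line and attribute each result to its stage."""
    stages, kdcs, stage, reject = {}, set(), None, None
    for line in text.splitlines():
        for marker, name in STAGE_MARKERS:
            if marker in line:
                stage = name
                stages[name] = {"result": "no result logged", "code": None, "krb_errors": []}
        if (m := KDC_RE.search(line)):
            kdcs.add(m.group(1))
        if stage and (m := KRB_ERROR_RE.search(line)):
            # intermediate KRB-ERRORs (e.g. PREAUTH_REQUIRED) are part of normal negotiation
            stages[stage]["krb_errors"].append(krb5_error_name(int(m.group(1))))
        if stage and stages[stage]["code"] is None and (m := RESULT_RE.search(line)):
            code = int(m.group(1))  # first 'returned' line of the stage is its result
            stages[stage]["code"] = code
            stages[stage]["result"] = "ok" if code == 0 else krb5_error_name(code)
        if (m := REJECT_RE.search(line)):
            reject = krb5_error_name(int(m.group(1)))
    return {"stages": stages, "kdcs": sorted(kdcs), "reject": reject}


def diagnose(summary: dict) -> str:
    """One-line finding for the troubleshooter, keyed on the first failing stage."""
    st = summary["stages"]
    if st.get("TGT", {}).get("result") != "ok":
        return "TGT failed: the KCD account could not authenticate to the KDC"
    if st.get("S4U2Self", {}).get("result") != "ok":
        return "S4U2Self failed: no ticket to self for the impersonated user"
    proxy = st.get("S4U2Proxy", {}).get("result")
    if proxy == "KDC_ERR_BADOPTION":
        return ("S4U2Proxy rejected with KDC_ERR_BADOPTION: the KDC refused to delegate "
                "to the target SPN; check that exactly this SPN is in the KCD account's "
                "allowed-to-delegate-to list")
    if proxy != "ok":
        return f"S4U2Proxy failed: {proxy}"
    return "all KCD stages succeeded"


# Constructed sample, modelled on the posted trace; names and realm are placeholders.
SAMPLE_TRACE = """\
nskrb.c[542]: ns_process_kcd_req Attempting TGT with host/lb.example.test@EXAMPLE.TEST, outcache /var/krb/tgt_0_x
init_creds_pw.c[1852]: krb5_init_creds_step krb5_get_init_creds: KRB-ERROR -1765328359, not necessarily fatal
send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.example.test in realm EXAMPLE.TEST
nskrb.c[1460]: get_new_tickets krb5_get_init_creds_keyblock returned 0
nskrb.c[638]: ns_process_kcd_req Attempting S4U2Self with host/lb.example.test, for user@EXAMPLE.TEST
nskrb.c[1800]: ns_kgetcred krb5_get_creds returned 0, svcname host/lb.example.test@EXAMPLE.TEST, impersonate str user@EXAMPLE.TEST, deleg NULL outcache /var/krb/s4u_0_x
nskrb.c[661]: ns_process_kcd_req service name for s4u2proxy is HTTP/web.example.test@EXAMPLE.TEST
send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc01.example.test in realm EXAMPLE.TEST
nskrb.c[1800]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/web.example.test@EXAMPLE.TEST, impersonate str NULL, deleg /var/krb/s4u_0_x outcache /var/krb/tgs_0_x
nskrb.c[1805]: ns_kgetcred krb5_get_creds returned -1765328371
nskrb.c[663]: ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328371
"""

if __name__ == "__main__":
    summary = analyze_kcd_trace(SAMPLE_TRACE)
    for name, info in summary["stages"].items():
        print(f"{name:10} {info['result']}  (intermediate: {info['krb_errors']})")
    print("KDCs:", ", ".join(summary["kdcs"]))
    print(diagnose(summary))
```

    Run it on a real ns.log excerpt by passing the file contents to analyze_kcd_trace. Two things worth knowing when reading the output: the KDC_ERR_PREAUTH_REQUIRED in the TGT stage is the normal first round trip of an AS exchange (the KDC asks for pre-authentication, the client resends with ENC-TS) and is not a failure, whereas KDC_ERR_BADOPTION returned to an S4U2Proxy request is the KDC's standard way of refusing a delegated service ticket, most often because the requested SPN is not on the KCD account's allowed-to-delegate-to list or the S4U2Self ticket is not forwardable.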

  24. Ah okay, I guess that's the difference then. We have Apps and Desktops, and so my goal would be to just always point my RDP Proxy destination towards the RDS Broker machine, which will then manage the incoming connection to the correct worker server/desktop.

    I suppose the desktops you use the NetScaler RDP Proxy for are behind your LB vServers? Because my main problem with that setup is that I can't differentiate between the apps/desktops when I try to establish a connection. That's what I described with putting these "special parameters" (extracted from an .rdp file the RDS Web Gateway would deliver) behind the bookmark, because that is what "should" work according to some comments on this JGSpiers blog post. When I open the .rdp file I can see that these parameters are indeed included, but the connection would always fail with the error message that the RDS broker can't verify the information given in the .rdp file (even though it is basically the same as when I would use the RDS Web Gateway). 

    I used the server profile for "RDP Redirection" as I have read on many articles that since 12.1 this option needs to be set regarding RDP Proxy with RDS roles on the backend machines.

    I already tested this: if I use the machines I want to establish an RDP connection to as a direct destination it will work, but I need the broker machine as a destination, which then would redirect the request to the correct worker.

    My bookmark(s) look like this currently:

    rdp://fqdn-ofmybrokermachine.domain.de?alternate%20shell:s:||putty&remoteapplicationprogram:s:||putty&remoteapplicationname:s:putty&remoteapplicationcmdline:s:&remoteapplicationmode:i:1

    My RDP file delivered by NetScaler Gateway would look like this:

    alternate shell:s:||putty
    remoteapplicationprogram:s:||putty
    remoteapplicationname:s:putty
    remoteapplicationcmdline:s:
    remoteapplicationmode:i:1
    redirectclipboard:i:1
    redirectdrives:i:0
    redirectprinters:i:1
    redirectcomports:i:0
    redirectpnpdevices:i:0
    keyboardhook:i:2
    audiocapturemode:i:0
    videoplaybackmode:i:1
    use multimon:i:1
    negotiate security layer:i:1
    enablecredsspsupport:i:1
    authentication level:i:0
    full address:s:dns-ofmygatewayserver.domain.de:443
    loadbalanceinfo:s:cfc12c53dcf809adf042104f33dd410f7a1f5c1f7025458cf644c4a36dabfa9caaabd7bef383ef68cae252831c709948f05813fa19eb21aa66

    Basically I'm trying to replace the RDS Web Gateway with a NetScaler Gateway, and I have read that it works with these special parameters (when you have to use apps instead of just desktops), but I somehow can't get it to work. I already thought of opening a Citrix case, but I'm afraid that this workaround isn't supported the way I want it to be, so I guess I won't get that much help. Maybe someone here already did a similar setup and can help me through with this.

    Thank you nonetheless so far! :)
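    To check whether the .rdp file the gateway hands out actually carries the RemoteApp settings from the bookmark, here is an added Python helper; it is example code written for this thread, not NetScaler's or Microsoft's. It parses the `rdp://host?name:type:value&...` bookmark syntax shown in the post and the `name:type:value` lines of the .rdp file, then reports which settings match, which the gateway changed, which it dropped and which it added on its own (the posted file, for instance, adds full address and loadbalanceinfo). Host names and the loadbalanceinfo value in the sample are constructed placeholders.

```python
"""Compare the RemoteApp settings in a NetScaler RDP Proxy bookmark with the
.rdp file the gateway delivers.  Example code for this thread, not product code."""
from urllib.parse import quote, unquote, urlsplit


def parse_rdp_file(text: str) -> dict:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Names may contain spaces ('alternate shell') and values may contain
    colons ('full address:s:host:443'), so split on the first two colons only."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, typ, value = line.split(":", 2)
        props[name] = (typ, value)
    return props


def parse_rdp_bookmark(url: str) -> tuple:
    """Split an rdp://host?name:type:value&... bookmark into (host, props)."""
    parts = urlsplit(url)
    props = {}
    for item in parts.query.split("&"):
        if not item:
            continue
        name, typ, value = unquote(item).split(":", 2)  # %20 -> space in names
        props[name] = (typ, value)
    return parts.hostname, props


def build_rdp_bookmark(host: str, props: dict) -> str:
    """Inverse of parse_rdp_bookmark; '|' and ':' are left readable as in the post."""
    query = "&".join(f"{quote(n, safe='')}:{t}:{quote(v, safe='|:/')}"
                     for n, (t, v) in props.items())
    return f"rdp://{host}?{query}"


def compare_bookmark_to_rdp(url: str, rdp_text: str) -> dict:
    """Report how the delivered .rdp file relates to what the bookmark asked for."""
    _, wanted = parse_rdp_bookmark(url)
    got = parse_rdp_file(rdp_text)
    return {
        "matched": sorted(n for n in wanted if got.get(n) == wanted[n]),
        "changed": {n: (wanted[n], got[n]) for n in wanted if n in got and got[n] != wanted[n]},
        "missing": sorted(n for n in wanted if n not in got),
        "extra": sorted(n for n in got if n not in wanted),
    }


# Constructed sample modelled on the posted bookmark and .rdp file (placeholders).
SAMPLE_BOOKMARK = ("rdp://broker.example.test?alternate%20shell:s:||putty"
                   "&remoteapplicationprogram:s:||putty&remoteapplicationname:s:putty"
                   "&remoteapplicationcmdline:s:&remoteapplicationmode:i:1")
SAMPLE_RDP = """\
alternate shell:s:||putty
remoteapplicationprogram:s:||putty
remoteapplicationname:s:putty
remoteapplicationcmdline:s:
remoteapplicationmode:i:1
full address:s:gateway.example.test:443
loadbalanceinfo:s:PLACEHOLDER_TOKEN
"""

if __name__ == "__main__":
    report = compare_bookmark_to_rdp(SAMPLE_BOOKMARK, SAMPLE_RDP)
    for key, value in report.items():
        print(f"{key:8} {value}")
```

    The comparison separates two different problems: settings the bookmark asked for that the gateway silently rewrote or dropped (the "changed" and "missing" keys) from settings the gateway adds itself (the "extra" key). When the broker rejects a file whose RemoteApp lines are byte-identical to what RDWeb delivers, the difference to look at is in the extra lines, which is where the routing information for the broker lives.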
