Account Lockout - XenApp environment

9:03 PM

This is one of the common problems reported by several customers in a XenApp environment using Kerberos. Account lockouts are a big nightmare for any system administrator, and there are some excellent articles on the Microsoft website about how to troubleshoot them and which tools are required (e.g. http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx). However, on the Citrix side, and especially on the XenApp side, things are slightly different depending on how the environment is configured. Users who face account lockouts for ICA sessions to XenApp servers configured for Kerberos constrained or unconstrained delegation can use the following tips to isolate the problem. Citrix Kerberos can be enabled for the pass-through (with or without smart card) authentication method.

When Citrix Kerberos is enabled, the session connection is based on a Kerberos ticket. The XenApp servers must be "trusted for delegation", since the authentication point (e.g. the Web Interface) is not the XenApp server itself. See http://technet.microsoft.com/en-us/library/cc995228.aspx for information on how to configure Kerberos constrained delegation. The important point is that there is no automatic fallback to NTLM, because the XenApp server has no access to the user's credentials: the session was authenticated with a ticket, not a password, so a backend that insists on NTLM cannot be satisfied. Most of the time this is the reason for account-lockout problems in a Citrix Kerberos environment. The best way to solve the problem is to identify that server and isolate it.

Tools that can be used: Network trace. Start a network trace on the target XenApp server, from the console or over RDP. Start the trace before launching the session, reproduce the problem, then save the trace and open it.

Handy Wireshark filter to watch Kerberos ticket requests and replies:

kerberos.msg_type == 10 || kerberos.msg_type == 11 || kerberos.msg_type == 12 || kerberos.msg_type == 13 || kerberos.msg_type == 30

(10 = AS-REQ, 11 = AS-REP, 12 = TGS-REQ, 13 = TGS-REP, 30 = KRB-ERROR. The above is just an example; adjust it to the exchange you are interested in.)

Things to look for in the trace: 1. KRB_ERROR messages, and 2. NTLMSSP messages (NTLMSSP_CHALLENGE, etc.).

In both cases, check which server or service is in the picture and try to eliminate it from the environment. Other things to try: a new test user, with and without a profile, just to check whether the problem is caused by some mapping in the logon script. Once you have identified the server service, check whether it can accept a Kerberos ticket at all; a server service may require manual configuration changes (for example, registering an SPN for it) to enable Kerberos, and in some cases the backend is not compatible with Kerberos or does not support it. If that is the case, we need to involve the third-party vendor.
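As an added example (not part of the original post), the following PowerShell script reduces a saved trace to the per-server view this step asks for: which host returned KRB-ERROR and with which code, and which host received NTLMSSP traffic, i.e. the NTLM fallback that produces the lockouts. It assumes the trace was exported with tshark's -T fields option using the standard Wireshark field names kerberos.msg_type, kerberos.error_code and ntlmssp.messagetype; the sample rows and IP addresses are constructed, not from a real capture.

```powershell
# Added example; not code from the original post. Summarises a tshark field export of
# a XenApp logon trace per server. KRB-ERROR replies are attributed to the KDC that
# returned them; the error code then points you at the client or SPN problem.
# The sample rows below are constructed.
#
# Assumed export command (standard Wireshark field names):
#   tshark -r xenapp-logon.pcapng -Y "kerberos || ntlmssp" -T fields `
#     -E header=y -E separator=, -E occurrence=f `
#     -e frame.number -e ip.src -e ip.dst `
#     -e kerberos.msg_type -e kerberos.error_code -e ntlmssp.messagetype

$KrbErrCode = @{
    '6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'   # client account not found
    '7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'   # no SPN registered for the requested service
    '24' = 'KDC_ERR_PREAUTH_FAILED'        # bad password: this counts towards lockout
    '25' = 'KDC_ERR_PREAUTH_REQUIRED'      # benign: first AS-REQ sent without pre-auth
}

function Get-LockoutTraceSummary {
    param([Parameter(Mandatory)][string]$CsvText)

    $summary = @{}   # server IP -> counters
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $krb  = $row.'kerberos.msg_type'
        $ntlm = $row.'ntlmssp.messagetype'

        # Replies (AS-REP 11, TGS-REP 13, KRB-ERROR 30, NTLM CHALLENGE 2) come from the
        # server; everything else is a request, so the server is the destination.
        $isReply = ($krb -in '11', '13', '30') -or ($ntlm -eq '2')
        $server  = if ($isReply) { $row.'ip.src' } else { $row.'ip.dst' }

        if (-not $summary.ContainsKey($server)) {
            $summary[$server] = @{ KrbRequests = 0; KrbErrors = @(); NtlmMessages = 0; NtlmAuths = 0 }
        }
        $s = $summary[$server]

        if ($krb -in '10', '12') { $s.KrbRequests++ }
        if ($krb -eq '30') {
            $code = $row.'kerberos.error_code'
            $name = if ($KrbErrCode.ContainsKey($code)) { $KrbErrCode[$code] } else { "error $code" }
            $s.KrbErrors += "$name (frame $($row.'frame.number'))"
        }
        if ($ntlm) {
            $s.NtlmMessages++
            if ($ntlm -eq '3') { $s.NtlmAuths++ }   # AUTHENTICATE: the attempt a DC will count
        }
    }

    $summary.Keys | ForEach-Object {
        $s = $summary[$_]
        [pscustomobject]@{
            Server       = $_
            KrbRequests  = $s.KrbRequests
            KrbErrors    = ($s.KrbErrors -join '; ')
            NtlmAuths    = $s.NtlmAuths
            NtlmFallback = ($s.NtlmMessages -gt 0)   # any NTLMSSP at all: isolation candidate
        }
    } | Sort-Object NtlmAuths -Descending
}

# Constructed sample: client 10.0.0.50, DC 10.0.0.10, XenApp server 10.0.0.20 and a
# backend web server 10.0.0.30 that is not Kerberos-enabled (frames 7-12).
$sample = @'
frame.number,ip.src,ip.dst,kerberos.msg_type,kerberos.error_code,ntlmssp.messagetype
1,10.0.0.50,10.0.0.10,10,,
2,10.0.0.10,10.0.0.50,30,25,
3,10.0.0.50,10.0.0.10,10,,
4,10.0.0.10,10.0.0.50,11,,
5,10.0.0.20,10.0.0.10,12,,
6,10.0.0.10,10.0.0.20,30,7,
7,10.0.0.20,10.0.0.30,,,1
8,10.0.0.30,10.0.0.20,,,2
9,10.0.0.20,10.0.0.30,,,3
10,10.0.0.20,10.0.0.30,,,1
11,10.0.0.30,10.0.0.20,,,2
12,10.0.0.20,10.0.0.30,,,3
'@

Get-LockoutTraceSummary -CsvText $sample | Format-Table -AutoSize
```

In the constructed sample the DC answers the XenApp server's TGS-REQ with KDC_ERR_S_PRINCIPAL_UNKNOWN (no SPN for the backend), and 10.0.0.30 then sees two NTLMSSP AUTHENTICATE exchanges from the XenApp server: that is the server to isolate. KDC_ERR_PREAUTH_REQUIRED on the first AS-REQ is normal and can be ignored; repeated KDC_ERR_PREAUTH_FAILED is the Kerberos-side signal that a stale credential is being replayed.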

Things to try: Hotfix Rollup Pack 1 has a fix for this:

  • When running a published instance of Internet Explorer using the Program Neighborhood Agent or the online plug-in, the following error message may appear: "The page cannot be displayed." In addition, users can be incorrectly locked out of their accounts when launching applications or accessing other resources in a Kerberos environment. To resolve the issue, Fix #184053 was introduced to skip NTLM authentication by setting the following registry key:
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxSSP\NTLM
    Name: HandlingMethod
    Type: REG_DWORD
    Data: 0 (use the previous authentication method); 1 (use the new method)

However, this resolution may not be satisfactory for customers who want users to authenticate using NTLM, especially from Web browsers. This hotfix adds a bit to the registry value as follows:

Data: 0 (use the previous authentication method); 1 (skip NTLM authentication); 10 (skip NTLM authentication for all but Web browser processes)

[From XA0W2K8R2X64R01] [#213871]
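As an added example (not from the original post or the hotfix readme), the registry change above expressed in PowerShell with a before/after read-back so the change can be rolled back. It uses the 64-bit Wow6432Node path the readme gives; the path without Wow6432Node for a 32-bit server is an assumption, and only the values documented for Fix #184053 (0 and 1) are accepted. Run it from an elevated prompt on the XenApp server.

```powershell
# Added example; not code from the original post or the Citrix hotfix readme.
# Sets HandlingMethod under CtxSSP\NTLM: 0 = previous method (NTLM fallback allowed),
# 1 = skip NTLM authentication. Requires an elevated PowerShell prompt.

function Set-CtxSspNtlmHandling {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$HandlingMethod)

    $path = if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxSSP\NTLM'   # 64-bit OS, the path from the readme
    } else {
        'HKLM:\SOFTWARE\Citrix\CtxSSP\NTLM'               # assumed layout on a 32-bit server
    }

    # Record the current value (null if the key or value does not exist yet).
    $before = (Get-ItemProperty -Path $path -Name HandlingMethod -ErrorAction SilentlyContinue).HandlingMethod

    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name HandlingMethod -PropertyType DWord -Value $HandlingMethod -Force | Out-Null

    # Read back to confirm the DWORD was written where CtxSSP will look for it.
    $after = (Get-ItemProperty -Path $path -Name HandlingMethod).HandlingMethod
    [pscustomobject]@{ Path = $path; Before = $before; After = $after }
}

# Skip NTLM on this server; call again with 0 to restore the previous behaviour.
Set-CtxSspNtlmHandling -HandlingMethod 1
```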

Other tools: there are some good tools on the Microsoft side for viewing and verifying Kerberos tickets on a machine, such as:

1. Kerbtray - GUI tool to view the Kerberos tickets in the current session

2. Klist - command-line tool for the same purpose, which can also purge tickets (klist purge)

3. Account lockout tools - Netlogon Parser, LockoutStatus, etc.
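As an added example, not part of the original post, here is a PowerShell parser for klist output that checks whether the logon session holds a ticket for a given SPN and whether that ticket is forwardable, which delegation from the XenApp server requires. The output layout is the one klist prints on Windows 7 / Server 2008 R2; the sample below is constructed, and the SPN, user and realm names are invented.

```powershell
# Added example; not code from the original post. Parses `klist` output into ticket
# objects and checks the ticket for one SPN. Sample output below is constructed.

function Get-KlistTickets {
    param([Parameter(Mandatory)][string[]]$KlistOutput)

    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^#\d+>\s+Client:\s*(.+)$') {
            # "#0>  Client: user @ REALM" opens a new ticket entry
            if ($current) { $tickets += [pscustomobject]$current }
            $current = [ordered]@{ Client = $matches[1].Trim(); Server = ''; Flags = @(); EndTime = '' }
        }
        elseif ($null -eq $current) { continue }   # header lines before the first ticket
        elseif ($line -match '^\s+Server:\s*(.+)$') { $current.Server = $matches[1].Trim() }
        elseif ($line -match '^\s+Ticket Flags\s+0x[0-9a-fA-F]+\s+->\s*(.+)$') {
            $current.Flags = @($matches[1].Trim() -split '\s+')
        }
        elseif ($line -match '^\s+End Time:\s*(.+)$') { $current.EndTime = $matches[1].Trim() }
    }
    if ($current) { $tickets += [pscustomobject]$current }
    $tickets
}

function Test-TicketForSpn {
    param(
        [Parameter(Mandatory)][string]$Spn,    # e.g. 'HTTP/web01.corp.local'
        [string[]]$KlistOutput = (& klist)     # live klist output unless supplied
    )
    # klist prints the server as "SPN @ REALM"
    $ticket = Get-KlistTickets -KlistOutput $KlistOutput |
              Where-Object { $_.Server -like "$Spn @*" } |
              Select-Object -First 1

    if (-not $ticket) {
        $verdict = 'no ticket: expect a KRB-ERROR for this SPN or an NTLM fallback in the trace'
        return [pscustomobject]@{ Spn = $Spn; Present = $false; Forwardable = $false; Verdict = $verdict }
    }
    $fwd = 'forwardable' -in $ticket.Flags
    $verdict = if ($fwd) { 'ok' } else { 'ticket is not forwardable: delegation will fail' }
    [pscustomobject]@{ Spn = $Spn; Present = $true; Forwardable = $fwd; Verdict = $verdict }
}

# Constructed sample of klist output (user, SPN, realm and times are invented).
$sampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: jdoe @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 3/4/2014 9:00:00 (local)
        End Time:   3/4/2014 19:00:00 (local)
        Renew Time: 3/11/2014 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ CORP.LOCAL
        Server: HTTP/web01.corp.local @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x00a10000 -> renewable pre_authent name_canonicalize
        Start Time: 3/4/2014 9:01:10 (local)
        End Time:   3/4/2014 19:00:00 (local)
        Renew Time: 3/11/2014 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
'@ -split "`r?`n"

Test-TicketForSpn -Spn 'HTTP/web01.corp.local' -KlistOutput $sampleKlist   # present, not forwardable
Test-TicketForSpn -Spn 'HTTP/web02.corp.local' -KlistOutput $sampleKlist   # no ticket at all
```

Run Test-TicketForSpn without -KlistOutput inside the user's ICA session on the XenApp server to check the live ticket cache; when the ticket is missing or stale, `klist purge` followed by a fresh logon forces a new request that you can then follow in the network trace.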

Most of the time, with the steps and tools above, we (Citrix Escalation) are able to answer the majority of the account-lockout questions that come up in Citrix Kerberos environments.
