CTX209647
2016-04-22
We have two domains, "Domain1.com" and "Domain2.com", in different forests. An external two-way trust relationship exists between the two domains. ...

Symptoms or Error

  • We have two domains, "Domain1.com" and "Domain2.com", in different forests.
  • An external two-way trust relationship exists between the two domains.
  • The XenApp and XML servers are in the "Domain2.com" domain, and the StoreFront servers are in the "Domain1.com" domain.
  • A few users in the "Domain1.com" domain are members of a global group called GGroup.
  • There is a domain local group in the "Domain2.com" domain called LGroup. The global group GGroup from "Domain1.com" is a member of this domain local group in "Domain2.com".
  • The domain local group LGroup is given access to the applications.
  • When users from the "Domain1.com" domain who are members of the global group in that domain (which in turn is a member of the domain local group in "Domain2.com") log in explicitly (using user name and password), they are able to see the applications. Applications are enumerated and they can launch them successfully.
  • But application enumeration fails when the same users log in to the StoreFront store using domain pass-through (Pass-through Authentication).

Solution

We need to add the global group from "Domain1.com" directly to the published application properties to make the application launch work.


Problem Cause

When domain pass-through is used, IIS (on the StoreFront server) contacts a domain controller for user authentication. From the obtained token it extracts the user's SIDs, which carry the group membership information of the authenticated user. StoreFront then includes these SIDs in the enumeration request and sends the request to XenApp. XenApp filters the user's applications by comparing the SIDs granted access against each resource. The problem is that the SIDs granted access to the resources are from the XenApp domain, while the SIDs in the enumeration request are from the StoreFront domain: the StoreFront domain controller does not include the group SIDs of another forest during authentication (even though the authenticated user truly belongs to those groups). That is where the enumeration fails.
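To confirm this cause before applying the solution above, the following PowerShell (an added example, not part of the Citrix article) compares the group SIDs in a user's logon token on a "Domain1.com" machine with the SIDs of GGroup and LGroup. It assumes the RSAT ActiveDirectory module is installed, the domain controllers of both domains are reachable, and the script runs as the affected user.

```powershell
# Added example (not from the Citrix article). Assumes the RSAT ActiveDirectory
# module and runs on a Domain1.com machine as the user whose enumeration fails.
Import-Module ActiveDirectory

# Group SIDs that Windows placed in the current logon token. With domain
# pass-through, these are the SIDs StoreFront forwards in the enumeration request.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

# Resolve each group from a controller of its own domain (names from the article).
$gGroup = Get-ADGroup -Identity 'GGroup' -Server 'Domain1.com'
$lGroup = Get-ADGroup -Identity 'LGroup' -Server 'Domain2.com'

function Test-TokenHasSid {
    param(
        [string[]]$TokenSids,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    return ($TokenSids -contains $Sid.Value)
}

foreach ($g in @(
        @{ Group = $gGroup; Domain = 'Domain1.com' },
        @{ Group = $lGroup; Domain = 'Domain2.com' })) {
    [pscustomobject]@{
        Group   = $g.Group.Name
        Domain  = $g.Domain
        Scope   = $g.Group.GroupScope
        SID     = $g.Group.SID.Value
        InToken = Test-TokenHasSid -TokenSids $tokenSids -Sid $g.Group.SID
    }
}
```

If GGroup shows InToken = True while LGroup shows InToken = False, the token built by the Domain1.com controller carries only Domain1.com group SIDs, so XenApp never sees the LGroup SID it was told to grant access to; granting GGroup directly on the published application makes the SID XenApp checks one that is present in the forwarded token.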
