Citrix passthrough authentication

I am trying to access Citrix using Kerberos pass-through authentication. The Mac is bound to AD and Windows shares work fine without additional credentials.
I can connect to published Citrix apps fine if you save user name and password in the client edit script or when prompted when connecting. Ticking the pass-through authentication box is not working (you would think that the fact it gives you that option means it should be supported). Anyone with experience of Citrix able to help with this? Citrix works without a problem on our PCs.

Check if your company has patched the Citrix servers. I have read there is an update to allow Kerberos login via pass-through.
I believe this is the link for the Citrix page:
http://support.citrix.com/article/CTX116264

Similar Messages

  • IWA passthrough workaround for FireFox users?

    We have implemented an IWA passthrough authentication scheme with 10g so that Windows users with IE do not need to log in to OAM. Unfortunately we have many UNIX users who use FireFox. This does not work for obvious reasons but the bad thing is that they get prompted with a Basic Auth dialog box which transmits their credentials over the wire in clear text. Is there a way to catch the browser type in OAM such that all FireFox users are directed to one AuthN Scheme while all IE users are directed to the IWA passthrough scheme, bypassing the logging in step?
    Craig

    You should have set up your SSO server to use https...
    Apart from that, Unix knows Kerberos, as does MS Windows (and you probably use that for the MS Windows users/IE users) - shouldn't you be looking in that direction?
    Change the setup for FF (network.negotiate-auth.trusted-uris: add your SSO domain) and things should work for those users as well.
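
An added example, not part of either post above: a Python check that reads the `WWW-Authenticate` challenges a login URL returns and reports when Basic is offered over plain HTTP, the case the question describes, next to the HTTPS and Negotiate-only cases the reply points to. The URLs, realm and credentials are constructed sample values.

```python
import base64
import re
from urllib.parse import urlsplit

# Quoted strings may contain commas, so blank them before looking for schemes.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A scheme is a token at the start or after a comma that is NOT followed by "="
# (a token followed by "=" is an auth parameter such as realm= or nonce=).
_SCHEME = re.compile(r'(?:^|,)\s*([A-Za-z][\w-]*)(?!\s*=)(?=\s|,|$)')


def offered_schemes(www_authenticate_values):
    """Return the lower-cased schemes named in WWW-Authenticate header values."""
    schemes = []
    for value in www_authenticate_values:
        bare = _QUOTED.sub('""', value)
        for match in _SCHEME.finditer(bare):
            name = match.group(1).lower()
            if name not in schemes:
                schemes.append(name)
    return schemes


def assess(url, www_authenticate_values):
    """Classify what a browser without Negotiate support would fall back to."""
    schemes = offered_schemes(www_authenticate_values)
    tls = urlsplit(url).scheme.lower() == "https"
    if "basic" in schemes:
        # Basic sends base64(user:password) on every request to the realm.
        return "basic-over-tls" if tls else "basic-cleartext"
    if "negotiate" in schemes:
        return "negotiate-only"
    return "no-basic"


def decode_basic(authorization_value):
    """Show that a Basic Authorization header is encoding, not encryption."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token.strip()).decode("utf-8").partition(":")
    return user, password


# Constructed sample responses (URL, WWW-Authenticate header values).
SAMPLE_RESPONSES = [
    ("http://sso.example.test/login", ["Negotiate", 'Basic realm="OAM"']),
    ("https://sso.example.test/login", ["Negotiate", 'Basic realm="OAM"']),
    ("https://sso.example.test/login", ["Negotiate"]),
    ("http://sso.example.test/login", ['Negotiate, Basic realm="a, b"']),
]

# Constructed credential, as it would appear on the wire after the Basic prompt.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(
    b"unixuser:constructed-password"
).decode("ascii")


def report():
    """Return (url, verdict) for every constructed sample response."""
    return [(url, assess(url, values)) for url, values in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for url, verdict in report():
        print(f"{verdict:16} {url}")
    print("recovered from header:", decode_basic(SAMPLE_AUTHORIZATION))
```
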

  • Lotus Notes connector: Error while crawling LOB contents

    Hi all,
    I am trying to configure Lotus Notes connector on SP search. We have successfully followed Randy Rempel's blog on the test environment. No problem to search Lotus Notes content.
    In production environment, we've followed the same procedure but we are facing the following problem. During the full crawl, the below error is thrown
    Error while crawling LOB contents. ( Error caused by exception: Microsoft.BusinessData.Infrastructure.BdcException The shim execution failed unexpectedly - Exception has been thrown by
    the target of an invocation..: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail] An unexpected error occurred in the Lotus Notes protocol handler while processing the URL
    We have forced Lotus Notes Connector to be more verbose, without success.
    Any help will be appreciated
    David

    Reset the index and re-crawl. That usually clears it.
    If you are using NTLM authentication, then make sure that you specified the PassThrough authentication for crawling.
    Probably you need to debug the BDC code that underlies the external content types.
    Can you check the permission that you have set for the Lotus Notes Domino databases? Was the content access account added to the local administrator group?
    If this helped you resolve your issue, please mark it Answered

  • Error in crawl log "Error while crawling LOB contents. ( Error caused by exception: Microsoft.BusinessData.Infrastructure.BdcException The shim execution failed unexpectedly - The method or operation is not implemented..; SearchID "

    Hi 
    I get the following error in my crawl logs
    "Error while crawling LOB contents. ( Error caused by exception: Microsoft.BusinessData.Infrastructure.BdcException The shim execution failed unexpectedly - The method or operation is not implemented..; SearchID "
    Because of this I suspect the search results are not including those aspx pages marked as "Hide physical urls from search".
    This error does not occur in another environment where the aspx pages are coming in the results.
    Thanks
    Joe

    Hi Joe,
    Greetings!
    Reset the index and re-crawl. That usually clears it
    If you are using NTLM authentication, then make sure that you specified the PassThrough authentication for crawling
    Probably you need to debug the BDC code that underlies the external content types.
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/41a86c43-151d-47cd-af73-967a4c940611/lotus-notes-connector-error-while-crawling-lob-contents?forum=sharepointsearch
    Please remember to click 'Mark as Answer' on the answer if it helps you

  • AFP appending in front of SMB for Command+K

    I have a client who just got a new MBP, so today was the first day he had it on the all windows network.  There's shares on a 2008 R2 server that, on my identical MBP model, I can map just fine with command+K, using smb://servername or smb://ipaddress
    Both work fine for me, and prompt me for credentials.
    On his new one though, it bombs.  In the connection box after you hit return, instead of showing "connecting to smb://blahblah" it shows "connecting to afp://smb://blahblah"
    For some reason, even though I am manually specifying SMB:// as the target, it still prepends AFP:// in front of that AFTER we try to connect.
    Only thing I've found all morning searching is someone who told another user having a similar issue to use lower case, not upper case.  Since we were already using lower case, not helping, and using upper case made no difference either.
    What can I do to kill this AFP:// automatically putting itself in front of the SMB://  ?
    As I said, 2008R2 server and Windows AD network, neither Mac is part of the domain.  Just using passthrough authentication (which worked fine on his previous model Core2 Duo MBP and still works fine on my 2011 15" quad core i7 MBP with current Lion).
    What's really frustrating is I hit this once before a few years ago when I first switched from a PC based laptop to my first MBP, and while I found an answer quickly back then, this time I'm not finding the answer anywhere.
    Thanks for any info
    John

    Apparently there is a bug in SMB but if you use CIFS instead, it will work eg:
    CIFS://server/sharename
    I found this info here:
    http://osxdaily.com/2013/10/30/connect-smb-nas-network-shares-os-x-mavericks/

  • Need my custom webauth page displayed with HTTP instead of HTTPS

    I have a custom webauth page installed that I am using with web passthrough authentication on my WLC2006 in order to put up an acceptable use policy page.
    The WLC uses HTTPS to display this which causes a security certificate warning to appear if I go with the WLC's own self-signed certificate. Is there a way I can get the WLC to use plain HTTP to display this page instead so I can eliminate the warning?
    I have already tried installing a trusted 3rd party certificate on the WLC, but I have this very strange problem where mucking with the WLC's web authentication certificate in any manner causes all network activity on the WLC to break except for CDP and ARP, essentially leaving the WLC dead. Three weeks of troubleshooting with Cisco TAC has yielded no progress on that front so now I am trying to bypass the need for a security certificate altogether since I really don't need to encrypt my acceptable use policy page.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • Disabling manual entry for Passwords

    All,
    I'm customising the tabbed user form for manual creation of users and I would like to know how I can disable the compulsory password fields. The reason for this is that we don't want to have a password for Lighthouse accounts as all users when they log in will be authenticating against Active Directory via passthrough authentication. Therefore it is ridiculous to generate a random Lighthouse password. Any help would be great.

    Well, I believe you must have misunderstood my question. The disabling of the field is not on the end user form but rather on the tabbed user form where administrator type capable users can create new users. This is a valid business case as you only want the users to be authenticated against AD and do not want an administrator to type a dummy password for a new user during the manual create process. Anyhow, I have worked out the solution for this. Just need to configure a login module that authenticates against AD only and set that for the user interface login application. This automatically hides the password fields for the tabbed user form when you attempt to create or modify users.

  • Need to add a MSSQL Server to our system

    I remember seeing a SQL connector or something
    Is there anything that will make life easier???
    My understanding is we need Windows Server + CALs + MSSQL Server (+ cals for
    SQL)
    and everything is stored and run on the Windows box....
    About the only thing I can do is store the Backup on the Novell server -
    right??
    (I'd like to use the windows box for minimum - requirement only)

    Simon,
    > I remember seeing a SQL connector or something
    >
    > Is there anything that will make life easier???
    >
    > My understanding is we need Windows Server + CALs + MSSQL Server (+ cals for
    > SQL)
    > and everything is stored and run on the Windows box....
    >
    > About the only thing I can do is store the Backup on the Novell server -
    > right??
    > (I'd like to use the windows box for minimum - requirement only)
    If you need an MS SQL server and the app actually *requires* MS SQL and refuses
    to run on MySQL, then your easiest option is this:
    Enable CIFS on your 6.5 Sp6 or later server.
    Use CIFS Domain emulation to create a Windows Domain on your NetWare server
    Install a 2003 server as a standalone, patch it, install MSSQL
    Then join this 2003 server to the domain
    In MS SQL use passthrough authentication
    This way, your users can use the same credentials for the SQL server.
    - Anders Gustafsson, Engineer, CNE6, ASE
    NSC Volunteer Sysop
    Pedago, The Aaland Islands (N60 E20)
    Novell does not monitor these forums officially.
    Enhancement requests for all Novell products may be made at
    http://support.novell.com/enhancement
    Using VA 5.51 build 315 on Windows 2000 build 2600

  • Need to Setup Magic Triangle for 10.5

    I already have a xserve running 10.5 that is a OD master and it is joined to the domain, but the passthrough authentication is not working.
    How can I reset or fix the problem? I cannot rebuild the Xserve at the moment, but I can unbind and remove the OD, but will this allow me to restart the process?
    -brian

    This is really the 10.6 Directory Services discussion.
    By "...joined to the domain..." you mean an AD domain?
    If bound to AD and running as OD master, Kerberos shouldn't be running (look in Server Admin, OD) as the machine should be using the AD Kerberos realm for kerberized services.
    For SSO / running Kerberos auth. to use services, clients must be bound to the AD.
    (Kerberos needs "clocks to be synchronized", something like no more than 5 min. difference and using same timezone between all machines using it).
    "...passthrough authentication is not working." - passthrough?
    Using AD credentials to access some OS X server hosted services (for example AFP) might work even without client being bound to the AD, but not if OS X server demands Kerberos auth. for the service in question.
    With "passthrough" you might mean: client wants to ask OS X server for "access" using AD credentials?
    As I understand it (in a service "simplest configuration" - at least not demanding Kerberos auth.) user/client can "authenticate" to OS X server which really asks the AD to auth. the user and (possibly) the OS X server authorize the user to access the service running on the OS X server.
    But if you want to login on a computer using the AD credentials it needs to be bound to the AD AND a corresponding OS X homefolder must be "reachable".

  • Assigning siteminder resource to an IDM user

    The IDM URL is currently protected by SiteMinder so that we can initiate single sign-on. My requirement is to have only the SSO login page and remove the IDM login module. I created a SiteMinder LDAP resource pointing to our SiteMinder server and a login module. I assigned this login module to the end user interface so that the user needs to log in only once on the SSO page.
    I created one identity user within IDM and the same user existed in SSO ldap also. I assigned the LDAP resource to that user and tried to save the record. On saving, here is the error I get "Resource 'ESSOQA-SiteMinderLDAP' is not accessible at this time. Correct the resource access problem or remove this resource from the user before attempting any updates".
    PS: The entry DN for the LDAP account starts with ssouid=XXX,ou=XXX,o=test.com. The uid field is not used for entrydn attribute and the ssouid field is a random text . However the uid field in LDAP and the IDM account ID will be the same.
    Please help figure out what the issue could be.

    All you need to do is to link the IDM users with the SSO LDAP resource, don't call the reprovision.
    Also make sure you have SM_USERDN in the pass-thru authentication variable to allow passthrough authentication.
    If you are using Siteminder resource just for authentication then all you need to have is just the LDAP connection parameters.
    -Aravanan

  • OHS in front of OAM/OIM

    All,
    I configured OHS in front of OAM/OIM 11.1.1.3. Everything works great, however access_log in OHS does not show username for secure page access in OIM/OAM. Has anyone gone through this setup before? If so, can you please let me know what I could be missing.
    Thanks in advance,
    Prasad.

    It is doable :)
    There are 2 stages:
    1) To simply protect the pages you add a /oim/*...* and /oim/* resources and host in the agent you are using to access the server with (webgate) and then any hits will get redirected to the OAM login page. This should be done by default by your webgate agent AND you need to use the 10g webgate for proper integration (11g webgate is not supported for protecting the IAM suite yet).
    2) For full integration with passthrough authentication and reset password and self-service redirection you'll need to do more. Look through the Oracle docs on how to do this, it's scattered in a few different places, but here are some tips:
    - if you're using VMs take snapshots before trying
    - you'll need to go in EM to change OIM agent properties, in WebLogic to change providers (use OAMIdentityAsserter first and then OAMAuthenticator second) and for full integration use the OIM LDAP-Sync (if you're doing it that way) as the identity store.
    - do not use the automated tools that will magically do it for you like 'idmConfigTool'. They did not work for me, but rather wasted 2 days because my configuration did not fit its profile.
    Good luck.
    - JP

  • SQL 2012 FileTable remote access through Mgmt Studio

    I'm having trouble accessing the FileTable directory from any machine other than the local server.  Does anyone know of a detailed resource for explaining all of the permission 'areas' to allow remote access?
    On the SQL 2012 server:
    I can open 2012 Mgmt Studio, expand down to the FileTable, right-click and Explore the FileTable Directory.  Directory appears and contents are visible.
    On remote computers:
    Doing the same action as above results in: 'The File location cannot be opened.  Either access is not enabled or you do not have permissions for the same.'
    I'm using the same domain account on both systems, and it is a local OS admin & Sysadmin on the SQL server and local OS admin on the remote computer.  Tried turning firewalls off on both machines.
    I setup the Filestream and FileTable using the documentation at:
    http://msdn.microsoft.com/en-us/library/ff929144 'FileTables (SQL Server)
    Any suggestions?
    Cheers,
    J

    What I've found so far:
    1. Leave Windows share as created by SQL Server when enabling FileStream and FileTable.  (ie windows share should have a path of: 
    \\?\GlobalRoot\.....)
    2. Firewall ports TCP 139 & 445 must be open.
    3. Users have db_owner permission to the database.  Based on other posts I think this can be modified, but still working on that.  For me enabling db_datareader and db_datawriter was not enough for users to access the FileTable.  At the moment I'm not sure if SQL logins will work as the system seems to use passthrough authentication.  Not sure how SQL logins would pass through from an external client.

  • Need Basic GD Library Installer for  10.5 XServe

    Does Apple have a page where we can download common web server apps, such as GD? For some strange reason it doesn't appear included on the standard server install. I thought this was a typical web server helper app and by now they would have included it?
    I recently moved an app to a new 10.5 server, and it's been a while since I did an install of GD. Everything is working on the new server, however I have to put GD support on the new server. I'm not doing any kind of custom install, and just need the standard GD installed.
    Does anyone have a pointer to the info for installing GD on a new Mac XServer?
    Thank you!


  • Requirements to set up replication between domains

    I have to create transactional replication between two servers on 2 different domains ('server-G' from domain1 and 'server-Y' from domain2) 

    You need to use passthrough or SQL authentication. With passthrough authentication you will need local machine accounts with the same name and passwords. Then specify these accounts in your script. This account will be the subscriber login account for the distribution agent.
    Either that or create a sql account on the subscriber which is in the db_owner role in the subscription database and use this account for your distribution agent.

  • Terminal server application and contextless login

    Hi,
    Using zen6.5sp2 here
    terminal server application, to a win2k3 with client 4.91sp2 (french +
    patch kit c for test)
    the credentials are passed correctly from the client to the server, and
    the "single-sign-on" works ok only if I specify the context into the client.
    I can't get the LDAP contextlogin login to work, neither the old
    LgnCLW32.dll
    If I do a local authentication, or through mstsc as usual, it works
    it's only via the zenworks apps.
    The client 4.91sp1 or sp2 (don't remember) had a bug that it wasn't able
    to pass credentials at all, and that's not what I'm looking for...
    Any clue ?
    Marc

    I believe this is true, but I'm talking about Novell login... What does the
    SAM have to do with this ???
    I do not bother with Windows login, I have ZENworks that creates an
    account for me...
    Steps to replicate the problem:
    1) create user1 under context1 into edir
    2) create user2 under context2 into edir
    3) create zen dlu policies, for logging into a regular winxp, and win2003
    terminal server
    4) install novell client (configure the location profile with the
    treename, and the CONTEXT of CONTEXT1 & configure ldap contextless
    login) & zfd on the TS
    5) at this point, if anyone uses mstsc.exe to connect to the TS server,
    he should be able to login to the TS, with a DLU, and get a desktop
    6) create a TS application into ZENworks, which points to the TS, and
    start any app (notepad.exe)
    7) login into a winxp workstation, with user1, start NAl, click the app,
    it should do an "SSO" login to the TS, and start notepad without asking
    a password
    8) login will FAIL with user2, because he's under context2, and zen
    doesn't try to do contextless login
    Yeah, I can create alias, but to me, it's not elegant... and a waste of time
    Yeah, I can use IDM to create another tree, sync all my accounts into 1
    context...
    Yeah, I can live with that for the rest of my users under context2....
    Marc, just trying to help...
    craig wilson wrote:
    > All I can tell you is that it is not going to happen.
    > Contextless Login is done via the client login utilities.
    > These utilities are not involved in the pass-through authentication
    > process. It may not even be possible to do.
    >
    > Through the use of IDM or Lynx this can be completely automated.
    > ------------------------------------------------------------------
    >
    > Create a local account on a workstation and a matching account on a
    > Domain with a matching password.
    >
    > Login locally to the PC and try to access the DC.
    > It works.
    >
    > Try to access a member server to which the domain account has rights.
    > It fails and prompts you to enter your user ID. Specify the ID in
    > domain/id format and you get in.
    >
    > Basically a failure of Passthrough authentication because the "Default"
    > security container is the local SAM for both systems. One holds the ID
    > one does not.
    >
    > This is really the same basic issue Novell is having via passthrough
    > authentication.
    >
    >
    >
    >
    >
    > Marc-Andre Vallee wrote:
    >> come on..........
    >> RFE....
    >
