Symptoms
The client may be prompted to log on a second time when connecting to a published application delivered by NFuse or Web Interface.
Causes
Various
Resolutions
1. Properly configure the feature, as outlined in the Administrator’s Guide, Enabling Desktop Credential Pass-Through (Single Sign-On).
2. The Web Server must be a domain member in order for IIS to perform a domain authentication.
3. Connect directly to a MetaFrame XP Feature Release 2 or greater server to verify that Single Sign-On is correctly configured and operating on the client device. Citrix article CTX368624 - Troubleshooting Citrix Pass-through Authentication (Single Sign-On) may assist in resolving any Single Sign-On issues.
4. When implementing the Web Interface to connect users through a load balanced Web site (using Microsoft load balancing to map two IIS Web servers into a virtual IP address) and Internet Explorer is used to connect to the virtual IP address, the IIS logon box appears. The result is that manual log on is required to get your application list and another logon to launch an application. The virtual IP address must be added to the Trusted Sites zone in the properties of Internet Explorer under Tools, Internet Options, Security tab.
5. The Windows NT LAN Manager (NTLM) was configured on the IIS as the authentication method, the desktop credential pass-through was configured on the Web Interface, and one of the following was in place:
Users did not use a domain account to log onto the workstation
— or —
Users tried to access the Web Interface using the IP address
6. Ensure users log on to the workstation with a domain account. If this is not possible, the desktop credentials pass-through feature cannot be used. This is by design.
7. Use the NetBIOS name or Fully Qualified Domain Name (FQDN) to access the Web Interface or add the Web Interface to the trusted site in the users’ Internet Explorer application.
8. CTX102845 – Web Interface Permission Settings
9. CTX102842 – Desktop credential pass-through: Error: The web server is configured incorrectly to authenticate you using your requested login type
10. CTX104917 – NDS Users Do Not Receive Applications When Authenticating to Web Interface Using Desktop Credential Pass-through
11. CTX105900 – Error: The credentials supplied were invalid. Please try again...with Desktop Credential Pass-Through
12. Workspace Control does not work when Pass-through authentication is used with a Web Interface 3.x version or greater. Ensure Trust Requests sent to XML service is set in the properties of each Web Interface broker server in the Management Console.
13. CTX113004 – How to Configure Single Sign-on for Web Interface Using Version 10.x of the Presentation Server Client
