Summary
This article explains how to configure the Citrix XML Service to perform enumeration of security identifiers (SIDs) for user accounts when using Single Sign-on (SSO) or smart card authentication to Web Interface 5.0.
Background
When using SSO or smart card authentication, users’ access to published resources is authorized based on the SIDs of the groups to which the users belong. These SIDs are added to users’ access tokens by the authentication system (for example, by logging on to their physical desktops) and are subsequently accessible to the Web Interface for use in enumerating and accessing published resources. This can lead to two known issues:
• When authentication takes place in a different domain from that containing the XenApp server, resources that are published to domain local groups might not be correctly enumerated because the local groups are not visible at the point of authentication.
• Changes to users’ group memberships are not reflected in the Web Interface until the users' next logon because the SIDs are cached in the users’ access tokens.
These issues can be rectified by moving the enumeration of SIDs to the Citrix XML Service and enumerating on each request.
After configuring XML Service SID enumeration, the XML Service reports the sid-enumeration capability. Versions of the Web Interface earlier than version 5.0 ignore this capability, so the XML Service continues to accept SIDs from the Web Interface instead of performing enumeration itself.
The results of XML Service SID enumeration might be cached because of Kerberos ticket caching, causing a delay in changes to users’ group memberships being reflected in their available published resources. By default, the duration of this caching is 15 minutes, although it may be overridden by the following registry entries, if present:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\S4UTicketLifetime
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CacheS4UTickets
When XML Service SID enumeration is configured and a problem is encountered, there are two new errors that might be reported in the Event Log on the Web Interface server:
• The Citrix servers were denied access to retrieve security identifiers for the user. Either grant the XML Service read permissions to the Token-Groups-Global-And-Universal attribute in Active Directory or disable security identifier enumeration in the XML Service. — This error occurs when the feature has been enabled but the correct token-groups-global-and-universal (TGGAU) permission has not been granted in one or more of the domains contacted for evaluation of users’ group memberships.
• The Citrix servers could not retrieve security identifiers for the user. — This error occurs when SID enumeration fails for any other reason.
Procedure
Caution! Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
1. If the user accounts exist in a different domain from that containing the XenApp server, ensure that the domains share a two-way trust relationship.
2. Verify that the XenApp server can resolve the IP address and contact the domain controller of the user account domain. Requests to the Citrix XML Service might time out if it cannot communicate with the domain controllers.
3. Grant the XML Service read access to the TGGAU attribute in Active Directory in each domain that contains user accounts. The permission is granted through group membership: using the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, add the Authenticated Users group to the following built-in groups:
• Pre-Windows 2000 Compatible Access
• Windows Authorization Access Group
Windows Authorization Access Group is the group that specifically carries read access to TGGAU (see KB 331951); Pre-Windows 2000 Compatible Access grants far broader read access to the directory, so if the narrower membership alone clears the error, stop there. Authenticated Users is also the broadest possible principal: where the identity under which the XML Service queries the directory is known (typically the XenApp server's computer account), adding only that account is the least-privilege choice.
4. On the XenApp server, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\XMLService\ in the system registry.
5. Under the XMLService node, add a DWORD value named EnableSIDEnumeration and set the value to 1.
6. Restart Internet Information Services (IIS) on the Web Interface server.
7. If you want the new permissions to take effect immediately rather than waiting for the Kerberos ticket cache period to expire, restart the XenApp server.
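The following PowerShell script is an added example and is not part of the Citrix article or any Citrix tool. It scripts steps 2 to 5 of the procedure above on a XenApp server, reports the Kerberos S4U caching values mentioned in the Background section, and then reads TGGAU for a test user the way the XML Service will, so that the two Event Log conditions described above (permission missing on TGGAU versus any other retrieval failure) can be distinguished before users hit them. Assumptions not made by the article: the domain names and the test account are placeholders; the XML Service is taken to query the directory as the XenApp server's computer account, so that account is granted by default, with a switch to grant Authenticated Users exactly as the MMC steps do; and the user domains are in the same forest (for a domain in another forest the member DN must be the server's foreign security principal in that domain instead).

```powershell
# Added example (not part of the Citrix article): scripts steps 2 to 5 of the procedure
# above on a XenApp server and then reads TGGAU for a test user to confirm the grant took.
# Assumptions, not stated by the article: the user domain names and test account below are
# placeholders, and the XML Service is taken to query Active Directory as the XenApp
# server's computer account, so that account is what is granted read access by default.
param(
    [string[]]$UserDomains = @('users.example.com'),  # placeholder: domains that hold the user accounts
    [string]$TestUser      = 'jdoe',                   # placeholder: sAMAccountName of a user in those domains
    [switch]$UseAuthenticatedUsers                     # grant Authenticated Users, exactly as the article's MMC steps do
)
$ErrorActionPreference = 'Stop'

function Find-DomainController([string]$Domain) {
    # Step 2: locate and ping a DC; if this fails, XML Service requests would time out instead.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController()
    if (-not (Test-Connection -ComputerName $dc.Name -Count 1 -Quiet)) {
        throw "Domain controller $($dc.Name) for $Domain is not reachable from $env:COMPUTERNAME"
    }
    return $dc.Name
}

function Grant-TggauRead([string]$Dc, [string]$MemberDn) {
    # Step 3: Windows Authorization Access Group membership is what grants read on
    # tokenGroupsGlobalAndUniversal (KB 331951). It is a domain local group, so repeat per domain.
    $domainDn = ([ADSI]"LDAP://$Dc/RootDSE").Properties['defaultNamingContext'][0]
    if (-not $MemberDn) {
        # Authenticated Users (S-1-5-11) is referenced through its foreign security principal entry
        $MemberDn = "CN=S-1-5-11,CN=ForeignSecurityPrincipals,$domainDn"
    }
    $group = [ADSI]"LDAP://$Dc/CN=Windows Authorization Access Group,CN=Builtin,$domainDn"
    if ($group.Properties['member'] -contains $MemberDn) { return }   # already granted
    $group.Properties['member'].Add($MemberDn) | Out-Null
    $group.CommitChanges()
}

function Get-TggauSids([string]$Dc, [string]$SamAccountName) {
    # The read the XML Service performs once enumeration is enabled. Run it under the
    # XML Service's own identity (for example via psexec -s) for a faithful check.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Dc")
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User $SamAccountName not found via $Dc" }   # 'could not retrieve' class of failure
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroupsGlobalAndUniversal'))
    $values = $entry.Properties['tokenGroupsGlobalAndUniversal']
    if ($values.Count -eq 0) {
        # A DC omits the attribute rather than erroring when the caller may not read it;
        # this is the condition behind the 'denied access to retrieve security identifiers' event.
        throw "No TGGAU values for $SamAccountName from ${Dc}: the caller lacks read on tokenGroupsGlobalAndUniversal"
    }
    foreach ($bytes in $values) { (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value }
}

# Principal to grant: this server's computer account unless -UseAuthenticatedUsers was given.
$memberDn = $null
if (-not $UseAuthenticatedUsers) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $memberDn = $s.FindOne().Properties['distinguishedname'][0]
}

foreach ($domain in $UserDomains) {
    $dc = Find-DomainController $domain
    Grant-TggauRead -Dc $dc -MemberDn $memberDn
    try {
        $sids = @(Get-TggauSids -Dc $dc -SamAccountName $TestUser)
        Write-Host ("{0}: {1} group SIDs readable for {2} via {3}" -f $domain, $sids.Count, $TestUser, $dc)
    } catch {
        Write-Warning "${domain}: $($_.Exception.Message)"
    }
}

# Steps 4 and 5: turn on SID enumeration in the XML Service.
$xmlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\XMLService'
if (-not (Test-Path $xmlKey)) { New-Item -Path $xmlKey -Force | Out-Null }
New-ItemProperty -Path $xmlKey -Name EnableSIDEnumeration -PropertyType DWord -Value 1 -Force | Out-Null

# Report the Kerberos S4U caching values from the Background section so the delay before
# group changes show up is known in advance rather than reported as a bug.
$kerb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue
foreach ($name in 'S4UTicketLifetime', 'CacheS4UTickets') {
    $v = if ($kerb -and $null -ne $kerb.$name) { $kerb.$name } else { 'not set (default 15-minute caching applies)' }
    Write-Host "$name = $v"
}
Write-Host 'Done. Run iisreset on the Web Interface server (step 6) and restart this XenApp server (step 7).'
```

Run the script elevated on the XenApp server with an account that can modify built-in group membership in each user domain. The TGGAU read at the end is only as meaningful as the identity it runs under: executed as a domain administrator it will always succeed, so for a true check of what the XML Service will see, run it under the service's identity. A zero-value result is the permission failure; a user-not-found or DC-unreachable exception corresponds to the article's second, generic error.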
More Information
For more details on the TGGAU attribute, see Microsoft Knowledge Base article 331951.