Receiver pass through is failing with Storefront when we are trying to launch application across domains/forests.

Article ID: CTX209647

Description

  • We have two domains, "Domain1.com" and "Domain2.com", in different forests.
  • An external two-way trust relationship exists between the two domains.
  • The XenApp and XML servers are in the "Domain2.com" domain, and the StoreFront servers are in the "Domain1.com" domain.
  • Some users in the "Domain1.com" domain are members of a global group (GGroup).
  • There is a domain local group (LGroup) in the "Domain2.com" domain. The global group (GGroup) from "Domain1.com" is a member of this domain local group in "Domain2.com".
  • The domain local group (LGroup) is granted access to the applications.
  • When users from "Domain1.com" who are members of the global group in that domain (and therefore, indirectly, of the domain local group in "Domain2.com") log in explicitly (with user name and password), they can see the applications: the applications are enumerated and they launch successfully.
  • But application enumeration fails when the same users log in to the StoreFront store using domain pass-through (pass-through authentication).

Resolution

We need to add the global group (GGroup) from "Domain1.com" directly to the published application properties to make the application launch work.

Problem Cause

When domain pass-through is used, IIS on the StoreFront (SF) server contacts a domain controller to authenticate the user. From the resulting token it extracts the user's SIDs, which carry the group membership of the authenticated user. SF then includes these SIDs in the enumeration request it sends to XenApp, and XenApp filters the user's applications by comparing the SIDs granted access to each resource against the SIDs in the request. The problem is that the SIDs granted access to the resources are from the XenApp domain ("Domain2.com"), while the SIDs in the enumeration request come from the StoreFront domain ("Domain1.com"). The SF domain controller does not include the group SIDs of the other forest during authentication, even though the authenticated user genuinely belongs to those groups, so nothing in the request matches the access list and enumeration fails.
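As an added check that is not part of this Citrix article, the following PowerShell lists the group SIDs actually present in the current logon token and tests whether a given group SID is among them; run it in the pass-through user's session on the StoreFront server. `$ExpectedGroupSid` is a placeholder to be replaced with the real SID of LGroup from "Domain2.com".

```powershell
# Added diagnostic, not code from the Citrix article.
# Shows which group SIDs the logon token carries and whether the
# Domain2.com domain-local group (LGroup) is among them.
$ExpectedGroupSid = 'S-1-5-21-PLACEHOLDER-LGROUP'   # placeholder: replace with LGroup's SID

# The token of the interactive/pass-through user, as built by the Domain1.com DC
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# Resolve each SID to a name where possible so the listing is readable;
# SIDs from the other forest frequently do not resolve from here
$identity.Groups | ForEach-Object {
    $name = '(unresolved)'
    try { $name = $_.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    [pscustomobject]@{ Sid = $_.Value; Name = $name }
} | Format-Table -AutoSize

if ($tokenSids -contains $ExpectedGroupSid) {
    "Group $ExpectedGroupSid is present in the token; resources granted to it should enumerate."
} else {
    "Group $ExpectedGroupSid is NOT in the token. A domain-local group from the other forest is not added by the Domain1.com DC; grant the Domain1.com global group (GGroup) access to the application directly, as in the Resolution."
}
```

Compare the listed SIDs with the ones granted access on the published application: with pass-through, only SIDs that appear in this token can match.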

Issue/Introduction

Application launch fails when Receiver pass-through is used in a multi-forest environment.