Citrix SSON authentication failed for Protected Users Security Group user.
Article ID: CTX574586
Description
A Windows login dialog prompt appears during session launch, even though Citrix domain pass-through authentication (SSON) is configured.

Resolution
Remove the user from the Protected Users security group in AD.
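
To confirm which affected accounts are actually in the group before changing membership, the following PowerShell check can be used. It is an added example, not part of the Citrix article; it assumes the ActiveDirectory (RSAT) module is installed, and the function name Test-ProtectedUsersMember and the account names are hypothetical. It also reports membership through nested groups, which goes beyond the case described here.

```powershell
# Added example: report whether accounts are members of Protected Users.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-ProtectedUsersMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$SamAccountName
    )
    begin {
        # Protected Users has the well-known RID 525 in each domain, so it is
        # located by SID instead of by its display name.
        $domainSid = (Get-ADDomain).DomainSID.Value
        $group     = Get-ADGroup -Identity "$domainSid-525"

        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) matches direct
        # membership and membership inherited through nested groups.
        $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    }
    process {
        $user = Get-ADUser -Identity $SamAccountName

        # A base-scope search on the user's own DN returns the user only if
        # the membership filter matches, and avoids escaping the DN in a filter.
        $hit = Get-ADUser -LDAPFilter $filter `
                          -SearchBase $user.DistinguishedName `
                          -SearchScope Base

        [pscustomobject]@{
            SamAccountName   = $user.SamAccountName
            InProtectedUsers = [bool]$hit
        }
    }
}

# Constructed sample account names; replace with the users who see the prompt.
'alice', 'bob' | Test-ProtectedUsersMember
```
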
Problem Cause
During the investigation, it was found that the OS process "MpNotify.exe" was not loaded.
To perform SSON-related operations with Citrix pnsson.dll, MpNotify.exe must be loaded in Winlogon.
If MpNotify.exe fails to load, the SSON operation cannot be started.
Issue/Introduction
Citrix domain pass-through authentication (SSON) does not support users who are members of the Protected Users security group.
Additional Information
Protected Users Security Group
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
Domain controller protections for Protected Users
Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
- Authenticate with NTLM authentication.
- Use DES or RC4 encryption types in Kerberos pre-authentication.
- Be delegated with unconstrained or constrained delegation.
- Renew the Kerberos TGTs beyond the initial four-hour lifetime.