How to Configure User SID Enumeration in the XML Service

Article ID: CTX117489

Description

This article contains information about configuring the Citrix XML Service to perform enumeration of Security Identifiers (SIDs) for user accounts when using Single Sign-on (SSO) or smart card authentication to Web Interface 5.0.

Background

When using SSO or smart card authentication, access for users to the published resources is authorized based on the SIDs of the groups to which the users belong. These SIDs are added to the users’ access tokens by the authentication system, for example when they log on to their physical desktops. The SIDs are subsequently passed to the Web Interface for use in enumerating and accessing the published resources. This can lead to the following two known issues:

  • When authentication takes place in a different domain from that containing the XenApp server, resources that are published to domain local groups might not be correctly enumerated because the local groups are not visible at the point of authentication.

  • Changes to users’ group memberships are not reflected in the Web Interface until the users' next logon because the SIDs are cached in the users’ access tokens.

You can rectify these issues by moving SID enumeration into the Citrix XML Service, which then enumerates the user's group SIDs afresh for each request rather than trusting the SIDs presented in the access token.
After configuring XML Service SID enumeration, the XML Service reports the sid-enumeration capability. Versions of the Web Interface earlier than version 5.0 ignore this capability, so the XML Service continues to accept SIDs from the Web Interface instead of performing enumeration itself.
Even with enumeration enabled, the results of XML Service SID enumeration might be cached because of Kerberos S4U ticket caching, causing a delay before changes to users’ group memberships are reflected in their available published resources. By default, the duration of this caching is 15 minutes, although it may be overridden by the following registry entries, if present:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\S4UTicketLifetime

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CacheS4UTickets

When the XML Service SID enumeration is configured and a problem is observed, the following two new errors might be logged in the Event Log of the Web Interface server:

  • The Citrix servers were denied access to retrieve security identifiers for the user. Either grant the XML Service read permissions to the Token-Groups-Global-And-Universal attribute in Active Directory or disable security identifier enumeration in the XML Service.
    This error is observed when the feature is enabled but the correct Token-Groups-Global-And-Universal (TGGAU) permission has not been granted in one or more of the domains contacted for evaluation of the users’ group memberships.

  • The Citrix servers could not retrieve security identifiers for the user.
    This error is observed when SID enumeration fails.
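The following PowerShell script is an added example and is not part of the Citrix article. It reproduces the check behind the first error above: it reads the Token-Groups-Global-And-Universal attribute for one user through ADSI, in the security context of whoever runs the script, and then reports the two Kerberos S4U cache values named above. Run it on the XenApp server as the identity the XML Service uses to query Active Directory (for a local system identity, for example under psexec -s); `$SamAccountName` and `$Domain` are parameters introduced for this example.

```powershell
# Added example (not from the Citrix article). Checks whether the current identity can
# read tokenGroupsGlobalAndUniversal (TGGAU) for a user, which is what XML Service SID
# enumeration needs, and shows the Kerberos S4U cache settings that govern how long the
# enumerated SIDs stay cached. Uses only System.DirectoryServices (no RSAT module needed).
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$Domain = $env:USERDNSDOMAIN   # unset when running as Local System: pass it explicitly
)

# Bind to the user's domain by DNS name and locate the account.
$root     = [ADSI]"LDAP://$Domain"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if ($null -eq $hit) { throw "User '$SamAccountName' not found in $Domain" }
$user = $hit.GetDirectoryEntry()

# tokenGroupsGlobalAndUniversal is a constructed attribute: the directory only computes it
# when asked for explicitly, and only if the caller has read permission on it.
$user.RefreshCache([string[]]@('tokenGroupsGlobalAndUniversal'))
$raw = @($user.Properties['tokenGroupsGlobalAndUniversal'])

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($raw.Count -eq 0) {
    # A normal user belongs to at least one global group (Domain Users), so an empty result
    # usually means the caller lacks read permission: the 'denied access to retrieve
    # security identifiers' case from the article.
    Write-Warning "TGGAU returned nothing for $SamAccountName when read as $me. Check that $me is allowed to read the attribute in $Domain."
} else {
    Write-Output "Global/universal group SIDs for $SamAccountName as read by ${me}:"
    foreach ($bytes in $raw) {
        # Each value is a binary SID; decode it and try to resolve it to a name.
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $name = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' })
        Write-Output ('  {0,-48} {1}' -f $sid.Value, $name)
    }
}

# Kerberos S4U cache settings named in the article. Absent values mean the defaults
# (caching enabled; the article gives the default lifetime as 15 minutes).
$kerb  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$props = Get-ItemProperty -Path $kerb -ErrorAction SilentlyContinue
foreach ($v in 'CacheS4UTickets', 'S4UTicketLifetime') {
    $val = if ($null -ne $props -and $null -ne $props.$v) { $props.$v } else { '<not set: default applies>' }
    Write-Output ('{0,-18} {1}' -f $v, $val)
}
```

Run it once as an ordinary domain user and once as the XML Service's identity: if the first lists SIDs and the second warns, the TGGAU permission in that domain is the missing piece rather than trust or connectivity.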


Instructions

To configure the Citrix XML Service to perform enumeration of SIDs for user accounts when using SSO or smart card authentication to Web Interface 5.0, complete the following procedure:

  1. If the user account exists in a different domain from that containing the XenApp server, ensure that the domains share a two-way trust relationship.

  2. Verify that the XenApp server can resolve the names and IP addresses of the domain controllers of the user account domain and communicate with them. Requests to the Citrix XML Service might time out if it cannot reach those domain controllers.

  3. Grant the XML Service read access to the TGGAU attribute in Active Directory in each domain that holds user accounts. You can grant the required permissions by using the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to add the Authenticated Users group to the following built-in groups:

    • Pre-Windows 2000 Compatible Access

    • Windows Authorization Access Group

    Note: Adding Authenticated Users to Pre-Windows 2000 Compatible Access gives every authenticated account read access to a broad set of user and group attributes. Membership in Windows Authorization Access Group is by itself sufficient to read TGGAU, so where possible add only the identity the XML Service uses to query Active Directory (typically the XenApp server's computer account, when the service runs under a local system identity) to that group instead.

  4. On the XenApp or XenDesktop 4 DDC server, open Registry Editor and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\XMLService key.

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  5. Under the XMLService key, add a DWORD value named EnableSIDEnumeration and set it to 1.
    Note: For XenDesktop 5, the value is instead: HKLM\Software\Citrix\DesktopServer\EnableXmlServiceSidEnumeration (REG_DWORD) = 1

  6. Restart Internet Information Services (IIS) on the Web Interface server.

  7. If you want the new permissions to take effect immediately rather than waiting for the Kerberos ticket cache period to expire, restart the XenApp server.
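The following PowerShell script is an added example, not part of the Citrix article, that carries out steps 1 to 7 from the XenApp or XenDesktop server. It assumes the ActiveDirectory RSAT module, an elevated session, WinRM access to the Web Interface server, and that the XML Service presents the server's computer account when it reads Active Directory; `$UserDomains`, `$WebInterfaceServer`, `$Platform` and `$RestartThisServer` are parameters introduced here. It departs from step 3 in one respect: rather than adding Authenticated Users to the two built-in groups, it adds only this server's computer account to Windows Authorization Access Group in each user domain, which is the narrower grant that still permits reading TGGAU.

```powershell
# Added example (not from the Citrix article): configure XML Service SID enumeration.
param(
    [Parameter(Mandatory = $true)][string[]]$UserDomains,       # domains holding the user accounts
    [Parameter(Mandatory = $true)][string]$WebInterfaceServer,  # hypothetical Web Interface host
    [ValidateSet('XenApp', 'XenDesktop5')][string]$Platform = 'XenApp',
    [switch]$RestartThisServer
)
Import-Module ActiveDirectory -ErrorAction Stop

$serverDomain = (Get-ADDomain).DNSRoot
# Assumption: the XML Service runs under a local system identity, so on the network it is
# this server's computer account, and that is the principal that must be able to read TGGAU.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME

foreach ($domain in $UserDomains) {
    # Step 1: a user domain other than the server's own must be linked by a two-way trust.
    if ($domain -ne $serverDomain) {
        $trust = Get-ADTrust -Filter "Name -eq '$domain'" -ErrorAction SilentlyContinue
        if ($null -eq $trust -or $trust.Direction -ne 'BiDirectional') {
            throw "No two-way trust between $serverDomain and $domain"
        }
    }

    # Step 2: a domain controller of the user domain must resolve and answer on LDAP (TCP 389);
    # otherwise XML Service requests time out.
    $dc     = Get-ADDomainController -DomainName $domain -Discover -ErrorAction Stop
    $dcHost = [string]($dc.HostName | Select-Object -First 1)
    $ip     = [System.Net.Dns]::GetHostAddresses($dcHost)[0]
    $client = New-Object System.Net.Sockets.TcpClient
    $reachable = $client.BeginConnect($ip, 389, $null, $null).AsyncWaitHandle.WaitOne(3000)
    $client.Close()
    if (-not $reachable) { throw "Cannot reach domain controller $dcHost ($ip) on TCP 389" }

    # Step 3: grant TGGAU read by adding the computer account to the user domain's
    # Windows Authorization Access Group (cross-domain membership goes through the trust).
    Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members $computer -Server $dcHost -ErrorAction Stop
    Write-Output "Granted TGGAU read to $($computer.Name) in $domain via $dcHost"
}

# Steps 4-5: enable SID enumeration; the key and value name depend on the product.
switch ($Platform) {
    'XenApp'      { $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\XMLService'; $valueName = 'EnableSIDEnumeration' }
    'XenDesktop5' { $key = 'HKLM:\SOFTWARE\Citrix\DesktopServer';                      $valueName = 'EnableXmlServiceSidEnumeration' }
}
if (-not (Test-Path $key)) { throw "Registry key $key not found: is the XML Service installed on this host?" }
New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Set $key\$valueName = 1"

# Step 6: restart IIS on the Web Interface server so it picks up the sid-enumeration capability
# (assumes WinRM is enabled on that server).
Invoke-Command -ComputerName $WebInterfaceServer -ScriptBlock { iisreset /restart } | Out-Null

# Step 7: optional reboot so the new group membership takes effect without waiting for the
# Kerberos S4U ticket cache to expire.
if ($RestartThisServer) { Restart-Computer -Force }
```

Run it once per XML Service host; the group membership in each user domain only needs to be added once per server, and Add-ADGroupMember reports an error if the account is already a member, which is safe to ignore on a re-run.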

Disclaimer

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.


Additional Information

For more information about the TGGAU attribute and the groups that are permitted to read it, refer to Microsoft Knowledge Base article 331951, Some applications and APIs require access to authorization information on account objects.