Questions about SEE Administrator, Console and Configuration Manager

I need a solution

Hi, everyone.

I have some question that needs answering:

What permissions do an SEE Admininstrator needs from the AD to work on the SEE Management Console?

Another thing I would like to know if any changes on the Group Policy and AD Computers and Users will be reflected on the Active Directory? If yes, does this means the SEE Administrator will be able to feedle with the AD from the SEE Management Console?

Can we limit the access to the SEE Configuration Manager?

What are the best practises if there’s any?

0

Related:

  • No Related Posts

Add multiple Basic Authentication LDAP policies/servers to Gateway or LB VIP

The best way to add additional LDAP servers for authentication is to add another LDAP Authentication Policy which is associated with another LDAP server and then bind that new policy to your Gateway or LB VIP.

This article only works with Basic Authentication with LDAP but if you have an Authentication Profile on Gateway the process below will not work.


For Basic Authentication Policies with LDAP:

Log into the Netscaler GUI.

Click on “Citrix Gateway” (or Traffic Management -> Load Balancing) -> Virtual Server -> select your virtual server where you wish to add more LDAP servers.

Under “Basic Authentication” click on the LDAP Policy (If no policy exists you will create one here). Select the policy and click “Edit Server”. Make sure to copy the settings so that they are the same on the second LDAP server/policy you are about to create. Click Close.

For the existing Policy, write down the Priority value. You will want this to be the same for the new LDAP servers unless you specifically want a lower priority.

Select “Add Binding”. Change the Priority to match the one you just wrote down. Then click “Add” next to “Select Policy”

Create a Name for the policy. Make the Expression in the lower box: NS_TRUE

Click on “Add” next to Server selection box. Add all the server details for the second LDAP server. They should all be the same except for the IP address of the new server. Click on “Create”.

Click “Create” on the LDAP Policy page to create the policy with the new server.

Click on “Bind” to bind the policy with the set priority.

Now you should see two LDAP policies with the same priority and different policy names.

Next to Select Policy press the “Add” button and on the next screen click “Add’ to create a new LDAP policy.


PLEASE NOTE: These LDAP policies will NOT Round Robin. The first LDAP server will always be used unless it cannot authenticate, it goes down, or is otherwise unavailable. Only then will the second LDAP server be used.

Related:

  • No Related Posts

Successfully Deploying XenDesktop in a Complex Active Directory Environment

The following environments assume that XenDesktop 5.x is installed on all DDCs and VDAs. This article is based on the registry based Controller Discovery – this is the recommended method for multiple forest registration.

The NetBIOS and Fully Quality Domain Name (FQDN) can be different. For example, the NetBIOS name could be BOB but the FQDN could be parent1.local or the NetBIOS name and FQDN can be the same:

Example: NetBIOS name is parent and the FQDN would be parent.local.

Note: Dots in NetBIOS names are not recommend.

Appropriate user access permissions are given for successful machine creation. In a cross-forest setup, use Delegation Control Wizard to keep permissions to minimum use. Permission must be given for the DDC Administrator to create machines in a different forest in a specific Organizational Unit (OU). The following minimum permission can be given for successful machine creation:

  1. Open Active Directory Users and Computers Microsoft Management Console (MMC).

  2. Right-click your OU and select Delegate Control.

  3. On the first screen, click Next.

  4. In the Users & Groups screen, click Add and pick a user or group you want to delegate rights to and click Next.

    The best practice is to assign a group rather than a single user, as it is easier to manage and audit.

  5. In the Tasks to Delegate screen, select Create a custom task to delegate and click Next.

  6. In the Active Directory Object Type screen, select Only the following objects in folder and select Computer objects.

    User-added image

  7. Select Create selected objects in this folder and click Next.
  8. In the Permissions screen, select General and then select Read and Write.

  9. Click Next.

    User-added image

  10. Click Finish to complete the delegation control.

Different types of Active Directory Setups

Simple Single Domain Deployment

The following diagram illustrates a XenDesktop deployment in a single Active Directory domain, where the DDCs, VDAs, and the users are all in the same domain.

User-added image

In this Single domain setup, all relevant components and objects are based on one single domain. Registration of VDAs with the DDC should be successful and no additional configuration, that is, the registry key changes is required.

Following is a list to check if VDA is unable to register with the DDC:

  1. Check Event Viewer for errors on both the DDC and the VDA.

  2. Ensure that the firewall is open for port 80 between the VDA and the DDC.

  3. Check that the FQDN of the DDC is correct in the registry setting of the VDA machine. On the VDA, check the following Reg Key:

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

    HKEY_LOCAL_MACHINESOFTWARECitrixVirtualDesktopAgent and confirm the parameter ListOfDDCs had the correct FQDN.

    If using 64-bit Virtual Machine, the VDA Reg Key is HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrixVirtualDesktopAgentListOfDDCs

  4. Ensure that the DNS settings are correct on VDA and DDC, and both the computers can resolve each other by DNS name and reverse lookups. Use the XDPing tool, downloadable from the Knowledge Center article CTX123278 – XDPing Tool to further troubleshoot.

  5. Check that the Time is in sync between the VDA and DDC are correct.

    For further troubleshooting, see Troubleshooting Virtual Desktop AgentRegistration with Controllers in XenDesktop.

Single Forest with Multiple Domains or Single Forest with Multiple Domains with shortcut trusts

The following two diagrams illustrate a XenDesktop deployment in a single forest with multiple domains and a Single Forest with multiple domains with shortcut trusts – where the DDC, VDA, and Users are all based in different domains.

The following is the illustration for Multiple Domains:

User-added image

The following is an illustration for Multiple Domains with short cut trusts:

User-added image

Multiple Domains: DDC, Users, and VDA are based in various domains, by default, a bidirectional transitive trust relationship exists between all domains in a forest.

Multiple Domains with short cut trusts: DDC, Users, and VDA are based in various domains but at two-way shortcut, trust has been manually created between the DDC domain and the VDA domain. Typically, shortcut trusts are used in a complex forest where it can take time to traverse between all domains for authentication. By adding a shortcut trusts, it shortens the trust path to improve the speed of user authentication.

For successful registration of the VDA with the DDC, the following should be configured correctly. DNS Forward/Reverse Lookup Zones are in place and configured on the relevant DNS servers. For further troubleshooting of VDAs not registering, see Following is a list to check if VDA is unable to register with the DDC: mentioned in the Simple Single Deployment section.

Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment. This is where the DDC is in a different Active Directory forest and the end users and desktops can be either in the same forest or in a separate Active Directory forest.

Note: For Forest trusts, both Forests must be in Win2003 Forest Functional Level.

User-added image

The preceding illustration shows two separate Active Directory forest with a two-way forest trust. DDC and Users are in the same forest (parent.local) but the VDAs are located in different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly:

DNS, for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional Forwarders, Forward /Reverse lookup zones and Stub zones are all acceptable for name lookup/resolution. As an example, in the preceding illustration, on the DNS server for Parent.local, a Secondary Forward Lookup Zone and a Reverse Lookup zone for Parent2.local has been added and similarly the opposite has been done on the Parent2.local. This means that the DDC should now be able to resolve the VDA by name and IP and the VDA resolves the DDC by name and IP address.

See Managing a Forward Lookup Zone for information on managing Lookup Zones.

On the Desktop Delivery Controller, enable the following registry value on the DDC. This enables support for VDAs, which are located in separate forests: HKEY_LOCAL_MACHINESoftwareCitrixDesktopServerSupportMultipleForest (REG_DWORD)

User-added image

To enable VDAs located in separate forests; this value must be present and set to 1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the changes to have an effect.

On the Virtual Desktop Agent, enable the following registry value on the VDA to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest; this value must be present and set to 1.

Note: The next step is only required if External Trusts are only being used.

  1. If the Active Directory FQDN does not match the DNS FQDN or if the domain where the DDC resides has a different NetBIOS name to that of the Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentListOfSIDs
    • User-added image

The ListOfSIDs registry key contains the DOMAIN SID of the DDC. By using this key, DNS lookups are using the true DNS name of the DDC.

To obtain the correct domain SID of the DDC, the domain SID can be found by using a tool such as ADExplorer from sysinternals or by using the XDPingtool.

Note: You must restart the Citrix Desktop Service for the changes to have an effect.

Multiple Forests with One-Way Selective trusts

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment using One-way Selective Trusts. The DDC is in a different Active Directory forest and the end users and existing VDAs (created either manually or through an alternative method) are in a separate Active Directory forest. In a one-way selective trust, automatic creation of Virtual Machines through DDC will fail, because of authentication issues.

For this example, the NetBIOS and FQDN are different in each Forest and domain.

Note: For One-Way Selective trusts, both Forests must be in Win2003 Forest Functional Level or above.

User-added image

Selective authentication is used in environments where users are explicitly granted/ allowed to authenticate to servers and resources on the trusting domain. This method gives domain administrators control on what rights users can be given to access services on the trusting domain. See Enable Selective Authentication over a Forest Trust for more information on Selective trusts.

Configure the following for successful registration of the VDA with the DDC:

  1. DNS for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional forwarders, Forward/Reverse lookup zones, and Stub zones are all acceptable for name lookup/resolution.

  2. Create the Selective trust on the relevant Domain Controllers.

  3. Follow steps provided in the Multiple Forests with trusts (External trusts – NTLM or Forest trusts Kerberos) section.

  4. The VDAs must be granted authentication access to the DDC. This is done through Active Directory Computer and Users snap-in.

    Note: VDAs can be added to a group to make management easier (granting rights). This is recommended.

    a) In Active Directory Computers and Users, browse to the location of the DDCs.

    b) Right-click DDC and click Properties.

    c) Click the Security tab.

    d) Click Add and click Locations to change the domain to where the VDAs reside.

    e) Click on Advanced, and click on Object Types. Choose ‘Computers’

    f) Select all the relevant VDA or Group (recommended) and click OK.

    g) Select the VDA’s or Group and give the rights – Read and Allowed to authenticate, as displayed in the following screen shot:

      1. User-added image

  5. On the DDC, select an Existing Catalog and create a relevant Assignment. When done, the Virtual Machines should show in a Ready State, as displayed in the following screen shot:

    User-added image

For further troubleshooting of VDA not registering, see Following is a list to check if VDA is unable to register with the DDC section.

Related:

  • No Related Posts

“Failure – Probe time out” When Configuring Citrix ADC LDAP Monitor for Service Group

It is a best practice to reduce the returned values to a small number. For Active Directory LDAP systems the filter can be set to cn=Builtin that returns minimal results.

To make this change using ADCGUI, go to Traffic Management > Load balancing > Monitors > edit the LDAP Monitor and add CN=Builtin as filter.

User-added image

To make this change using ADC CLI:

add lb monitor MonitorName -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password password -encrypted -encryptmethod ENCMTHD_3 -LRTM ENABLED -baseDN "DC=dom,DC=com" -bindDN "CN=UserName,OU=CustomOU,DC=com,DC=com" -filter CN=Builtin

Related:

  • No Related Posts

How to hide secondary password field for login page of NetScaler Gateway

Create the following rewrite policy and action to hide secondary password field from NetScaler Login page.

Please follow the below steps, to match the configuration that worked to remove the secondary password field:

1. Open your NS GUI, click on Configuration and open the NetScaler Gateway section.

2. Go to your Gateway vServer and open the Policies menu.

3. Click on the + button.

4. Choose Policy “Rewrite” and Choose Type “Response” , exactly the same as the image below :

5. Go to Policy Binding and Click on Add.

6. Edit the fields of the Rewrite Policy like in the image below, with the expression “HTTP.REQ.HEADER(User-Agent).CONTAINS(AGEE).NOT” :

7. At the Action field, click on Add bottom.

8. Create the Action like in the image below, with the following expression “
pwcount= + 1” :

9. Click on Create bottom, with the Remove_Password_Action selected in the Action field.

10. Bind the policy to the Gateway vServer.

11. Click on Done, save the configuration and Test.

Working with Browser :

This rewrite policy works with Web Browser, however it will not functions the same with Receiver.

Resolution:

NOTE: Remember that the “Rewrite” Basic Feature have to be enabled on the NetScaler, to use this policy.

if you use solution below then users are unable to change password if LDAP prompts for it.

If we want to disable the RSA field on first screen on Web Browser as well as on Receiver window ( Including Windows / MAC / IOS / Android ) Receiver , apply the below changes under the LDAP server profile as mentioned in the screenshot :

Uncheck the Authentication tab if its already checked, and then you will find your LDAP logon on logon page and RSA token is on another page separately.

User-added image

Related:

  • No Related Posts

Access to EMail Quarantine throught LDAP protocol

I need a solution

Good Evening,

We’re installing the Email Security.Cloud and identified that LDAP protocol isn’t present to authenticate the users to Email Quarantine, and this is crucial to us in our environment, because this will cause impact our users to access the cloud Quarantine console and manage their messages.

We work this way on SMG on premises with no trouble. So this will be a big cultural change to our organisation.

Is it possible to add the function for authenticating using LDAP protocol?

Thanks

0

Related:

  • No Related Posts

Error send key to keyserver

I need a solution

Please Help

1. i tried to send key to keyserver, by following user’s guide.

 pgp –keyserver-send user1@example.com –keyserver ldap://keyserver.example.com

  Show error 3090:operation failed, Server is unwilling to perform

2. i tried to check connection with search key another user. it’s work

 pgp –keyserver-search user2@example.com –keyserver ldap://keyserver.example.com

ldap://keyserver.example.com:keyserver search (2504:successful search)
 Alg  Type Size/Type Flags   Key ID     User ID
----- ---- --------- ------- ---------- -------
 RSA4 pub  2048/2048 [-----] 0xB40B23F7 user2
1 key found
0

Related:

  • No Related Posts

How does ProxySG get the DN for an IWA user?

I need a solution

ProxySG is joined to a Windows domain with forest trusts to user domains. An IWA-direct realm is configured for split authorisation against an LDAP realm.

When a user from a trusted domain authenticates to an explicit proxy service, how does the proxy establish the user’s Distinguished Name to perform the LDAP search, for both Kerberos and NTLM clients?

The user’s DN is not in the NTLM negotiation, does the proxy need network access to the trusted domains to determine this or does it receive it from the DC (e.g. over s_channel)?

Thanks

Matt

0

Related:

  • No Related Posts