[THIN] Re: Publishing apps to Domain Local groups

• From: Christopher Wilson <christofire@xxxxxxxxx>
• To: thin@xxxxxxxxxxxxx
• Date: Fri, 31 Dec 2010 13:41:08 -0500

RESOLUTION!

http://support.citrix.com/article/CTX117489

Second half of this article was the fix.

Configure the XML brokers to perform SID enumeration.  This forces the the
XML broker to do it's own check for group membership, and ensures that it
catches the domain local groups.

From the article:

4. On the XenApp server, go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\XMLService\ in
the system registry.

5. Under the XMLService node, add a DWORD value named EnableSIDEnumeration
and set the value to 1.

6. Restart Internet Information Services (IIS) on the Web Interface server.

7. If you want the new permissions take effect immediately rather than
waiting for the Kerberos ticket cache period to expire, restart the XenApp
server.

 Hope that works for you as well.

Regards,
Christopher

On Wed, Dec 8, 2010 at 6:44 PM, Bruce Ricker <brucericker@xxxxxxxxx> wrote:


> Same issue and looking for resolution as well...
>
>   On 12/7/10, Christopher Wilson <christofire@xxxxxxxxx> wrote:
> > Another bit of info.
> >
> > I have isolated this down to Web Interface authentication.  If the Web
> > Interface is configured for PassThru authentication, apps published to
> > domain local groups do not enumerate.  If I use explicit authentication,
> the
> > apps enumerate properly.  Tried the PassThru with and without Kerberos to
> no
> > avail.
> >
> > If I can find a way to keep PassThru auth that is going to be ideal.
> >
> > On Tue, Dec 7, 2010 at 10:44 AM, Christopher Wilson
> > <christofire@xxxxxxxxx>wrote:
> >
> >> I have to use domain local groups because it is a separate forrest being
> >> trusted, as opposed to two domains in the same forrest in which case I
> >> would
> >> do globals into a universal.
> >>
> >>
> >> On Mon, Dec 6, 2010 at 8:20 PM, Magnus Hjorleifsson
> >> <magnus@xxxxxxxx>wrote:
> >>
> >>>  Use  domain global groups in each of the  domains put the global
> groups
> >>> in a universal group in one of the domains. Much easier to manage
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On Dec 6, 2010, at 14:27, "Raffensberger, Stephen D" <
> >>> sraffens@xxxxxxxxxxx> wrote:
> >>>
> >>>    Are they Universal groups or Global groups?
> >>>
> >>>
> >>>
> >>> *Steve Raffensberger*
> >>>
> >>> Produban US
> >>>
> >>> sraffens@xxxxxxxxxxx
> >>>  ------------------------------
> >>>
> >>> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
> *On
> >>> Behalf Of *Christopher Wilson
> >>> *Sent:* Monday, December 06, 2010 12:28 PM
> >>> *To:* thin@xxxxxxxxxxxxx
> >>> *Subject:* [THIN] Publishing apps to Domain Local groups
> >>>
> >>>
> >>>
> >>> Greetings all.
> >>>
> >>>
> >>>
> >>> I have an integration problem I'm hoping someone might have some
> insight
> >>> on.
> >>>
> >>>
> >>>
> >>> *Here’s the situation:  *Merger Closed Friday.  Integration in
> progress.
> >>> Need to publish Citrix apps to both companies users.
> >>>
> >>> *Citrix Setup: *One farm CPS 3.0/Windows 2003, one farm XenApp
> 5/Windows
> >>> 2008 sp2.  Both have the same issue.
> >>>
> >>>
> >>>
> >>> *AD set up:* Our users are in a domain with an empty forest root above
> >>> it.  Their users are in a domain with an empty forest root above it.  A
> >>> trust exists between the two forest roots.
> >>>
> >>>
> >>>
> >>> *Problem:* To publish apps to the other domain I **should** be able to
> >>> publish Citrix apps to a domain local group in my domain, and add users
> >>> from
> >>> both domains to that domain local security group.  What I am seeing is
> >>> that
> >>> for applications published to a domain local group, users in that group
> >>> from
> >>> our domain see the app, but members from the other domain do not see
> the
> >>> app.
> >>>
> >>>
> >>>
> >>> I can publish the application explicitly to users in the other domain
> and
> >>> they can see and access the application.  This is not an optimal
> >>> approach.
> >>> Trying to get the domain local group working for all users.
> >>>
> >>>
> >>>
> >>> Has anyone run into this issue before and do you have any
> >>> recommendations?
> >>>
> >>>
> >>>
> >>> Thanks for any help you can offer.
> >>>
> >>>
> >>>
> >>> Best regards,
> >>>
> >>> Christopher
> >>>
> >>>
> >>
> >
>
>
> --
> Sent from my mobile device
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> //www.freelists.org/list/thin
> Follow ThinList on Twitter
> http://twitter.com/thinlist
> ************************************************
>
>

• References:
  • [THIN] Publishing apps to Domain Local groups
    • From: Christopher Wilson
  • [THIN] Re: Publishing apps to Domain Local groups
    • From: Raffensberger, Stephen D
  • [THIN] Re: Publishing apps to Domain Local groups
    • From: Magnus Hjorleifsson
  • [THIN] Re: Publishing apps to Domain Local groups
    • From: Christopher Wilson
  • [THIN] Re: Publishing apps to Domain Local groups
    • From: Christopher Wilson
  • [THIN] Re: Publishing apps to Domain Local groups
    • From: Bruce Ricker

Other related posts:

• » [THIN] Publishing apps to Domain Local groups- Christopher Wilson
• » [THIN] Re: Publishing apps to Domain Local groups- Raffensberger, Stephen D
• » [THIN] Re: Publishing apps to Domain Local groups- Magnus Hjorleifsson
• » [THIN] Re: Publishing apps to Domain Local groups- Christopher Wilson
• » [THIN] Re: Publishing apps to Domain Local groups- Christopher Wilson
• » [THIN] Re: Publishing apps to Domain Local groups- Christopher Wilson
• » [THIN] Re: Publishing apps to Domain Local groups- Magnus Hjorleifsson
• » [THIN] Re: Publishing apps to Domain Local groups- Bruce Ricker
• » [THIN] Re: Publishing apps to Domain Local groups - Christopher Wilson

1. Home
2. thin
3. Archive
4. 12-2010

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---