KCD for XenApp 5 is not available

  • Question

  • Hi,

    it seems that the KCD option for XenApp 5 is no longer available in UAG. In IAG SP2 the option was selectable. I figured out that in the wizardsdefault.ini file the option ReplyToAuthType=1 caused this behaviour. The question now is whether it is a bug or there on purpose (because KCD is not supported anymore with XenApp Web Interface 5.x !?). I therefore created a custom wizardsdefault.ini without this option (I also created RuleSet_ForCitrixXenApp5KCD.ini ruleset files under the RuleSet folder for the URL Set to get imported) and configured KCD for the new XenApp Webapp. KCD did in fact work (at least I was authenticated against the XenApp Web Interface using a Kerberos ticket).

    Best regards

    Thomas

    Tuesday, November 16, 2010 7:21 PM

Answers

  • it seems that the KCD option for XenApp 5 is no longer available in UAG. [...]

    Best regards

    Thomas

    Thomas,

    I think you've stumbled onto something. I’ve just checked (on a UAG SP1 build) and indeed, in the default flow of configuring a Citrix XenApp application in UAG, the KCD option is greyed out. As it turns out, this is only true when the option right above it, “Select an authentication method”, is set to “HTML form” - which is the default for this application template. But if you go and change that to “401 request”, the “Use Kerberos constrained delegation” option becomes enabled and you can select it.

    Regards,


    -Ran
    • Proposed as answer by Ran [MSFT] Wednesday, November 24, 2010 2:23 PM
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 5:49 PM
    Wednesday, November 17, 2010 1:45 PM

All replies

  • Hi Thomas,

    Can you provide some more detail for the benefit of others, or perhaps a link to a blog article?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 16, 2010 8:03 PM
  • Hi Jason,

    sure, here is my custom WizardDefault.ini:

    [Application_List]
    NumOfApps=1
    App1=CitrixXenApp5KCD

    [CitrixXenApp5KCD]
    Name=Citrix XenApp (Web Interface 5.0) KCD
    AppType=2
    InternalApp=0
    Types=1,2
    LegalCharsSet=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:@&=$+_-!',;~{}/
    DangerousCharsSet=/\\:*?""<>|.%
    DengerousCharsIncludeNull=1
    ParamNameCaseSensitive=0
    ParamValCaseSensitive=0
    UrlCaseSensitive=0
    AllowWebdav=0
    PassLogoffToRWS=0
    ReplyToAuth=0
    UseSNT=0
    Image=images/AppIcons/ApplicationAccess.gif
    SSLVpnTemplate=CitrixPresentationServer
    SSLVpnContentType=application/x-ica
    SSLVPNNumOfElements=2
    SSLVPNElement0ID=0IPBIND
    SSLVPNElement1ID=0
    0IPBINDName=Citrix Farm Servers:
    0IPBINDType=0
    0IPBINDGuiType=2
    0IPBINDValidation=IP/DNS NotEmpty
    0Name=Citrix Farm Ports:
    0Type=1
    0GuiType=0
    0Value=1494,2598,3389
    0Validation=Ports
    OpenNewPage=1
    FormLogin=1
    UseLLNMode=1
    ShowNote=2
    ActivateSmugglingProtection=1
    MaxHTTPBodySize=49152
    ContentTypeList=application/x-www-form-urlencoded|multipart/form-data

    As I wrote, you might also need to create URL ruleset files named RuleSet_ForCitrixXenApp5KCD.ini (just copy RuleSet_ForCitrixXenApp.ini) in the Ruleset\Levelx (0-4) folders in order to have a proper URL Set. I have no idea how to make this update safe though.

    Best regards

    Thomas

    Wednesday, November 17, 2010 7:53 AM
  • Thanks for sharing Thomas...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, November 17, 2010 8:57 AM