NDS credentials unintentionally appear in Windows username & Windows domain fields on MetaFrame server login dialog.
(Last modified: 27Apr2006)
This document (10072616) is provided subject to the disclaimer at the end of this document.
fact
Citrix MetaFrame 1.8
Citrix MetaFrame XP
Novell Client for Windows NT/2000/XP
Microsoft Windows 2000 Server with Terminal Services
Microsoft Windows NT 4.0 Server Terminal Server Edition (TSE)
Novell Client for Windows 95/98
Citrix ICA Client for 32-bit Windows (ICA32) version 6.20.986 and later
symptom
NDS credentials unintentionally appear in Windows username & Windows domain fields on MetaFrame server login dialog.
Transparent terminal session login fails, reporting that a domain controller cannot be found for what is actually the NDS tree name.
Message: "Windows Security Message: A domain controller could not be found for the specified domain."
Message: "Logon Message: The system could not log you on. Make sure the User name and domain are correct, then type your password again. Letters in the password must be typed using the correct case. Make sure that Caps Lock is not accidentally on."
change
Possibly started after upgrading to Citrix ICA Client for 32-bit Windows (ICA32) version 6.20.986 or later.
fix
If using Citrix MetaFrame XP Feature Release 1 (FR1) or a later MetaFrame XP Feature Release, and the NDS integration feature of MetaFrame XP has been enabled, then the failure to log in transparently to the MetaFrame XP server when NDS credentials are being passed through the Windows username & Windows domain fields is actually an indication that setup of the NDS integration feature was not completed successfully. See the following resource for setting up the NDS integration features for the appropriate MetaFrame XP Feature Release:
"Using MetaFrame XP for Windows, Feature Release 1, with Novell Directory Services" available at http://www.citrix.com/.
If NOT using Citrix MetaFrame XP Feature Release 1 (FR1) or a later MetaFrame XP Feature Release, or the NDS integration feature of MetaFrame XP has NOT been enabled, then the issue is the result of the ICA Client for 32-bit Windows (ICA32) terminal client passing NDS credentials through the Windows username & Windows domain fields when the server-side terminal session was not expecting NDS credentials there. Note that this includes customers running MetaFrame 1.8 and MetaFrame 1.8 Feature Release 1 (FR1), neither of which provides the NDS integration feature.
To stop this behavior, either turn off the "Pass-Through Authentication" feature on the ICA32 client, or configure the "SSOnCredentialType" parameter of the ICA32 6.30.1050 and later clients such that NT credentials are passed to the terminal session by default instead of NDS credentials. Both topics are discussed in the ICA32 6.30.1050 and later "Citrix ICA Win32 Clients Administrator's Guide", available in the ICA32 client download section at http://www.citrix.com/download/.
Background:
When "Pass-Through Authentication" and "Use local credentials to logon" were enabled on ICA32 clients prior to 6.20.986, the Windows username, password and Windows domain information from the workstation where the ICA32 client was running were passed to the MetaFrame server terminal session via the ICA connection. This happened regardless of whether the Novell Client for Windows NT/2000/XP or Novell Client for Windows 95/98 was installed.
On a workstation with the Novell Client for Windows NT/2000/XP or Novell Client for Windows 95/98 installed, the ICA32 6.20.986 client and later (at least up to and including 6.30.1050), when configured for "Pass-Through Authentication" and "Use local credentials to logon", will pass the local workstation user's NDS credentials to the MetaFrame server via the ICA connection.
The apparent intent of this feature is to benefit customers who are using MetaFrame XP FR1 or a later MetaFrame XP Feature Release, have the NDS integration feature enabled, and are also using the Novell client on the ICA32 workstations. Under this configuration, having the ICA32 "Pass-Through Authentication" default to passing the local workstation user's NDS credentials allows for transparent authentication using the NDS user object & context from the local ICA32 client workstation.
However, this feature can cause new and unexpected results for existing MetaFrame customers that have installed the ICA32 6.20.986 or later client on workstations where the Novell Client for Windows NT/2000/XP or Novell Client for Windows 95/98 was already being used. The customer may have configured their server-side MetaFrame and Novell client to transparently authenticate the user when the Windows username and Windows domain were passed through by previous ICA32 versions, but these customers now receive failures when attempting to transparently authenticate because the later ICA32 client defaults to passing the NDS credentials from the client workstation instead.
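The version and configuration rules described in the fix and background above can be turned into a small workstation audit. This is an added example, not code from Novell or Citrix: the article names only the SSOnCredentialType parameter, so the INI layout, the [WFClient] section name, the value spelling "NT" and the sample version 6.01.967 are assumptions.

```python
import configparser

# Version thresholds quoted in the article.
NDS_DEFAULT_FROM = (6, 20, 986)   # ICA32 starts passing NDS credentials
CRED_TYPE_FROM = (6, 30, 1050)    # SSOnCredentialType becomes available

# Constructed sample INI. Section name and value spelling are assumptions.
SAMPLE_INI = "[WFClient]\nSSOnCredentialType=NT\n"


def parse_version(text):
    """'6.30.1050' -> (6, 30, 1050) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def credential_type(ini_text):
    """Return the configured SSOnCredentialType in upper case, or '' if unset."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    return cp.get("WFClient", "SSOnCredentialType", fallback="").strip().upper()


def assess(ica_version, novell_client, ini_text, server_nds_integration):
    """Classify what pass-through authentication will send for one workstation.

    Returns 'windows-credentials', 'nds-expected' or 'nds-mismatch'.
    """
    version = parse_version(ica_version)
    # Clients before 6.20.986 pass the Windows username, password and domain.
    # Assumption: later clients do the same when no Novell client is present.
    if version < NDS_DEFAULT_FROM or not novell_client:
        return "windows-credentials"
    # The parameter only takes effect on clients that support it.
    if version >= CRED_TYPE_FROM and credential_type(ini_text) == "NT":
        return "windows-credentials"
    # NDS user and tree name land in the Windows username/domain fields;
    # that only works when the server's NDS integration is set up.
    return "nds-expected" if server_nds_integration else "nds-mismatch"


if __name__ == "__main__":
    # Constructed inventory: (client version, INI text), Novell client present,
    # server without NDS integration.
    for ver, ini in [("6.01.967", ""), ("6.20.986", SAMPLE_INI),
                     ("6.30.1050", ""), ("6.30.1050", SAMPLE_INI)]:
        print(ver, repr(ini), "->", assess(ver, True, ini, False))
```

Workstations reported as nds-mismatch are the ones expected to show the symptom in this document.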
Note that the MetaFrame 1.8 or MetaFrame XP server involved when experiencing this issue may not have a Novell Client for NT/2000/XP installed. The symptom is simply that NDS credentials show up unintentionally in the Windows username and Windows domain fields in whatever server-side login dialog and authentication mechanism is being used. If the Novell client is installed on the Windows 2000 Server or Windows NT 4.0 Terminal Server Edition (TSE) server running MetaFrame, then the ICA32 client workstation's NDS user name and NDS tree name will show up in the Windows username and Windows domain name fields of the "Windows" tab of the Novell login dialog. If the server running MetaFrame does not have the Novell Client for NT/2000/XP installed, the ICA32 client workstation's NDS user name and NDS tree name will show up in the main Windows username and Windows domain name fields of the Microsoft standard login dialog.
Note also that the NDS credential information that gets passed through the Windows username and Windows domain fields may be truncated and/or concatenated with other pieces of the user's credential information when the length of the NDS user object specification or the NDS tree name exceeds the expected length of a Windows username or Windows domain name. Additional information on this topic is available in:
For the Citrix MetaFrame XP pass-through authentication features to function as expected when the Novell Client for Windows NT/2000/XP is installed on the MetaFrame server, ensure that the CTXGINA.DLL is set as the GinaDLL and is properly configured to chain through to Novell's NWGINA.DLL. Additional information on this topic is available in:
CTX634542, Installing the Novell Client on a MetaFrame XP Server
TID10073207, Using Citrix MetaFrame XP's CTXGINA.DLL in conjunction with Novell client.
document
Document Title: NDS credentials unintentionally appear in Windows username & Windows domain fields on MetaFrame server login dialog.
Document ID: 10072616
Solution ID: NOVL80895
Creation Date: 16Jul2002
Modified Date: 27Apr2006
Novell Product Class: Netware Client
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.