NDS tree name and/or NDS username field can be truncated and concatenated with other user information.

(Last modified: 22Sep2003)

This document (10073210) is provided subject to the disclaimer at the end of this document.

fact

Citrix MetaFrame XP

Citrix MetaFrame 1.8

Microsoft Windows 2000 Server with Terminal Services

Microsoft Windows NT 4.0 Server Terminal Server Edition (TSE)

Novell Client for Windows NT/2000/XP

symptom

NDS tree name and/or NDS username field can be truncated and concatenated with other user information.

Message: "Windows Security Message: A domain controller could not be found for the specified domain."

Message: "Logon Message: The system could not log you on.  Make sure the User name and domain are correct, then type your password again.  Letters in the password must be typed using the correct case.  Make sure that Caps Lock is not accidentally on."

fix

On a MetaFrame XP server, when truncated and/or concatenated user information appears in the login dialog, first verify that the Citrix CTXGINA.DLL is properly set as the Windows GinaDLL and is configured to call through to whichever GINA is intended to present the user authentication dialogs.  See the following documents for more information on CTXGINA.DLL and on configuring it for use when the Novell Client for NT/2000/XP is installed:

CTX634542, Installing the Novell Client on a MetaFrame XP Server

TID10073207, Using Citrix MetaFrame XP's CTXGINA.DLL in conjunction with Novell client 

If Citrix MetaFrame XP Feature Release 1 (FR1) or a later MetaFrame XP Feature Release is in use and the NDS integration feature of MetaFrame XP has been enabled, and the NDS tree name is shown in the Windows domain name field truncated and/or concatenated with the user's password, the failure is apparently due to the NDS tree name being longer than what the ICA terminal client can successfully pass through the Windows domain name fields.  This issue is discussed in the following document, but is not known to have a resolution as of this writing.  Novell recommends contacting Citrix Technical Support to determine the status of, or solutions to, this issue:

TID10073209, How does the SyncedDomainName configuration in MetaFrame XP FR2 help authentication with the Novell client

If Citrix MetaFrame XP Feature Release 1 (FR1) or a later MetaFrame XP Feature Release is NOT in use, or the NDS integration feature of MetaFrame XP has NOT been enabled, then the issue is the result of the ICA Client for 32-bit Windows (ICA32) terminal client passing NDS credentials in circumstances where the server-side terminal session did not expect NDS credentials to arrive through the Windows username and Windows domain fields.  Note that this includes customers running MetaFrame 1.8 and MetaFrame 1.8 Feature Release 1 (FR1), neither of which provides the NDS integration feature.

In addition, one or more of the elements in the NDS credential information being passed is longer than what the ICA terminal client can successfully pass through structures that were intended for the Windows username and Windows domain name.  This is why, in addition to NDS credentials appearing in fields that normally contain Windows user credential information, the NDS credential information is truncated and/or concatenated with other credential elements.

For example, in MetaFrame 1.8, if the NDS user specification is longer than 20 characters, the NDS user will be truncated at 21 characters and concatenated with the NDS tree name.  Similarly, in both MetaFrame 1.8 and MetaFrame XP, if the NDS tree name is longer than 15 characters, the NDS tree name will be truncated at 16 characters and concatenated with the NDS user's password.  In a MetaFrame XP environment the NDS user specification truncation should not occur if CTXGINA.DLL is properly set up and configured.  So if truncation of the NDS username is being seen in a Windows XP environment, the solution is to correctly set up CTXGINA.DLL as described in the documents cited above.

In all situations where the MetaFrame XP FR1 (or later MetaFrame XP feature release) NDS integration feature is not enabled, the solution is to stop the ICA terminal client from passing NDS credentials in the first place.  NDS credentials passed by the ICA terminal client are only used successfully when that NDS integration feature is enabled.

The ICA client may be passing NDS credentials because a user explicitly typed them in, thinking they were appropriate, or potentially because the NDS credentials are being picked up by an ICA32 client configured for "Pass-Through Authentication" on a client workstation where the Novell client is also in use.  The solution in that case is to turn off the "Pass-Through Authentication" feature on the ICA32 client, or to configure the "SSOnCredentialType" parameter of the ICA32 6.30.1050 and later clients so that NT credentials, rather than NDS credentials, are passed to the terminal session by default.  Both topics are discussed in the "Citrix ICA Win32 Clients Administrator's Guide" for ICA32 6.30.1050 and later, available in the ICA32 client download section at http://www.citrix.com/download/.
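The cases above, condensed into a pre-check that can be run over a list of NDS names before users hit the login failure. This is an added example, not Novell or Citrix code; the `Server` fields, the function names and the sample tree and user names are constructed for illustration, and it assumes the ICA client is sending NDS credentials.

```python
from dataclasses import dataclass

USER_LIMIT = 20  # TID: NDS user specification longer than this is truncated
TREE_LIMIT = 15  # TID: NDS tree name longer than this is truncated
STOP_NDS = "stop the ICA client passing NDS credentials"


@dataclass
class Server:  # hypothetical description of one MetaFrame server
    product: str           # "1.8" or "XP"
    nds_integration: bool  # MetaFrame XP FR1+ NDS integration enabled
    ctxgina_ok: bool       # CTXGINA.DLL is the GinaDLL and chains correctly


def triage(server, tree, user_spec):
    """Return (symptom, remedy) pairs the TID predicts for one login.

    Assumes the ICA client is sending NDS credentials for this login.
    """
    findings = []
    integrated = server.product == "XP" and server.nds_integration
    if not integrated:
        findings.append(("NDS credentials in Windows username/domain fields",
                         STOP_NDS))
    if len(tree) > TREE_LIMIT:
        # TID: the password is appended in the domain name field in this case.
        remedy = ("no known resolution; contact Citrix (TID10073209)"
                  if integrated else STOP_NDS)
        findings.append(("tree name truncated, password concatenated", remedy))
    if len(user_spec) > USER_LIMIT:
        if server.product == "1.8":
            findings.append(("user truncated, tree name concatenated", STOP_NDS))
        elif not server.ctxgina_ok:
            findings.append(("user truncated", "set up CTXGINA.DLL correctly"))
    return findings


def audit(server, tree, user_specs):
    """Map each user specification to its findings, omitting clean ones."""
    report = {u: triage(server, tree, u) for u in user_specs}
    return {u: f for u, f in report.items() if f}


if __name__ == "__main__":
    # Constructed sample: 19-character tree name, one 22-character user.
    xp = Server(product="XP", nds_integration=True, ctxgina_ok=False)
    users = [".jsmith.sales.acme", ".administrator.hq.acme"]
    for user, items in audit(xp, "ACME_CORPORATE_TREE", users).items():
        for symptom, remedy in items:
            print(f"{user}: {symptom} -> {remedy}")
```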

The topic of having NDS credentials passed through the Windows username and Windows domain fields is also discussed further in the following document:

TID10072616, NDS credentials appear in NT username & domain fields on MetaFrame server

 


document

Document Title: NDS tree name and/or NDS username field can be truncated and concatenated with other user information.
Document ID: 10073210
Solution ID: NOVL81454
Creation Date: 01Aug2002
Modified Date: 22Sep2003
Novell Product Class: NetWare

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.