Every now and then when working with Citrix you come across issues. These issues usually have very similar symptoms but not always the same solution, if one exists at all. Pass Through authentication is one such issue.

Until last week the only time I had seen this issue was with a few of the latest released Program Neighborhood Agent (PNA) clients back in 2007/2008. If you are running a generic style environment without many laptops you may not ever see this issue.

More and more vendors and hardware suppliers are providing utility software to manage credentials, detect networks and secure your computer systems. Usually it is these utilities that interfere with the successful operation of Pass Through Authentication or, as Citrix refers to it, Single Sign-On.

The Single Sign-On process SSONSVR.exe manages the passing of credentials through to the Citrix servers so that you can receive the applications you have access to. If it is not running, or it is being overruled by another process, you will not be able to use pass through.

Intel Credentials Manager is one such utility that interferes with the Single Sign-On process (CTX118628).

What to look for?

The Intel Credentials Manager can affect the Single Sign-On process by loading before the Citrix Single Sign-On (PnSson) process in the network providers list.

In this case you simply open regedit and browse to:

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder

When you get there, look at the ProviderOrder string value. Find the IntelNetProvCredMan entry, cut it and paste it after the PnSson entry.

This example was explicitly for the Intel Credentials Manager utility but a similar line could be taken for any issue. Assuming that you have read the release notes and known issues about your current Citrix Client first, the next step would be to try modifying the ProviderOrder string to see if you can find the culprit.

Warning: If you are not comfortable editing the registry do not do it on a production computer. Always make sure that you back up the registry before editing any values. Proceed with caution and at your own risk.

Another thing I would do first is to copy the values from the provider order into Notepad and have a look at the entries. Do some Google searches to determine what each one does.

Now cut the PnSson entry and paste it one position in front of where it was. Reboot the machine and see if the Single Sign-On issue has been resolved. This provider list should be fairly short; do not alter the order of RDPNP,LanmanWorkstation,WebClient, as these are standard entries.
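The registry check and reorder described above can be scripted. The following PowerShell is an added example, not part of the original post or any Citrix tooling: it lists the providers in `ProviderOrder`, reports whether a given provider loads before `PnSson`, and only writes the reordered value when asked. The `-Blocker` and `-Apply` parameters, the `Find-Index` helper and the backup path are assumptions made for this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
param(
    [string]$Blocker = 'IntelNetProvCredMan',  # provider to move behind PnSson
    [switch]$Apply                              # hypothetical switch: write only when given
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'
$current = (Get-ItemProperty -Path $key -Name ProviderOrder).ProviderOrder
$providers = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Case-insensitive position lookup; returns -1 when the provider is absent.
function Find-Index($list, $name) {
    for ($i = 0; $i -lt $list.Count; $i++) { if ($list[$i] -ieq $name) { return $i } }
    return -1
}

Write-Host "Current ProviderOrder: $current"
for ($i = 0; $i -lt $providers.Count; $i++) {
    Write-Host ("  {0}. {1}" -f ($i + 1), $providers[$i])
}

$sso = Find-Index $providers 'PnSson'
$blk = Find-Index $providers $Blocker
if ($sso -lt 0) {
    Write-Warning 'PnSson is not in ProviderOrder; check the Citrix client installation.'
    return
}
if ($blk -lt 0 -or $blk -gt $sso) {
    Write-Host "$Blocker does not load before PnSson; no change proposed."
    return
}

# Rebuild the list with $Blocker directly after PnSson; all other entries keep their order.
$rest = @($providers | Where-Object { $_ -ine $Blocker })
$at = Find-Index $rest 'PnSson'
$newOrder = @($rest[0..$at]) + $providers[$blk] + @($rest | Select-Object -Skip ($at + 1))
$proposed = $newOrder -join ','
Write-Host "Proposed ProviderOrder: $proposed"

if ($Apply) {
    # Back up the key first, as the post advises (backup path is an assumption).
    $backup = Join-Path $env:TEMP 'HwOrder-backup.reg'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder' $backup /y | Out-Null
    Set-ItemProperty -Path $key -Name ProviderOrder -Value $proposed
    Write-Host "Written. Backup saved to $backup. Reboot to test Single Sign-On."
}
```

Run it without `-Apply` first to review the current and proposed order; pass a different name to `-Blocker` to test another suspected provider.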

Still doesn’t work?

If you get this far and pass through authentication still doesn’t work, recheck the basics. Hopefully you would have done these steps in the very first place.

  • Check that the Program Neighborhood Agent site in the Citrix Web Interface is set to use the Pass Through authentication method.
  • Uninstall the Citrix Client (all installed clients), reboot and install the latest client. Ensure that you select Yes to allow pass through authentication.
  • Make sure that the PC has a valid network address and can reach the Citrix Web Interface and Citrix Servers.

Have you got any funny or strange experiences with Citrix Single Sign-On?

Happy Hunting.