Information is always obtainable, managing that information is the key. I specialize in Terminal services, Thin-client, Virtualization, Networking, Wireless and (QOS) Quality Of Service for all of the above, but that doesn't mean you wont see posting for other technologies. Here, you'll find referance information, helpful hints and any other things that I find to be useful.

Wednesday, November 7, 2007

Citrix ICA client with Single Sign On

When Single Sign On is enabled the Program Neighborhood client can pass the authenication from the Client to the Presentation Server or From the Client to the Web Interface and then from the Client to the Presenation Server.

There are a bunch of tweaks that are need on the Citrix ICA client to get Single Sign On working. Including a couple of tweaks to get this working without user interation during deployment.

First you need to configure the PN.ini and APPSVR.ini file for the client. On a test machine install the ica32pkg from Citrix.com Run pn.exe and configure the client as needed for your environment then edit and copy the PN.ini and APPSRV.ini files that are located in "c:\document and settings\%username%\application data\Citrix\ICA Client\"

For the PN.ini file you need to append this line under the [WFClient] line.


And for the APPSRV.ini file these lines need to be appended under the [WFClient] as well.



Using an MSI editor, replace the files inside of the orginal ica32pkg.msi with the newly created files. You will also have to replace PN.SRC and APPSRV.SRC with the matching .INI files just created.

Once you get the package back together with the new files, run


This will start an administrative installation of the new client.

Importaint selections are...

1. Create Client Package, Select "Single Windows Installer file"

2. Personally I have removed the Program Neighborhood Agent client since it's not used in our environment.

3. User Local User Name and Password, Select Yes, and don't check "Use Kerberos"

Everything else in the installation menu is completly up to your liking.

Once the new installation file is created. Install it on a fresh machine or a machine that will need an upgrade from an older verison. Don't install on a machine that already has this client already installed. If so, it will not upgrade the machine with the proper .ini files nor complete the installation without asking to remove or repair.

Once the package is installed you will need to launch the application and then reboot. This is needed because the application needs to read the new configuration information and make some registry settings on the machine so the single sign on service is started at boot up. If you don't run the application before restart single sign on will not work and you will be prompted with a server authenication prompt while launching an application. Most users will get confused if they see this prompt... Another solution to having to launch the application before reboot is applying what program neighborhood does to the machine after installation and before the reboot. Here is the registry settings that are needed for single sign on to work without user interaction (starting program neighborhood closing it and reboot.ing)

For this value you need to append PNSSON to the end. This is a bit tricky but can be done with some scripting. Have a script read this value, place it in a file, append the PNSSON text to the end of the line then have your script load this value back into the registry.


For the rest of the entries nothing speical is needed.


"ProviderPath"="C:\\Program Files\\Citrix\\ICA Client\\pnsson.dll"
"Name"="Citrix Single Sign-on"



Post a Comment

<< Home