that is the right settings, when you do the remote SSO with the web profile for citrix, do not make any changes to resource and post url .when defining the Web Interface (NFuse) URL, check for case sensitivity for example C or c in Citrix or X or x in Xenapp.

Regards,

Jay

I had my problems also, quite some time time back. Debugging the forms during logon directly, I came up with the following:

Label                Name              Value
---------------------------------------------------------
LoginType        LoginType       Explicit
User                 user                  <NTUSER>
Password       password        <PASSWORD>
Domain           domain            <NTDOMAIN>
submitMode   submitMode   submit
slLanguage    slLanguage   en
State                 state                LOGIN

In addition, all the fields should be set to "Not Modifiable", of course.

May this help you!

  Mathias

How do you loginto the SA?

Are you using domain credentials to login to the SA?

How do you login to citrix ?

is Citrix integrated with your domain?

Hi SVK,

I logon to the SA using domain credentials (back-end AD auth).  We have explicit/passthrough auth defined on the Web Interface. 

I tried to discuss this with JTAC, but they say this because theWI logon.aspx is a dynamic URL.  In some of the POST data for the login.aspx form, they say there is a dynamic session token being sent.  Because this is dynamic, they say that is why SSO isn't working.

To me that doesn't make much sense.  Sure WI / IIS uses a session token keep tabs on how long a user has been logged in, as well as their session settings.  That is pretty standard.  I can't believe everyone who has gotten the SSO working with WI has this disabled.

Honestly, it doesn't make sense that it is not working that that reason.   

That URL is not dynamic; and yes, as you indicated, there is a session token that is dynamically generated that is not required as part of the POST. Can you send me the case number directly so I can clarify that with your case owner, please?

I'm more concerned about the use of passthrough authentication; I have not yet seen this work as there is no actual credential prompt. Can you enable NTLM/BasicAuth/Form POST on the WI so that there is an authentication prompt?

We have been using it like this for years, but now we're changing things up on how our users sign to the Juniper. The change is using a user certificate for the Primary authentication to the Juniper, then using our Domain username as the secondary authentication. They choose their certificate from their local machine if they have multiple certs installed. It pulls the Domain username from the certificate and passes that to the Juniper Domain secondary login. They are then prompted for their Domain password. My issue now is that the below is trying to send the primary password to the Web Interface, which doesn't exist. I am going to play with them having to enter their password into the Web Interface.

User           user             <USERNAME> Not modifiable
Password password   <PASSWORD> Not modifiable
Domain     domain        OurDomain      Not modifiable
LoginType LoginType   Explicit              Not modifiable
State           state             LOGIN              Not modifiable

if the username is same as that of the primary only change the password from <password> to <password[2]> this will pass the secondary password to the backend server.

Regards,

SVK