StoreFront Groups in a Group Policy Restricted Groups Environment

Introduction

I was recently in a position where I had to investigate why a Citrix StoreFront 2.1 (and subsequently 2.5) implementation wasn’t working properly. It had a variety of synchronisation/propagation issues and I also discovered other strange behaviour. It transpired that the environment used Restricted Groups to reconfigure the local Administrators group on all infrastructure servers. This is a documented problem (http://support.citrix.com/article/CTX138744), as StoreFront requires the following accounts to be present in the local Administrators group:

NT SERVICE\CitrixClusterService
NT SERVICE\CitrixConfigurationReplication

Unfortunately the simple solution of adding the accounts manually wouldn’t work, as they would be removed again on each refresh of Group Policy. Removing the policy wasn’t an option, though we were able to modify it.

The obvious resolution is to add the above accounts to your Restricted Groups policy, but unfortunately the Group Policy GUI doesn’t allow “NT SERVICE” accounts to be added.

Work Around

Browse to the file system path of your Group Policy in SYSVOL (\\domain\sysvol\domain.tld\Policies\{GROUP-POLICY-GUID}) and then to the security template under Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, i.e.:

\\domain\sysvol\domain.tld\Policies\{GROUP-POLICY-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

Where Restricted Groups are configured, this INF file contains the raw configuration, where you should see something along the lines of:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-12345678-123456789-123456789-513

Here S-1-5-32-544 is the well-known SID of the built-in “Administrators” group and the SID to the right of the equals sign denotes a user or group that is a member of it. The member list is comma separated and accepts both SIDs (prefixed with an asterisk) and plain account names (no asterisk). So, to add our Citrix accounts, simply modify the file as follows:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-12345678-123456789-123456789-513,NT SERVICE\CitrixClusterService,NT SERVICE\CitrixConfigurationReplication

And then, if you go back to the GUI, you’ll see the two NT SERVICE accounts listed as members alongside the original entry:

Restricted Groups GUI

And, if those accounts exist on a machine where the policy is applied (the NT SERVICE virtual accounts only resolve on servers where the corresponding Citrix services are installed), they’ll be included in the Administrators group on the next security policy refresh.
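The edit above is easy to get wrong by hand (the file is UTF-16, and a stray space or a missing asterisk silently changes what the security engine reads), so here is the same change as a script. This is an added example, not code from the original post or from Citrix: it backs up GptTmpl.inf, appends any of the NT SERVICE accounts that are not already on the Administrators member line, and writes the file back in the same encoding. The GPO GUID, domain name and backup directory are placeholders you supply.

```powershell
# Added example, not from the original post: append NT SERVICE accounts to the
# Administrators member list of a Restricted Groups policy by editing GptTmpl.inf.
# $GpoGuid, $Domain and $BackupDir are placeholders; the SYSVOL path follows the post.
param(
    [Parameter(Mandatory=$true)] [string] $GpoGuid,   # e.g. '{12345678-1234-1234-1234-123456789ABC}'
    [string]   $Domain    = $env:USERDNSDOMAIN,
    [string]   $BackupDir = $env:TEMP,
    [string[]] $Accounts  = @('NT SERVICE\CitrixClusterService',
                              'NT SERVICE\CitrixConfigurationReplication')
)

$inf = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (-not (Test-Path -LiteralPath $inf)) { throw "Not found: $inf" }

# Keep a timestamped copy outside SYSVOL before touching anything.
$stamp = Get-Date -Format yyyyMMddHHmmss
Copy-Item -LiteralPath $inf -Destination (Join-Path $BackupDir "GptTmpl.inf.$GpoGuid.$stamp.bak")

# The template is UTF-16 LE ([Unicode] Unicode=yes), so read and write it as such.
$lines   = @(Get-Content -LiteralPath $inf -Encoding Unicode)
$section = $null
$found   = $false
$changed = $false

for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($section -ne 'Group Membership') { continue }

    # Administrators is S-1-5-32-544. SIDs carry a leading '*', account names do not.
    if ($lines[$i] -match '^\s*\*S-1-5-32-544__Members\s*=\s*(.*)$') {
        $found   = $true
        $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($acct in $Accounts) {
            if ($members -notcontains $acct) {   # -notcontains compares case-insensitively, like -eq
                $members += $acct
                $changed  = $true
            }
        }
        $lines[$i] = '*S-1-5-32-544__Members = ' + ($members -join ',')
    }
}

if (-not $found) {
    throw "No '*S-1-5-32-544__Members' line under [Group Membership]; is Administrators actually restricted in this GPO?"
}
if ($changed) {
    Set-Content -LiteralPath $inf -Value $lines -Encoding Unicode
    Write-Output "Updated $inf"
} else {
    Write-Output "All accounts already present in $inf; nothing written."
}
```

Two practical notes. Editing the file directly does not increment the GPO version in GPT.INI or in AD, so clients do not see a changed policy straight away; the Security Settings extension re-applies its settings every 16 hours regardless, but to get the change out immediately open the Restricted Groups entry in the Group Policy editor and save it (which bumps the version), then run gpupdate /force on a StoreFront server and check with net localgroup Administrators. On servers where the Citrix services are not installed the NT SERVICE names simply do not resolve and are skipped, which is why the GUI refuses to add them but the INF accepts them.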


Enabling PNAgent Single Sign On (SSO) with Storefront 2.1

Background Information

StoreFront 2.1 provides compatibility for the Online Plug-In and legacy clients by enabling the exposure of a Web Interface “Services Site” style config.xml page. This is used by the PNAgent to discover the site (i.e. store) configuration options and is configured

More information: http://support.citrix.com/proddocs/topic/dws-storefront-21/dws-legacy-support.html

By default, StoreFront only allows “Prompt” authentication from a PNAgent, both for the initial connection and for application launches.

Enabling PNAgent SSON to StoreFront

In order to allow PNAgent to use Single Sign-On to connect to the StoreFront server and enumerate the applications, do the following:

  1. Browse to C:\inetpub\wwwroot\Citrix\[StoreName]\Views\PnaConfig
  2. Make a backup of “Config.aspx”
  3. On the production copy of “Config.aspx”, make the following changes:
  4. Find the line starting with “<LogonMethod>” and ending with “</LogonMethod>”
  5. Change this line to “<LogonMethod>sson</LogonMethod>”
  6. Save the file and restart PNAgent. It should now log in automatically and return the published applications.

Enabling PNAgent SSON to the Published Applications

In order to allow a user to correctly launch a published application from a PNAgent that connected with SSON, do the following:

  1. Browse to C:\inetpub\wwwroot\Citrix\[StoreName]
  2. Make a backup of “web.config”
  3. On the production copy of “web.config”, make the following changes:
  4. Find the line starting with “<pnaProtocolResources”
  5. Within that line, locate the “logonMethod” setting and change the method to “sson”. i.e. logonMethod=”sson”
  6. Application launches should now authenticate with pass-through credentials as well.
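Both procedures above are a one-line change in a text file, and the usual way they go wrong is editing the wrong store, editing the wrong line, or leaving no backup. The following script performs both steps (Config.aspx for enumeration, web.config for launch) for one store. It is an added example, not Citrix’s code or the original post’s: it refuses to continue unless each pattern matches exactly one place, keeps the backups outside the web root so they cannot be served by IIS, and only assumes the two settings named in the post. The store name and backup directory are placeholders.

```powershell
# Added example, not from the original post: switch a StoreFront 2.1 store's PNAgent logon
# method to "sson" in Config.aspx (enumeration) and web.config (launch), with backups.
# $StoreName and $BackupDir are placeholders; file locations and settings follow the post.
param(
    [Parameter(Mandatory=$true)] [string] $StoreName,
    [string] $SiteRoot  = 'C:\inetpub\wwwroot\Citrix',
    [string] $BackupDir = (Join-Path $env:ProgramData 'StoreFrontBackups')   # outside the web root
)

function Set-PnaLogonMethod {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Pattern,      # .NET regex matching the current setting
        [Parameter(Mandatory=$true)] [string] $Replacement   # .NET replacement string
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    $text = [System.IO.File]::ReadAllText($Path)
    $hits = [regex]::Matches($text, $Pattern)
    # Refuse to guess: the post describes exactly one such line in each file.
    if ($hits.Count -ne 1) {
        throw ("Expected exactly one match for '{0}' in {1}, found {2}" -f $Pattern, $Path, $hits.Count)
    }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format yyyyMMddHHmmss
    $backup = Join-Path $BackupDir ("{0}.{1}.{2}.bak" -f $StoreName, (Split-Path -Leaf $Path), $stamp)
    Copy-Item -LiteralPath $Path -Destination $backup

    $new = [regex]::Replace($text, $Pattern, $Replacement)
    # Both files are UTF-8 text; Encoding.UTF8 writes a BOM, which ASP.NET accepts for .aspx and .config.
    [System.IO.File]::WriteAllText($Path, $new, [System.Text.Encoding]::UTF8)
    Write-Output ("{0}: '{1}' -> '{2}' (backup: {3})" -f $Path, $hits[0].Value,
        [regex]::Replace($hits[0].Value, $Pattern, $Replacement), $backup)
}

$storeRoot = Join-Path $SiteRoot $StoreName

# Step 1 (enumeration): <LogonMethod>...</LogonMethod> in Views\PnaConfig\Config.aspx
Set-PnaLogonMethod -Path (Join-Path $storeRoot 'Views\PnaConfig\Config.aspx') `
    -Pattern '<LogonMethod>[^<]*</LogonMethod>' `
    -Replacement '<LogonMethod>sson</LogonMethod>'

# Step 2 (launch): logonMethod="..." on the <pnaProtocolResources ...> element in web.config
Set-PnaLogonMethod -Path (Join-Path $storeRoot 'web.config') `
    -Pattern '(?s)(<pnaProtocolResources\b[^>]*?\blogonMethod=")[^"]*(")' `
    -Replacement '${1}sson${2}'
```

Run it in an elevated PowerShell on the StoreFront server, e.g. .\Set-PnaSson.ps1 -StoreName Store (the script name is hypothetical), then restart PNAgent on a client as the post describes. Pass-through only works end to end if the client side has single sign-on enabled as well; the server-side change alone makes StoreFront accept it, it does not make the client send it. Because the script writes web.config, ASP.NET recycles the application on the next request, so no iisreset is needed for the change to take effect.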