Single Sign-On to Citrix Web Interface 4.0 using eDirectory Authentication

Novell Cool Solutions: Tip
By Kevin Hurni

Posted: 31 Aug 2005
 

PROBLEM:

How do I single sign-on into the new Citrix Web Interface 4.0 that is configured to use NDS/eDirectory authentication?

SOLUTION:

This scenario assumes that you are using the Citrix Web Interface 4.0 configured to use "NDS" authentication.

It also assumes iChain 2.3 Build 278.

The Web Interface server is set up to use LDAP for the context lookup.
The four fields "visible" on the main login page for Web Interface are:

  • Username
  • Password
  • Context
  • Tree

The context field is set to: [Find Context]
The WI (Web Interface) server looks up the context via LDAP.
The Tree name is greyed out in our case because we only have one tree.

Change "webinterface.abc.com" to the DNS name of your Citrix Web Interface 4.0 server.

Change TREENAME to the name of your NDS Tree.

This also assumes that the DEFAULT "web interface" timeout has not been changed. This way, when the user sees the "your session has timed out, click here to login" message, they can click the URL and iChain will log them back in via the form fill.

The form fill policy for iChain is set up as follows:

EXAMPLE:

<!-- Web Interface for Citrix Metaframe v4 --> 
<urlPolicy>
<name>Nfuse2</name>
<url>webinterface.abc.com/Citrix/MetaFrame/auth/login.aspx</url>
<actions>
   <fill>
      <input name="user" value="~cn">
      <input name="password" value="~password">
      <input name="context"  value="%5BFind+Context%5D">
      <input name="LoginType" value="Explicit">
      <input name="tree" value="TREENAME">
      <input name="submitMode" value="submit">
      <input name="slLanguage" value="en">
      <input name="ReconnectAtLoginOption" value="None">
    </fill>
   <post/>
 </actions>
</urlPolicy>

<!-- Web Interface for Citrix Metaframe v4 timeout 
    In a packet trace Citrix sends back a 302 object moved when there is a
 timeout event at the application level.   By inspecting the packet with the
 formCriteria tag and intercepting the content we then redirect to
 the actual nFuse timeout page using the redirect tag.  --> 
<urlPolicy>
<name>Nfuse4Timeout</name>
<url>webinterface.abc.com/Citrix/MetaFrame/*</url>
<formCriteria>
<title>Object moved</title>
</formCriteria>
<actions>
      <redirect>webinterface.abc.com/Citrix/MetaFrame/auth/loggedout.aspx?NFuse_MessageType=Info&NFuse_MessageKey=SessionExpired&NFuse_LogEventID=</redirect>
 </actions>
</urlPolicy>
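
A pre-deployment check for the login policy above, as an added example that is not part of the original tip or of iChain. It parses the policy leniently and reports sample values (webinterface.abc.com, TREENAME) that were not replaced and a context value that does not URL-decode to [Find Context]; the wildcard-URL check on ~password is an extra assumption made here. The names PolicyParser and lint are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import unquote_plus

PLACEHOLDERS = ("webinterface.abc.com", "TREENAME")  # sample values used in the tip
EXPECTED_CONTEXT = "[Find Context]"                  # literal the context field is set to

class PolicyParser(HTMLParser):
    """Lenient parser: the policy is not well-formed XML (unclosed <input> tags)."""
    def __init__(self):
        super().__init__()
        self.policies, self._cur, self._tag = [], None, None
    def handle_starttag(self, tag, attrs):
        self._tag = tag  # HTMLParser lowercases tag names
        if tag == "urlpolicy":
            self._cur = {"name": "", "url": "", "inputs": {}}
            self.policies.append(self._cur)
        elif tag == "input" and self._cur is not None:
            a = dict(attrs)
            self._cur["inputs"][a.get("name", "")] = a.get("value", "")
    def handle_endtag(self, tag):
        self._tag = None
    def handle_data(self, data):
        if self._cur is not None and self._tag in ("name", "url"):
            self._cur[self._tag] += data.strip()

def lint(policy_text):
    """Return (policy name, finding) tuples for a form fill policy file."""
    parser = PolicyParser()
    parser.feed(policy_text)
    parser.close()
    findings = []
    for p in parser.policies:
        values = [p["url"], *p["inputs"].values()]
        findings += [(p["name"], f"placeholder {ph!r} not replaced")
                     for ph in PLACEHOLDERS if any(ph in v for v in values)]
        # Assumed hardening check (not an iChain rule): fill credentials on one exact URL.
        if "~password" in p["inputs"].values() and "*" in p["url"]:
            findings.append((p["name"], "password filled on a wildcard URL"))
        ctx = unquote_plus(p["inputs"].get("context", EXPECTED_CONTEXT))
        if ctx != EXPECTED_CONTEXT:
            findings.append((p["name"], f"context decodes to {ctx!r}"))
    return findings

# Constructed sample: the login policy with the tip's sample values left in place.
SAMPLE = """<urlPolicy><name>Nfuse2</name>
<url>webinterface.abc.com/Citrix/MetaFrame/auth/login.aspx</url><actions><fill>
  <input name="user" value="~cn"> <input name="password" value="~password">
  <input name="context" value="%5BFind+Context%5D"> <input name="tree" value="TREENAME">
</fill><post/></actions></urlPolicy>"""
```

Calling lint(SAMPLE) reports both unreplaced sample values; an empty list means none of the three checks fired.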

