
apm_user_138559
Jan 14, 2014

f5.citrix_vdi.v1.1.0rc5 SSO not working against WI 5.4

When using vdi.v1.1.0rc4 and rc5 and using Citrix WI 5.4 as web interface it ends up in an empty page. When using the Citrix iApp xendesktop_xenapp 2012-06-27 it works.

 

I have confirmed it to be a problem in the SSO configuration of the vdi.v1.1.0rc4 and rc5. When configuring the "citrix_sso" from the 2012-06-27 iApp to be used also for vdi.v1.1.0rc5 iApp - it works.

 

So the new Forms-Client Initiated SSO config "Citrix_int_rc5_apm_sso_form_basedv2" from the vdi.v1.1.0rc5 does not work against my WI 5.4.

 

Anybody else see this?

 

7 Replies

  • Hi Greg, I am using version 11.4.1 HF2. I have checked the settings and everything looks the same as yours except for the "form parameters", where the "domain" field was not checked, meaning not active. But even if I activate it (which I already did when configuring the iApp), it still only shows the background of the WI. I don't get an error from the WI - it only shows the background as in the picture attached.

     

    And as I said as soon as I change the SSO to the "old" SSO config - it just works.

     

  • Hello Greg,

     

    I am still struggling to solve this problem. I am now on 11.5 on the BigIP. I have not tested the latest rc of the VDI iapp though. Reading the release notes indicates nothing has changed regarding the SSO anyway?

     

    Even if I can use the "old" SSO, I have discovered another problem when using the older SSO: When the WI times out or when you actively log out of the WI manually, and you then manually log on to the WI - I get a session error from the WI: "There is a problem with your session.".

     

    That error is most likely a cookie error between the APM and the WI. Also when disabling the SSO altogether against the WI - the "Session error" never occurs. When searching for an answer to this problem I have seen this post: http://blogs.technet.com/b/edgeaccessblog/archive/2010/03/25/how-to-publish-citrix-xenapp-5-x-with-uag-2010.aspx

     

    So it does seem it is something that needs to be done "cookie" wise to get this to work?

     

    And since I am not able to get the new forms-client based SSO included in the new VDI iapp to work, I can't say if that SSO produces the same result regarding the "Session error"...

     

    Grrr.. Very frustrating problem...

     

  • Greg_Crosby_319
    Historic F5 Account

    I would suggest opening a case in regard to the SSO troubles; it will be easier to troubleshoot with captures and configurations. For the session disconnects after users log out, look to see if the question "Should the iApp remove the APM session when users log out of the Web Interface servers?" within the iApp is set to yes, and if so set it to no.

     

  • Thanks for the answer Greg.

     

    However, I am aware of the "logout" thing that also kills the ICA session - that is not the problem I have. Anyway, I did find the reason why I got the "Session error" for the WI. The default SSO for the iapp 2012-06-27 (not the VDI rc5), did have a form setting of "Pass through" that was not enabled. That setting apparently does a pass through of the cookies to the client. When enabling that on the SSO - it works as expected.

     

    Furthermore, that setting doesn't appear to be present in the new "Forms initiated" SSO included in the VDI rc5 iapp? But then again - I haven't had that SSO working as I said above, so I can't say if that SSO exhibits the same error...

     

    I will stick to the old iapp and its SSO config for the time being.

     

    • brad_11480
      Hello - I think I'm having exactly the same problem. I have used the iApp and I end up on a blank page; the URL says it is /auth/login.aspx. Have you found a resolution to this? I'm on 11.4.1, iApp template citrix_vdi.v1.1.0. When you say you are using the 'old' one, is that to say you are using an older iApp and that one works for you? Thanks for any help you can provide!
  • May have fixed this myself. The blank page was also a java error. The error was in the line defining the domain. I DELETED that form parameter so it only had the user and password.

     

    It worked.

     

  • Try Access Policy -> Application Access -> Remote Desktop -> profile and edit Username Source to session.logon.last.logonname