Citrix Requires Password Entry Twice



I recently helped a coworker with an issue while implementing a new Citrix XenApp server at a client site.   Here is what was happening:

  • You would log into the web interface in order to access your applications.
  • The applications would show up as usual.
  • You would then attempt to launch an application which kicked off normally.
  • When the ICA logon process got to the point of checking credentials a Windows logon screen would appear.
  • Your user name and domain were filled in but you had to enter your password again.
  • After punching in your password again all worked fine.

So the system was not actually broken; everything worked. You simply had to enter your password twice in order to log in – a minor irritation. This double authentication should not normally take place in a Citrix XenApp or MetaFrame environment, as the credentials should be passed through from the ICA client.

The root of the issue is frequently that the “Always prompt for password” box is checked in the Logon Settings for the ICA-TCP connection. To check this on the affected server:

  • Log in as the admin for the server.
  • Navigate to Start –> Administrative Tools –> Terminal Services Configuration.
  • Right click on the ICA-TCP connection and choose properties.
  • Click the Logon Settings Tab.
  • Clear the Always prompt for password check box.  If it is grayed out – keep on reading: there is a policy in place.

In our case the “Always prompt for password” option was grayed out and not available to be unchecked (it was set to checked).  In order to get the box cleared I took the following steps:

  • Logged into a domain controller to manage group policies.
  • Discovered under Computer Configuration –> Administrative Templates –> Windows Components –> Terminal Services –> Encryption and Security there is an option to configure the Always prompt client for password option.
  • Checked all policies on the OU where the server was located and inherited policies (including the default domain policy) to see if the option was configured.
  • In our case the default domain policy was set to enabled.  Setting the option to either disabled or not configured will clear the check box on your server.  Do this for each location the policy is set to enabled.
  • On your Citrix server: run a GPUPDATE /FORCE to force the changes.
  • Log out and back in – you should be all set.
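
One way to confirm on the Citrix server whether the setting still comes from a policy after GPUPDATE /FORCE, and which GPO applies it. This is an added example, not part of the original post; the registry locations and the value name `fPromptForPassword` are assumptions that the post does not state.

```powershell
# Added example: show whether "Always prompt for password" comes from policy
# or from a listener's own Logon Settings. The registry paths and the value
# name below are assumptions (not given in the post).
$valueName   = 'fPromptForPassword'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

function Get-PromptValue {
    param([string]$Path)
    # $null means the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$valueName }
    return $null
}

$policy = Get-PromptValue $policyKey
if ($null -eq $policy) {
    Write-Output 'Policy: not configured; each listener uses its own check box.'
} else {
    Write-Output "Policy: $valueName = $policy (check box is grayed out on the server)."
}

# Per-listener settings (ICA-TCP, RDP-Tcp, ...). These only take effect
# when the policy value above is absent.
Get-ChildItem -Path $listenerKey | ForEach-Object {
    $local     = Get-PromptValue $_.PSPath
    $effective = if ($null -ne $policy) { $policy } else { $local }
    New-Object PSObject -Property @{
        Listener   = $_.PSChildName
        LocalValue = $local
        Prompts    = ($effective -eq 1)
    }
} | Format-Table Listener, LocalValue, Prompts -AutoSize

# If the policy is still enabled after GPUPDATE /FORCE, list the GPO that sets it.
if ($policy -eq 1) {
    gpresult /scope computer /v | Select-String -Pattern $valueName -Context 2,2
}
```

Run it from an elevated prompt on the Citrix server. A policy value that is still present points to a GPO in the OU chain that has not yet been changed.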

This one was pretty tricky and there was not a lot out there in the search engines for "Citrix requires password twice". So if you are having this problem – hopefully this will help! Additionally – if it is a domain-wide change (like the default domain policy), this will also allow RDP connections to other servers to pass the password through from the client.
