Active Directory Account Lockout Issues and Citrix
| Karen Rember | We have had recurring Active Directory account lockout issues in our Citrix environment ever since its implementation. Unfortunately, I was not at the company at the time of the implementation, so I don’t know what considerations went into it; however, I do have a lot of information to share:

THE PROBLEM
AD user accounts lock out and continue to lock out. The problem occurs directly after or a short time after (varies anywhere from a couple of minutes to a day or two) a user changes his or her AD user account password. The “fix” is to reboot both Citrix servers. The problems don’t occur again until a user is prompted to change his/her AD password again. Another important note: this problem is specific only to those who are Citrix users with an AD account. We have hundreds of other users in our AD environment that don’t use Citrix, and they don’t have these account lockout issues when their password is changed. So, we believe the problem lies somewhere in our Citrix environment.

WHAT HAS BEEN RULED OUT AS A CAUSE
Typical account lockout causes such as too stringent a password policy, scheduled tasks running under a user account, services running under a user account, manual persistent mapped drives and AD replication (ran dcdiag to confirm).

OUR ENVIRONMENT
- Two Windows 2003 Server Standard-based domain controllers on the same physical and AD site.

WHAT I SUSPECT MAY BE THE PROBLEM CAUSE
We are getting numerous Failure Audit (Event ID 675) entries in the Security Event Logs on our domain controllers at the time the lockout occurs.

Pre-authentication failed:
User Name: graichen
User ID: %{S-1-5-21-235807593-3111295927-3616810240-1154}
Service Name: krbtgt/WSE.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x12
Client Address: 10.20.2.34

Pre-authentication failed:
User Name: graichen
User ID: %{S-1-5-21-235807593-3111295927-3616810240-1154}
Service Name: krbtgt/WSE.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.20.2.34

It appears that Kerberos, or at least Kerberos in conjunction with how it is set up in Citrix, may be causing the issue? We are using only the “Explicit” authentication method on our Citrix Web Interface. Does this necessarily mean we aren’t using Kerberos for Citrix and that I’m going down the wrong path?
I just can’t help but notice the hundreds of the above-mentioned errors in the Event Log dealing directly with Kerberos. We would GREATLY appreciate any help and/or advice you could offer, as we have been troubleshooting this for a couple of years now and are getting sick of rebooting the servers as a “fix”! Thanks! |
| Karen Rember | Yes, our Citrix servers are typically the client machines being cited in the 675 Events. |
| Karen Rember | Hi Justin,
We typically don’t have disconnected sessions on our Citrix servers. Here is what our Citrix users’ Terminal Services Configuration settings are (most of which are defined in the ICA-TCP settings that override user account settings in AD Users and Computers): End Disconnected Session - 3 hours. Our users log in to Citrix via the web client and launch the specific published apps they need, so that being said, they can have multiple sessions open at a time. If you can, please let me know if anything looks suspicious to you regarding the client settings or anything else you may think of. Thanks! |
| Justin Holland | This URL contains details about Kerberos errors: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
Search for KDC_ERR_CLIENT_REVOKED - that is your 0x12 error. The 0x18 error means simply a bad password was provided. However, the 0x12 error may be caused by other things. I have tons of 0x18 errors on our DC, but it is a non-issue. You could enable Kerberos debugging on your DC to get more information. Be careful of the level you choose so you don’t overload your DC. Sorry I don’t have the exact answer. But I think that even though it manifests in your Citrix environment, it is not a Citrix setting. I will be interested to hear your resolution. Regards, |
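As an added example (not code from the thread), the script below parses Event ID 675 entries in the layout Karen quoted and tallies them per user and client address, using the 0x12/0x18 meanings Justin gives, so the machine that keeps retrying a stale password stands out. The sample entries, the SID and the second user are constructed.

```python
import re
from collections import Counter, defaultdict

# Failure codes as explained in the thread (names from RFC 4120).
FAILURE_CODES = {
    0x12: "KDC_ERR_CLIENT_REVOKED",  # account already locked/disabled/expired
    0x18: "KDC_ERR_PREAUTH_FAILED",  # wrong password supplied
}

# Constructed sample in the same layout as the 675 entries quoted above
# (SID is a placeholder; jsmith from 10.20.5.7 is benign one-off noise).
SAMPLE_LOG = """
Pre-authentication failed: User Name: graichen User ID: %{S-1-5-21-0-0-0-1154} Service Name: krbtgt/WSE.LOCAL Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.20.2.34
Pre-authentication failed: User Name: graichen User ID: %{S-1-5-21-0-0-0-1154} Service Name: krbtgt/WSE.LOCAL Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.20.2.34
Pre-authentication failed: User Name: jsmith User ID: %{S-1-5-21-0-0-0-1201} Service Name: krbtgt/WSE.LOCAL Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.20.5.7
Pre-authentication failed: User Name: graichen User ID: %{S-1-5-21-0-0-0-1154} Service Name: krbtgt/WSE.LOCAL Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.20.2.34
Pre-authentication failed: User Name: graichen User ID: %{S-1-5-21-0-0-0-1154} Service Name: krbtgt/WSE.LOCAL Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.20.2.34
"""

ENTRY_RE = re.compile(
    r"Pre-authentication failed:\s*User Name:\s*(?P<user>\S+)\s+"
    r"User ID:\s*(?P<sid>\S+)\s+Service Name:\s*(?P<service>\S+)\s+"
    r"Pre-Authentication Type:\s*(?P<patype>0x[0-9a-fA-F]+)\s+"
    r"Failure Code:\s*(?P<code>0x[0-9a-fA-F]+)\s+Client Address:\s*(?P<client>[\d.]+)"
)


def parse_events(text):
    """Return one dict per Event ID 675 entry found in the text."""
    text = text.replace("\u00d7", "x")  # web rendering often turns 0x into 0×
    events = []
    for m in ENTRY_RE.finditer(text):
        ev = m.groupdict()
        ev["code"] = int(ev["code"], 16)
        events.append(ev)
    return events


def summarize(events, threshold=3):
    """Count failures per (user, client); flag a source that hit the bad-password
    threshold (the lockout itself) or is still retrying after it (0x12)."""
    per_source = defaultdict(Counter)
    for ev in events:
        name = FAILURE_CODES.get(ev["code"], f"UNKNOWN_{ev['code']:#x}")
        per_source[(ev["user"], ev["client"])][name] += 1
    report = {}
    for key, counts in per_source.items():
        bad = counts["KDC_ERR_PREAUTH_FAILED"]
        revoked = counts["KDC_ERR_CLIENT_REVOKED"]
        report[key] = {"bad_password": bad, "revoked": revoked,
                       "suspect": bad >= threshold or revoked > 0}
    return report


if __name__ == "__main__":
    for (user, client), row in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{user:10} {client:15} {row}")
```

On a live DC, feed it the exported Security log text instead of SAMPLE_LOG; a client address that is one of the Citrix servers, as Karen confirms hers are, points at a cached credential on that server rather than at the user's workstation.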
| Manny Lopez | Hi Karen,
Did you ever figure this one out? We are experiencing something similar. Thanks. |
| Ian Pugh | I would have thought that if you are changing your password and then connecting back to a disconnected session then you will get lockouts as the session has a different password to the current user password.
Do you auto-reboot your Citrix servers? Do you automatically log off your disconnected sessions after a period of time? When the user logs onto the PC, are they authenticated against a different DC than logins to the Citrix servers? |