In my last Citrix project with NetScaler (SAML SP), IBM TFIM (SAML IdP), StoreFront 3.9 and XenApp 6.5 HF 7 we had some issues with Kerberos ticket caching; the default is 15 minutes.
Failure
On the customer side, the external portal has one link for each published application. When the user clicks one of these links, the AD group membership is changed to the application behind the link. The SAML authentication works well, but StoreFront does not show the right application; it shows the old application from before the group membership was changed. What the hell!
I stumbled over the article “How to Configure User SID Enumeration in the XML Service“. It targets XenDesktop 4 and 5, but those old XenDesktop versions are IMA based, same as XenApp 6.x.
I set these keys on the XML brokers and restarted the XML and StoreFront servers, but it didn’t help:
Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\XMLService
Name: EnableSIDEnumeration
Type: DWORD
Value: 1
Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: S4UTicketLifetime
Type: DWORD
Value: 0
Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: CacheS4UTickets
Type: DWORD
Value: 0
I also set these values without EnableSIDEnumeration on both StoreFront servers, but same issue. In addition I also tested with the value 1 on both, but the issue still existed. We opened a Citrix case and a Microsoft case together with the customer, and after 2 days we had the solution running.
Solution:
On the StoreFront servers, setting these two registry keys resolved the issue:
Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: S4UTicketLifetime
Type: DWORD
Value: 5
Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: CacheS4UTickets
Type: DWORD
Value: 0
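As an added example that is not part of the original post, the following PowerShell script audits the two Kerberos parameters on a StoreFront server against the values listed above and, when run with -Apply, writes them. It assumes the values are DWORDs under the Parameters key exactly as listed; the -Apply switch and the helper function name are my own, not anything from Citrix or Microsoft.

```powershell
# Added example (not from the original post): audit and apply the StoreFront
# Kerberos S4U cache settings described above. Run elevated on each StoreFront
# server. Without -Apply the script only reports drift; with -Apply it writes.
param(
    [switch]$Apply
)

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Desired settings from the post: S4UTicketLifetime = 5, CacheS4UTickets = 0
$Desired = @{
    'S4UTicketLifetime' = 5
    'CacheS4UTickets'   = 0
}

function Get-DwordValue {
    param([string]$Path, [string]$Name)
    # Returns $null if the key or the value does not exist (Windows default applies).
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# The Parameters key normally exists; create it only when applying and it is missing.
if ($Apply -and -not (Test-Path $KerbParams)) {
    New-Item -Path $KerbParams -Force | Out-Null
}

$drift = @()
foreach ($name in $Desired.Keys) {
    $current = Get-DwordValue -Path $KerbParams -Name $name
    $shown = if ($null -eq $current) { '<not set, default>' } else { $current }
    if ($current -ne $Desired[$name]) {
        $drift += $name
        Write-Host ("{0,-20} current: {1,-20} desired: {2}" -f $name, $shown, $Desired[$name])
        if ($Apply) {
            # Set-ItemProperty creates the value when it does not exist yet.
            Set-ItemProperty -Path $KerbParams -Name $name -Value $Desired[$name] -Type DWord
            Write-Host '  -> written'
        }
    } else {
        Write-Host ("{0,-20} OK ({1})" -f $name, $current)
    }
}

if ($drift.Count -gt 0 -and $Apply) {
    # The post restarted the servers after changing these keys; do the same here.
    Write-Warning 'Values written. Restart the StoreFront server so the change takes effect.'
} elseif ($drift.Count -gt 0) {
    Write-Host 'Re-run with -Apply to write the desired values.'
}
```

Running it without -Apply first on every StoreFront server shows at a glance which node still carries the old cache settings, which is useful when the symptom (a stale application list after a group change) only appears behind one node of a load-balanced pair.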
We did not find any public article about the value 5 for S4UTicketLifetime; seemingly it is Microsoft internal only. I had a look at the RFC https://tools.ietf.org/html/rfc1510#section-9.2 and saw a minimum lifetime of 5 minutes.
For now it’s important to keep an eye on the domain controllers to see whether they show higher CPU and RAM usage, since the Kerberos caching is now turned off.