NT User Group Authentication Problem

[sunny456]

Running Citrix Metaframe on W2K and connecting to SQL Server 2000 (SP2) on another W2K box using NT Authentication.

Using Citrix users cannot access SQL via an NT User Group account until I add each individual user to the database. After that they are ok and are given the correct group access??? When not using Citrix, logging into the domain directly, everything works fine.

Anybody know any Citrix setting that will allow proper NT Authenication to SQL Server 2000?

Thanks in advance.

 

[JeffHicks]

Your problem is not 100% clear so let me ask some questions to try to get clarification.

Do you have an application running on Citrix that is hitting the SQL Server 2000 database? or are you refering to the Citrix datastore being on a SQL 2000 database? Is the group you used to grant access to the SQL Server also a member of the local Users group on the Citrix server?

 

[sunny456]

Jeff, thanks for the response, I'll clarify.
The users are running an application on a Citrix server which in turn accesses a SQL Server 2000 database by calling stored procs. The NT user groups that we have setup are used to administer permissions in SQL to these stored procs. A SQL admin account was used to setup the permissions in SQL and a domain admin account was used to setup the users into the NT user groups. These groups are not local to the Citrix server.

What's really strange is that by adding the individual user accounts into the SQL db, giving them no explicit permissions to run any stored procedure, they are granted access to the same stored procs they their NT user group should have???

It's seems as if the Citrix server/SQL connection can't resolve NT user groups properly.

 

[JeffHicks]

Do they use an ODBC connection? If so, I would ensure that it is a system data source. Have you verified that the MDAC versions are the same between your Citrix server and your workstations? Is the Citrix server a member of the domain that the users are in? How about the workstation that works? How do you grant access to Citrix? Users must be in the Users group, Power Users group, or Administrators group to log onto Citrix (unless you created some other group and explicitly granted the required permissions to it).

I am not a SQL expert although I have done some SQL administration in the past. On the surface, the key to your problem seems to be in the difference between your Citrix server (which doesn't work) and the workstation that you can get it to work on. I hope the questions above do not seem overly simplistic. I am just trying to get a total picture of your environment and perhaps stir up a thought in your head as to what the problem may be. Hoep this helps.

 

[sunny456]

Jeff, thanks for your feedback.


Do they use an ODBC connection?
YES
If so, I would ensure that it is a system data source.
Yes it is a system DSN and have verified that there are no conflicting user DSNs set up with the same name.
Have you verified that the MDAC versions are the same between your Citrix server and your workstations?
All use MDAC v2.6
Is the Citrix server a member of the domain that the users are in?
YES
How about the workstation that works?
YES
How do you grant access to Citrix? Users must be in the Users group, Power Users group, or Administrators group to log onto Citrix (unless you created some other group and explicitly granted the required permissions to it).
100+ Citrix users and no problems logging in only accessing SQL via an NT user group.

It would seem that the workaround of adding the individuals user account into the SQL db suggests that this is a security issue between Citrix and SQL Server. And since NT user accounts work fine from any workstation not using Citrix that this is either a Citrix bug or a Citrix/MS SQL compatibility issue.

We do not have a true Citrix expert here and I was hoping that someone could suggest a Citrix configuration that we could check.