
Only Administrator could logon to NFuse; all others are reFused 2


Hooyah

IS-IT--Management
Jun 18, 2003
I have an XP Presentation Server FR3 installed with the following licensing:

MF XPs 1.0 for Windows
MF XPs 1.0 Connection Pack
MF XPs 1.0 Feature Release 3 Connection Pack
MF XPs 1.0 for Windows, Feature Release 3

When an admin logs on there is no problem. Any less privileged user cannot log on. This failure extends to both the NFuse and ICA Clients. The NFuse client gives the unspecified error message and the ICA Client gives a credentials error message that indicates I should confirm the user logon properties (domain logon).

Since I know that this logon works within the domain I know there is more going on.

I appreciate any assistance in getting this resolved as I do many others since there is a significant thread underway at the Citrix Knowledge Forum.

Cheers
 
Go into NFuse admin
( and check the authentication settings. My thought is perhaps you can logon as the local admin, but users can't logon because they don't have accounts on the server? Just a thought.

Cheers
 
Thanks I appreciate the help BeerGood. I did as you recommended, no joy... The path was there but it would not run.

I did notice I had an NFuse 17 folder so uninstalled NFuse Classic and did a modify installation and installed whatever the Web Interface section installs...not a very distinctive name but descriptive.

What I have done to this point now is to confirm that members of the Domain Admins and the Admin accounts can all log on and use apps with both the web interface and the traditional ICA Client.

When I try to go to the WMIAdmin, however I get a page cannot be displayed error.

On a perhaps related note... The JavaWebstart icon...?? I launch it after I reboot on the assumption that it needs to be running and I cannot find a service for a Java Web Service. Rather strange though since all it seems to do is launch some sample java apps...

Thanks again for the assist!

Cheers
 
If the NFuse admin stuff won't run, then there's definitely something funky happening with your install - by rights/default it should be installed. You can check by going onto the server and seeing if the directory is there under the inetpub directory..... Is it possible that (assuming you're running IIS) you've run the lockdown utility (or something similar) on the web server and not allowed asp pages to run? NFuse is very particular about access rights to certain areas, and a few other things so you need to be careful when modifying the default settings......

As for java - well, you shouldn't need to launch it and anyhow frankly it can be a bit flakey but it doesn't sound like this is the problem for you.... (if you do want to use the java client, then I'd recommend copying the latest version into the client directory).

Cheers
 
Yep, I agree! I have not run the lockdown utility...make it work, then tune it...that's my philosophy!

I do have a //server/Citrix/MetaFrameXP/WMIAdmin.asp page. It won't come up if I put that url in though (ugh!).

The only approach I have taken to the underlying OS is to patch to current releases. Do any of those lockdown asp?

Another thing I may not have mentioned is this is a DC (I know...resources given, resources used...) but I have made sure the local policy allows logon...

How would I check asp lockdown (brainfart)?

Thanks
 
Good philosophy - unfortunately it's one I don't always follow, and frequently to my own regret... <grin>

Patches shouldn't block anything, although I understand win2k3 doesn't install iis by default now. Anyhoo, on the server - assuming everything is default - you should have a C:\Inetpub\ directory. If it's not there, then maybe it's changed in FR3 (I haven't setup a test server yet). PDC/BDC shouldn't matter, other than the security settings you've already checked and the standard potential resource issues. Just for the heck of it though, go to the server itself and try to logon as a non-admin user - if you can't then there's still a security setting you need to change.

As for ASP - you can always run the lockdown utility and choose to re-enable asp (it should detect if asp is enabled or not).

Cheers
 
Since your original post states that you can not get in either using NFuse or the ICA Client, I think you should ignore the NFuse install for now and focus on getting a non-privileged account to login via the ICA client. This rules out any confusion regarding the web server. The things I would check are:

Local server permissions - A local group needs to contain the specific users or a global group with the users in it. This group needs to have the logon local user right.

ICA Connection permissions - The ICA connection needs to be enabled and have the appropriate User rights assigned.

Server configuration - Ensure your server has logins enabled (via the Citrix Mgmt Console)

I'm sure I have missed something. Start with these though.
 
Ok, this is great guys...I really appreciate the help!

I attempted to use a regular domain user account to log on locally to server and sure enough I get the message that the local policy of this machine does not allow you to logon interactively...

Now...since this is a DC how do I edit those local policy settings... I have gone into both the domain policy editor and added users and domain users to the logon locally value as well as done the same for the local policy editor...

I do think we are now on the right track.

Cheers!
 
Not a problem.

You don't mention if you're using Active Directory (where you change it via the Domain Controller GPO Security Policy) or not, but (assuming you're running win2k) after making the policy change, you may need to reboot the server (believe it or not) otherwise it can take ages before any changes you make are actually applied. You can avoid the delay by typing "secedit /refreshpolicy machine_policy /enforce". Just rolls off the tongue, eh? ;-)

If you have the NT resource kit, and you're not a big gui fan, then you can get the file ntrights.exe from that (or you may be able to find it out on the net) and just type "ntrights -u GroupName +r SeInteractiveLogonRight" (where "GroupName" is the group you want to give permission to log onto the server).

Cheers
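
The check this thread converges on (does any group the user belongs to hold the "log on locally" right, SeInteractiveLogonRight, and is none of them denied it?) as an added example, not code from any poster. It parses the `[Privilege Rights]` section of a user-rights policy export of the kind `secedit /export /areas USER_RIGHTS` writes; the sample export, the CONTOSO names and the function names are constructed for illustration.

```python
# Added example: audit interactive-logon rights in a security policy export.
# Real secedit exports are UTF-16; read them with open(path, encoding="utf-16").

WELL_KNOWN = {  # a few well-known SIDs that appear in exports as *S-1-...
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed sample: Users are absent from the allow list, as on the DC above.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = CONTOSO\\Contractors
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right_name: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(h, h) for h in holders]
    return rights

def can_log_on_locally(rights, memberships):
    """memberships: the user plus every group they belong to (names or SIDs)."""
    wanted = {m.lower() for m in memberships}
    allowed = {h.lower() for h in rights.get("SeInteractiveLogonRight", [])}
    denied = {h.lower() for h in rights.get("SeDenyInteractiveLogonRight", [])}
    if wanted & denied:  # an explicit deny overrides any allow
        return False, "denied by SeDenyInteractiveLogonRight"
    if wanted & allowed:
        return True, "granted by SeInteractiveLogonRight"
    return False, "no membership holds SeInteractiveLogonRight"
```

Comparing the export taken before and after a policy refresh shows whether a change to the domain controller policy has actually been applied to the machine.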
 
Ok...super!!

For some reason I could not get the domain security policy changes to "take" gotta love M$...

So what I did was to demote the server to being a member server and it seems to be working as desired.

This is very good news indeed and I very much appreciate all the help you guys gave me here.

Cheers
 