29 Sep 2012

MPNotify not called by Winlogon when Kerberos authentication is used on XenApp 6.x

When I first noticed this behavior in March 2012, I didn’t expect to have a support case with Citrix, Microsoft and Appsense lasting about 6 months. The behavior affects services and applications implemented as network credential providers on a XenApp host. Usually they get launched by MPNotify, which is spawned by Winlogon upon a correct and recognized logon method. But MPNotify was never kicked off when using the Kerberos or Kerberos Pass-through logon method on XenApp servers. In my case this affected the Appsense Environment Manager on the XenApp hosts, because the agent runs under LOCALSYSTEM and uses a credential provider for impersonation. Long story short: Appsense EM was out of the game when using the Kerberos logon method on XA session hosts.

Citrix has now published a hotfix for XenApp where MPNotify gets spawned correctly on Kerberos logons.

Hotfix for XenApp 6.0 HRP1

Hotfix for XenApp 6.5 HRP1
The HF for XA6.5 HRP01 has not been published yet. You might call Citrix Support to get the private or wait a few weeks until it has been officially released, because I’m not allowed to share the private at this time.

! For Appsense EM you need the most recent version which also includes a fix required for the issue mentioned above.

Happy Kerberos-ing … 🙂