ClientName issue resolved?
|
If you use Web Interface 3.0 or later, and especially if you work in health care, you have probably noticed that connections made to Presentation Server via Web Interface don't use the client's workstation NetBIOS name as the Presentation Server ClientName variable. Instead, it's a random string such as WI_e5KPgXSIWWtOWAQTg. This change was introduced as part of the Workspace Control feature that allows users to roam from device to device and have their Presentation Server sessions automatically reconnect when they roam from one workstation to another. But there was a regrettable side effect of leveraging the ClientName variable for unique device identification: some applications, particularly health care apps like Epic, relied on the %CLIENTNAME% environment variable to pinpoint a user's location based on a database of known NetBIOS workstation names. If you run an application in your CPS farm that relies on the "real" client name, then you are left having to choose between application compatibility and workspace contol. (And app compatibility always wins!) Let's take a look at how we got into this mess and how we're going to get out of it. How we got into this mess Long before Citrix released NFuse or Web Interface or even Program Neighborhood, we supported the notion of session reconnection. In a load-balanced WinFrame 1.7 farm for example, if you had a disconnected session and you connected to a published application, the load balancing algorithm would put aside the normal load metrics and send you to the server where your session resides, regardless of how busy that server was. The thing is, the load balancing decision had to be made before you authenticated. (Remember this was before Program Neighborhood, back in the days of Citrix "Application Manager", which would give you a drop-down list of all published applications, whether you had permission to connect to them or not.) So to get you sent back to your disconnected session, the master browser would associate your workstation name with the disconnected session. When the client requested the address of the least-busy server, the workstation name would be included with that request. If there was a disconnected app associated with that workstation name, then that's the server you got sent to. Then if you authenticated as the user with a disconnected session, you would get reconnected. Otherwise you'd get a new session on what might have been the busiest server in the farm. Flash forward to 2004 and the ClientName mechanism is still in place, but most people now use Web Interface for published application enumeration. While developing the Workspace Control feature, the WI developers needed a way to distinguish between a CPS session that is spawned for Uesr1 on Workstation A from a session spawned by that same user on Workstation B. To do so, WI generates a random string such as e5KPgXSIWWtOWAQTg and sets it as a cookie in your browser. When WI renders an ICA file, it adds the line ClientName=WI_e5KPgXSIWWtOWAQTg to mark that session. This was the only way at the time to uniquely associate a browser-to-WI connection with an ICA Client-to-Presentation Server connection. Now when you look at the client name in the Presentation Server console or by querying the %CLIENTNAME% environment variable within a session, you'll see something like WI_e5KPgXSIWWtOWAQTg instead of the real workstation name. If your app needs to know the real client name, the only workaround was to remove the ClientName tag from the Web Interface template so that the ICA client would send its normal string during ICA connections. But that breaks workspace control, because there's no secure, reliable way for a web server to know the name of your workstation. Thomas Koetzing wrote a good article about the ClientName problem a while back. After WI 3.0 was released I wrote an article that discussed the negative effects of removing the ClientName tag. How we're going to get out of it To fix this problem, Web Interface needs to uniquely identify each workstation without relying on the ClientName variable and without knowing what the real workstation name is. For the next release of Presentation Server, the WI dev team in Cambridge has devised what I think is an elegant solution: they will leverage the ticketing model that we already use during authentication. Recall that when a user authenticates to WI and launches a published application, the WI server performs a ticket request, where the user's credentials are sent to the XML broker, the XML broker relays the credentials to the least-busy server and then the least-busy server generates a random ticket that can be used by the ICA client for authentication. The ticket is passed back to Web Interface and included in the rendered ICA file. See section 5.4 of the Web Interface 4.0 Troubleshooter's Guide for a detailed look at how ticketing works. Web Interface will still generate a random string to identify each workstation and set it as a cookie in the browser. But instead of jamming it into the ClientName field, the ID will be passed to the XML broker along with your credentials during a ticket request. When you land on the target server and present your ticket, it now knows who you are and knows the WI-generated ID of your workstation. If you disconnect, it can use that information where it would have used the ClientName variable before. This is going to be a fairly big change. It requires modification not just of Web Interface, but the XML protocol used between WI and Presentation Server has to be extended to support the enhanced ticket request, and the IMA and Load Management underpinnings on Presentation Server have to be modified to use this new XML element. So older Presentation Server farms won't be able to benefit. Fortunately, there are no ICA client dependencies here, so you will only have to upgrade your farm and your WI servers--not every end user client--in order to get this benefit. Jay |
Comments
hi jay
the cool thing is when you use pnagent over CSG to access your application, you will have the real workstation name. This is a really nice side effect.
so for users who need the real name, this workaround can help.
cheers
smue
Posted by: stefan mueri | July 26, 2006 10:04 AM
Hi Jay,
Great explanation on the article. here are my questions....Is there an ETA on the new WI release? When you mention older farms wont benefit, do you mean pre PS 3.0?
Posted by: tony | August 3, 2006 05:18 PM
Right Tony, the change is going to be part of the next Presentation Server release targeted for later this year. When I say older farms, I mean Presentation Server versions 4.0 and earlier will not be able to benefit from the change.
Posted by: JayT | August 3, 2006 10:14 PM
Outstanding Jay.
I recall discussing this with you a little while ago; it's good to see ideas like this move from hallway conversation, to product, to what will be a major usability improvement for our docs.
Posted by: Simon Bramfitt | August 4, 2006 11:47 AM
awesome thanks Jay
Posted by: tony | August 4, 2006 03:39 PM
Hi Jay,
I am not sure if this is the appropraite place to post but I wil try anyway. If it is not please slap me on the wrist :). I have been told that you ae one of the Yodas of the WI....Can you point me in the right direction? I am looking for some code that is simliar to the code in WI 4.0 that does AD authentiaction. I would like use something like this for our companies b2b users that are in a dmz, to have them change their AD password when we flag their accounts to change password at next login. The design and code in the WI does a fantastic job at doing that and I am looking for that same type of authentication. What we would simply like to do is a create a web page that our users can go to that does AD authentication like the WI server. Is this possible and can you help me in the right direction?
Many Thanks
Mini Yoda
Posted by: tony | August 4, 2006 11:16 PM