Citrix Cloud – When is too many nested groups

So today an interesting issue was brought up. A few of our users with a new laptop were unable to see their Citrix published application from the Citrix Workspace App. Odd… nothing has changed permission-wise from a Citrix point of view.

Let's get closer.

So on our new laptops we have made the switch to Citrix Cloud Storefront as part of a migration to never having the need to upgrade Storefront and have Citrix have that pain. Many a night lost with upgrades to Citrix Storefront (or if you're old enough to know, Dazzle!).

So the users couldn’t see a specific application in the Citrix Workspace app or via the web browser to the Cloud Storefront instance. However, when they reverted to using the on-premises Citrix Storefront, the apps would appear. How odd. Both platforms use the same Citrix Cloud DaaS instance, so it's not a permissions thing, and I have others that have moved and can see their apps.

Let's dig deeper. Here are the troubleshooting steps:

  • Create a new Delivery Catalog with a test server
  • Publish MS Paint
  • Limit the Delivery Catalog to just my account.
  • Refresh Citrix Workspace – tick – I can see it
  • Let's remove my account and refresh to remove it. It then got removed.
  • Added a group I am a member of – Group ABC
  • Refresh Citrix Workspace – tick – I can see it
  • Removed Group ABC and refresh to remove it. It then was removed.
  • Let's add Group DEF, which has a few users and Group ABC as members
  • Refresh Citrix Workspace – cross – It's not appeared. Let's refresh. Nope, still not present.

What did that test prove? Well, it proves that Citrix Cloud Storefront can't see the nested group memberships to correctly enumerate the Kerberos token, or the Kerberos token is too large for the Cloud Storefront to read. Whereas on-premises Citrix Cloud Storefront has direct line of sight to Active Directory and can read the nesting much better.

The fix in the end… removed the nested group and added the individual groups to the delivery catalog and users can now see. As a follow-on action, we need to review the groups and see what is required and what isn’t required.
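For the follow-on group review, here is an added example (not part of the original post) that walks an assigned group and shows whether a user is a direct member or only reaches it through nested groups, which is the case that failed in the test above. It assumes the RSAT ActiveDirectory module is installed; `Group DEF` is the group from the test, and `jdoe` and the function name `Get-NestedGroupChain` are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: lists every user and nested group reachable from an assigned
# group, with the nesting depth and the chain of groups that leads there.

function Get-NestedGroupChain {
    param(
        [Parameter(Mandatory)] [string] $Group,   # group assigned to the published app
        [string] $Path  = $Group,                 # human-readable chain so far
        [int]    $Depth = 0,                      # 0 = the assigned group itself
        [System.Collections.Generic.HashSet[string]] $Visited
    )
    if (-not $Visited) { $Visited = [System.Collections.Generic.HashSet[string]]::new() }

    $dn = (Get-ADGroup -Identity $Group).DistinguishedName
    if (-not $Visited.Add($dn)) { return }        # already expanded: circular or repeated nesting

    # Direct members only (no -Recursive), so the nesting level stays visible.
    foreach ($member in Get-ADGroupMember -Identity $dn) {
        switch ($member.objectClass) {
            'user' {
                [pscustomobject]@{
                    Type = 'User'; Name = $member.SamAccountName
                    Depth = $Depth; Chain = $Path
                }
            }
            'group' {
                $next = "$Path > $($member.SamAccountName)"
                [pscustomobject]@{
                    Type = 'Group'; Name = $member.SamAccountName
                    Depth = $Depth + 1; Chain = $next
                }
                Get-NestedGroupChain -Group $member.DistinguishedName `
                    -Path $next -Depth ($Depth + 1) -Visited $Visited
            }
        }
    }
}

# Placeholders: replace with the group on the published app and an affected account.
$assignedGroup = 'Group DEF'
$user          = 'jdoe'

# Depth 0 = direct member; Depth 1 or more = only reachable through nesting.
Get-NestedGroupChain -Group $assignedGroup |
    Where-Object { $_.Type -eq 'User' -and $_.Name -eq $user } |
    Sort-Object Depth | Format-Table Name, Depth, Chain -AutoSize
```

Dropping the `Where-Object` filter and selecting `Type -eq 'Group'` instead lists every nested group under the assignment, which is the set to flatten or assign individually.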

A fun few hours this morning! And as usual Citrix Support was of no use at all, despite logging a ticket.


I’m Lilys Dad…
