Updated: 2012/10/12
My second blog post is mainly about something more challenging than optimising your servers, and anyone who has tried to configure Smartcard SSO with AGEE, knows what I am talking about, right?


The root cause behind this blog post is basically due to an engagement I did just after the Knowledge Exchange session in Dublin 2011 and before my vacation was suppose to start. Time was crucial and what I thought would take 2 days to solve took more than 1 week excluding some serious overtime. In the end we found out that we had around 10-12 problems, and the interesting part was that the customer already had this working, for one (1) farm, so how on earth could this be difficult to solve?

So this two part blog post is a collection of “lessons learned”, based upon this and similar engagements, that I have been involved with. I also want to give a big thank you to Holger Fuessler and Mark Strange for the additional input, and the end-customer (you know who you are) for their help.

In this first part you will read about the scenario, some pre-requirements, general Q&A, and in the second part I will include more about some of the issues I found and what to look out for (but then again, the second part all depends on you guys J).


This real life scenario (why keep it simple) include the aggregation of applications from two different farms, a XenApp 5 farm and a XenApp 6 farm, Windows 2003 and Windows 2008 R2, as described below (High Level Architecture).

So, where do you start troubleshooting when this doesn’t work as it should? In our case, it worked when aggregating applications from the XenApp 5 farm, but not for the XenApp 6.

The fundamentals are described below.


  • Active Directory domain functional level must be 2003 or 2008.
  • XenApp and Web Interface servers must be domain members.
  • User accounts and XenApp resouces needs to be in the same Active Directory Domain.
  • XenApp XML service must be running with IIS on servers chosen as XML brokers and STA servers
  • Web Interface 5.3 or later must be used.
  • XenApp version 4.5, 5, and 6 are supported and used – as well as XenApp 6.5.


  • Web Interface delegates HTTP service to all the XML broker/s in use.
  • XML broker delegates the HTTP service to itself and HOST services to all XenApp servers in the farm (per farm).
  • Each XenApp server delegates CIFS and LDAP services to the Domain Controllers and HOST services to itself and HTTP services to the XML broker (per farm).
  • The trust XML request option on the XML broker is selected, for both XML Brokers.
  • The root certificate used to sign the AGEE Virtual server is stored on the Trusted Root Certificate store of the Web Interface server.
  • The Web Interface can resolve the FQDN name of the Virtual server.
  • The Citrix Deliver Services Protocol Transition Service is running on the Web Interface. 

Questions and Answers:

  • Can I share STA between various farms? Yes, you can share the STA server between two different farm versions, just make sure that it is correctly written in the AGEE; the correct path is HTTP(s)://FQDN/Scripts/CTXSta.dll. Assuming, you are running on TCP port 80. Worst case, you might have to modify this to HTTP(s)://FQDN:8080/Scripts/CTXSta.dll or any other format depending on your setup.
  • Is the STA Path case sensitive? No, it is not.
  • Does this setup provide Smartcard SSO with XenDesktop? No, AFAIK, the support and functionality when it comes to Smartcard SSO is still only for XenApp (for this scenario – ICA Proxy).
  • Do I need to allow Anonymous Authentication for the IIS on the second farm (XA6), the one that shares IIS/XML? Yes, you do, just using Windows Integrated Authentication for IIS, will not provide the needed functionality. And furthermore, locked down IIS installations can cause unpredictable results.
  • Do I need to use FQDN? I strongly recommend using FQDN where applicable, for example XML Broker Configuration and Authentication Service URL (WI), Active Directory Delegation, AGEE -WI Address and the STA path.

The second part will include more details, in the mean time, please ensure that you register for the Citrix Synergy in Barcelona, and join my session with Dan Feller.And I do recommend that you register for the event, and join my session if you want the second part posted 🙂