Strange behavior here with Citrix Web Interface 4. We are running
Metaframe XPa FR3 with SP4 and relevant hotfixes. Prior to installing
Metaframe/apps, we installed Novell 4.90 SP2 client according to the
recommended procedure from Citrix/Novell. The client is able to
successfully login to the tree using the SLP ip address information
specified in the client. We can log in to eDirectory using our
credentials. We are running 2003 Server SP1 and IIS 6.

Our Web Interface 4 box is a 2003 Server SP1 WITHOUT the Novell client
loaded. We have specified the ldap servers on the 389 ports and have no
issues connecting to the ports from other interfaces. In fact, right now
my WI server is still on the internal network yet so I don't see an issue
with straight connectivity.

The problem at hand is, the user is unable to log into the Citrix web
interface to see the published apps icons if there is no user logged on
to the Metaframe XP server itself. The error returned is "Error: The
credentials supplied were invalid. Please try again."

Initially I thought it was due to the fact that no user was authenticated
to the tree on the Metaframe server, but then I caught this post on the
forum: http://support.citrix.com/forums/thread.jspa?messageID=52289&fromSearchPage=true&#52289
and realized that if I remote desktop into the Metaframe server and click
the advanced button on the client then click on the tree button, just as
stated in the post I found, I was suddenly able to log into the Metaframe
server via WI. I have no issues accessing the Metaframe XP servers using
the same credentials via PN client. The solution given in that thread was
to import and register the MP server into the NDS tree. We have not tried
this yet. Why would this make a difference and how would we go about
doing this? There is no Zenworks or workstation manager components loaded
on the Metaframe server.

Even when the login fails, my context is properly returned so it does
appear that ldap in and of itself is working, but the next step where
those credentials get passed to the Metaframe XP server fails...unless I
log into the Metaframe XP server console or simply click the tree button
on the client.

I'm at a loss on this one as the only thing that I can think of is that
something is preventing the pass through to happen on the Metaframe
server.

I found another post very similar to mine which was not resolved...the
only difference is that the poster was running Presentation Server 4 not
Metaframe XP:
http://support.citrix.com/forums/thread.jspa?messageID=399518&fromSearchPage=true&#399518
Just as he did, I verified the following:

1) Preferred trees are set in the farm.
2) The GINA order is good: CTXGINA.DLL and then NWGINA.DLL.
3) TSClientAutoAdminLogin=1 is set correctly.
4) LDAP Contextless lookups on the PS Novell client are disabled -- using
SLP -- SLP configuration information is hard coded with IP addresses to
two different servers
5) The PS Novell client is hard coded with preferred tree, context and
servers (default location)
6) Users can login to the PS if they go direct (custom connection) and
not through the WI.
7) Currently, the Metaframe XP server is being accessed successfully via
a third party web interface from Netsilica -- this product uses ldap to
authenticate the user to NDS and then initiates a Citrix session using
the Java client -- so connectivity is possible from an external web
interface
8) I am able to reproduce the problem on two different WI 4 servers as
well as differing MP XP servers. We do not have a domain, just eDirectory
and workgroup. The production WI 4 server that I was building has two
farms added. Each farm has just one server -- two servers total. If users
are logged into farm 1 and farm 2 servers via PN client, I can log into
MP XP server via WI 4. If no users are logged into farm 1 or farm 2 via
PN client, my attempted login to MP XP server via WI 4 will fail. If I
remove the farm that has no users on it from WI 4, and then attempt to
log in, the log in is successful.

The problem is easily reproduced. If I don't log into the MF XP box or at
least click the tree button on the Novell client, the authentication via
WI 4 will fail. If I click the tree button or log into the MF XP console
(remotely or direct), I can successfully log via WI 4 as many times as I
please. Once I log out of the MF XP console, or close out of the tree
window, the login fails again.

I did reference this article from Citrix
http://support.citrix.com/article/CTX106323 but the only thing it really
talked about was to disable SLP or enable SLP -- SLP is enabled at the MP
XP server and the Novell server. Our desktop clients use these SLP
settings every day.

UPDATE: I did a ctxtrace and compared the scenarios of when I am able to
log into WI vs when I get the invalid credentials error. It appears that
when I get the invalid credentials error, I see errors related to
connecting to NDS in the ctxtrace logfile.

[NDSDrvSS, Error] NDSDrvHelper::ImpersonateProxyUser()
[NDSDrvSS, Error] NDSDrvHelper::ImpersonateProxyUser() Successful.
[NDSDrvSS, Error] NDSDrvHelper::AuthenticateUser - NWDSLogin failed- Value = -669
[NDSDrvSS, Error] NDSDrvHelper::GetSecurityInfo - ConnectToNDS failed- Value = -2146238461
[NDSDrvSS, Error] NDSDrvHelper::DetachFromNDS.
[ImaMfRpc, Error] NFuse_EnumerateApplications: GetUserSecurityInfo failed. Error: 0x80130003.
[ImaMfRpc, Error] IMA_UserMgmt_SAL::Destructor.

as well as

[NDSDrvSS, Error] NDSDrvHelper::ImpersonateProxyUser()
[NDSDrvSS, Error] NDSDrvHelper::ImpersonateProxyUser() Successful.
[NDSDrvSS, Error] NDSDrvHelper::AuthenticateUser - NWDSLogin failed- Value = 34948
[NDSDrvSS, Error] NDSDrvHelper::GetSecurityInfo - ConnectToNDS failed- Value = -2146238461
[NDSDrvSS, Error] NDSDrvHelper::DetachFromNDS.
[ImaMfRpc, Error] NFuse_EnumerateApplications: GetUserSecurityInfo failed. Error: 0x80130003.
[ImaMfRpc, Error] IMA_UserMgmt_SAL::Destructor.

I googled the error and found this on the Citrix site
http://support.citrix.com/article/CTX101781 which is an old article and
may not pertain as it discusses Nfuse 1.7 and client 4.83 however it did
seem similar to my problem. The recommended solution is to map a drive to
a Novell resource when the Metaframe XP server starts. I tried to use
the "net use" command to map to our Novell file share, but I get "System
error 67 has occurred. The network name cannot be found." I tried a
different syntax without success...so it looks like I'm out of luck until
I can figure out if it is possible to map a Novell share on bootup
without having to login to the Novell client first. My only other option
is to keep a user logged into the console all the time which really isn't
a viable solution.

I appreciate any input on this issue as I have scoured both Citrix and
Novell sites for the solution but have not found anything definitive yet.
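
An added example (not part of the original post, and not Citrix or Novell code): a small parser for the ctxtrace excerpts quoted above that rejoins wrapped entries and renders every failure code as unsigned 32-bit hex. Normalized this way, the ConnectToNDS value -2146238461 and the later 0x80130003 are the same code, so the only value that differs between the two traces is the one NWDSLogin returns. The function and variable names are illustrative.

```python
import re

# Constructed sample: first trace from the post, wrapped mid-entry to exercise unwrap().
TRACE_A = """\
[NDSDrvSS, Error] NDSDrvHelper::ImpersonateProxyUser()
[NDSDrvSS, Error] NDSDrvHelper::ImpersonateProxyUser() Successful.
[NDSDrvSS, Error] NDSDrvHelper::AuthenticateUser - NWDSLogin failed-
Value = -669
[NDSDrvSS, Error] NDSDrvHelper::GetSecurityInfo - ConnectToNDS failed-
Value = -2146238461
[NDSDrvSS, Error] NDSDrvHelper::DetachFromNDS.
[ImaMfRpc, Error] NFuse_EnumerateApplications: GetUserSecurityInfo
failed. Error: 0x80130003.
[ImaMfRpc, Error] IMA_UserMgmt_SAL::Destructor.
"""
TRACE_B = TRACE_A.replace("Value = -669", "Value = 34948")  # second trace: only NWDSLogin differs

ENTRY_START = re.compile(r"^\[(\w+), \w+\] ")
FAILED = re.compile(r"(\w+) failed\W+(?:Value = |Error: )(-?(?:0x[0-9a-fA-F]+|\d+))")

def unwrap(text):
    """Rejoin wrapped entries: a line without a '[Module, Level]' prefix continues the previous one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def as_u32_hex(raw):
    """Render a decimal or hex code as unsigned 32-bit hex so signed and hex forms compare equal."""
    return "0x%08X" % (int(raw, 0) & 0xFFFFFFFF)

def failures(text):
    """Return (module, failed_call, raw_value, hex_value) for each failure, in trace order."""
    out = []
    for entry in unwrap(text):
        hit, start = FAILED.search(entry), ENTRY_START.match(entry)
        if hit:
            out.append((start.group(1) if start else "?", hit.group(1),
                        hit.group(2), as_u32_hex(hit.group(2))))
    return out

def summarize(text):
    """The first failing call is the root; codes seen after it are that failure propagating upward."""
    fails = failures(text)
    if not fails:
        return None  # clean trace: nothing failed
    return {"root": fails[0][1], "code": fails[0][3], "propagated": sorted({f[3] for f in fails[1:]})}
```

Calling `summarize(TRACE_A)` and `summarize(TRACE_B)` gives the same root call and propagated code for both traces, with only the NWDSLogin code changing.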