Forum Discussion
Jimmy_Jennings_
Feb 11, 2015Nimbostratus
Sheigh,
I've got this pretty much figured out. there are quite a few items that can be parts of the problem but I now have all the way up to 5 hops working. There is too much detail to try and put on a message board but if you have some form of contact information I can help you get things going in the right direction. For us, the biggest problem was related to server side security hardening. These are the two main items, but there are others that can contribute to the issue:
1. local policies\user rights assignment\"impersonate a client after authentication" - SYSTEM needs to be added, this allows the local system to request a service on behalf of the user
2. We also had to change the AD delagation properties at the Citrix servers to Any Authentication Protocol.
One thing I've found out, SSPI errors don't always mean Kerberos problems, a lot of times they are really trying to say access is denied.