How to disable Citrix or RDP login with SecureLogin

  • 7003641
  • 25-Jun-2009
  • 26-Apr-2012

Environment

Novell SecureLogin
NSL6.1
SecureLogin installed on both workstation and terminal server
Single Sign On is desired for Citrix published applications
Single Sign On is desired for web app and Windows apps launched from workstation

Situation

Unable to disable single sign on to RDP
SecureLogin logs user in when mstsc.exe is launched
User wants to NOT have SecureLogin attempt to log in to the Remote Desktop
 

Resolution

This is occurring because passthrough authentication is active.  Passthrough authentication is an integral part of SecureLogin, and happens by default when NSL is installed on both terminal server (Citrix or MS) and workstations.  This is working as designed. 

The workaround is to break the virtual channel by removing or renaming one of the virtual channel pieces from the registry or file system. This can be done on either the server side or the workstation side. 
For a diagram of the virtual channel, see TID 3149664 at

https://support.microfocus.com/kb/doc.php?id=3149664&sliceId=1&docTypeID=DT_TID_1_1&dialogID=66268541&stateId=0%200%2066270183


By removing one of the virtual channel pieces, passthrough authentication will fail.

The following examples will break the virtual channel:

On a Citrix Server:

  • Break the GINA chain to sl_tsgina by changing the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CtxGinaDLL from sl_tsgina to msgina.

  • Remove the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ProtocomPassthroughDll


On a plain Terminal Server:

  • Break the GINA chain to sl_tsgina by changing the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL from sl_tsgina to msgina.


On the workstation:

  • Remove HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\tsslsso

  • Rename vdslsson.dll found in the Citrix installation directory


Alternatively, if breaking the virtual channel pass-through support as described above is not desirable, an administrator who wishes to connect to a terminal session from a user's workstation can temporarily disable SecureLogin through the system tray icon menu prior to making the connection.  This will prevent the administrator's credentials from being written back into the user's data store. Remember to re-enable SecureLogin after the connection.
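
To confirm which of the virtual channel pieces listed above are still in place on a given server or workstation, a read-only PowerShell check such as the following can be run. It is an added example, not part of the original TID or of SecureLogin itself; the function names and the $CitrixClientDir parameter with its placeholder path are assumptions.

```powershell
# Read-only audit: reports which SecureLogin passthrough pieces named in this
# article are present on the local machine. It changes nothing.
param(
    # Assumption: the article does not give the Citrix installation path,
    # so a placeholder is used. Pass the real directory when running.
    [string]$CitrixClientDir = 'C:\PLACEHOLDER\CitrixInstallDir'
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$addIn    = 'HKCU:\Software\Microsoft\Terminal Server Client\Default\AddIns\tsslsso'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value data, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Finding([string]$Side, [string]$Piece, [bool]$Present, [string]$Detail) {
    New-Object PSObject -Property @{
        Side = $Side; Piece = $Piece; Present = $Present; Detail = $Detail
    }
}

$findings = @()

# Server side: a GINA chain value that still points at sl_tsgina.
foreach ($name in 'CtxGinaDLL', 'GinaDLL') {
    $v = Get-RegValue $winlogon $name
    $findings += New-Finding 'Server' $name ($v -like '*sl_tsgina*') "$v"
}

# Server side: the passthrough DLL value under Winlogon.
$v = Get-RegValue $winlogon 'ProtocomPassthroughDll'
$findings += New-Finding 'Server' 'ProtocomPassthroughDll' ($null -ne $v) "$v"

# Workstation side: the RDP client add-in key (per user, so run as that user).
$findings += New-Finding 'Workstation' 'AddIns\tsslsso' (Test-Path $addIn) $addIn

# Workstation side: the Citrix client virtual channel DLL.
$dll = Join-Path $CitrixClientDir 'vdslsson.dll'
$findings += New-Finding 'Workstation' 'vdslsson.dll' (Test-Path $dll) $dll

$findings | Sort-Object Side, Piece |
    Format-Table Side, Piece, Present, Detail -AutoSize
```

Because the tsslsso key is under HKEY_CURRENT_USER, the workstation result reflects only the profile of the account running the script.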


Additional Information

SecureLogin needs to be installed on the terminal server in order to have single sign on for Citrix Published applications.
SecureLogin needs to be installed on the workstations in order to have single sign on for Windows apps and web apps launched from the workstation.
When installed on both workstation and server, passthrough authentication happens by default.

Steps to duplicate:
- Open "Manage Logins" on a workstation and verify that there is no credential set for the domain or Citrix server listed under logins.
- Launch mstsc.exe and connect to a Citrix server.
- A SecureLogin dialog will flash briefly.
- Look in Manage Logins again. A login will be created for the domain or Citrix server that contains the credentials entered.

Use case: administrators establish an RDP connection to a Citrix server from another user's workstation. The administrator's credentials for the Citrix server will be written to the other user's credential store.