Citrix Provisioning support for communicating with SOAP service with NTLM protocol disabled

June 11, 2024

On-premises status: Releasing (Citrix Provisioning)

By default, Citrix Provisioning uses Kerberos authentication when communicating with the SOAP Service in an Active Directory environment. Kerberos requires the service to be registered with the domain controller (the Kerberos Key Distribution Center) by creating a service principal name (SPN). If SPN creation fails, Kerberos authentication fails, and Citrix Provisioning falls back to NT LAN Manager (NTLM) authentication.

However, NTLM is highly insecure and vulnerable to attack.

With this enhancement, the config wizard creates the SPN in the backend. Administrators can run the config wizard to generate the SPN, ensuring that Citrix Provisioning supports Kerberos authentication when NTLM is disabled. If SPN creation fails, it is likely due to insufficient privileges associated with the current user account. Re-run the config wizard using an account with full admin rights.
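
One way to confirm the result after running the config wizard, before NTLM is disabled, is to query Active Directory for the SPN and check which account owns it. This is an added example, not Citrix code; the `PVSSoap` service class and the parameter names are assumptions to confirm against your deployment.

```powershell
# Added example (not Citrix code): check who owns the SOAP service SPN.
param(
    [Parameter(Mandatory)] [string] $ServerFqdn,      # Provisioning server FQDN
    [Parameter(Mandatory)] [string] $ServiceAccount,  # account the SOAP service runs as
    [string] $ServiceClass = 'PVSSoap'                # assumption: confirm for your deployment
)

$spn = "$ServiceClass/$ServerFqdn"
$sam = ($ServiceAccount -split '\\')[-1]              # accept DOMAIN\name or name

# Find every object in the current domain that has this SPN registered.
# Other domains in the forest are not searched by this query.
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.Add('samaccountname')
$owners = @($searcher.FindAll() |
    ForEach-Object { [string]$_.Properties['samaccountname'][0] })

# Exactly one owner, and it must be the service account, for Kerberos to work.
$status = if ($owners.Count -eq 0) {
    'Missing: SPN not registered, Kerberos authentication fails'
} elseif ($owners.Count -gt 1) {
    'Duplicate: SPN registered on more than one account, Kerberos authentication fails'
} elseif ($owners[0] -ieq $sam) {
    'OK: SPN is registered on the service account'
} else {
    'Wrong owner: SPN is registered on a different account'
}

[pscustomobject]@{
    Spn      = $spn
    Expected = $sam
    Owners   = $owners -join ', '
    Status   = $status
}
```

If the SOAP service runs under a built-in account such as Network Service, pass the server's computer account (name ending in `$`) as `-ServiceAccount`.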