During the Citrix logon process it invokes AD logon, then the VDA, and generates the necessary VDI session. I'm using the Citrix decode; is it possible to correlate which domain server was used for the Citrix logon process? Currently DMI shows some user names as "domain\username" and some as "Client from xx.xx.xx.xx/24"; not sure if that is related.
Any comment is much appreciated.
Answer by Sylvian L.
Thanks for your reply.
Seems there is no way out then; Citrix Director doesn't provide such information either. I've created a DMI report which shows the username against the corresponding software and server names; however, the software service "LDAP" is not always detected. :(
Answer by Kris Z.
Direct correlation is not possible. In order to arrive at a direct correlation of user-to-VDA and VDA-to-AD transactions, we would need a deep agent instrumenting the Windows processes responsible for receiving authentication requests and sending AD requests: a PurePath equivalent for the Windows core, so to speak :-)
What NAM can do is monitor the user name within the ICA protocol and, separately, the user authentication request against the LDAP/AD server. In both cases the user name can be extracted if it's not encrypted, so it would be possible to see which server the user authenticated against, but not in a sequence that's as clear as a PurePath. Something like the attached screenshot, but with the software service name replaced by the server name to reveal which LDAP server the user actually used.
Please note that authentication in such an environment may occur through different paths. For example, the user may first authenticate to AD when logging on to the terminal (desktop PC); then, when starting the Citrix client, authentication may occur via Windows SSO, so the user name won't be needed then. But it may appear later on in the ICA traffic. These paths are environment-dependent.
In any case, the user name can only be recognized if it shows up in the network packets; then it will be known for the TCP session that's in progress. Before the user authenticates, the user name is not known, so the reported user name is something like "Client from xx.xx.xx.xx/24".
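The name-based correlation Kris describes, as an added example that is not part of the thread or of NAM itself: ICA session records and LDAP bind records (both constructed here, with assumed field names) are joined on the user name, sessions still carrying the pre-authentication "Client from x.x.x.x/24" placeholder are set aside as uncorrelatable, and a user seen binding to more than one LDAP server keeps all of them, which is exactly the ambiguity a name join cannot resolve without a PurePath-style sequence.

```python
import re
from collections import defaultdict

# Constructed sample of what a DMI export might look like; the field
# names (user, client_ip, vda, server) are assumptions, not NAM's schema.
ICA_SESSIONS = [
    {"user": "CORP\\alice", "client_ip": "10.1.1.10", "vda": "vda01"},
    {"user": "CORP\\bob", "client_ip": "10.1.1.11", "vda": "vda02"},
    # Name not yet seen on the wire: NAM-style placeholder for the client subnet
    {"user": "Client from 10.1.2.0/24", "client_ip": "10.1.2.5", "vda": "vda01"},
]
LDAP_BINDS = [
    {"user": "CORP\\alice", "server": "dc01.corp.example"},
    {"user": "CORP\\alice", "server": "dc02.corp.example"},
    {"user": "CORP\\bob", "server": "dc02.corp.example"},
    # Encrypted bind: the user name cannot be extracted, so it is None
    {"user": None, "server": "dc01.corp.example"},
]

# Matches the placeholder reported before a user name is known
UNKNOWN_USER = re.compile(r"^Client from \d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


def correlate(ica_sessions, ldap_binds):
    """Join ICA sessions to LDAP binds by user name.

    Returns (by_user, uncorrelated): by_user maps each named user to the
    set of VDAs they reached and the set of LDAP servers they bound to;
    uncorrelated lists ICA sessions whose user name is still a placeholder.
    """
    binds_by_user = defaultdict(set)
    for bind in ldap_binds:
        if bind["user"] is None:  # encrypted or otherwise unreadable bind
            continue
        binds_by_user[bind["user"].lower()].add(bind["server"])

    by_user, uncorrelated = {}, []
    for sess in ica_sessions:
        if UNKNOWN_USER.match(sess["user"]):
            uncorrelated.append(sess)
            continue
        entry = by_user.setdefault(sess["user"], {"vdas": set(), "ldap_servers": set()})
        entry["vdas"].add(sess["vda"])
        # Several servers here means the join alone cannot say which one served this logon
        entry["ldap_servers"] |= binds_by_user.get(sess["user"].lower(), set())
    return by_user, uncorrelated


if __name__ == "__main__":
    users, unknown = correlate(ICA_SESSIONS, LDAP_BINDS)
    for name, info in users.items():
        print(name, sorted(info["vdas"]), sorted(info["ldap_servers"]))
    print("uncorrelated sessions:", len(unknown))
```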